如何在 java 6 上启用 TLSv1.2 (TLSv1.2 + Bouncycastle + Java 1.6_45)

Question

我的应用程序当前在 java 1.6_45 和 OSGI 3.2 上运行。

我应该适配 TLSv1.2，因为服务器从现在开始只支持 TLSv1.2。

我仍然收到 bad_record_mac 错误。

谁能帮帮我？

我尝试了以下****

        // Installiere Bouncy Castle und TLS 1.2
        if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }

        ....

        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        System.out.println("TLSv1.2 ist vorhanden.");

        ......

        sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { defaultTrustManager }, null);


        // Create SSLConnectionSocketFactory with TLSv1.2
        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" }, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // Create clients
        HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();

        // Set UnirestClient
        Unirest.setHttpClient(httpClient);

        ....

        // Unirest Httpclient get request
        HttpResponse<String> response = Unirest.get(url.toString()).basicAuth(<username>, <pass>).header("Accept-Language", "de").asString();

我得到以下异常***

        1559 [SpringOsgiExtenderThread-10] INFO  org.bouncycastle.jsse.provider.ProvTlsClient - Client raised fatal(2) bad_record_mac(20) alert: Failed to read record
        org.bouncycastle.tls.TlsFatalAlert: bad_record_mac(20)
at org.bouncycastle.tls.crypto.impl.TlsAEADCipher.decodeCiphertext(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.RecordStream.decodeAndVerify(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) [httpclient-4.5.3.jar:4.5.3]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) [httpclient-4.5.3.jar:4.5.3]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) [httpclient-4.5.3.jar:4.5.3]
at 

        Caused by: java.lang.IllegalStateException: javax.crypto.BadPaddingException: mac check in GCM failed
at org.bouncycastle.tls.crypto.impl.jcajce.JceAEADCipherImpl.doFinal(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
... 51 common frames omitted
        Caused by: javax.crypto.BadPaddingException: mac check in GCM failed
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown Source) [bcprov-jdk15on-160.jar:1.60.0]
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source) [bcprov-jdk15on-160.jar:1.60.0]
at javax.crypto.Cipher.doFinal(DashoA13*..) [na:1.6]
... 52 common frames omitted

Answer 1

我找到了一个新的解决方案，如下所示

public class TLSSocketConnectionFactory extends SSLSocketFactory {

// ******************Adding Custom BouncyCastleProvider*********************//

static {
    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
        Security.addProvider(new BouncyCastleProvider());
}

// ******************HANDSHAKE LISTENER*********************//

public class TLSHandshakeListener implements HandshakeCompletedListener {
    @Override
    public void handshakeCompleted(HandshakeCompletedEvent event) {

    }
}

private SecureRandom _secureRandom = new SecureRandom();

// ******************Adding Custom BouncyCastleProvider*********************//

@Override
public Socket createSocket(Socket socket, final String host, int port, boolean arg3) throws IOException {
    if (socket == null) {
        socket = new Socket();
    }
    if (!socket.isConnected()) {
        socket.connect(new InetSocketAddress(host, port));
    }

    final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), _secureRandom);
    return _createSSLSocket(host, tlsClientProtocol);
}

// ******************SOCKET FACTORY METHODS*********************//

@Override
public String[] getDefaultCipherSuites() {
    return null;
}

@Override
public String[] getSupportedCipherSuites() {
    return null;
}

@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
    return null;
}

@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
    return null;
}

@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
    return null;
}

@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
    return null;
}

// ******************SOCKET CREATION*********************//

private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
    return new SSLSocket() {
        private java.security.cert.Certificate[] peertCerts;

        @Override
        public InputStream getInputStream() throws IOException {
            return tlsClientProtocol.getInputStream();
        }

        @Override
        public OutputStream getOutputStream() throws IOException {
            return tlsClientProtocol.getOutputStream();
        }

        @Override
        public synchronized void close() throws IOException {
            tlsClientProtocol.close();
        }

        @Override
        public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) {

        }

        @Override
        public boolean getEnableSessionCreation() {
            return false;
        }

        @Override
        public String[] getEnabledCipherSuites() {
            // return null;
            return new String[] { "" };
        }

        @Override
        public String[] getEnabledProtocols() {
            // return null;
            return new String[] { "" };
        }

        @Override
        public boolean getNeedClientAuth() {
            return false;
        }

        @Override
        public SSLSession getSession() {
            return new SSLSession() {

                @Override
                public int getApplicationBufferSize() {
                    return 0;
                }

                @Override
                public String getCipherSuite() {
                    return "";
                }

                @Override
                public long getCreationTime() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public byte[] getId() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public long getLastAccessedTime() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public java.security.cert.Certificate[] getLocalCertificates() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public Principal getLocalPrincipal() {
                    return null;
                }

                @Override
                public int getPacketBufferSize() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
                    return null;
                }

                @Override
                public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
                    return peertCerts;
                }

                @Override
                public String getPeerHost() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public int getPeerPort() {
                    return 0;
                }

                @Override
                public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
                    return null;
                    // throw new UnsupportedOperationException();
                }

                @Override
                public String getProtocol() {
                    return "";
                }

                @Override
                public SSLSessionContext getSessionContext() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public Object getValue(String arg0) {
                    throw new UnsupportedOperationException();
                }

                @Override
                public String[] getValueNames() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public void invalidate() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public boolean isValid() {
                    throw new UnsupportedOperationException();
                }

                @Override
                public void putValue(String arg0, Object arg1) {
                    throw new UnsupportedOperationException();
                }

                @Override
                public void removeValue(String arg0) {
                    throw new UnsupportedOperationException();
                }
            };
        }

        @Override
        public String[] getSupportedProtocols() {
            return null;
        }

        @Override
        public boolean getUseClientMode() {
            return false;
        }

        @Override
        public boolean getWantClientAuth() {
            return false;
        }

        @Override
        public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) {
        }

        @Override
        public void setEnableSessionCreation(boolean arg0) {
        }

        @Override
        public void setEnabledCipherSuites(String[] arg0) {
        }

        @Override
        public void setEnabledProtocols(String[] arg0) {
        }

        @Override
        public void setNeedClientAuth(boolean arg0) {
        }

        @Override
        public void setUseClientMode(boolean arg0) {
        }

        @Override
        public void setWantClientAuth(boolean arg0) {
        }

        @Override
        public String[] getSupportedCipherSuites() {
            return null;
        }

        @Override
        public void startHandshake() throws IOException {
            tlsClientProtocol.connect(new DefaultTlsClient() {
                @Override
                public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
                    Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
                    if (clientExtensions == null) {
                        clientExtensions = new Hashtable<Integer, byte[]>();
                    }

                    // Add host_name
                    byte[] host_name = host.getBytes();

                    final ByteArrayOutputStream baos = new ByteArrayOutputStream();
                    final DataOutputStream dos = new DataOutputStream(baos);
                    dos.writeShort(host_name.length + 3); // entry size
                    dos.writeByte(0); // name type = hostname
                    dos.writeShort(host_name.length);
                    dos.write(host_name);
                    dos.close();
                    clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
                    return clientExtensions;
                }

                @Override
                public TlsAuthentication getAuthentication() throws IOException {
                    return new TlsAuthentication() {
                        @Override
                        public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
                            try {
                                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                                List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
                                for (org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
                                    certs.add(cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())));
                                }
                                peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
                            } catch (CertificateException e) {
                                System.out.println("Failed to cache server certs" + e);
                                throw new IOException(e);
                            }
                        }

                        @Override
                        public TlsCredentials getClientCredentials(CertificateRequest arg0) throws IOException {
                            return null;
                        }
                    };
                }
            });
        }
    };// Socket

}
}

并创建新的 http 客户端，如下所示

        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(new TLSSocketConnectionFactory(), new String[] { "TLSv1.2" }, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // Create clients
        HttpClient httpClient = HttpClientBuilder.create().setSSLSocketFactory(sf).build();

        // Set UnirestClient
        Unirest.setHttpClient(httpClient);

现在效果很好:)