I'm using:
- OpenJDK 15
- Spring Boot 2.3.4 with embedded Undertow
I don't think the issue is related to Spring Boot; it's related to some mistake of mine. More precisely, I'm using this OpenJDK version:
openjdk version "15" 2020-09-15
OpenJDK Runtime Environment (build 15+36-1562)
OpenJDK 64-Bit Server VM (build 15+36-1562, mixed mode, sharing)
Here is what I need: I need X.509 with Spring Security. In order to build a good truststore, I wrote some code that connects [here][1], parses the XML and creates the truststore file.
Then I configured my spring boot in this way:
server.ssl.trust-store=myTrustLocation/myTrustJks.jks
server.ssl.trust-store-password=myTrustPwd
server.ssl.trust-store-type=PKCS12
server.ssl.client-auth=need
server.ssl.enabled=true
#ssl ciphers
#server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3
It seems to me that the truststore is correctly loaded (if I use a wrong name the app doesn't start).
Now I have an X.509 client certificate and a device connected to the laptop via USB. The client certificate is provided by Actalis and it's valid until 2021.
When I try to connect to my Spring Boot app, it asks me for the certificate. I send it to the app, but OpenJDK and Undertow complain about the verification of the certificate signature. By starting the app with -Djavax.net.debug=all
I get this error:
javax.net.ssl|DEBUG|2C|XNIO-1 task-1|2020-10-22 17:38:05.147 CEST|CertificateMessage.java:1161|Consuming client Certificate handshake message (
"Certificate": {
"certificate_request_context": "",
"certificate_list": [
{
.............................
}
]
)
javax.net.ssl|DEBUG|2C|XNIO-1 task-1|2020-10-22 17:38:05.163 CEST|X509TrustManagerImpl.java:301|Found trusted certificate (
"certificate" : {
[
.......
]}
)
javax.net.ssl|ERROR|2C|XNIO-1 task-1|2020-10-22 17:38:05.165 CEST|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Invalid CertificateVerify signature (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Invalid CertificateVerify signature
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
at java.base/sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:1009)
at java.base/sun.security.ssl.CertificateVerify$T13CertificateVerifyConsumer.consume(CertificateVerify.java:1160)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1107)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
at java.base/java.lang.Thread.run(Thread.java:832)}
)
javax.net.ssl|ALL|2C|XNIO-1 task-1|2020-10-22 17:38:05.166 CEST|SSLSessionImpl.java:1224|Invalidated session: Session(1603381082397|TLS_AES_256_GCM_SHA384)
javax.net.ssl|WARNING|24|XNIO-1 I/O-5|2020-10-22 17:38:05.166 CEST|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.166 CEST|SSLEngineOutputRecord.java:510|WRITE: TLS13 alert, length = 2
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.167 CEST|SSLCipher.java:2063|Plaintext before ENCRYPTION (
0000: 02 28 15 00 00 00 00 00 00 00 00 00 00 00 00 00 .(..............
0010: 00 00 00 ...
)
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.167 CEST|SSLEngineOutputRecord.java:528|Raw write (
0000: 17 03 03 00 23 C4 F6 89 E4 E1 58 81 C6 99 7D AE ....#.....X.....
0010: 8B 65 BA 49 1F 6F 57 28 73 F1 08 47 21 80 33 0F .e.I.oW(s..G!.3.
0020: CF FF 65 2A 2D 16 93 99 ..e*-...
)
I can't understand why, on the server side, I can't verify the certificate signature.
Can anyone give me a tip?
Thank you
Angelo

[1]: https://eidas.agid.gov.it/TL/TSL-IT.xml
UPDATE
I solved the issue by removing TLSv1.3; so now my Spring Boot configuration file is:
server.ssl.trust-store=myTrustLocation/myTrustJks.jks
server.ssl.trust-store-password=myTrustPwd
server.ssl.trust-store-type=PKCS12
server.ssl.client-auth=need
server.ssl.enabled=true
#ssl ciphers
#server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2
The request now reaches Spring Security's org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter,
but no request parameter named javax.servlet.request.X509Certificate
is found.
These are all the request params and headers I found in the request:
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER VALUE org.springframework.web.context.request.async.WebAsyncManager@5d2019a3
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.header.HeaderWriterFilter@40d63d7e.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY __spring_security_scpf_applied VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.key_size VALUE 256
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.http.HttpServletResponse VALUE org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterResponse@479cfa9
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY characterEncodingFilter.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY webMvcMetricsFilter.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.FilterChainProxy.APPLIED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY _csrf VALUE SaveOnAccessCsrfToken [delegate=org.springframework.security.web.csrf.DefaultCsrfToken@7be2014]
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.cipher_suite VALUE TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter$TimingContext VALUE org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter$TimingContext@10e6a38
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.ssl_session_id VALUE [45, 69, -121, -113, 43, -28, 65, -68, 113, 77, 78, 5, -13, -54, 110, -77, -14, -70, -2, 107, 112, 46, 93, -31, -101, -97, -103, 121, 34, 71, 86, -13]
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.csrf.CsrfFilter@3cabd235.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY formContentFilter.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY requestContextFilter.FILTERED VALUE true
2020-10-22 19:35:59,725 24752 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.csrf.CsrfToken VALUE SaveOnAccessCsrfToken [delegate=org.springframework.security.web.csrf.DefaultCsrfToken@7be2014]
2020-10-22 19:35:59,736 24763 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Cookie HEAD VALUE JSESSIONID=9bxOO7wIleO0zohbZ3V5X-WX5ydAJHtsP74LicCx
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept HEAD VALUE text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Cache-Control HEAD VALUE max-age=0
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Upgrade-Insecure-Requests HEAD VALUE 1
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME User-Agent HEAD VALUE Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Connection HEAD VALUE keep-alive
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Host HEAD VALUE eid-tls-svil.regione.puglia.it:8443
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept-Language HEAD VALUE en-US,en;q=0.5
2020-10-22 19:35:59,739 24766 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept-Encoding HEAD VALUE gzip, deflate, br
Can anybody suggest why?
Thank you
Angelo
SECOND UPDATE
I tried changing the embedded server from Undertow to Tomcat, and now it works without touching anything else in the Spring configuration. So, basically, with Undertow it seems to me that the client certificate is not sent to Spring Security.
Am I missing anything?
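The question mentions building the truststore from the Italian Trusted List at the URL in [1]. As an added example (my code, not the question author's truststore builder), here is how that extraction can be done offline: parse the ETSI TS 119 612 TSL XML, keep only services of type CA/QC whose current status is "granted", de-duplicate certificates that are listed under more than one service, and emit one PEM file plus a keytool import command per CA. It assumes the ETSI namespace http://uri.etsi.org/02231/v2# and the standard CA/QC and "granted" URIs; the embedded XML is a constructed sample whose X509Certificate bodies are placeholders, not real DER.

```python
"""Extract trust anchors from an eIDAS Trusted List (TSL) XML for a Java truststore.

Added example, not the question author's code. Assumptions: the TSL follows
ETSI TS 119 612 with namespace http://uri.etsi.org/02231/v2# (as TSL-IT.xml
does), and only CA/QC services whose current status is "granted" should be
trusted. The embedded XML is a constructed sample with placeholder DER.
"""
import base64
import hashlib
import re
import ssl
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
TSA_QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"


def _service(name, svc_type, status, der):
    """One constructed <tsl:TSPService>; real TSLs wrap the base64 over lines."""
    b64 = base64.encodebytes(der).decode()
    return (
        "<tsl:TSPService><tsl:ServiceInformation>"
        f"<tsl:ServiceTypeIdentifier>{svc_type}</tsl:ServiceTypeIdentifier>"
        f'<tsl:ServiceName><tsl:Name xml:lang="en">{name}</tsl:Name></tsl:ServiceName>'
        "<tsl:ServiceDigitalIdentity><tsl:DigitalId>"
        f"<tsl:X509Certificate>\n{b64}</tsl:X509Certificate>"
        "</tsl:DigitalId></tsl:ServiceDigitalIdentity>"
        f"<tsl:ServiceStatus>{status}</tsl:ServiceStatus>"
        "</tsl:ServiceInformation></tsl:TSPService>"
    )


# Constructed sample: one CA listed twice, a second CA, a withdrawn CA and a
# timestamping service. Only the first two must end up in the truststore.
CA1_DER = b"placeholder DER for CA 1"
CA2_DER = b"placeholder DER for CA 2"
SAMPLE_TSL = (
    '<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">'
    "<tsl:TrustServiceProviderList><tsl:TrustServiceProvider><tsl:TSPServices>"
    + _service("Example CA 1", CA_QC, GRANTED, CA1_DER)
    + _service("Example CA 1 (second listing)", CA_QC, GRANTED, CA1_DER)
    + _service("Example CA 2", CA_QC, GRANTED, CA2_DER)
    + _service("Old CA", CA_QC, WITHDRAWN, b"placeholder DER for old CA")
    + _service("Example TSA", TSA_QTST, GRANTED, b"placeholder DER for TSA")
    + "</tsl:TSPServices></tsl:TrustServiceProvider></tsl:TrustServiceProviderList>"
    "</tsl:TrustServiceStatusList>"
)


def extract_ca_certs(xml_text, service_types=(CA_QC,), statuses=(GRANTED,)):
    """Return [(service_name, der_bytes)] for services matching the filters,
    de-duplicated by SHA-256 of the DER so a CA listed twice is imported once."""
    root = ET.fromstring(xml_text)
    seen, result = set(), []
    for svc in root.iterfind(".//tsl:TSPService", NS):
        info = svc.find("tsl:ServiceInformation", NS)
        if info is None:
            continue
        svc_type = info.findtext("tsl:ServiceTypeIdentifier", default="", namespaces=NS)
        status = info.findtext("tsl:ServiceStatus", default="", namespaces=NS)
        if svc_type not in service_types or status not in statuses:
            continue
        name = info.findtext("tsl:ServiceName/tsl:Name", default="unnamed", namespaces=NS)
        for cert_el in info.iterfind(
            "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate", NS
        ):
            b64 = "".join((cert_el.text or "").split())  # drop line wrapping
            if not b64:
                continue
            der = base64.b64decode(b64, validate=True)
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen:
                continue
            seen.add(fp)
            result.append((name, der))
    return result


def alias_for(name, der):
    """keytool alias: slug of the service name plus a fingerprint prefix, so two
    different certificates with the same service name get distinct aliases."""
    slug = re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")[:40]
    return f"{slug}-{hashlib.sha256(der).hexdigest()[:8]}"


def keytool_command(alias, pem_path, keystore, password):
    """Import one PEM certificate as a trusted entry into a PKCS12 truststore."""
    return (
        f"keytool -importcert -noprompt -alias {alias} -file {pem_path} "
        f"-keystore {keystore} -storetype PKCS12 -storepass {password}"
    )


if __name__ == "__main__":
    import sys

    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TSL
    for name, der in extract_ca_certs(xml_text):
        alias = alias_for(name, der)
        with open(f"{alias}.pem", "w") as fh:
            fh.write(ssl.DER_cert_to_PEM_cert(der))  # plain base64-to-PEM, no validation
        print(keytool_command(alias, f"{alias}.pem", "trust.p12", "changeit"))
```

Run it with the path of a downloaded TSL-IT.xml as the only argument; it writes one PEM per granted CA and prints the keytool commands to run. keytool imports a single certificate per -importcert call, which is why each CA gets its own file and alias rather than one concatenated bundle, and -storetype PKCS12 produces a file matching the server.ssl.trust-store-type=PKCS12 setting regardless of the extension you give it.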