Problem with SVNKit & https & Java 7/8
ALIX LOURME
2015-04-08 15:11:07 UTC
Hi,

I'm facing a certificate problem using SVNKit with Java 7 or 8.
I have a Maven plugin that checks some Subversion items during a build (status ...) with SVNKit; it works perfectly in Maven 3.2.x (Java 6 execution).
With the Maven 3.3.1 migration (=> Java 7 execution), any SVNKit operation gets the error: "Certificates does not conform to algorithm constraints" (detailed stack at the bottom).

SVNKit v1.8.7 <http://search.maven.org/#artifactdetails|org.tmatesoft.svnkit|svnkit|1.8.7|jar> is used; the https certificate information (part) is: AES256-SHA, key 2048 bit.

I tried some tips from forums and http://svnkit.com/kb/user-guide-config-settings.html :

1) Install the latest available JDK (1.8.0_40)

2) Install UnlimitedJCEPolicyJDK8 (local_policy.jar & US_export_policy.jar replacement) ;

3) Blank properties jdk.certpath.disabledAlgorithms/jdk.tls.disabledAlgorithms in java.security file ;

4) Add "ssl-trust-default-ca = yes" in "%APPDATA%\Subversion\servers" file

But no way ...

I'm a little lost because this simple https url call works in Java 8:
----
String urlString = "https://scm.mycompanyinternet.com/svn/myrepo/trunk/myProject";

// Test content with simple HttpsURLConnection
Authenticator.setDefault(new SimpleAuthenticator(proxyUserName, proxyPassword));
System.setProperty("https.proxyHost", proxyHost);
System.setProperty("https.proxyPort", String.valueOf(proxyPort));

URL url = new URL(urlString);
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
Assert.assertTrue(IOUtils.toString(con.getInputStream()).contains("pom.xml"));
---

But on a simple SVNKit operation, any SVNClientManager.getXX fails (CertificateException with Java 7/8). Sample:
---
String urlString = "https://scm.mycompanyinternet.com/svn/myrepo/trunk/myProject";

// Client initialization (proxy configured in '%APPDATA%\Subversion\servers' file)
SVNClientManager clientManager = SVNClientManager.newInstance(SVNWCUtil.createDefaultOptions(true), SVNWCUtil.createDefaultAuthenticationManager(userName, password));

// Simple SVN list command and get content
// 'final' is required under Java 7 because the anonymous handler captures it
final StringBuilder content = new StringBuilder();
clientManager.getLogClient().doList(SVNURL.parseURIEncoded(urlString), SVNRevision.HEAD, SVNRevision.HEAD, false, false,
    new ISVNDirEntryHandler() {
        @Override
        public void handleDirEntry(SVNDirEntry dirEntry) throws SVNException {
            content.append(dirEntry.getName());
        }
    });
Assert.assertTrue(content.toString().contains("pom.xml"));
---

Is there now a particular job to do for dealing with the certificate, or a cipher manipulation?

Thanks in Advance.
Best regards.
Alix.

Java Stack trace:
----
org.tmatesoft.svn.core.SVNException: svn: E175002: SSL handshake failed: 'java.security.cert.CertificateException: Certificates does not conform to algorithm constraints'
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:64)
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:506)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:375)
[...]
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
[...]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
[...]
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.sendData(HTTPConnection.java:325)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPRequest.dispatch(HTTPRequest.java:170)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:474)
... 37 more
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1055)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:981)
[...]
... 49 more
----
Alexander Kitaev
2015-04-21 22:14:51 UTC
Hello,

I apologize for the delay with the reply.

SVNKit relies on JVM SSL support, but also adds some custom configuration
that might be the reason for the problem.

Do you also have an SSL proxy configured when SVNKit is used? By default
SVNKit will read proxy settings from the Subversion configuration file at
~/.subversion/servers on Linux or OS X or from the %APPDATA%\Subversion\servers
file - if not, then your plain Java test connects through the proxy, while
SVNKit bypasses it - this could explain the problem.



Alexander Kitaev,
TMate Software,
http://subgit.com/ - Svn to Git Migration!
http://svnkit.com/ - Java [Sub]Versioning Library!
http://hg4j.com/ - Java Mercurial Library!
http://sqljet.com/ - Java SQLite Library!
ALIX LOURME
2015-04-22 11:38:18 UTC
Hi Alexander,

Thanks for the reply. I have fixed my problem but I do not have the exact root cause. Here are some elements of what I know:

FYI: I discovered the problem at my home => without proxy => not sure the proxy is the root cause.

With the property "-Djavax.net.debug=all" (very useful) I found in a certificate chain a Verisign certificate with the MD2withRSA algorithm.
DefaultSVNSSLTrustManager, used implicitly with DefaultSVNAuthenticationManager, seems to have a problem dealing with that when JDK >= 7 is used.
Some posts can be found on forums about this algorithm & extending X509TrustManager directly (and not X509ExtendedTrustManager) & JDK 7.

In the method checkServerTrusted, SVNSSLUtil.getServerCertificateFailures returns 12 as result (same result with JDK 6), authProvider is null and an SSLHandshakeException is found when back in HTTPConnection; the origin is not clear ... I can't debug when it has been thrown.

So I tried to use the default JVM trust manager, which can explain why the direct HttpsURLConnection snippet code works.

This is feasible with an extension of BasicAuthenticationManager (and better in my Maven plugin usage: fully Java without '%APPDATA%\Subversion' requirements):
---
import java.security.GeneralSecurityException;
import javax.net.ssl.TrustManager;
import org.apache.commons.net.util.TrustManagerUtils;
import org.tmatesoft.svn.core.SVNErrorCode;
import org.tmatesoft.svn.core.SVNErrorMessage;
import org.tmatesoft.svn.core.SVNException;
import org.tmatesoft.svn.core.SVNURL;
import org.tmatesoft.svn.core.auth.BasicAuthenticationManager;

public class BasicWithCertificateTrustedAuthenticationManager extends BasicAuthenticationManager {
    public BasicWithCertificateTrustedAuthenticationManager(String userName, String password) {
        super(userName, password);
    }

    @Override
    public TrustManager getTrustManager(SVNURL url) throws SVNException {
        try {
            // HTTPS URL requires certificate trust process
            if (url != null && url.getProtocol() != null && url.getProtocol().startsWith("https")) {
                // TrustManagerUtils comes from commons-net:commons-net:3.3
                return TrustManagerUtils.getDefaultTrustManager(null);
            }
            return null;
        } catch (GeneralSecurityException e) {
            throw new SVNException(SVNErrorMessage.create(SVNErrorCode.IO_ERROR, e.getMessage()), e);
        }
    }
}

Usage: SVNClientManager clientManager = SVNClientManager.newInstance(SVNWCUtil.createDefaultOptions(true), new BasicWithCertificateTrustedAuthenticationManager(userName, password));
---

=> It is OK for me. For investigation, I could give you the HTTPS URL in a private mail if you want (mine: ***@gmail.com). The certificate problem occurs before credential requirements.

Best Regards.
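
A diagnostic for the finding in the message above (an MD2withRSA certificate in the chain tripping the JDK's algorithm constraints), added here as an example and not part of the original posts or of SVNKit: it lists each certificate's signature algorithm and flags those named in `jdk.certpath.disabledAlgorithms`, which avoids blanking that property to find the culprit. The class name `SigAlgAudit`, its helper names and the simplified matching rule are assumptions of this example; the JDK's own checker also evaluates conditional entries such as key-size limits.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SigAlgAudit {
    // Simplified match (assumption): only bare algorithm names in the property, such as
    // "MD2", are compared; conditional entries ("RSA keySize < 1024") never match.
    static String disabledComponent(String sigAlg, String property) {
        if (property == null) return null;
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND"))
            for (String entry : property.split(","))
                if (entry.trim().toUpperCase(Locale.ROOT).equals(part)) return part;
        return null;
    }

    static List<X509Certificate> load(String[] args) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        if (args.length > 0) { // file holding only the certificates of the chain (PEM or DER)
            try (FileInputStream in = new FileInputStream(args[0])) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                    certs.add((X509Certificate) c);
            }
        } else { // no argument: audit the trust anchors of the running JVM
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            for (TrustManager tm : tmf.getTrustManagers())
                if (tm instanceof X509TrustManager)
                    for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) certs.add(c);
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        String property = Security.getProperty("jdk.certpath.disabledAlgorithms");
        for (X509Certificate cert : load(args)) {
            String sigAlg = cert.getSigAlgName();
            String hit = disabledComponent(sigAlg, property);
            System.out.printf("%-14s %-18s %s%n", hit == null ? "ok" : "DISABLED(" + hit + ")",
                    sigAlg, cert.getSubjectX500Principal().getName());
        }
    }
}
```

Run it with the path of a file containing the server's chain, or with no argument to audit the JVM's own trust anchors.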
