QuickFIX/J - Certificates do not conform to algorithm constraints
I am currently developing a QuickFIX/J application running on Java 17, intended to establish a secure connection with an external party using provided JKS certificates. Upon attempting the connection, I am encountering a java.security.cert.CertificateException with the message Certificates do not conform to algorithm constraints.
Here are the details:
- QuickFIX/J version: 2.3.1
- Java version: 17
- Error Message: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
I have attached the relevant portions of my QuickFIX/J configuration and the stack trace of the error. Could anyone provide advice on how to resolve this certificate issue or suggest any configurations that might prevent this error?
Thank you very much for any help you can provide!
My QuickFIX/J configuration
ConnectionType=initiator
SocketConnectHost=my_ip
SocketConnectPort=my_port
SocketUseSSL=Y
CipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
EnabledProtocols=TLSv1.2
SocketKeyStore=/path/cert.jks
SocketKeyStorePassword=my_passowrd
SocketTrustStore=/path-trust/truststore.jks
SocketTrustStorePassword=my_password
My error
javax.net.ssl|ERROR|A2|NioProcessor-2|2024-05-08 16:28:46.528 BRT|TransportContext.java:370|Fatal (UNSUPPORTED_CERTIFICATE): Certificates do not conform to algorithm constraints (
"throwable" : {
java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1573)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1538)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1456)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:816)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:591)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:356)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:517)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1569)
... 30 more}
Requirements from the party to the connection
Listing the cipher suites textually:
- TLS_ECDHE_RSA_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_AES_128_CBC_SHA256
In this post QuickFIX/J CipherSuites , I received a tip on what CipherSuites I need to inform.
Thanks for the help @ChristophJohn and @dave_thompson_085
Clarifying my problem
I was tasked with establishing a connection with an acceptor using a JKS certificate. Upon inspecting the certificate using the command keytool -list -v -keystore cert.jks -storepass my_password, I discovered that it employs the SHA1withRSA signature algorithm.
According to the error stack trace, this algorithm is not accepted by my current Java security policy. Ideally, the solution would involve obtaining a new certificate that doesn't use SHA1withRSA. However, due to constraints beyond my control, this was not feasible. Consequently, I was compelled to find a way to adjust my Java security properties to permit the use of this algorithm.
Solution
Following the advices from these two posts java.security.cert.CertificateException: Certificates does not conform to algorithm constraints and Java Algorithm constraints check failed on key RSA with size of 1024bits , I changed my java.security to allow SHA1withRSA.
- Restricting access to static methds with ArchUnit
- Java day of the week from string
- Populating Spinner using ArrayList in Android
- Ionic Capacitor - Unknown Kotlin JVM target: 21
- Singleton & Multithreading in Java
- Maven version management w multiple child modules
- get number of working days in specific month
- Issue with Regex Pattern (split string with characters & numbers)
- Why would I ever create a separate mutex/lock object?
- Happens before guarantee in Volatile
- android.security.KeyStoreException: Signature/MAC verification failed
- array of parameterized types
- JavaFX WARNING: Unsupported JavaFX configuration: classes were loaded from 'unnamed module @...'
- unit test @Valid of springboot without having to spin up / mock the server
- Why dec 31 2010 returns 1 as week of year?
- Performance Difference of AtomicInteger vs Integer
- how do i restric a float value to only one placess after decimal in kotlin android
- consecutive pairs divisible by 3
- How to call a service from Main application calls Spring Boot?
- Setting Namespace Attributes on an Element
- How to find jUnit tests in a Java project?
- validate the credit card expiry date using java?
- A failure occurred while executing com.android.build.gradle.internal.tasks.FinalizeBundleTask$BundleToolRunnable
- Is Java completely Platform Independent?
- What does it exactly mean to use @DirtiesContext annotation on a class?
- Spring JBDC bad SQL grammar on PostgreSQL
- Test REST APIs on a real server (without localhost )
- How can I pass an array of objects in query params in postman for the post request?
- Is there a way to do 24-hour format and 60-minute format in Java?
- Removing files installed by previous version in Inno Setup