【问题标题】:Writing java client for ssl authentication [duplicate]为ssl身份验证编写java客户端[重复]
【发布时间】:2015-10-05 04:48:40
【问题描述】:

我已经按照这些命令创建了一个 openssl 证书

D:\softwares\apache-tomcat-8.0.24\bin>openssl genrsa -out serverprivatekey.pem 2048

D:\softwares\apache-tomcat-8.0.24\bin>openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095

D:\softwares\apache-tomcat-8.0.24\bin>openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem

D:\softwares\apache-tomcat-8.0.24\bin>keytool -importkeystore -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

我配置了tomcat的server.xml文件并启用了HTTPS。当我在网络浏览器上打开该网站时,它工作得非常好。

现在我正在尝试使用 Java8 和 Apache HttpClient 4.5 为此编写一个 java 客户端。我写了以下代码

  CloseableHttpClient httpclient = HttpClients.createDefault();
  HttpGet httpGet = new HttpGet("https://localhost:8443/first/rest/hello");
  CloseableHttpResponse response = httpclient.execute(httpGet);
  System.out.println( response.getStatusLine());

而且我遇到了以下异常。我必须在 java 密钥库中添加证书吗?要不然是啥 ?我已经这样做了,但是该密钥库是从 tomcat 主目录执行的。不知道该怎么办。

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at com.vogella.jersey.first.Test.usingApacheHttp(Test.java:34)
    at com.vogella.jersey.first.Test.main(Test.java:27)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 27 more

【问题讨论】:

  • 当您使用带有自签名证书的自定义信任库时,您需要创建一个 SSLContext 并将自定义信任库加载到它,类似于this example here

标签: java rest tomcat ssl apache-httpclient-4.x


【解决方案1】:

您的 Java 客户端信任库不信任服务器证书。您必须:

  1. 将其从服务器密钥库导出到客户端信任库,或者更好
  2. 由 CA 签署。

【讨论】:

    猜你喜欢
    • 2014-07-01
    • 2014-04-23
    • 2014-09-15
    • 2014-11-13
    • 1970-01-01
    • 2019-01-08
    • 1970-01-01
    • 2015-03-01
    • 1970-01-01
    相关资源
    最近更新 更多