logo标签列表

收到HTTP传输错误:javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX路径构建失败。

javaweb-servicesssljax-wspkcs#12
3
我正在使用jaxws-maven-plugin插件的wsimport目标在一个maven子模块中实现jax-ws web服务客户端。该插件负责解析多个已配置的.wsdl文件以生成所需的艺术品来编写客户端。
生成过程正常工作,但在实现客户端时,我需要在与部署的Web服务通信时使用SSL。为此,客户端向我提供了一个证书(cert.p12文件)和密码。
由于在使用jax-ws生成的艺术品实现Web服务客户端时没有访问HttpsURLConnection初始化SSLContext的权限,因此我编写了一个initProxySettings()方法,该方法将负责在调用客户端之前设置系统属性,如下所示。
private void initProxySettings() {
        Properties systemSettings = System.getProperties();

        systemSettings.setProperty("proxySet", "true");
        systemSettings.setProperty("http.proxyHost", proxyHost);
        systemSettings.setProperty("http.proxyPort", "443");
        systemSettings.setProperty("https.proxyHost", sslProxyHost);
        systemSettings.setProperty("https.proxyPort", sslProxyPort);

        systemSettings.setProperty("javax.net.ssl.keyStore", p12FilePath); 
        systemSettings.setProperty("javax.net.ssl.keyStorePassword",p12FilePassword); 
        systemSettings.setProperty("javax.net.ssl.keyStoreType", "pkcs12"); 
        systemSettings.setProperty("javax.net.debug", "ssl"); 

        System.setProperties(systemSettings);
    }

尝试通过服务运行连接测试时,我遇到了以下错误:
com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:121)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:142)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:83)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:105)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:587)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:546)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:531)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:428)
    at com.sun.xml.internal.ws.client.Stub.process(Stub.java:211)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:124)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:98)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:107)
    at $Proxy95.reportRatesTrade(Unknown Source)
    at myCompany.connectivity.myApp.wsconnector.FpmlReportSender.sendRateFpmlReport(FpmlReportSender.java:66)
    at myCompany.connectivity.myAPP.wsconnector.FpmlWsClientSender.sendFpmlViaWebService(FpmlWsClientSender.java:67)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:407)
    at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:278)
    at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:251)
    at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:166)
    at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:72)
    at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:398)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:118)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:80)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.component.file.GenericFileConsumer.processExchange(GenericFileConsumer.java:401)
    at org.apache.camel.component.file.GenericFileConsumer.processBatch(GenericFileConsumer.java:201)
    at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:165)
    at org.apache.camel.impl.ScheduledPollConsumer.doRun(ScheduledPollConsumer.java:187)
    at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:114)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:109)
    ... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:325)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:219)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 55 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:320)
    ... 61 more

以下是我缩短后的SSL调试摘录:
keyStore type is : pkcs12
keyStore provider is : 
init keystore
init keymanager of type SunX509
***
found key for : company- mail@mail.com
chain [0] = [
[
  Version: V3
  Subject: CN=company99DF011B-51A9-57F9-E341-E0A68D4B9751, OU=USERS, O=KGC0418
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  SunPKCS11-Solaris RSA public key, 2048 bits (id 139309464, session object)
  modulus: 22112756093157512458757695440781457752806273315592450355957740196952202759592017766120571999875831031807562268295134910443622272782776544232874456458580772402436337356828895708779249509298037562892132455656130873883482145964182231114271360652011365917415253840206676718726431817484730833855366587344152579527243740623
  public exponent: 65537
  Validity: [From: Sun Dec 08 17:31:09 MET 2013,
               To: Thu Jan 08 17:31:09 MET 2015]
  Issuer: CN=KGC0418 companyPROD, OU=company Authorized Use Only, O=KGC0418, C=US
  SerialNumber: [    03]

Certificate Extensions: 3
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   S/MIME
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1A C2 D9 E5 AC 6D 36 2F   65 F1 4C A2 11 3B 92 EB  .....m6/e.L..;..
0010: 9B F9 4B CA                                        ..K.
]

[CN=company Global Root CA, OU=company Authorized Use Only, O=COMPANY, C=US]
SerialNumber: [    14]
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:....
.........
......
.....
.....
***
trustStore is: /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
.........
........
.........
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1373450395 bytes = { 223, 37, 1, 148, 219, 69, 149, 109, 169, 194, 44, 197, 99, 80, 16, 189, 197, 104, 28, 99, 157, 172, 34, 240, 145, 73, 49, 89 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
Camel (myApp) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Handshake, length = 73
Camel (myApp) thread #0 - file://src/test/resources/fpml, WRITE: SSLv2 client hello message, length = 98
Camel (myApp) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1373446593 bytes = { 83, 8, 141, 30, 34, 196, 26, 7, 232, 255, 119, 56, 80, 5, 201, 181, 68, 107, 17, 160, 109, 152, 79, 219, 19, 16, 181, 222 }
Session ID:  {146, 198, 54, 212, 84, 229, 79, 190, 99, 152, 78, 98, 18, 19, 152, 253, 197, 212, 1, 37, 17, 33, 77, 113, 59, 86, 136, 120, 33, 19, 126, 1}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
Camel (myApp) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 1295
*** Certificate chain
chain [0] = [
[....
.....
.....
.....
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:...
....
...
]
***
Camel (myApp) thread #0 - file://src/test/resources/fpml, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
Camel (myApp) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Alert, length = 2
Camel (myApp) thread #0 - file://src/test/resources/fpml, called closeSocket()
Camel (myApp) thread #0 - file://src/test/resources/fpml, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Finalizer, called close()
Finalizer, called closeInternal(true)

你能告诉我在使用JAX-WS客户端时是否正确使用.p12证书的方法吗?如果我的实现有意义,那么我错过了什么?

------更新-------

如@Jcs在下一篇文章中建议的那样,我通过以下步骤创建了一个自定义的JKS格式新密钥库:

1/ 使用以下命令从cert.p12文件中提取公钥:

openssl.exe pkcs12 -in cert.p12 -clcerts -nokeys -out publicCert.pem

2/ 使用以下方法在JKS格式中创建新的信任存储:

keytool -import -alias test -file publicCert.pem -keystore myTrustStore.jks

然后,保持keyStore的相同配置,我已经将trusStore属性配置为指向这个新生成的JKS存储,如下所示:

systemSettings.setProperty("javax.net.ssl.trustStore", myTrustStore.jks);
systemSettings.setProperty("javax.net.ssl.trustStorePassword", jksFilePassword);
systemSettings.setProperty("javax.net.ssl.trustStoreType", "JKS");
/*****/
systemSettings.setProperty("javax.net.ssl.keyStore", cert.p12); 
systemSettings.setProperty("javax.net.ssl.keyStorePassword", p12FilePassword); 
systemSettings.setProperty("javax.net.ssl.keyStoreType", "pkcs12");

现在从ssl.debug控制台中可以看到,trustStore指向我在实现中设置的那个:

***
trustStore is: src\test\resources\certificate\myTrustStore.jks
trustStore type is : JKS
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=COMPANY 99DF011B-51A9-57F9-E341-E0A68D4B9751, OU=USERS, O=KGC0418
  Issuer:  CN=KGC0418 XXXXXXXXX
  Algorithm: RSA; Serial number: 0x3
  Valid from Sun Dec 08 17:31:09 GMT+01:00 2013 until Thu Jan 08 17:31:09 GMT+01:00 2015

trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1373559519 bytes = { 73, 210, 46, 42, 251, 113, 112, 255, 135, 100, 241, 240, 245, 125, 197, 72, 118, 72, 226, 121, 151, 222, 36, 76, 69, 108, 59, 223 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
Camel (camel-2) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Handshake, length = 73
Camel (camel-2) thread #0 - file://src/test/resources/fpml, WRITE: SSLv2 client hello message, length = 98
Camel (camel-2) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1373559520 bytes = { 208, 198, 151, 119, 235, 39, 193, 62, 48, 230, 205, 106, 86, 238, 78, 91, 82, 255, 187, 234, 12, 5, 121, 49, 30, 109, 211, 209 }
Session ID:  {6, 28, 249, 26, 112, 151, 19, 203, 2, 16, 79, 111, 188, 253, 24, 4, 247, 139, 66, 144, 210, 30, 101, 226, 40, 73, 228, 161, 55, 230, 221, 114}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
Camel (camel-2) thread #0 - file://src/test/resources/fpml, READ: TLSv1 Handshake, length = 1295
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xxxxxxxxxxxx
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 26518340377185970618433427871998795874305944949774222457599695023228997443108630011833718821919400987851754545189639992819856454324827540671299918071626122667103792561945932972886083246760975456684092491592159887675835743379582226715892057387136711529603424019350987371140627696296825793550900188321364783977163343619847560039629745177775488269466101953205609461762679291911956872358518707250384413293488030799581673273259857148207483603504965811669522407902645141827155299400058670101699158958543405382995894352227209548308584112363108195961049506258872806165116902528885827281882201616114758666943336739405701681289
  public exponent: 65537
  Validity: [From: Thu Nov 07 12:56:30 GMT+01:00 2013,
               To: Sat Jan 09 18:53:11 GMT+01:00 2016]
  Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
  SerialNumber: [    02a093]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://gtssl-ocsp.geotrust.com, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://gtssl-aia.geotrust.com/gtssl.crt]
]
....
[2]: ObjectId: 2.xx.xx.17 Criticality=false
....
[3]: ObjectId: 2.xx.xx.35 Criticality=false
...
[4]: ObjectId: 2.xx.xx.14 Criticality=false
....
[5]: ObjectId: 2.xx.xx.32 Criticality=false
....
[6]: ObjectId: 2.xx.xx.19 Criticality=true
....
[7]: ObjectId: 2.xx.xx.37 Criticality=false
....
[8]: ObjectId: 2.xx.xx.31 Criticality=false
..
.
[9]: ObjectId: 2.xx.xx.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 14 EB 1F A8 91 DE F0 A6   54 B4 BB D1 6F E4 10 63  ........T...o..c

]
***
Camel (camel-2) thread #0 - file://src/test/resources/fpml, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
Camel (camel-2) thread #0 - file://src/test/resources/fpml, WRITE: TLSv1 Alert, length = 2
Camel (camel-2) thread #0 - file://src/test/resources/fpml, called closeSocket()
Camel (camel-2) thread #0 - file://src/test/resources/fpml, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Camel (camel-2) thread #0 - file://src/test/resources/fpml, called close()
Camel (camel-2) thread #0 - file://src/test/resources/fpml, called closeInternal(true)

但是我仍然遇到相同的错误:

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:121)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:142)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:83)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:105)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:587)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:546)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:531)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:428)
    at com.sun.xml.internal.ws.client.Stub.process(Stub.java:211)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:124)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:98)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:107)
    at $Proxy102.reportRatesTrade(Unknown Source)
    at myCompany.connectivity.myApp.wsconnector.FpmlReportSender.sendRateFpmlReport(FpmlReportSender.java:75)
    at myCompany.connectivity.myApp.wsconnector.FpmlWsClientSender.sendFpmlViaWebService(FpmlWsClientSender.java:67)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:407)
    at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:278)
    at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:251)
    at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:166)
    at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:72)
    at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:398)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:118)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:80)
    at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:191)
    at org.apache.camel.component.file.GenericFileConsumer.processExchange(GenericFileConsumer.java:401)
    at org.apache.camel.component.file.GenericFileConsumer.processBatch(GenericFileConsumer.java:201)
    at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:165)
    at org.apache.camel.impl.ScheduledPollConsumer.doRun(ScheduledPollConsumer.java:187)
    at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:114)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:109)
    ... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 55 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 61 more

我是否正确设置了keyStore和trustStore?

您可以将 Issuer: CN=KGC0418 XXXXXXXXX 的证书添加为受信任的证书,而服务器使用的证书是 Issuer: CN=GeoTrust SSL CA。请尝试将正确的证书(Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US)添加到信任存储中。 - user1516873
1个回答
4
据我所见,您正确使用了PKCS#12文件。问题是由服务器证书引起的。由于您没有设置任何trustStore,因此默认的trustStore被使用。这在以下日志行中说明:
trustStore is: /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts

然而,SSL实现无法将服务器证书链附加到此存储中的任何受信任证书。可能该服务器证书是自签名的,可能由专用内部认证机构颁发,或者可能仅由未在此处列出的认证机构颁发。
要解决此问题,请向客户端请求根CA证书并将其添加到cacerts文件或创建一个新的自定义密钥库。您可以使用keytool -importcert命令。
如果您创建了一个新的密钥库,则需要将其添加到您的代码中:
systemSettings.setProperty("javax.net.ssl.trustStore", "/path/to/trust/store"); 
systemSettings.setProperty("javax.net.ssl.trustStorePassword", "trustStorePassword");
感谢您的回复,从我所了解的情况来看,我有两个选择:一是将客户端提供的根CA导入默认的cacerts文件中,该文件位于…/jre/lib/security/cacerts下;另一个选择是创建一个新的密钥库,并将其设置为信任存储区(trustStore),我猜测这个JKS文件描述了一个公钥(在这种情况下,我需要使用客户端最初发送给我的原始.p12文件吗?)。谢谢。 - Karim L.
是的,这是你的两个选择。我不认为.p12文件包含根证书(即使值得验证)。据我理解,此p12文件包含在使用Web服务时所需的客户端身份验证的密钥和证书。 - Jcs
感谢您的快速回复@Jcs,我已经从.p12证书生成了一个JKS文件,并将其设置为我的实现中的新trustStore。我现在指向新的trustStore,但仍然出现相同的异常。我已编辑我的帖子以跟踪您提到的更改 - Karim L.
1
抱歉,我觉得我在那一点上表达不清楚:信任存储必须包含颁发服务器SSL证书的根认证机构的证书,而不是您自己的证书(在p12文件中)。此外,您的证书和服务器证书由同一机构签名并没有什么理由。 - Jcs
是的,我改变了我的策略,通过使用浏览器从其URL导入证书到我JDK安装下的默认cacerts存储中(我列出了cacerts证书并发现所需的证书已成功导入),然后我设法将cacerts用作默认的trustStore而不是自定义的密钥库,并保留属性systemSettings.setProperty("javax.net.ssl.keyStore", "cert.p12");以将cert.p12文件用作密钥库。最终,不幸的是,我始终面临相同的错误。 - Karim L.
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接