logo标签列表

Java证书客户端SSL:无法找到请求目标的有效认证路径

javasslcertificateclientpem
4
我们要求客户端身份认证才能够向我们的一些Web服务发送RESTful请求。我已经通过密钥工具在我的本地Mac OS上安装了客户端证书(.pem)和密钥,它们并非自签名。
openssl pkcs12 -export -name myservercert -in not_self_signed.crt -inkey server.key -out keystore.p12

转换为JKS格式

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

我正在尝试构建一个Java客户端来进行身份验证。目前我已经想出了以下内容:
import java.io.FileInputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;


public class TestClientCustomSSL {

    public final static void main(String[] args) throws Exception {

        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(new FileInputStream("/Users/me/mykeystore.jks"), "mypassword".toCharArray());

        SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, "mypassword".toCharArray()).build();

        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1"},
                null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();

        try {

            HttpGet httpget = new HttpGet("https://restful-service-i-am-calling/v1/endpoint/data?ip=0.0.0.1");

            System.out.println("Executing request " + httpget.getRequestLine());

            CloseableHttpResponse response = httpclient.execute(httpget);
            try {
                HttpEntity entity = response.getEntity();

                System.out.println("----------------------------------------");
                System.out.println(response.getStatusLine());
                EntityUtils.consume(entity);
            } finally {
                response.close();
            }
        } finally {
            httpclient.close();
        }
    }

}

以下是我收到的堆栈跟踪信息。但根据我在这里阅读的内容,我的类应该能够顺利发送请求。
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at com.mycompany.main(ClientCustomSSL.java:101)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
    ... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 26 more

非常感谢您的帮助。

编辑:

我想告诉您,我已经成功地使用相同的 pem 和 key 在服务器上进行了 wget 操作,并且得到了 200 响应。

wget --certificate ~/Desktop/my.cert.pem --private-key ~/Desktop/my.key.key https://mycompany.com/v1/939044?data=0.0.0.1

编辑 2:::*

根据下面 @EJP 的回答,还需要添加来自服务器站点的证书:

openssl x509 -in <(openssl s_client -connect the.api.i.am.calling.com:443 -prexit 2>/dev/null) -out ~/Desktop/the.api.i.am.calling.crt

然后我将证书导入到相同的密钥库中:

keytool -importcert -file ~/Desktop/the.api.i.am.calling.crt -alias the.api.i.am.calling.com -keystore /Users/me/mykeystore.jks -storepass mypassword

运行list命令会显示两个证书都在密钥库中:
keytool -list -keystore /Users/me/mykeystore.jks 
Enter keystore password:  *********

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

my.auth.client.cert.com, Oct 17, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 3D:95:32:E5:F9:9E:4A:53:84:EB:AB:1B:B9:A2:4C:A5:1B:5E:DA:76
the.api.i.am.calling.com, Oct 18, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 7C:4A:7B:CE:9B:0B:92:C0:4F:C0:DA:84:CF:F2:24:CF:99:83:0B:3F

但是我仍然收到相同的错误。

编辑3:

我忘记提及的另一件事是,我只向服务器端团队提供了我们的客户端证书名称... 例如dev.auth.client.com。我真的需要获取服务器端证书并将其存储在密钥库中吗?

2个回答
5

  1. 使用openssl生成P12文件

    openssl pkcs12 -export -in /Users/me/test.authclient.int.com.crt -inkey /Users/me/test.authclient.int.com.key -out authClient.p12 -name authClientCert

  2. 生成信任库密钥

    keytool -genkey -dname "cn=CLIENT" -alias trustStoreKey -keyalg RSA -keystore authClient-truststore.jks -keypass mypassword -storepass mypassword

  3. 现在,导入信任库密钥

    keytool -import -keystore authClient-truststore.jks -file /Users/me/test.authclient.int.com/test.authclient.int.com.crt -alias.test.authclient.int.com

  4. 获取远程证书

    openssl x509 -in <(openssl s_client -connect the.ssl.api.i.want.to.call.com:443 -prexit 2>/dev/null) -out the.api.i.want.to.call.crt

  5. 将服务器证书添加到信任库中

    keytool -importcert -file the.api.i.want.to.call.crt -alias the.api.i.want.to.call.com -keystore /Users/me/authClient-truststore.jks -storepass mypassword

这是我用来调用需要身份验证的API的客户端。

    KeyStore clientStore = KeyStore.getInstance("PKCS12");
    clientStore.load(new FileInputStream("/Users/me/authClient.p12"), "mypassword".toCharArray());

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(clientStore, "mypassword".toCharArray());
    KeyManager[] keyManagers = kmf.getKeyManagers();

    KeyStore trustStore = KeyStore.getInstance("JKS");
    trustStore.load(new FileInputStream("/Users/me/authClient-truststore.jks"), "mypassword".toCharArray());

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    TrustManager[] tms = tmf.getTrustManagers();

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(keyManagers, tms, new SecureRandom());

    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);
    CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();

    HttpGet httpget = new HttpGet(requestUrl);

    httpclient.execute(httpget);

好的,这就是全部。如果需要进一步帮助,请告诉我。但这应该已经足够了。

我无法理解这个。第一步没有使用keytool。第二步生成了一个密钥对,放在一个keystore中。第三步导入的是证书,而不是密钥。你把客户端KeyStore和truststore搞混了。第四步到第五步正是你声称不起作用的部分。 - user207421
我相信其他人会发现它很有用。 - Matt
@MattB,谢谢你的解决方案。这是唯一一个适用于authClient身份验证的方法。 - treize
@MattB,在我的情况下,我正在连接到一个Kafka服务器。 我错过了第4和第5步,只有这样我才能成功连接。谢谢! - caraca
3

这与您的客户端证书无关。您的信任存储不信任 服务器 证书。

谢谢EJP。如果您不介意提供一些关于如何让它信任服务器证书的细节,那将非常有帮助。我正在本地运行这个程序。 - Matt
真正的问题是为什么服务器证书没有签名?如果它们都是您的证书,请从服务器KeyStore中导出服务器证书,并使用keytool将其作为受信任的证书导入客户端truststore。 - user207421
如果是这种情况,我能发送这个吗?在我的本地工作得很好。wget --certificate ~/Desktop/my.cert.pem --private-key ~/Desktop/my.key.key https://mycompany.com/v1/939044?data=0.0.0.1 - Matt
我已将服务器证书添加到密钥库中。编辑2显示此更新…仍然是相同的结果。欢迎提供任何额外的指针。 - Matt
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接