SOAP - PKIX path building failed

I'm building a server that has to call two web services. The web services have the same CA certificate (PKCS12).

The first one receives requests by GET, the other one by a SOAP call.

Here follows the part of the code that creates the connection for the GET request:

            InputStream inputStream = null;

            // is https protocol?
            if (url.getProtocol().toLowerCase().equals("https")) {

                trustAllHosts();
                // create connection
                HttpsURLConnection httpsUrlConnection = null;
                if(proxy != null){
                    httpsUrlConnection = (HttpsURLConnection) url.openConnection(proxy);
                } else {
                    httpsUrlConnection = (HttpsURLConnection) url.openConnection();
                }
                // set the check to: do not verify
                httpsUrlConnection.setHostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String hostname, SSLSession session) {
                        return true;
                    }
                });

                setHeaders(httpsUrlConnection, headers);    

                // set the certificate

                log.debug("set certificate for get...");
                File cerp12 = new File(Utils.getWebAppLocalPath(),"WEB-INF"+String.valueOf(File.separatorChar)+PropConfig.getProperty("cer.p12"));
                ((HttpsURLConnection) httpsUrlConnection).setSSLSocketFactory(security(cerp12,PropConfig.getProperty("cer.pwd"))); 
                httpsUrlConnection.connect();

                inputStream = httpsUrlConnection.getInputStream();

            } else {
                HttpURLConnection httpUrlConnection = null;
                if(proxy != null){
                    httpUrlConnection = (HttpURLConnection) url.openConnection(proxy);
                } else {
                    httpUrlConnection = (HttpURLConnection) url.openConnection();
                }

                setHeaders(httpUrlConnection, headers);    

                inputStream = httpUrlConnection.getInputStream();
            }

            in = new BufferedReader(new InputStreamReader(inputStream));

            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                result.append(inputLine);
            }

And this part is for the SOAP request:

            InputStream inputStream = null;

            // is https protocol?
            if (url.getProtocol().toLowerCase().equals("https")) {

                trustAllHosts();
                // create connection
                HttpsURLConnection httpsUrlConnection = null;
                if(proxy != null){
                    httpsUrlConnection = (HttpsURLConnection) url.openConnection(proxy);
                } else {
                    httpsUrlConnection = (HttpsURLConnection) url.openConnection();
                }
                // set the check to: do not verify
                httpsUrlConnection.setHostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String hostname, SSLSession session) {
                        return true;
                    }
                });

                setHeaders(httpsUrlConnection, headers);    

                // set the certificate

                log.debug("set certificate for get...");
                File cerp12 = new File(Utils.getWebAppLocalPath(),"WEB-INF"+String.valueOf(File.separatorChar)+PropConfig.getProperty("cer.p12"));
                ((HttpsURLConnection) httpsUrlConnection).setSSLSocketFactory(security(cerp12,PropConfig.getProperty("cer.pwd"))); 
                httpsUrlConnection.connect();

                inputStream = httpsUrlConnection.getInputStream();

            } else {
                HttpURLConnection httpUrlConnection = null;
                if(proxy != null){
                    httpUrlConnection = (HttpURLConnection) url.openConnection(proxy);
                } else {
                    httpUrlConnection = (HttpURLConnection) url.openConnection();
                }

                setHeaders(httpUrlConnection, headers);    

                inputStream = httpUrlConnection.getInputStream();
            }

            in = new BufferedReader(new InputStreamReader(inputStream));

            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                result.append(inputLine);
            }

The code is almost the same.

With the GET request I have no problem, but with the SOAP request httpsUrlConnection.connect(); throws:

    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Here is how to create the SSL context for an HTTPS connection.

        SSLSocketFactory socketFactory = createSSLContext().getSocketFactory();

        HttpsURLConnection connection = (HttpsURLConnection) (url).openConnection();
        connection.setSSLSocketFactory(socketFactory);

And the method to create the SSL context. Note that it loads the root server certificate from a .pem file (X.509 format) and the client certificate from a .p12 file (PKCS12 format). If the server doesn't require a client certificate, pass null for the key managers. If the server certificate is issued by an authority which is already in $JRE_HOME/lib/security/cacerts, pass null as the trust managers.

And one more note: in the .pem file you should store the root certificate of the server certificate's PKIX path. For example, github.com: that site has the PKIX path CN = github.com -> CN = DigiCert High Assurance EV CA-1 -> CN = DigiCert High Assurance EV Root CA -> CN = GTE CyberTrust Global Root. So you store GTE CyberTrust Global Root.

    // Imports needed by the method below. Config is the answerer's own
    // configuration helper; IOUtils comes from Apache Commons IO.
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.commons.io.IOUtils;

    private final SSLContext createSSLContext()
            throws NoSuchAlgorithmException, KeyStoreException,
            CertificateException, IOException,
            UnrecoverableKeyException, KeyManagementException {

        // Client identity: private key + client certificate from the PKCS12 file.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");

        FileInputStream fis = null;
        try {
            fis = new FileInputStream(new File(Config.getString(Config.KEYSTORE_PATH)));
        } catch (Exception ex) {
            throw new IOException("not found keystore file: " + Config.getString(Config.KEYSTORE_PATH), ex);
        }
        try {
            keyStore.load(fis, Config.getString(Config.KEYSTORE_PASSWORD).toCharArray());
        } finally {
            IOUtils.closeQuietly(fis);
        }

        // Trust store: an empty in-memory JKS holding only the server's root
        // certificate read from the .pem (X.509) file.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream in = new FileInputStream(Config.getString(Config.HTTPS_SERVER_CERT));
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null);
        try {
            X509Certificate cacert = (X509Certificate) cf.generateCertificate(in);
            trustStore.setCertificateEntry("alias", cacert);
        } finally {
            IOUtils.closeQuietly(in);
        }

        // Trust managers built from the single root; pass null to
        // sslContext.init() instead to fall back to the JRE cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);

        // Key managers for the client certificate; pass null to init() if the
        // server does not ask for one.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, Config.getString(Config.KEYSTORE_PASSWORD).toCharArray());

        // "TLS" is the standard protocol name; SunJSSE also accepts "SSL" as an alias.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return sslContext;
    }
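The "unable to find valid certification path to requested target" message only says that the chain the server presented could not be linked to any anchor in the trust store; it does not say which issuer is missing. The following is an added example, not code from the question or the answer above, that builds the SSLContext the way the answer does and adds the diagnostic a practitioner wants: it reads every certificate in the PEM file (not just the first), loads the optional PKCS12 client identity, keeps the JSSE PKIX check and HTTPS hostname verification switched on (instead of a trust-all manager and a HostnameVerifier that returns true), and records the server's chain before the check runs so that on failure it can print the issuer that the trust store would have to contain. The class name PkixDiagnostic, the command-line arguments and the alias names are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (hypothetical class, not part of the original post).
 * Usage: java PkixDiagnostic <host> <port> <root-ca.pem> [client.p12 <p12-password>]
 */
public class PkixDiagnostic {

    /** Trust store holding every certificate found in the PEM file (root and any intermediates). */
    static KeyStore trustStoreFromPem(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                        // empty, in-memory
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("anchor-" + (i++), c);
            }
        }
        return trustStore;
    }

    /** Optional client identity from a PKCS12 file; null means "no client certificate". */
    static KeyManager[] keyManagersFromP12(String p12Path, char[] password) throws Exception {
        if (p12Path == null) return null;
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        return kmf.getKeyManagers();
    }

    /** Records the server chain, then delegates to the real PKIX trust manager (which still throws). */
    static class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] serverChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            serverChain = chain;                            // capture first, validate second
            delegate.checkServerTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore trustStore = trustStoreFromPem(args[2]);
        KeyManager[] kms = args.length > 4 ? keyManagersFromP12(args[3], args[4].toCharArray()) : null;

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        RecordingTrustManager rtm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, new TrustManager[] { rtm }, null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Hostname verification against the certificate, which a verify()-returns-true
            // HostnameVerifier silently disables on HttpsURLConnection.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("handshake OK: chain from " + host + " anchors in " + args[2]);
        } catch (SSLHandshakeException e) {
            System.out.println("handshake failed: " + e.getMessage());
            if (rtm.serverChain != null) {
                System.out.println("chain presented by the server (leaf first):");
                for (X509Certificate c : rtm.serverChain) {
                    System.out.println("  subject=" + c.getSubjectX500Principal()
                            + "  issuer=" + c.getIssuerX500Principal());
                }
                X509Certificate last = rtm.serverChain[rtm.serverChain.length - 1];
                System.out.println("the trust store needs a certificate with subject: " + last.getIssuerX500Principal());
            }
        }
    }
}
```

Run it once against each endpoint with the same PEM file. A trust store built from a single CA certificate, as in the answer, only validates chains that terminate at that anchor; if the SOAP endpoint's chain ends at a different issuer, the last line of the output names the certificate that has to be appended to the PEM file (or that the PKIX error is really a hostname mismatch, which the enabled endpoint identification will also surface instead of being masked by the verifier that always returns true).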
