
Certificate unknown error — Is trustStore used by Java

With JDK 1.4.2, my server side code attempts but fails to connect to a Google URL via Https (for reCAPTCHA verification). It appears that the handshake process fails when it reaches the GeoTrust certificate in the chain, with a fatal alert certificate_unknown. I've used keytool to verify that a valid geotrust certificate is in the trust store. The certificate on the client side is self-signed, generated by keytool. It doesn't appear to be involved yet to the point of this error. My questions are:

  • Is the JDK version too old for this?
  • How can I be sure that the trust store is being used? The debug output doesn't have any indicator in that respect. I set the trust store location explicitly in my code just to be sure.

I'd appreciate any insight on how to get this to work. Thanks.

Part of My Code:

import java.io.DataOutputStream;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

...
System.setProperty("javax.net.debug", "all");
debug.println(" -- java home: " + System.getProperty("java.home"));
// explicit trust store: the same cacerts file JSSE would use by default
System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
debug.println(" -- javax.net.ssl.trustStore: " + System.getProperty("javax.net.ssl.trustStore"));
// client key store holding the self-signed certificate generated with keytool
System.setProperty("javax.net.ssl.keyStore", System.getProperty("java.home") + "/lib/security/sl-test.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
URL u = new URL(VERIFY_URL);
HttpsURLConnection urlConn = (HttpsURLConnection)u.openConnection();

debug.println(" -- set params");
urlConn.setRequestMethod("POST");
urlConn.setDoOutput(true);
// "&" was missing before remoteip, which would have appended it to the response value
String params = "secret=" + secretKey + "&response=" + answer + "&remoteip=" + remoteIP;

debug.println(" -- write");
DataOutputStream wr = new DataOutputStream(urlConn.getOutputStream());
wr.writeBytes(params);
wr.flush();
...

Debug Output:

11/1/16 6:29:59 AM, Debug:  -- java home: /usr/local/j2sdk1.4.2_13/jre
11/1/16 6:29:59 AM, Debug:  -- javax.net.ssl.trustStore: /usr/local/j2sdk1.4.2_13/jre/lib/security/cacerts
11/1/16 6:29:59 AM, Debug:  -- set params
11/1/16 6:29:59 AM, Debug:  -- write
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1477941207 bytes = { 45, 37, 131, 243, 221, 171, 180, 252, 49, 49, 23, 95, 184, 46, 27, 142, 123, 251, 231, 191, 36, 237, 192, 105, 13, 131, 247, 18 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
thread-pool-26, WRITE: TLSv1 Handshake, length = 73
thread-pool-26, WRITE: SSLv2 client hello message, length = 98
thread-pool-26, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1477941207 bytes = { 197, 41, 29, 25, 107, 127, 2, 82, 166, 216, 201, 197, 71, 86, 192, 136, 13, 41, 74, 115, 11, 230, 3, 56, 247, 142, 3, 84 }
Session ID:  {98, 65, 244, 32, 10, 29, 122, 200, 236, 125, 14, 230, 208, 25, 47, 42, 248, 37, 243, 170, 183, 55, 207, 106, 178, 32, 136, 84, 11, 199, 209, 223}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created:  [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
thread-pool-26, READ: TLSv1 Handshake, length = 3081
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    930c0073 cd6105e6 7f838615 e1ec7f03 b6c37090 6768877d 5ca8d3dc f859a602
    744ccd31 bff5a67d 15ea0e5a c556191c d7749342 43635694 31377d0f 5a2ac2a7
    dc49f4e0 ca19a1f4 d7f41943 e2ce56fc 7638ffa0 e70cef9c 2396e05e b4638987
    bb238f06 a0c8b826 05de9310 e717ede8 6e2cfcb1 fab5cea5 9c98a0bd 712a1639
    e7dfce2b e6757238 38b995b9 ceb7f73d 944377dd f1ed7fe3 4b881e9f 2b9da8d8
    2083552b 07f951f7 ac186edf d3f92d84 47caec93 b5bf34fc 324e7856 af4343b3
    c3be2f41 c826cbe5 61eeb2da db22e0e2 b0a61e14 78b3a266 2dd33c38 56b5a28f
    615c5e7f 8b75f708 49816aae 09e807b2 a0ecf8e2 632bfe64 03ed38c0 1425c90f
  Validity: [From: Wed Oct 26 03:08:50 PDT 2016,
           To: Wed Jan 18 01:56:00 PST 2017]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    1311feb2 5eb90fa0]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 5C 30 5A 30 2B 06 08   2B 06 01 05 05 07 30 02  .\0Z0+..+.....0.
0010: 86 1F 68 74 74 70 3A 2F   2F 70 6B 69 2E 67 6F 6F  ..http://pki.goo
0020: 67 6C 65 2E 63 6F 6D 2F   47 49 41 47 32 2E 63 72  gle.com/GIAG2.cr
0030: 74 30 2B 06 08 2B 06 01   05 05 07 30 01 86 1F 68  t0+..+.....0...h
0040: 74 74 70 3A 2F 2F 63 6C   69 65 6E 74 73 31 2E 67  ttp://clients1.g
0050: 6F 6F 67 6C 65 2E 63 6F   6D 2F 6F 63 73 70        oogle.com/ocsp


[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 C0 2B 4A D4 81 93 09   DD 23 15 24 87 95 D4 6A  ..+J.....#.$...j
0010: AB 70 CE B3                                        .p..
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]

]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://pki.google.com/GIAG2.crl]
]]

[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: www.google.com]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

]
  Algorithm: [1.2.840.113549.1.1.11]
  Signature:
0000: 22 09 AA 59 92 54 50 BF   C8 C5 4C 6A DC F5 86 D1  "..Y.TP...Lj....
0010: F8 F3 2A CF C1 72 CB AE   12 A7 3E 0A 88 8E 3D FF  ..*..r....>...=.
0020: E3 14 B5 EB E6 EB 36 45   BD E3 86 D9 61 26 21 55  ......6E....a&!U
0030: 1D 6F 28 D9 23 F2 75 13   47 15 C4 ED DF 1A 52 59  .o(.#.u.G.....RY
0040: 36 95 80 17 D4 89 18 8D   BC 32 0F FF D8 FA 5E 64  6........2....^d
0050: FA 79 1E B4 60 E1 71 41   8D 7A E7 B8 FF C3 3B 21  .y..`.qA.z....;!
0060: CA 45 62 5B B4 BD 31 F1   7A 74 D2 51 2A 11 98 42  .Eb[..1.zt.Q*..B
0070: 1D 14 F1 1F 44 D9 0B 50   B6 C4 52 4F 79 89 03 47  ....D..P..ROy..G
0080: 96 89 33 E3 FF 21 DF 9D   66 B8 FC 9C 01 86 9C 12  ..3..!..f.......
0090: 4E 86 E1 34 79 4B 27 F9   FE 98 C9 CC 40 A3 15 29  N..4yK'.....@..)
00A0: 4A F6 4B F3 1A 2F E4 F4   B6 8A 97 80 A6 53 70 27  J.K../.......Sp'
00B0: FD 29 B1 6E 6D 5A D2 B6   DE 7A A8 FC C4 1F 54 9C  .).nmZ...z....T.
00C0: DB E3 8A 36 96 13 D9 10   11 95 11 F9 8B EF 7B 87  ...6............
00D0: 7E 70 54 B6 06 1B 16 65   91 7A 4D DA C1 17 DE E7  .pT....e.zM.....
00E0: 0D 57 F1 8A 98 BE C8 E7   3E 82 7A 14 C7 B7 3F 7A  .W......>.z...?z
00F0: 7F E4 0C 6D 8B 62 E5 4A   94 23 FD 2A 5D A2 4D 4F  ...m.b.J.#.*].MO

]
chain [1] = [
[
  Version: V3
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    9c2a0477 5cd85091 3a06a382 e0d85048 bc893ff1 19701a88 467ee08f c5f189ce
    21ee5afe 610db732 4489a074 0b534f55 a4ce8262 95eeeb59 5fc6e105 8012c45e
    943fbc5b 4838f453 f724e6fb 91e915c4 cff4530d f44afc9f 54de7dbe a06b6f87
    c0d0501f 28300340 da087351 6c7fff3a 3ca73706 8ebd4b11 04eb7d24 dee6f9fc
    3171fb94 d560f32e 4aaf42d2 cbeac46a 1ab2cc53 dd154b8b 1fc81961 1fcd9da8
    3e632b84 35696584 c819c546 22f85395 bee3804a 10c62aec ba972011 c7399910
    04a0f061 7a95258c 4e5275e2 b6ed08ca 14fcce22 6ab34ecf 46039797 037ec0b1
    de7baf45 33cfba3e 71b7def4 2525c20d 35899d9d fb0e1179 891e37c5 af8e7269
  Validity: [From: Tue Mar 31 17:00:00 PDT 2015,
           To: Sun Dec 31 15:59:59 PST 2017]
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a92]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 22 30 20 30 1E 06 08   2B 06 01 05 05 07 30 01  ."0 0...+.....0.
0010: 86 12 68 74 74 70 3A 2F   2F 67 2E 73 79 6D 63 64  ..http://g.symcd
0020: 2E 63 6F 6D                                        .com


[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]

]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://g.symcb.com/crls/gtglobal.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

]
  Algorithm: [1.2.840.113549.1.1.11]
  Signature:
0000: 08 4E 04 A7 80 7F 10 16   43 5E 02 AD D7 42 80 F4  .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D   90 84 18 7D E7 90 15 FB  ................
0020: 49 7F A8 99 05 91 BB 7A   C9 D6 3C 37 18 09 9A B6  I......z..<7....
0030: C7 92 20 07 35 33 09 E4   28 63 72 0D B4 E0 32 9C  .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1   50 58 B0 13 AA 13 1A 1B  ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48   63 49 E9 99 5D 20 37 CC  2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9   DE 49 82 C0 10 70 F4 2C  .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC   A5 D9 5E 1E 6D 92 C1 A7  ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C   65 69 CD 87 A4 41 50 3F  .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E   8C 09 A1 AC 7A A4 12 A5  .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03   06 F7 66 58 5F 5F 64 E1  '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98   4C 29 5A 3A 8D D3 2B CA  .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5   80 AC 26 ED 17 89 A6 93  .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E   64 E3 7D 9A E2 00 B3 49  l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7   70 90 46 4E BE D0 DB 59  .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71   CC 01 C2 12 C1 21 C6 16  .l...6.q.....!..

]
chain [2] = [
[
  Version: V3
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    dacc1863 30fdf417 231a567e 5bdf3c6c 38e471b7 7891d4bc a1d84cf8 a843b603
    e94d2107 0888da58 2f663929 bd05788b 9d38e805 b76a7e71 a4e6c460 a6b0ef80
    e489280f 9e25d6ed 83f3ada6 91c798c9 42183514 9dad9846 922e4fca f18743c1
    1695572d 50ef892d 807a57ad f2ee5f6b d2008db9 14f81415 35d9c046 a37b72c8
    91bfc955 2bcdd097 3e9c2664 ccdfce83 1971ca4e e6d4d57b a919cd55 dec8ecd2
    5e3853e5 5c4f8c2d fe502336 fc66e6cb 8ea43919 00b79502 39910b0e fe382ed1
    1d059af6 4d3e6f0f 071daf2c 1e8f6039 e2fa3653 1339d45e 262bdb3d a814bd32
    eb180328 520471e5 ab333de1 38bb0736 84629c79 ea1630f4 5fc02be8 716be4f9
  Validity: [From: Mon May 20 21:00:00 PDT 2002,
           To: Mon Aug 20 21:00:00 PDT 2018]
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    12bbe6]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95   D7 47 D8 23 20 10 4F 33  H.h.+....G.# .O3
0010: 98 90 9F D4                                        ....
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.geotrust.com/crls/secureca.crl]
]]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2D 68 74 74 70 73 3A   2F 2F 77 77 77 2E 67 65  .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63   6F 6D 2F 72 65 73 6F 75  otrust.com/resou
0020: 72 63 65 73 2F 72 65 70   6F 73 69 74 6F 72 79     rces/repository

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 76 E1 12 6E 4E 4B 16 12   86 30 06 B2 81 08 CF F0  v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2   ED D4 3B 1F FF F0 F0 C8  ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D   18 D0 55 83 A2 6A CB 36  N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F   B8 13 D4 47 FE 8B 5A 5C  ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38   AB 97 34 14 AA 96 D2 EB  s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5   91 EF 83 36 EB 1D 56 6F  ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F   7B 3E 22 CB 3D 07 ED 5F  ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1   AF 98 EE 61 F2 84 3F 12  8t...PN....a..?.

]
***
thread-pool-26, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
thread-pool-26, WRITE: TLSv1 Alert, length = 2
thread-pool-26, called closeSocket()
thread-pool-26, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Critical: ReCaptcha.verify(), error: Exception while contacting verification site, exception: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Debug: ReCaptcha.verify(), success ? false

Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: 1.2.840.113549.1.1.11 , OID = 1.2.840.113549.1.1.11

... sun.security.validator.ValidatorException: Certificate signature validation failed ...

The problem is not a missing CA in the trust store but that the signature can not be validated. The algorithm 1.2.840.113549.1.1.11 refers to sha256WithRSAEncryption and it looks like your application does not understand this one.

While this signature algorithm was added with JDK 1.4.2, there are other reports with exactly the same JDK version and with the same problem. The recommendation seems to be to use BouncyCastle if an upgrade to a later Java version is not possible. See Certificate signature validation failed for more information.
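The two things worth checking here, the asker's "is my trust store actually being used" and the answer's "does this JVM understand sha256WithRSA", can both be verified offline without a TLS handshake. The following diagnostic is an added example, not code from the question, the answer or the JDK; the class name TrustStoreCheck and its helpers are hypothetical, it is written without generics so it also compiles on the JDK 1.4.2 discussed above, it defaults to java.home/lib/security/cacerts with the password "changeit" from the question, and it assumes an optional second argument pointing at a PEM file containing the server chain (leaf first) captured some other way.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* Hypothetical diagnostic class (not from the question or the answer). */
public class TrustStoreCheck {

    /* Load a JKS trust store from an explicit path, as javax.net.ssl.trustStore does. */
    static KeyStore loadStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /* The CAs the default X509TrustManager accepts when built from this store:
     * this is the list JSSE consults, so it answers "is the store used" more
     * directly than the handshake debug log does. */
    static X509Certificate[] acceptedIssuers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                return ((X509TrustManager) tms[i]).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /* True if some accepted issuer's subject contains the fragment, e.g. "GeoTrust Global CA". */
    static boolean hasIssuer(X509Certificate[] issuers, String cnFragment) {
        for (int i = 0; i < issuers.length; i++) {
            if (issuers[i].getSubjectX500Principal().getName().indexOf(cnFragment) >= 0) {
                return true;
            }
        }
        return false;
    }

    /* Provider implementing the signature algorithm, or null if the JVM has none.
     * The answer's diagnosis is that SHA256withRSA (OID 1.2.840.113549.1.1.11)
     * is not usable on the old JDK; this makes that visible without a handshake. */
    static String providerFor(String algorithm) {
        try {
            return Signature.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /* Offline PKIX validation of a PEM chain against the store. Revocation is
     * disabled so no network is needed; a failure here reproduces the
     * "Certificate signature validation failed" without the TLS noise. */
    static String validateChain(String pemPath, KeyStore ks) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(pemPath);
        List certs = new ArrayList();
        try {
            for (Iterator it = cf.generateCertificates(in).iterator(); it.hasNext();) {
                certs.add(it.next());
            }
        } finally {
            in.close();
        }
        if (certs.isEmpty()) {
            return "invalid: no certificates in " + pemPath;
        }
        // A self-signed root at the end belongs in the anchor set, not in the path.
        X509Certificate last = (X509Certificate) certs.get(certs.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            certs.remove(certs.size() - 1);
        }
        CertPath path = cf.generateCertPath(certs);
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "valid";
        } catch (CertPathValidatorException e) {
            return "invalid: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String store = args.length > 0 ? args[0]
            : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = loadStore(store, "changeit");
        X509Certificate[] issuers = acceptedIssuers(ks);
        System.out.println(store + ": " + issuers.length + " accepted issuers");
        System.out.println("GeoTrust Global CA trusted: " + hasIssuer(issuers, "GeoTrust Global CA"));
        System.out.println("SHA256withRSA provider: " + providerFor("SHA256withRSA"));
        if (args.length > 1) {
            System.out.println("chain " + args[1] + ": " + validateChain(args[1], ks));
        }
    }
}
```

Run it with the same JVM the application uses (the /usr/local/j2sdk1.4.2_13 one from the debug output), since the trust store, the TrustManager and the signature providers are all per-JVM. If the GeoTrust anchor is listed but providerFor returns null or validateChain reports a signature failure on the chain, the store is fine and the problem is the signature algorithm, which is the answer's conclusion; if the anchor is missing, the store is not the one being consulted.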
