无法找到请求目标的有效证书路径 - 签名证书
[英]unable to find valid certification path to requested target - signed cert
问题描述
I am working on a code that connects to slack through a proxy which act as a MITM and replaces slack cert with its own self signed cert.
我正在研究一个代码,它通过充当 MITM 的代理连接到 slack,并用它自己的自签名证书替换 slack 证书。 I added proxy's cert into a trust store and configured my RestTemplate to use the trust store:我将代理的证书添加到信任库中并将我的 RestTemplate 配置为使用信任库:
def sslContext = new SslContextBuilder().withTrustStore(trustStoreResource, trustStorePassword).build()
def proxy = proxyEnabled ? new HttpHost(proxyHost, proxyPort) : null
def httpClient = HttpClients.custom().setProxy(proxy).setSSLContext(sslContext).build()
def result = new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient))
That works fine.那很好用。 However, on my local I don't go through the proxy and connect to slack directly.但是,在我的本地我不通过代理 go 直接连接到 slack。 In other words, the httpClient in the above code would be configured with SSLContext but not proxy.换句话说,上面代码中的 httpClient 将配置 SSLContext 而不是代理。 I was expecting this to be fine since Slack's cert is signed with a valid root CA but my code fails to verify Slack's cert.我期待这会很好,因为 Slack 的证书是用有效的根 CA 签名的,但我的代码无法验证 Slack 的证书。
I am assuming this is because my trustore but I am confused as why this is happening.我假设这是因为我的委托人,但我很困惑为什么会这样。 Is it happening because root CAs are not imported in my trustsore?发生这种情况是因为根 CA 未导入到我的信任库中吗? If so, how would I do that without having to maintain the root CAs?如果是这样,我该怎么做而不必维护根 CA?
I understand that locally I can refrain from setting up a trust store but I would like to avoid adding branches in the code if possible.我知道在本地我可以避免设置信任库,但我想尽可能避免在代码中添加分支。
1 个解决方案
解决方案1
0 2020-05-15 20:22:01
What I finally ended up doing was to use the implementation in https://gist.github.com/JensRantil/9b7fecb3647ecf1e3076 to combine system's default trust store with mine and then used the following class to build my SSL context.我最终做的是使用https://gist.github.com/JensRantil/9b7fecb3647ecf1e3076中的实现将系统的默认信任库与我的相结合,然后使用以下 class 构建我的 SSL 上下文。 It's a shame HttpClient doesn't offer this but there might be a good reason for it.遗憾的是 HttpClient 没有提供这个,但可能有一个很好的理由。
import org.springframework.core.io.Resource
import javax.net.ssl.KeyManager
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import java.security.KeyStore
class SslContextBuilder {
private KeyManager[] keyManagers = []
private TrustManager[] trustManagers = []
SslContextBuilder withKeyStore(Resource resource, String password) {
def keyStore = KeyStore.getInstance('JKS')
keyStore.load(resource.getInputStream(), password.chars)
KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
kmfactory.init(keyStore, password.chars)
KeyManager[] kms = kmfactory.getKeyManagers()
keyManagers += kms ? kms : []
this
}
SslContextBuilder withTrustStore(Resource resource, String password) {
def trustStore = KeyStore.getInstance('JKS')
trustStore.load(resource.getInputStream(), password.chars)
def tss = CompositeX509TrustManager.getTrustManagers(trustStore)
trustManagers += tss ? tss : []
this
}
SSLContext build() {
def sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null)
sslContext
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.