堆栈内存溢出
  简体   繁体   English

SSL 错误:在 java 中没有找到合适的证书而无需客户端身份验证继续

[英]SSL Error : no suitable certificate found continuing without client authentication in java

 原文  2020-07-10 22:12:02       java/ ssl/ ssl-certificate/ java-7

问题描述

I am facing issues with client certificate authentication using java (HttpUrlConnection, HttpClient apache)我在使用 java(HttpUrlConnection,HttpClient apache)时遇到客户端证书身份验证问题
I tried through curl it works: curl -v POST -H "Content-Type: application/json" --data Jsondata --cert-type P12 --cert path/to/certificat:password https://url -k我通过 curl 尝试了它的工作原理: curl -v POST -H "Content-Type: application/json" --data Jsondata --cert-type P12 --cert path/to/certificat:password https://url -k

But when i try to execute the some request using java, it gives: no suitable certificate found - continuing without client authentication但是当我尝试使用 java 执行某些请求时,它给出: no suitable certificate found - continuing without client authentication

code Java using HttpUrlConnection:代码 Java 使用 HttpUrlConnection:

                 KeyStore ks = KeyStore.getInstance("PKCS12");
                 FileInputStream fis = new FileInputStream(certificatPath);
                ks.load(fis, password.toCharArray());
                
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ks, password.toCharArray());

                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(kmf.getKeyManagers(), null, null);
                HttpsURLConnection postConnection = (HttpsURLConnection) url.openConnection();
               if (postConnection instanceof HttpsURLConnection) {
                    
                 ((HttpsURLConnection)postConnection).setSSLSocketFactory(sslContext.getSocketFactory());
               }

in ssl logs the keystore and trustore are loaded correctly在 ssl 日志中,密钥库和信任库已正确加载

***
found key for : aliasKey

***
***
trustStore is: javaHome\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore

but after "Server done" step, it gives message但在“服务器完成”步骤之后,它会给出消息

Warning: no suitable certificate found - continuing without client authentication

*** Certificate chain
<Empty>

I tested several solutions but I still have the same error message, even if the keystore is loaded with the same private key CN specified in certificate request我测试了几个解决方案,但我仍然有相同的错误消息,即使密钥库加载了证书请求中指定的相同私钥 CN

 *** CertificateRequest
 Cert Types: 
 RSA
 , 
 DSS
,
 ECDSA

Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), Unknown (hash:0x3, signature:0x3), SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
CN authorities ....

the some code works perfectly with another certificat in some format p12某些代码与某种格式的另一个证书完美配合 p12

1 个解决方案

解决方案1
 0 已采纳  2020-07-14 08:54:30

when i tested the solution proposed in link How I can tell alias of the wanted key-entry to SSLSocket before connecting?当我测试链接中提出的解决方案时, 如何在连接之前告诉 SSLSocket 所需密钥条目的别名? the problem is resolved:问题已解决:

 KeyStore ks = KeyStore.getInstance("PKCS12");
                FileInputStream fis = new FileInputStream(keystorePath);
                ks.load(fis, keystorePwd.toCharArray());
                
                KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(ks, keystorePwd.toCharArray());

                final X509KeyManager origKm = (X509KeyManager)kmf.getKeyManagers()[0];
                
                X509KeyManager km = new X509KeyManager() {
                    @Override
                    public String[] getClientAliases(String string, Principal[] prncpls) {
                      return  origKm.getClientAliases(string, prncpls);//To change body of generated methods, choose Tools | Templates.
                    }

                    @Override
                    public String chooseClientAlias(String[] strings, Principal[] prncpls, Socket socket) {
                        return certificatAlias; //To change body of generated methods, choose Tools | Templates.
                    }

                    @Override
                    public String[] getServerAliases(String string, Principal[] prncpls) {
                        return origKm.getServerAliases(string, prncpls); //To change body of generated methods, choose Tools | Templates.
                    }

                    @Override
                    public String chooseServerAlias(String string, Principal[] prncpls, Socket socket) {
                        return origKm.chooseServerAlias(string, prncpls, socket);//To change body of generated methods, choose Tools | Templates.
                    }

                    @Override
                    public PrivateKey getPrivateKey(String string) {
                        System.out.println(".getPrivateKey() :"+string) ;
                         return origKm.getPrivateKey(string);
                    }

                    @Override
                    public X509Certificate[] getCertificateChain(String string) {
                        System.out.println(".etCertificateChain :"+string) ;
                         return origKm.getCertificateChain(string);
                       
                    }
            };
            

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(new KeyManager[] { km }, null, null);
``

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 警告:未找到合适的证书 - 无需客户端身份验证即可继续 - Warning: no suitable certificate found - continuing without client authentication SSL 找不到合适的证书 - SSL no suitable certificate found 在没有证书的SSL握手中添加客户端身份验证 - Adding client authentication in SSL handshake without certificate 带有SSL身份验证的Java SOAP客户端:错误证书 - Java SOAP Client with SSL authentication : bad certificate SSL客户端身份验证-即使我的客户端证书与“证书颁发机构”中的列表匹配,也找不到合适的证书 - SSL Client Authentiction - no suitable certificate found even though my client certificate matches to the list in 'Cert Authorities' Java - 使用客户端证书身份验证时取消Ssl流 - Java - Ssl stream is cancelled when using client certificate authentication 使用Java2se HTML单元的SSL客户端证书认证 - SSL client certificate authentication with Java2se html-unit 在 Java 中选择 SSL 客户端证书 - Choosing SSL client certificate in Java 具有SSL客户端身份验证的Java RMI:获取客户端x509证书 - Java RMI with SSL client authentication: obtain client x509Certificate 使用运行时Android / Java上提供的客户端证书进行TLS / SSL客户端身份验证 - TLS/SSL client authentication using a client certificate which comes available at runtime Android/Java
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM