[英]SSL Error : no suitable certificate found continuing without client authentication in java
I am facing issues with client certificate authentication using java (HttpUrlConnection, HttpClient apache)我在使用 java(HttpUrlConnection,HttpClient apache)时遇到客户端证书身份验证问题
I tried through curl it works: curl -v POST -H "Content-Type: application/json" --data Jsondata --cert-type P12 --cert path/to/certificat:password https://url -k
我通过 curl 尝试了它的工作原理: curl -v POST -H "Content-Type: application/json" --data Jsondata --cert-type P12 --cert path/to/certificat:password https://url -k
But when i try to execute the some request using java, it gives: no suitable certificate found - continuing without client authentication
但是当我尝试使用 java 执行某些请求时,它给出: no suitable certificate found - continuing without client authentication
code Java using HttpUrlConnection:代码 Java 使用 HttpUrlConnection:
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream fis = new FileInputStream(certificatPath);
ks.load(fis, password.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);
HttpsURLConnection postConnection = (HttpsURLConnection) url.openConnection();
if (postConnection instanceof HttpsURLConnection) {
((HttpsURLConnection)postConnection).setSSLSocketFactory(sslContext.getSocketFactory());
}
in ssl logs the keystore and trustore are loaded correctly在 ssl 日志中,密钥库和信任库已正确加载
***
found key for : aliasKey
***
***
trustStore is: javaHome\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
but after "Server done" step, it gives message但在“服务器完成”步骤之后,它会给出消息
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
I tested several solutions but I still have the same error message, even if the keystore is loaded with the same private key CN specified in certificate request我测试了几个解决方案,但我仍然有相同的错误消息,即使密钥库加载了证书请求中指定的相同私钥 CN
*** CertificateRequest
Cert Types:
RSA
,
DSS
,
ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), Unknown (hash:0x3, signature:0x3), SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
CN authorities ....
the some code works perfectly with another certificat in some format p12某些代码与某种格式的另一个证书完美配合 p12
when i tested the solution proposed in link How I can tell alias of the wanted key-entry to SSLSocket before connecting?当我测试链接中提出的解决方案时, 如何在连接之前告诉 SSLSocket 所需密钥条目的别名? the problem is resolved:问题已解决:
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream fis = new FileInputStream(keystorePath);
ks.load(fis, keystorePwd.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keystorePwd.toCharArray());
final X509KeyManager origKm = (X509KeyManager)kmf.getKeyManagers()[0];
X509KeyManager km = new X509KeyManager() {
@Override
public String[] getClientAliases(String string, Principal[] prncpls) {
return origKm.getClientAliases(string, prncpls);//To change body of generated methods, choose Tools | Templates.
}
@Override
public String chooseClientAlias(String[] strings, Principal[] prncpls, Socket socket) {
return certificatAlias; //To change body of generated methods, choose Tools | Templates.
}
@Override
public String[] getServerAliases(String string, Principal[] prncpls) {
return origKm.getServerAliases(string, prncpls); //To change body of generated methods, choose Tools | Templates.
}
@Override
public String chooseServerAlias(String string, Principal[] prncpls, Socket socket) {
return origKm.chooseServerAlias(string, prncpls, socket);//To change body of generated methods, choose Tools | Templates.
}
@Override
public PrivateKey getPrivateKey(String string) {
System.out.println(".getPrivateKey() :"+string) ;
return origKm.getPrivateKey(string);
}
@Override
public X509Certificate[] getCertificateChain(String string) {
System.out.println(".etCertificateChain :"+string) ;
return origKm.getCertificateChain(string);
}
};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);
``
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.