
Certificate cannot be resolved by PKIXValidator

I am facing an issue where a TLS certificate (wildcard cert) is not resolved to a valid root cert in Java. Browsers (Firefox, Chrome) resolve it to be valid, but Java-driven programs do not. We use a wildcard cert in our case.

certpath: Constraints: ...
...

...

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.llorllale.youtrack.api.DefaultProjects.get(DefaultProjects.java:80)
    at com.company.youtrack.Main.main(Main.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 31 more

EDIT I am running a YouTrack server inside our company network, not accessible from the internet. I configured the immediate certificate chain including the root certificate. But sadly the root certificate itself is not returned (tested it with openssl s_client).

I would also like to mention that the server certificate is a wildcard certificate. I do not really know if that could lead to problems during verification...

EDIT

I know it is not best practice to return the self-signed root. Although I found comments throughout my research by people that state that sometimes it is necessary. I don't really know why it is necessary to be sure... I analyzed code in PKIXValidator and it seemed to me that the validator is resolving the chain until it receives a cert whereby the issuer is equal to the subject. My problem is (as I analyzed with openssl s_client) that the server only returns the server cert and the 1st intermediate cert. But there's a 2nd intermediate cert and a root in addition. I filed a bug at youtrack. See https://youtrack.jetbrains.com/issue/JT-66316 . There are comments which I did not make publicly available because of internals. When I have resolved the issue, I will report the solution here. In the meantime I would like to leave the issue open here.

Browsers use certificate AIA information while Java/Linux do not (by default). Your server in question may be configured to provide the certificate but not the certificates up to a trust anchor recognized by your Java application. openssl (s_client) or https://certcheckerapp.com/ can help you see what the server is actually returning.
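As an added illustration (not code from the question, the answer, or the JDK; a simplified model rather than PKIXValidator's real implementation), the Python sketch below walks a served chain issuer-to-subject until it reaches a trust anchor, the behaviour the asker describes. It shows why "leaf + first intermediate" alone ends in "unable to find valid certification path", while either an AIA caIssuers fetch (what browsers do, and what Java only does when com.sun.security.enableAIAcaIssuers=true is set) or serving the complete chain succeeds. All certificate names, URLs and the in-memory AIA repository are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Only the fields path building needs: names and the AIA caIssuers URL."""
    subject: str
    issuer: str
    aia_ca_issuers: Optional[str] = None

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed PKI: root -> intermediate 2 -> intermediate 1 -> wildcard leaf
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTER2 = Cert("CN=Example Intermediate 2", ROOT.subject, "http://aia.example/root.cer")
INTER1 = Cert("CN=Example Intermediate 1", INTER2.subject, "http://aia.example/inter2.cer")
LEAF = Cert("CN=*.example.com", INTER1.subject, "http://aia.example/inter1.cer")

# What the misconfigured server sends (as the asker saw with openssl s_client).
SERVED_CHAIN: List[Cert] = [LEAF, INTER1]
# What a browser could fetch via AIA caIssuers URLs; constructed stand-in for HTTP.
AIA_REPO: Dict[str, Cert] = {INTER1.aia_ca_issuers: INTER2, INTER2.aia_ca_issuers: ROOT}
# The client's truststore (e.g. the JDK cacerts file) holds only the root.
TRUST_ANCHORS: Dict[str, Cert] = {ROOT.subject: ROOT}


def build_path(served: List[Cert], anchors: Dict[str, Cert],
               fetch: Optional[Callable[[str], Optional[Cert]]] = None) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf; return the path to a trust anchor or None."""
    by_subject = {c.subject: c for c in served}
    path, seen = [served[0]], {served[0].subject}
    while True:
        cur = path[-1]
        if cur.issuer in anchors:            # issuer is a trust anchor: done
            return path + [anchors[cur.issuer]]
        nxt = by_subject.get(cur.issuer)     # next cert from what the server sent
        if nxt is None and fetch and cur.aia_ca_issuers:
            nxt = fetch(cur.aia_ca_issuers)  # AIA fallback (browsers; Java opt-in only)
        if nxt is None or nxt.subject in seen or nxt.is_self_signed():
            return None                      # untrusted root, loop, or missing issuer
        seen.add(nxt.subject)
        path.append(nxt)


def first_missing_issuer(served: List[Cert], anchors: Dict[str, Cert]) -> Optional[str]:
    """Name the issuer the validator could not find, to tell the server admin what to add."""
    by_subject = {c.subject: c for c in served}
    cur = served[0]
    while cur.issuer not in anchors:
        if cur.issuer not in by_subject:
            return cur.issuer
        cur = by_subject[cur.issuer]
    return None
```

The fix on the server side is to serve LEAF, INTER1 and INTER2 together; adding the missing intermediate to the client truststore or enabling AIA fetching in Java are workarounds, not the root cause.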
