
How is it possible that Java 11 validates a certificate whose intermediate certificate isn't available in cacerts?

I don't have to fix something that doesn't work, but I try to understand why something works, because I think it should not work.

I'm using OpenJDK11 / Ubuntu 16.04. I make an HTTPS call. The SSL handshake succeeds.

The cert chain contains 3 certs:

  • API certificate of course. Issued by an intermediate CA (issuer = CN = DigiCert TLS RSA SHA256 2020 CA1, O = DigiCert Inc, C = US)
  • Intermediate CA certificate. Issued by a root CA (issuer = CN = DigiCert Global Root CA, OU = www.digicert.com, O = DigiCert Inc, C = US)
  • Root certificate

The second certificate is not available in the cacerts keystore in use (default keystore under the lib/security folder). This sounds quite normal, as the cert was issued in April 2021, while the JRE was released in January 2021 (openjdk version "11.0.10" 2021-01-19).

Why can this handshake succeed? In my mind, as Java doesn't know the second certificate, it cannot validate the API certificate.

The intermediate certificate is sent by the server.

I thought, but it was an error, that the JVM had to get the intermediate certificate into the truststore in order to read its public key and validate the site certificate; it was a mistake.
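The answer's point, that the JVM only needs the root in its truststore because the server supplies the intermediate during the handshake, can be reproduced offline with the same PKIX machinery the TLS stack uses. The following program is an added example, not code from the original post or from OpenJDK; it assumes three PEM files generated by the reader (for instance with openssl, as the comment describes) and named root.pem, intermediate.pem and leaf.pem. It validates the leaf once with the intermediate supplied alongside it, as a server would send it, and once without, with the root as the only trust anchor in both cases.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/*
 * Hypothetical test material (generate it yourself, e.g. with openssl):
 *   root.pem         self-signed CA certificate           (the only trust anchor)
 *   intermediate.pem CA certificate signed by root.pem     (NOT in the truststore)
 *   leaf.pem         end-entity certificate signed by intermediate.pem
 * Usage: java ChainCheck root.pem intermediate.pem leaf.pem
 */
public class ChainCheck {

    // Parse one PEM/DER X.509 certificate from disk.
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Run PKIX validation of 'chain' (ordered leaf first, as in a TLS handshake)
    // against a truststore that contains only 'trustedRoot'.
    static boolean validates(List<X509Certificate> chain, X509Certificate trustedRoot) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(trustedRoot, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP fetching in this offline check
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // Typical message for the leaf-only case:
            // "Path does not chain with any of the trust anchors"
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = load(cf, args[0]);
        X509Certificate intermediate = load(cf, args[1]);
        X509Certificate leaf = load(cf, args[2]);

        // What the server sends: leaf + intermediate. Root is known only via the truststore.
        boolean withIntermediate = validates(Arrays.asList(leaf, intermediate), root);
        // A server that omits the intermediate: the chain cannot reach the anchor.
        boolean leafOnly = validates(Collections.singletonList(leaf), root);

        System.out.println("leaf + intermediate, root trusted: " + withIntermediate); // true
        System.out.println("leaf alone, root trusted:          " + leafOnly);         // false
    }
}
```

The intermediate's public key is taken from the certificate the peer supplied, and its signature is checked against the root's key from the trust anchor; nothing about the intermediate has to be present in cacerts beforehand. The second run shows the failure mode that does occur in practice: a misconfigured server that sends only its leaf fails with "Path does not chain with any of the trust anchors", which is the symptom the question expected to see.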

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM