“无法在Camel组件测试中找到所请求目标的有效证书路径”
[英]“unable to find valid certification path to requested target” in Camel Component Test
问题描述
我正在尝试开发和测试骆驼端点。 我现在想测试SSL连接。 每当我运行测试(尝试进行相互SSL身份验证)时,我都会收到错误“无法找到所请求目标的有效证书路径”。 我的证书链对于客户端和服务器看起来像这样。 除了ID之外,两者都是相同的。 CA - > SubCA - > Client1(用作“客户端”) - > Client2(用作“服务器”)
我为客户端创建了一个PKCS12文件,并将一个导入的CA,SubCA和客户端证书创建到一个密钥库中:
keytool -keystore store.jks -importcert -alias ca -file test_ca_certs/rootca.cert
keytool -keystore store.jsk -importcert -alias subca -file test_ca_certs/subca.cert
keytool -v -importkeystore -srckeystore source.p12 -srcstoretype PKCS12 -destkeystore store.jsk -deststoretype JKS
所以说,我有一个客户端和服务器的商店只有客户端证书不同。 我试图避免使用不同的信任/密钥库,但这应该没问题,对吧?
几乎直接取自camel源示例,我在我的测试类中使用了这些方法:
private static SSLContextParameters defineClientSSLContextClientParameters() {
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/source.jks").toString());
ksp.setPassword(PWD);
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyPassword(PWD);
kmp.setKeyStore(ksp);
TrustManagersParameters tmp = new TrustManagersParameters();
tmp.setKeyStore(ksp);
SSLContextServerParameters scsp = new SSLContextServerParameters();
scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
SSLContextParameters sslContextParameters = new SSLContextParameters();
sslContextParameters.setKeyManagers(kmp);
sslContextParameters.setTrustManagers(tmp);
sslContextParameters.setServerParameters(scsp);
return sslContextParameters;
}
private static SSLContextParameters defineServerSSLContextParameters() {
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/target.jks").toString());
ksp.setPassword(PWD);
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyPassword(PWD);
kmp.setKeyStore(ksp);
TrustManagersParameters tmp = new TrustManagersParameters();
tmp.setKeyStore(ksp);
SSLContextServerParameters scsp = new SSLContextServerParameters();
scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
SSLContextParameters sslContextParameters = new SSLContextParameters();
sslContextParameters.setKeyManagers(kmp);
sslContextParameters.setTrustManagers(tmp);
sslContextParameters.setServerParameters(scsp);
return sslContextParameters;
}
@Override
protected RouteBuilder[] createRouteBuilders() throws Exception {
RouteBuilder[] rbs = new RouteBuilder[2];
// A protocol consumer
rbs[0] = new RouteBuilder() {
public void configure() {
// Needed to configure TLS on the client side
WsComponent wsComponent = (WsComponent) context.getComponent("protocolclient");
wsComponent.setSslContextParameters(defineClientSSLContextClientParameters());
from("direct:input").routeId("foo")
.log(">>> Message from direct to WebSocket Client : ${body}")
.to("protocolclient://localhost:9292/echo")
.log(">>> Message from WebSocket Client to server: ${body}");
}
};
// A protocol provider
rbs[1] = new RouteBuilder() {
public void configure() {
// Needed to configure TLS on the server side
WebsocketComponent websocketComponent = (WebsocketComponent) context.getComponent("protocolserver");
websocketComponent.setSslContextParameters(defineServerSSLContextParameters());
// This route is set to use TLS, referring to the parameters set above
from("protocolserver:localhost:9292/echo")
.log(">>> Message from WebSocket Server to mock: ${body}")
.to("mock:result");
}
};
return rbs;
}
为了完整性,这里是我用于生成客户端证书的配置文件:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
#default_keyfile = client.key
distinguished_name = client_distinguished_name
req_extensions = client_req_extensions
string_mask = utf8only
####################################################################
[ client_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bayern
localityName = Locality Name (eg, city)
localityName_default = Muenchen
organizationName = Organization Name (eg, company)
organizationName_default = Company
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test Client X
emailAddress = Email Address
emailAddress_default = stuff@mail.de
####################################################################
[ connector_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = client.companyname.de
我做了一些明显的错误吗? 我很困惑:(
谢谢!
编辑:我添加了一些调试输出。 它应该是这样的吗?
keystore (...) has type [jks], and contains aliases [1].
***
found key for : 1
chain [0] = [
[
Version: V3
Subject: CN=cnname, OU=ouname, O=oname, L=location, ST=bavaria, C=DE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 2999...
public exponent: 65537
Validity: [From: Wed Oct 19 10:16:33 CEST 2016,
To: Fri Oct 19 10:16:33 CEST 2018]
Issuer: CN=My SubCA 2016, O=organization, C=DE
SerialNumber: [ 01]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://someurl
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 58 DD 29 BF F2 31 7B 34 3F F2 7D B5 1F 2B 7D A3 X.)..1.4?....+..
0010: EB 71 EC 62 .q.b
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.someurl.crl]
]]
[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[7]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
DNSName: 127.0.0.1
]
[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F8 8E 73 ED 12 6A 61 2D A0 7F 15 F9 9D 84 BD BF ..s..ja-........
0010: 5E 96 B6 FF ^...
]
]
]
Algorithm: [SHA256withRSA]
Signature:
...
]
***
...
12:32:55.621 [main] TRACE org.apache.camel.util.jsse.TrustManagersParameters - Creating TrustManager[] from TrustManagersParameters [TrustManagerType [keyStore=KeyStoreParameters [type=null, password=********, provider=null, resource=file:/home/gbrost/GIT/karaf-policy-platform/camel-ids/target/test-classes/jsse/source-truststore.jks, getContext()=null], provider=null, algorithm=null, getContext()=null]]
---
12:32:55.644 [main] DEBUG org.apache.camel.util.jsse.JsseParameters - Opened resource [file:/home/gbrost/GIT/karaf-policy-platform/camel-ids/target/test-classes/jsse/source-truststore.jks] as a URL.
...
keystore has type [jks], and contains aliases [ca, subca].
adding as trusted cert:
Subject: CN=my Root CA 2016, O=organization, C=DE
Issuer: CN=my Root CA 2016, O=organization, C=DE
Algorithm: RSA; Serial number: 0xfc8239c0355555c1
Valid from Wed Oct 19 10:14:36 CEST 2016 until Tue Oct 14 10:14:36 CEST 2036
adding as trusted cert:
Subject: CN=my SubCA 2016, O=Fraunhofer, C=DE
Issuer: CN=my Root CA 2016, O=Fraunhofer, C=DE
Algorithm: RSA; Serial number: 0x1
Valid from Wed Oct 19 10:14:38 CEST 2016 until Thu Oct 17 10:14:38 CEST 2024
12:32:55.649 [main] DEBUG org.apache.camel.util.jsse.TrustManagersParameters - TrustManager[] [[sun.security.ssl.X509TrustManagerImpl@6b5176f2]], initialized from TrustManagerFactory [javax.net.ssl.TrustManagerFactory@209775a9].
12:32:56.099 [main] DEBUG org.apache.camel.util.jsse.SSLContextParameters -
...
1 个解决方案
解决方案1
0 已采纳 2016-10-24 07:44:09
我终于找到了解决方案。 我只将调试设置为SSL。 这是我的错。 我需要将调试输出设置为“all”。 然后我可以看到此错误消息:
引发者:sun.security.validator.ValidatorException:扩展密钥用法不允许用于TLS服务器身份验证
这更加具体。 为了解决这个问题,我确实需要将扩展密钥用法更改为:
keyUsage = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth, serverAuth
非常感谢你!
HTTPS4组件配置,用于将SSLcontext与密钥库文件一起使用,仍然无法找到到请求目标的有效证书路径
[英]HTTPS4 Component configuration for using SSLcontext with keystore file, stil unable to find valid certification path to requested target
SunCertPathBuilderException:无法找到所请求目标的有效证书路径
[英]SunCertPathBuilderException: unable to find valid certification path to requested target`
无法找到请求目标的有效认证路径 - 链接到 github
[英]unable to find valid certification path to requested target - link to github
SunCertPathBuilderException:无法找到到请求目标的有效证书路径
[英]SunCertPathBuilderException: unable to find valid certification path to requested target
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
无法找到到请求目标的有效证书路径
无法找到到请求目标的有效证书路径
HTTPS4组件配置,用于将SSLcontext与密钥库文件一起使用,仍然无法找到到请求目标的有效证书路径
gradlew 无法找到请求目标的有效认证路径
突然“无法找到到请求目标的有效认证路径”
SunCertPathBuilderException:无法找到所请求目标的有效证书路径
LibGDX:找不到到请求目标的有效认证路径
临时 - 无法找到到所请求目标的有效认证路径
无法找到请求目标的有效认证路径 - 链接到 github
SunCertPathBuilderException:无法找到到请求目标的有效证书路径
相关标签