
Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption

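Sometimes, when the server tries to connect to other services over https, I keep noticing the following error. What steps should be taken to resolve this? Interestingly, it only happens on a few servers.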

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    ....
    ....
    at com.xyz.rest.XyzService.call(XyzService.java:1239)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 33 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertO(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 39 more

Thanks everyone, but I found the answer to this problem. I had an older version of the Bouncy Castle jar; after upgrading to the jar bcprov-jdk15on-1.58.jar, the "Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption" error is no longer occurring.

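Please review the TLS-related Java configuration on the affected servers. The SDK uses the security properties jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithm to disable algorithms during TLS protocol negotiation, and SHA256WithRSAEncryption may have been disabled.

You can find the values of these properties in the <install_dir>/jre/lib/security/java.security file of your Java installation.

Please consider reading this related article; it applies to IBM SDK 8, but the behavior described should be the same or very similar for other SDK versions and vendors.

In addition, when running the program on the affected servers, consider enabling the java.security.debug environment property with the value certpath or all: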

-Djava.security.debug=certpath

It will give you guidance and valuable information about what is happening and why Java is complaining about the algorithm.
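
The checks suggested in the answers above, as an added example (not code from the original posts): a small Java diagnostic that prints both disabled-algorithm properties, marks entries that could apply to SHA256withRSA, and shows which security provider serves the PKIX CertPathValidator. The class name and the first-token matching rule are assumptions made for illustration; the TLS property is read under its JDK name, jdk.tls.disabledAlgorithms.

```java
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added diagnostic (hypothetical class name). Run it with the same JVM and
// classpath as the failing application on an affected server.
public class CertPathDiag {
    // Names a constraint entry could use to hit SHA256withRSA. Assumption:
    // a simple first-token match; the JDK's own matching is more detailed.
    static final List<String> NAMES =
            Arrays.asList("SHA256WITHRSA", "SHA256", "SHA-256", "RSA");

    static void show(String property) {
        String value = Security.getProperty(property);
        System.out.println(property + ":");
        if (value == null || value.trim().isEmpty()) {
            System.out.println("  (not set)");
            return;
        }
        for (String entry : value.split(",")) {
            entry = entry.trim();
            // The first token is the algorithm; the rest (keySize < 1024,
            // jdkCA, usage ...) narrows when the entry applies.
            String algorithm = entry.split("\\s+")[0].toUpperCase(Locale.ROOT);
            String mark = NAMES.contains(algorithm) ? "  <-- review" : "";
            System.out.println("  " + entry + mark);
        }
    }

    public static void main(String[] args) throws Exception {
        show("jdk.certpath.disabledAlgorithms");
        show("jdk.tls.disabledAlgorithms");

        // Providers in preference order; the trace above shows Bouncy Castle
        // (org.bouncycastle.jce.provider) doing the path validation.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersion() + " - " + p.getInfo());
        }
        CertPathValidator v = CertPathValidator.getInstance("PKIX");
        System.out.println("PKIX CertPathValidator from: " + v.getProvider().getName());
    }
}
```

If the application registers Bouncy Castle at runtime with Security.addProvider, the provider appears in this output only when the same calls run inside the application itself.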
