具有相互身份驗證的 Https 請求通過 curl 但因 java 失敗
[英]Https request with mutual authentication passes with curl but fails with java
問題描述
github 上有人問我一個關於我的圖書館的問題。 這個庫提供了一些工廠類來輕松創建 sslcontext。 我確保不共享庫的詳細信息,只共享普通的 java 代碼和我使用的附加庫。 我嘗試調試它並嘗試重新格式化證書,但它不起作用。 我得到的例外是:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java 信任管理器基本上是說我收到了服務器的證書,我剛剛檢查了您的受信任證書列表,但找不到匹配的證書。 所以我不信任這個服務器,因此我停止了這個請求。 當我調試它時,我可以理解為什么信任管理器會拋出異常,因為根本沒有與服務器相同的匹配證書。 但是,當我將相同的文件與 curl 一起使用時,它可以工作,所以我不太確定證書和密鑰材料是否存在問題,或者 java ZF9D5C16A7F42203F8C195432354A 可能存在一些限制或未正確配置它......我希望有人可以向我解釋為什么它在 java 中失敗並在 curl 中通過的行為差異。
客戶端的私鑰內容:
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCw9Of6paN76eY7MApVZrPLt3Ss9rYOSkUHqw9ls8ewxLqlfk/S
7tdQ6g1+fa4HnKeSXRRrBv7RNlnwRPzBIha5QSwVSraT079xnEP/MGlZ+lyS4Kad
xv/m96jJXk9w8GaHY8OiwfJqcTolVKVEzDKVDIxp3noYfCRVW4RDm0FMJwIDAQAB
AoGARQMOYbMtogrjblva+9l071MZ3sbM05/lcgslkx1dGLRwslAjo3jgYj8ViipL
r85JkAxbBS6SPFd9FfZhuJSp1WnXAP63GHB8NUb+hqrFqDxLuNsFQ1Q04+0FDlJw
+YUD7QZWwXy28clt9arEIoPeikOmePDQF7FGuU6f0+aNxAECQQDcWFfTDLvAMPNX
T6WsuYYIs+1mYYxImElsaTfm36Ro9C+2atVnxnqY6JFhWh6Sn+7dNiWS4vsbH1uZ
7EiQKpoBAkEAzZc5jxmfG/5f8uKQh49ORTaIOSyivd/L60rVNcdRyukFrFPTb/Ey
o2LsvDzDclfdGdhehkEAdX+Biksz0gfWJwJAIvuvreVWpbPf3pvZnOuzmQwgA+I2
6IutFJY79t7I9pTWQmsByMEdU8uQ0VkCg5r6zIo9Ou3omizHWU/HUYRCAQJAJXmN
SmJXOFkT0EgwJCWhFMit6A4U1Bt5JjiLyLO+WwhCunjFL8B9hH7BvEYvMiaF7PId
uMcceE53pGe02HIJPQJAXuCB+O0zqnSci3dP5cH724qNbRMvH0IvI6PFK8RIEd7I
d+HKKVGXhPC1mMhIbAqydxmTCDewsSH9rlghhTvqIg==
-----END RSA PRIVATE KEY-----
客戶端的證書鏈內容:
-----BEGIN CERTIFICATE-----
MIICXDCCAcUCAQEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCSUUxEDAOBgNV
BAgMB0RvbmVnYWwxFDASBgNVBAcMC0xldHRlcmtlbm55MRQwEgYDVQQDDAt0cGVh
cnNvbi5pZTEjMCEGCSqGSIb3DQEJARYUcm9vdGNlcnRAdHBlYXJzb24uaWUwHhcN
MjEwMTA4MDE1MDUzWhcNMjIwMTA4MDE1MDUzWjB9MQswCQYDVQQGEwJJRTEQMA4G
A1UECAwHRG9uZWdhbDEUMBIGA1UEBwwLTGV0dGVya2VubnkxHzAdBgNVBAMMFmNs
aWVudGNlcnQudHBlYXJzb24uaWUxJTAjBgkqhkiG9w0BCQEWFmNsaWVudGNlcnRA
dHBlYXJzb24uaWUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALD05/qlo3vp
5jswClVms8u3dKz2tg5KRQerD2Wzx7DEuqV+T9Lu11DqDX59rgecp5JdFGsG/tE2
WfBE/MEiFrlBLBVKtpPTv3GcQ/8waVn6XJLgpp3G/+b3qMleT3DwZodjw6LB8mpx
OiVUpUTMMpUMjGneehh8JFVbhEObQUwnAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEA
bwGc1UM0qhKrJdjhXiXcVcf+ebyQKJHe3wXX3ffdw7Y7Gg9CjbD21kdlTVlSJrLT
hC5k01NChPDScK0C5CUPjEtHCt/G4sEPy+R1tXAmOBMnJXHqHQ/gsk1xe2TXZTep
uX5Al1vhtY7iVOnxsoRt2rdvYLRhpvf+7qbrchlQtXE=
-----END CERTIFICATE-----
受信任的證書,ca
-----BEGIN CERTIFICATE-----
MIICVzCCAcACCQCr1Uz2zH5PwzANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJJ
RTEQMA4GA1UECAwHRG9uZWdhbDEUMBIGA1UEBwwLTGV0dGVya2VubnkxFDASBgNV
BAMMC3RwZWFyc29uLmllMSMwIQYJKoZIhvcNAQkBFhRyb290Y2VydEB0cGVhcnNv
bi5pZTAeFw0yMTAxMDgwMTQ0NDRaFw0yMjAxMDgwMTQ0NDRaMHAxCzAJBgNVBAYT
AklFMRAwDgYDVQQIDAdEb25lZ2FsMRQwEgYDVQQHDAtMZXR0ZXJrZW5ueTEUMBIG
A1UEAwwLdHBlYXJzb24uaWUxIzAhBgkqhkiG9w0BCQEWFHJvb3RjZXJ0QHRwZWFy
c29uLmllMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ0E9LXa/6XNzm1CZ3
lHLez768tSAmrQ0qYFCiyrGhnfe+xJJAf7BSWRAUQmM7ULRj89NVMor7GyBYH1mq
1r9dI23i3KM8ZAeBN+32eifOH/TqE2QKLm2ORqBzNXsl1QTriXLR4aIs8bYUH6JP
9qGE24ncqeO1/Ry6o2DxQWEkLQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADq/CDEC
TwmegkvOMTH7mlWWgaoVWgBU6mtUjm2fJtQOFDewicQlxa2jF3LwDwb94J5vu6Kc
NAZwLWE70+pWhhcsXWc0rbA1Ayv1xkyi8LPWqqmCbz14R2tEDuPZJxKvS0DkGKqy
De4sdJsOo2GWhYsmY6HiOPElt5ndzI5NRZ6s
-----END CERTIFICATE-----
因此,以下 curl 命令將成功執行並為我提供正確的響應正文:
curl --cacert ca.pem --key client-key.pem --cert client-cert.pem https://prod.idrix.eu/secure/
為了在 Java 中加載這些文件,我使用 Bouncy Castle,下面是解析它的完整片段,將其加載到 TrustManager、KeyManager、創建 SSLContext 並執行請求:
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringReader;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.stream.Collectors;
public class App {
private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
private static final JcaPEMKeyConverter KEY_CONVERTER = new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER);
private static final JcaX509CertificateConverter CERTIFICATE_CONVERTER = new JcaX509CertificateConverter().setProvider(BOUNCY_CASTLE_PROVIDER);
public static void main(String[] args) throws Exception {
String clientKeyContent = App.getContent(App.class.getClassLoader().getResourceAsStream("client-key.pem"));
String clientCertificateChainContent = App.getContent(App.class.getClassLoader().getResourceAsStream("client-cert.pem"));
String caCertificateContent = App.getContent(App.class.getClassLoader().getResourceAsStream("ca.pem"));
Reader reader = new StringReader(clientKeyContent);
PEMParser pemParser = new PEMParser(reader);
Object object = pemParser.readObject();
PrivateKeyInfo privateKeyInfo = ((PEMKeyPair) object).getPrivateKeyInfo();
PrivateKey clientKey = KEY_CONVERTER.getPrivateKey(privateKeyInfo);
reader.close();
pemParser.close();
reader = new StringReader(clientCertificateChainContent);
pemParser = new PEMParser(reader);
object = pemParser.readObject();
X509Certificate clientCertificateChain = CERTIFICATE_CONVERTER.getCertificate((X509CertificateHolder) object);
reader.close();
pemParser.close();
reader = new StringReader(caCertificateContent);
pemParser = new PEMParser(reader);
object = pemParser.readObject();
X509Certificate caCertificate = CERTIFICATE_CONVERTER.getCertificate((X509CertificateHolder) object);
reader.close();
pemParser.close();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, "password".toCharArray());
keyStore.setKeyEntry("client", clientKey, "".toCharArray(), new Certificate[]{clientCertificateChain});
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "".toCharArray());
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, "password".toCharArray());
trustStore.setCertificateEntry("ca", caCertificate);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
HttpClient httpClient = HttpClient.newBuilder()
.sslContext(sslContext)
.build();
HttpRequest request = HttpRequest.newBuilder()
.GET()
.uri(URI.create("https://prod.idrix.eu/secure/"))
.build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
public static String getContent(InputStream inputStream) throws IOException {
try (InputStreamReader inputStreamReader = new InputStreamReader(Objects.requireNonNull(inputStream), StandardCharsets.UTF_8);
BufferedReader bufferedReader = new BufferedReader(inputStreamReader)) {
return bufferedReader.lines()
.collect(Collectors.joining(System.lineSeparator()));
}
}
}
我正在使用 Java 11 和 Bouncy Castle,具體的 artifact-id 見下文:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.68</version>
</dependency>
所以對我來說,不清楚為什么 curl 命令有效並且 java 中的設置失敗。 我是否配置錯誤,任何幫助都會很棒。 我試圖提供盡可能多的細節。 私鑰是一個測試密鑰,所以在這里分享它不會有害。
1 個解決方案
解決方案1
1 已采納 2021-01-23 10:16:02
我發現了問題所在,因此我想與其他有共同點的人分享。
看起來在 mac os x curl 上默認使用系統受信任的證書,而在 java 方面並非如此。 我不確定 curl 與其他操作系統的行為是什么。 https://prod.idrix.eu/secure/有一個由DST Root CA X3簽名的證書我禁用了這個並重新運行與我最初問題中描述的完全相同的設置,curl Z5E056C500A1C47BADEZ 請求也失敗了,就像它一樣失敗在 java 側。
我從鑰匙串中禁用了它,如下所示:
設置https ssl連接的客戶端請求超時(相互認證)
[英]set client request time out for https ssl connection(mutual authentication)
Curl請求https端點工作但java客戶端請求失敗,錯誤為'javax.net.ssl.SSLHandshakeException'
[英]Curl Request to https endoint working but java client request fails with Error 'javax.net.ssl.SSLHandshakeException'
帶有Authentication頭的Java Jersey HTTPS GET請求
[英]Java Jersey HTTPS GET request with Authentication header
在Tomcat 7和request.getUserPrincipal()上進行相互身份驗證
[英]Mutual Authentication on Tomcat 7 and request.getUserPrincipal()
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
Java HTTPS服務器:相互SSL身份驗證
設置https ssl連接的客戶端請求超時(相互認證)
Curl請求https端點工作但java客戶端請求失敗,錯誤為'javax.net.ssl.SSLHandshakeException'
Spark Java相互認證
Grpc Java SSL相互認證
帶有Authentication頭的Java Jersey HTTPS GET請求
Java / JMeter HTTP請求失敗,但curl起作用
POST請求在cURL中成功,但在Java中失敗
Java請求中的HTTPS SSL GET失敗
在Tomcat 7和request.getUserPrincipal()上進行相互身份驗證
相關標簽