Java 信任存储中的根证书是否足以建立连接?
truststore中的根证书是否足以建立与网站的连接?如果是这样,只是为了测试,我已经将google的根证书导入到我创建的新信任库中,并指向该信任库。尽管如此,我还是得到了以下例外。Java 信任存储中的根证书是否足以建立连接?,java,ssl,httpsurlconnection,Java,Ssl,Httpsurlconnection,truststore中的根证书是否足以建立与网站的连接?如果是这样,只是为了测试,我已经将google的根证书导入到我创建的新信任库中,并指向该信任库。尽管如此,我还是得到了以下例外。 javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX路径生成失败:sun.security.provider.certpath.SunCertPathBuilderException:找不到请求目标的有
javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX路径生成失败:sun.security.provider.certpath.SunCertPathBuilderException:找不到请求目标的有效证书路径但是,如果我尝试使用默认的java信任存储连接到google,那么它就可以正常工作。有人能帮我吗?TIA。我刚刚尝试为google.com构建一个https get请求。已加载全局签名证书。谷歌的证书是由这个CA签署的,所以ssl握手应该通过。下面是我使用的代码,它是有效的
@Test
public void callGoogleWithRootCA() throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, KeyManagementException {
String trustStorePath = "keystores-for-unit-tests/truststore.jks";
String trustStorePassword = "secret";
KeyStore trustStore;
try(InputStream keystoreInputStream = this.getClass().getClassLoader().getResourceAsStream(trustStorePath)) {
if (isNull(keystoreInputStream)) {
throw new RuntimeException(String.format("Could not find the keystore file with the given location %s", trustStorePath));
}
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(keystoreInputStream, trustStorePassword.toCharArray());
trustStore = keystore;
}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
HttpsURLConnection connection = (HttpsURLConnection) new URL("https://www.google.com").openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());
connection.setRequestMethod("GET");
String responseBody = IOUtils.toString(connection.getInputStream(), StandardCharsets.UTF_8);
int responseCode = connection.getResponseCode();
assertThat(responseCode).isEqualTo(200);
}
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
-----END CERTIFICATE-----
javax.net.ssl|DEBUG|01|main|2019-12-02 01:29:04.529 CET|CertificateMessage.java:358|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "75 20 46 4B 8D AC DC 10 08 00 00 00 00 1D 8A 52",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=GTS CA 1O1, O=Google Trust Services, C=US",
"not before" : "2019-11-05 08:46:45.000 CET",
"not after" : "2020-01-28 08:46:45.000 CET",
"subject" : "CN=www.google.com, O=Google LLC, L=Mountain View, ST=California, C=US",
"subject public key" : "EC",
"extensions" : [
{
ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
},
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.pki.goog/gts1o1
,
accessMethod: caIssuers
accessLocation: URIName: http://pki.goog/gsr2/GTS1O1.crt
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 98 D1 F8 6E 10 EB CF 9B EC 60 9F 18 90 1B A0 EB ...n.....`......
0010: 7D 09 FD 2B ...+
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.pki.goog/GTS1O1.crl]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.3]
[] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.google.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 63 55 73 A0 9D C3 D5 FA 3C 1A 17 EA 0B 72 AB EF cUs.....<....r..
0010: D3 15 15 BB ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "01 E3 B4 9A A1 8D 8A A9 81 25 69 50 B8",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2",
"not before" : "2017-06-15 02:00:42.000 CEST",
"not after" : "2021-12-15 01:00:42.000 CET",
"subject" : "CN=GTS CA 1O1, O=Google Trust Services, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.pki.goog/gsr2
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-.
0010: DC 19 86 2E ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.pki.goog/gsr2/gsr2.crl]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 70 6B 69 2E 67 6F ..https://pki.go
0010: 6F 67 2F 72 65 70 6F 73 69 74 6F 72 79 2F og/repository/
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 98 D1 F8 6E 10 EB CF 9B EC 60 9F 18 90 1B A0 EB ...n.....`......
0010: 7D 09 FD 2B ...+
]
]
}
]}
]
)
javax.net.ssl|DEBUG|01|main|2019-12-02 01:29:04.566 CET|X509TrustManagerImpl.java:242|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "04 00 00 00 00 01 0F 86 26 E6 0D",
"signature algorithm": "SHA1withRSA",
"issuer" : "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2",
"not before" : "2006-12-15 09:00:00.000 CET",
"not after" : "2021-12-15 09:00:00.000 CET",
"subject" : "CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-.
0010: DC 19 86 2E ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.net/root-r2.crl]
]]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-.
0010: DC 19 86 2E ....
]
]
}
]}
)
javax.net.ssl | DEBUG | 01 | main | 2019-12-02 01:29:04.529 CET | CertificateMessage.java:358 |使用服务器证书握手消息(
“证书”:[
“证书”:{
“版本”:“v3”,
“序列号”:“75 20 46 4B 8D AC DC 10 08 00 00 1D 8A 52”,
“签名算法”:“SHA256withRSA”,
“发卡机构”:“CN=GTS CA 1O1,O=Google Trust Services,C=US”,
“不在之前”:“2019-11-05 08:46:45.000 CET”,
“不在之后”:“欧洲中部时间2020-01-28 08:46:45.000”,
“主题”:“CN=www.google.com,O=google LLC,L=Mountain View,ST=California,C=US”,
“主体公钥”:“EC”,
“扩展”:[
{
目标:1.3.6.1.4.1.11129.2.4.2临界性=错误
},
{
目标:1.3.6.1.5.5.7.1.1临界性=错误
权威信息访问[
[
访问方法:ocsp
访问位置:小便器名称:http://ocsp.pki.goog/gts1o1
,
访问方法:caIssuers
访问位置:小便器名称:http://pki.goog/gsr2/GTS1O1.crt
]
]
},
{
目标:2.5.29.35关键性=错误
AuthorityKeyIdentifier[
键标识符[
0000:98 D1 F8 6E 10 EB CF 9B EC 60 9F 18 90 1B A0 EB…n。。。。。。
0010:7D 09 FD 2B+
]
]
},
{
ObjectId:2.5.29.19临界性=真实
基本约束:[
CA:错
路径:未定义
]
},
{
目标:2.5.29.31临界性=错误
CRL分布点[
[分配点:
[小便器:http://crl.pki.goog/GTS1O1.crl]
]]
},
{
目标:2.5.29.32临界性=错误
证书政策[
[认证政策:[2.23.140.1.2.2]
[] ]
[证书政策:[1.3.6.1.4.1.11129.2.5.3]
[] ]
]
},
{
目标:2.5.29.37临界性=错误
扩展键用法[
服务器身份验证
]
},
{
ObjectId:2.5.29.15临界性=真实
密钥用法[
数字签名
]
},
{
目标:2.5.29.17关键性=错误
SubjectAlternativeName[
DNSName:www.google.com
]
},
{
目标:2.5.29.14关键性=错误
SubjectKeyIdentifier[
键标识符[
0000:63 55 73 A0 9D C3 D5 FA 3C 1A 17 EA 0B 72 AB EF cUs…..以下是有关其工作原理的更详细答案:
在TLS握手过程中,服务器发送形成链的证书列表。在TLS 1.2中,解释为:
这是一个序列(链)证书的。发件人的证书必须位于列表的第一位。以下每个证书都必须直接对其前面的证书进行认证。由于证书验证要求独立分发根密钥,因此可以在assu下从链中省略指定根证书颁发机构的自签名证书提示远程端必须已经拥有它,以便在任何情况下验证它
证书的根始终是自签名的,对于全局接受的根CA(证书颁发机构),证书存储在客户端平台(即Mozilla、MacOS、Java、Android、Windows等)中。因此服务器无需发送此证书
该RFC还提到:
实现负责验证证书的完整性,通常应支持证书吊销消息。应始终验证证书,以确保受信任的证书颁发机构(CA)正确签名。应非常小心地选择和添加受信任的CA。用户应能够查看有关证书和根CA的信息
换句话说,平台实现将遍历证书链并不断验证证书,直到找到信任存储中的证书为止。信任存储中存在的任何证书都不会被验证,并将被假定为受信任的证书
TLS 1.3中提到了这一点:
实现负责验证证书的完整性,通常应支持证书吊销消息。如果应用程序配置文件中没有特定指示,则应始终验证证书,以确保受信任的证书颁发机构(CA)正确签名。应非常小心地选择和添加信任锚。用户应能够查看有关证书和信任锚的信息
它还说:
证书上的签名