SSL套接字帮助-javax.net.SSL.SSLHandshakeException:收到致命警报:证书\u未知
我在使用SSL套接字建立客户机-服务器套接字连接时遇到问题。我仍在学习SSL加密以及处理证书和密钥库。我有一个客户端和服务器应用程序,它们应该按如下方式相互连接: 服务器-sslreverewseechoer.javaSSL套接字帮助-javax.net.SSL.SSLHandshakeException:收到致命警报:证书\u未知,java,sockets,ssl,ssl-certificate,bouncycastle,Java,Sockets,Ssl,Ssl Certificate,Bouncycastle,我在使用SSL套接字建立客户机-服务器套接字连接时遇到问题。我仍在学习SSL加密以及处理证书和密钥库。我有一个客户端和服务器应用程序,它们应该按如下方式相互连接: 服务器-sslreverewseechoer.java import java.io.*; import java.net.*; import java.security.*; import javax.net.ssl.*; import org.bouncycastle.jce.provider.BouncyCastleProvid
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class SSLReverseEchoer {
public static void main(String[] args) {
String ksName = "sslkeystore.jks";
String keystorePass = "sslkeystorepassword";
char ksPass[] = keystorePass.toCharArray();
int sslPort = 9099;
Security.addProvider(new BouncyCastleProvider());
File file = new File(ksName);
String absPath = file.getAbsolutePath();
System.setProperty("javax.net.ssl.keyStore", absPath);
System.setProperty("javax.net.ssl.keyStorePassword", "sslkeystorepassword");
try {
//Get keystore w/ password
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(ksName), ksPass);
//Trust Manager
TrustManagerFactory tmf = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, ksPass);
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
SSLServerSocketFactory ssf = sc.getServerSocketFactory();
SSLServerSocket s = (SSLServerSocket) ssf.createServerSocket(sslPort);
printServerSocketInfo(s);
//WAIT FOR CONNECTION TODO ADD THREAD for NIO
SSLSocket c = (SSLSocket) s.accept();
printSocketInfo(c);
BufferedWriter w = new BufferedWriter(new OutputStreamWriter(
c.getOutputStream()));
BufferedReader r = new BufferedReader(new InputStreamReader(
c.getInputStream()));
String m = "Welcome to SSL Reverse Echo Server."+
" Please type in some words.";
w.write(m,0,m.length());
w.newLine();
w.flush();
while ((m=r.readLine())!= null) {
if (m.equals(".")) break;
char[] a = m.toCharArray();
int n = a.length;
for (int i=0; i<n/2; i++) {
char t = a[i];
a[i] = a[n-1-i];
a[n-i-1] = t;
}
w.write(a,0,n);
w.newLine();
w.flush();
}
w.close();
r.close();
c.close();
s.close();
} catch (Exception e) {
e.printStackTrace();
}
}
private static void printSocketInfo(SSLSocket s) {
System.out.println("Socket class: "+s.getClass());
System.out.println(" Remote address = "
+s.getInetAddress().toString());
System.out.println(" Remote port = "+s.getPort());
System.out.println(" Local socket address = "
+s.getLocalSocketAddress().toString());
System.out.println(" Local address = "
+s.getLocalAddress().toString());
System.out.println(" Local port = "+s.getLocalPort());
System.out.println(" Need client authentication = "
+s.getNeedClientAuth());
SSLSession ss = s.getSession();
System.out.println(" Cipher suite = "+ss.getCipherSuite());
System.out.println(" Protocol = "+ss.getProtocol());
}
private static void printServerSocketInfo(SSLServerSocket s) {
System.out.println("Server socket class: "+s.getClass());
System.out.println(" Socket address = "
+s.getInetAddress().toString());
System.out.println(" Socket port = "
+s.getLocalPort());
System.out.println(" Need client authentication = "
+s.getNeedClientAuth());
System.out.println(" Want client authentication = "
+s.getWantClientAuth());
System.out.println(" Use client mode = "
+s.getUseClientMode());
}
}
我执行服务器,它开始在指定的端口上侦听,但是当执行客户端时,我会得到以下堆栈跟踪
服务器输出
Server socket class: class sun.security.ssl.SSLServerSocketImpl
Socket address = 0.0.0.0/0.0.0.0
Socket port = 9099
Need client authentication = false
Want client authentication = false
Use client mode = false
Socket class: class sun.security.ssl.SSLSocketImpl
Remote address = /127.0.0.1
Remote port = 62145
Local socket address = /127.0.0.1:9099
Local address = /127.0.0.1
Local port = 9099
Need client authentication = false
Cipher suite = SSL_NULL_WITH_NULL_NULL
Protocol = NONE
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1541)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1553)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
at java.io.BufferedWriter.flush(BufferedWriter.java:254)
at com.example.SSLReverseEchoer.main(SSLReverseEchoer.java:60)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2267)
at com.example.SSLReverseEchoer.printSocketInfo(SSLReverseEchoer.java:94)
at com.example.SSLReverseEchoer.main(SSLReverseEchoer.java:49)
客户端输出
Socket class: class sun.security.ssl.SSLSocketImpl
Remote address = localhost/127.0.0.1
Remote port = 9099
Local socket address = /127.0.0.1:62145
Local address = /127.0.0.1
Local port = 62145
Need client authentication = false
Cipher suite = SSL_NULL_WITH_NULL_NULL
Protocol = NONE
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1541)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1553)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1399)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at com.example.SSLSocketClient.main(SSLSocketClient.java:23)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2267)
at com.example.SSLSocketClient.printSocketInfo(SSLSocketClient.java:55)
at com.example.SSLSocketClient.main(SSLSocketClient.java:22)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 15 more
我使用keystore通过以下参数生成sslkeystore.jks和X509_certificate.cer:
生成sslkeystore.jks
keytool -genkey -keyalg RSA -alias sslsocket -keystore sslkeystore.jks -storepass sslkeystorepassword -validity 365 -keysize 2048
What is your first and last name?
[Unknown]: Gandalf
What is the name of your organizational unit?
[Unknown]: Wizardry
What is the name of your organization?
[Unknown]: Arnock
What is the name of your City or Locality?
[Unknown]: Minas Tirith
What is the name of your State or Province?
[Unknown]: Gondor
What is the two-letter country code for this unit?
[Unknown]: GD
Is CN=Gandalf, OU=Wizardry, O=Arnock, L=Minas Tirith, ST=Gondor, C=GD correct?
[no]: yes
Enter key password for <sslsocket>
(RETURN if same as keystore password):
keytool-genkey-keyalg RSA-alias sslsocket-keystore sslkeystore.jks-storepass sslkeystorepassword-validity 365-keysize 2048
你的名字和姓氏是什么?
[未知]:甘道夫
您的组织单位名称是什么?
[未知]:巫术
你的组织名称是什么?
[未知]:阿诺克
你所在的城市或地区叫什么名字?
[未知]:米纳斯提利斯
你所在的州或省叫什么名字?
[未知]:刚铎
这个单位的两个字母的国家代码是什么?
[未知]:GD
CN=Gandalf,OU=巫师,O=Arnock,L=Minas Tirith,ST=Gondor,C=GD正确吗?
[否]:是的
输入的密钥密码
(如果与密钥库密码相同,则返回):
出口证书。cer
keytool -export -alias sslsocket -keystore sslkeystore.jks -rfc -file X509_certificate.cer
Enter keystore password:
Certificate stored in file <X509_certificate.cer>
keytool-export-alias sslsocket-keystore sslkeystore.jks-rfc-file X509\u certificate.cer
输入密钥库密码:
存储在文件中的证书
对这里的问题有什么建议吗
我在这里试图实现的是在具有公钥和私钥的套接字上进行非对称加密。*.jks不是持有公钥,*.cer不是持有私钥吗?如果是这种情况,我是否需要在客户端中添加其他内容来使用私钥,还是在握手过程中将私钥提供给客户端
任何帮助都将不胜感激 你把它倒过来了。 公钥加密,或非对称加密,是使用密钥对的任何加密系统:可以广泛传播的公钥[在数学上]与只有所有者知道的私钥配对 SSL/TLS服务器将其私钥保持为私有;它是分发给其他人,特别是客户的公钥。但正如wp所说 公钥和它的“所有者”之间的绑定必须是正确的,否则算法可能运行得很好,但在实践中却完全不安全。[…]将公钥与其所有者关联通常是通过实现公钥基础设施的协议来完成的–这些协议允许通过引用分层证书颁发机构(例如X.509)形式的可信第三方来正式验证关联的有效性[…] 虽然PKC通常有其他选项,但SSL/TLS通常(在Java中总是)使用X.509证书。一个证书对于一方,这里的服务器包含该方的公钥,该方的身份(对于SSL/TLS服务器,通常是DNS名称,有时是服务器的多个名称),以及一些您可以忽略的其他信息,通常由一个签名 通常,reliers(客户端)已经安装了著名CA(如Verisign、GoDaddy等)的“根”证书副本,可能还有更多本地CA(如您的雇主或州政府),服务器只需在SSL/TLS握手中发送自己的证书,以及CA提供的任何所需的“链”或中间证书;客户端可以使用预安装的根证书副本验证证书。(对于Java客户端,请参见下文。) 但是,如果您不愿意或没有资格从真正的CA获取证书,SSL/TLS协议可以使用服务器自己签名的证书,称为自签名证书。在这种情况下,由于客户端无法先验地知道特定证书是服务器的正确证书,而不是冒名顶替者创建的伪造证书,因此需要将服务器的自签名证书放入客户端的信任库中。一般来说,您需要将证书从服务器安全地复制到客户端,但由于您显然是在单个主机上进行测试,因此问题大大简化了 具体来说,在Java中:
,或其过时的同义词keytool-genkeypair
,在文件中创建密钥对,默认情况下为JKS文件,带有自签名(默认)证书-genkey
(或keytool-exportcert
)将证书(包含公钥和名称)复制到一个文件中,您在这里将该文件命名为-export
。由于您没有获得真正的CA证书,因此这是自签名证书,您需要将其放入/每个客户端的信任库中X509\u certificate.cer
- 显式1:使用
将证书放入密钥库文件(通常是JKS),将密钥库读入内存,然后使用它初始化keytool-importcert
然后初始化TrustManager
然后初始化SSLContext
。这与服务器代码类似,只是没有SSLSocketFactory
部分,并且使用KeyManager
类而不是SSLSocket
类SSLServerSocket
- 显式2:使用
类型的X.509
从文件中读取(仅读取)证书,在内存中创建密钥库(无密钥库文件)并将证书放入其中,然后按照显式1中的操作进行。 如果你不知道CertificateFactory
keytool -export -alias sslsocket -keystore sslkeystore.jks -rfc -file X509_certificate.cer Enter keystore password: Certificate stored in file <X509_certificate.cer>