https请求通过curl，但通过java失败

github上有人问了我一个关于我的图书馆的问题。这个库提供了一些工厂类来轻松地创建sslcontext。我确保不共享库的详细信息，只共享普通java代码和我使用的附加库。我试着调试它，也试着重新格式化证书，但它不工作。我得到的例外是：

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

javatrustmanager基本上是说我收到了服务器的证书，我刚刚检查了您的可信证书列表，但找不到匹配的证书。所以我不信任这个服务器，因此我停止了这个请求。当我调试它时，我可以理解为什么trustmanager抛出异常，因为根本没有与服务器相同的匹配证书。但是，当我使用与curl相同的文件时，它可以工作，所以我不太确定证书和密钥材料是否有问题，或者javassl实现有一些限制，或者我没有正确配置它。。。我希望有人能向我解释为什么java失败而curl通过的行为不同。
客户端的私钥内容：

客户端的证书链内容：

可信证书，ca

因此，下面的curl命令将成功执行，并为我提供正确的响应主体：

curl --cacert ca.pem --key client-key.pem --cert client-cert.pem https://prod.idrix.eu/secure/

要在java中加载这些文件，我使用bouncy castle，下面是解析它、将其加载到trustmanager、keymanager、创建sslcontext和执行请求的完整片段：

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringReader;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.stream.Collectors;

public class App {

    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
    private static final JcaPEMKeyConverter KEY_CONVERTER = new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER);
    private static final JcaX509CertificateConverter CERTIFICATE_CONVERTER = new JcaX509CertificateConverter().setProvider(BOUNCY_CASTLE_PROVIDER);

    public static void main(String[] args) throws Exception {
        String clientKeyContent = App.getContent(App.class.getClassLoader().getResourceAsStream("client-key.pem"));
        String clientCertificateChainContent = App.getContent(App.class.getClassLoader().getResourceAsStream("client-cert.pem"));
        String caCertificateContent = App.getContent(App.class.getClassLoader().getResourceAsStream("ca.pem"));

        Reader reader = new StringReader(clientKeyContent);
        PEMParser pemParser = new PEMParser(reader);
        Object object = pemParser.readObject();

        PrivateKeyInfo privateKeyInfo = ((PEMKeyPair) object).getPrivateKeyInfo();
        PrivateKey clientKey = KEY_CONVERTER.getPrivateKey(privateKeyInfo);
        reader.close();
        pemParser.close();

        reader = new StringReader(clientCertificateChainContent);
        pemParser = new PEMParser(reader);

        object = pemParser.readObject();
        X509Certificate clientCertificateChain = CERTIFICATE_CONVERTER.getCertificate((X509CertificateHolder) object);
        reader.close();
        pemParser.close();

        reader = new StringReader(caCertificateContent);
        pemParser = new PEMParser(reader);

        object = pemParser.readObject();
        X509Certificate caCertificate = CERTIFICATE_CONVERTER.getCertificate((X509CertificateHolder) object);
        reader.close();
        pemParser.close();

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, "password".toCharArray());
        keyStore.setKeyEntry("client", clientKey, "".toCharArray(), new Certificate[]{clientCertificateChain});
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, "".toCharArray());

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, "password".toCharArray());
        trustStore.setCertificateEntry("ca", caCertificate);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

        HttpClient httpClient = HttpClient.newBuilder()
                .sslContext(sslContext)
                .build();

        HttpRequest request = HttpRequest.newBuilder()
                .GET()
                .uri(URI.create("https://prod.idrix.eu/secure/"))
                .build();

        HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }

    public static String getContent(InputStream inputStream) throws IOException {
        try (InputStreamReader inputStreamReader = new InputStreamReader(Objects.requireNonNull(inputStream), StandardCharsets.UTF_8);
             BufferedReader bufferedReader = new BufferedReader(inputStreamReader)) {

            return bufferedReader.lines()
                    .collect(Collectors.joining(System.lineSeparator()));
        }
    }

}

我使用的是java 11和bouncy castle，请参见下面的特定工件id：

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.68</version>
</dependency>

所以我不清楚为什么curl命令可以工作，而java中的设置失败。我有没有弄错什么，任何帮助都太好了！我尽量提供细节。私钥是一个测试密钥，所以在这里共享它不会造成伤害。

https请求通过curl，但通过java失败

暂无答案！

相关问题

热门标签

最新问答