继我的mqtt和ssl冒险之后,我在java环境中遇到了一个问题。
这次我用的是 OpenSSL 生成的证书并尝试将它们导入我的 java key store . 我犯了个错误 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors .
我仍在学习有关ssl/tls/certificates/java密钥库的更多信息。
客户端异常
当我运行应用程序时,我得到以下错误(从测试驱动)
acme.fooApp.mqtt.FooMqttException: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at acme.fooApp.mqtt.MqttConnection.connect(MqttConnection.java:53)
at acme.fooApp.mqtt.BasicAuthenticationWithSSLConnections.will_successfully_send_a_message(BasicAuthenticationWithSSLConnections.java:30)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:675)
at org.junit.jupiter.engine.execution.MethodInvocation.proceed(MethodInvocation.java:60)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain$ValidatingInvocation.proceed(InvocationInterceptorChain.java:125)
at org.junit.jupiter.engine.extension.TimeoutExtension.intercept(TimeoutExtension.java:132)
at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestableMethod(TimeoutExtension.java:124)
at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestMethod(TimeoutExtension.java:74)
at org.junit.jupiter.engine.execution.ExecutableInvoker$ReflectiveInterceptorCall.lambda$ofVoidMethod$0(ExecutableInvoker.java:115)
at org.junit.jupiter.engine.execution.ExecutableInvoker.lambda$invoke$0(ExecutableInvoker.java:105)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain$InterceptedInvocation.proceed(InvocationInterceptorChain.java:104)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain.proceed(InvocationInterceptorChain.java:62)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain.chainAndInvoke(InvocationInterceptorChain.java:43)
at org.junit.jupiter.engine.execution.InvocationInterceptorChain.invoke(InvocationInterceptorChain.java:35)
at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:104)
at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:98)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:202)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:198)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:135)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:69)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:135)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:125)
at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:135)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:123)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:122)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:80)
at java.util.ArrayList.forEach(ArrayList.java:1257)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:139)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:125)
at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:135)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:123)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:122)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:80)
at java.util.ArrayList.forEach(ArrayList.java:1257)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:139)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:125)
at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:135)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:123)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:122)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:80)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:229)
at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:197)
at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:211)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:191)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
at com.intellij.junit5.JUnit5IdeaTestRunner.startRunnerWithArgs(JUnit5IdeaTestRunner.java:71)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:220)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:53)
Caused by: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 10 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:154)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 16 more
Process finished with exit code -1mosquitto配置
port 1886
allow_anonymous false
password_file .\mosquitto-auth+ssl.pwd
acl_file .\mosquitto-auth+ssl.acl
# capath
cafile .\localhost_ca.crt
# PEM encoded server certificate.
certfile .\localhost_srv.crt
# PEM encoded keyfile.
keyfile .\localhost_srv.key
tls_version tlsv1.2证书生成
我使用以下脚本生成所有内容-因此无需手动干预-无需输入-只需运行:
# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Set-Location (Split-Path $MyInvocation.MyCommand.Path -Parent)
$env:Path = $env:Path + ";" + $env:JAVA_HOME + "\bin"
Clear-Host
$java_key_store_alias = "MYMACHINE"
$java_key_store_file = "MYMACHINE.jks"
#
# create ca-key
#
openssl genrsa -des3 -passout pass:password -out localhost_ca.key 2048
#
# create ca-cert
#
openssl req -new -x509 -days 3650 -key localhost_ca.key -out localhost_ca.crt -passin pass:password -subj "/C=GB/ST=Timbuktu/L=Timbuktu/O=acme/CN=localhost-CA"
#
# create server-key
#
openssl genrsa -out localhost_srv.key 2048
#
# create server-csr
#
openssl req -new -out localhost_srv.csr -key localhost_srv.key -passin pass:password -subj "/C=GB/ST=Timbuktu/L=Timbuktu/O=acme/CN=localhost"
#
# create server-crt
# verify and sign: server-csr = ca-crt + ca-key
#
openssl x509 -req -in localhost_srv.csr -CA localhost_ca.crt -CAkey localhost_ca.key -CAcreateserial -out localhost_srv.crt -passin pass:password -days 3650
#
# convert ca-cert to pfx/p12
#
openssl pkcs12 -export -in localhost_ca.crt -inkey localhost_ca.key -out localhost_ca.p12 -passin pass:password -passout pass:password
# verify
write-host "Verifying..."
openssl verify -CAfile localhost_ca.crt localhost_srv.crt
#
#
# JAVA
#
#
# create a java keystore
Write-Host "Now the Java fun begins..."
if (Test-Path $java_key_store_file) {
Remove-Item $java_key_store_file
}
keytool -genkey -alias $java_key_store_alias -keyalg RSA -keysize 2048 -keystore "$java_key_store_file" -dname "CN=localhost-CA, O=acme, L=Timbuktu, ST=Timbuktu, C=GB" -storepass password -keypass password -validity 2000
# import certificate
keytool -import -alias $java_key_store_alias -keystore $java_key_store_file -file localhost_ca.p12 -storepass password -keypass password我不确定这是否正确。validate返回ok。
Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
...........................................................................................+++++
e is 65537 (0x010001)
Can't load ./.rnd into RNG
9156:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:88:Filename=./.rnd
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
................................................................................................+++++
e is 65537 (0x010001)
Can't load ./.rnd into RNG
6580:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:88:Filename=./.rnd
Signature ok
subject=C = GB, ST = Timbuktu, L = Timbuktu, O = acme, CN = localhost
Getting CA Private Key
Verifying...
localhost_srv.crt: OK
Now the Java fun begins...
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore MYMACHINE.jks -destkeystore MYMACHINE.jks -deststoretype pkcs12".
keytool error: java.security.cert.CertificateParsingException: signed fields invalid客户端java代码
目前正在进行黑客攻击,抱歉:(
public static SSLSocketFactory forKeyStore(String filePath, String password) throws Exception {
TrustManagerFactory defaultTMF;
X509TrustManager customTM;
X509TrustManager defaultTM;
List<TrustManager> trustManagerList = new ArrayList<>();
defaultTMF = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
defaultTMF.init((KeyStore) null);
defaultTM = getTrustManagerFromFactory(defaultTMF);
FileInputStream fileInputStream = new FileInputStream(filePath);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(fileInputStream, password.toCharArray());
fileInputStream.close();
TrustManagerFactory customTMF = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
customTMF.init(keyStore);
customTM = getTrustManagerFromFactory(customTMF);
X509TrustManager finalCustomTM = customTM;
new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
defaultTM.checkClientTrusted(x509Certificates, s);
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
try {
if (finalCustomTM == null) {
defaultTM.checkServerTrusted(x509Certificates, s);
} else {
finalCustomTM.checkServerTrusted(x509Certificates, s);
}
} catch (CertificateException ex) {
defaultTM.checkServerTrusted(x509Certificates, s);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return defaultTM.getAcceptedIssuers();
}
};
//trustManagerList.addAll(Arrays.asList(tmf.getTrustManagers()));
trustManagerList.add(finalCustomTM);
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null, trustManagerList.toArray(new TrustManager[trustManagerList.size()]), null);
return context.getSocketFactory();
}
private static X509TrustManager getTrustManagerFromFactory(TrustManagerFactory trustManagerFactory) {
for (TrustManager tm : trustManagerFactory.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
return (X509TrustManager) tm;
}
}
return null;
}有什么好处?
所以目前我只将ca证书导入密钥库。
如果您对此有任何指导,我们将不胜感激。大量的谷歌搜索这些例外情况,并在这里没有产生任何喜悦。我会继续找的。每个人的情况都不一样。我看不出我在上述步骤中所犯的错误。
调试时,我注意到我的证书在 finalCustomTM 变量:
如果我使用 SSLSocketFactory.getDefault() 那么这仍然是上述相同错误的情况。
如果我在队伍里发表评论 trustManagerList.addAll(Arrays.asList(defaultTMF.getTrustManagers())); ,然后我得到一个不同的例外: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
暂无答案!
目前还没有任何答案,快来回答吧!