来自路径的JavasslHandshakeException不与任何信任锚点链接

laik7k3q  于 2021-07-08  发布在  Java
关注(0)|答案(0)|浏览(310)

继我的mqtt和ssl冒险之后,我在java环境中遇到了一个问题。
这次我用的是 OpenSSL 生成的证书并尝试将它们导入我的 java key store . 我犯了个错误 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors .
我仍在学习有关ssl/tls/certificates/java密钥库的更多信息。

客户端异常

当我运行应用程序时,我得到以下错误(从测试驱动)

acme.fooApp.mqtt.FooMqttException: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

    at acme.fooApp.mqtt.MqttConnection.connect(MqttConnection.java:53)
    at acme.fooApp.mqtt.BasicAuthenticationWithSSLConnections.will_successfully_send_a_message(BasicAuthenticationWithSSLConnections.java:30)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:675)
    at org.junit.jupiter.engine.execution.MethodInvocation.proceed(MethodInvocation.java:60)
    at org.junit.jupiter.engine.execution.InvocationInterceptorChain$ValidatingInvocation.proceed(InvocationInterceptorChain.java:125)
    at org.junit.jupiter.engine.extension.TimeoutExtension.intercept(TimeoutExtension.java:132)
    at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestableMethod(TimeoutExtension.java:124)
    at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestMethod(TimeoutExtension.java:74)
    at org.junit.jupiter.engine.execution.ExecutableInvoker$ReflectiveInterceptorCall.lambda$ofVoidMethod$0(ExecutableInvoker.java:115)
    at org.junit.jupiter.engine.execution.ExecutableInvoker.lambda$invoke$0(ExecutableInvoker.java:105)
    at org.junit.jupiter.engine.execution.InvocationInterceptorChain$InterceptedInvocation.proceed(InvocationInterceptorChain.java:104)
    at org.junit.jupiter.engine.execution.InvocationInterceptorChain.proceed(InvocationInterceptorChain.java:62)
    at org.junit.jupiter.engine.execution.InvocationInterceptorChain.chainAndInvoke(InvocationInterceptorChain.java:43)
    at org.junit.jupiter.engine.execution.InvocationInterceptorChain.invoke(InvocationInterceptorChain.java:35)
    at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:104)
    at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:98)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:202)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:198)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:135)
    at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:69)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:135)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:125)
    at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:135)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:123)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:122)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:80)
    at java.util.ArrayList.forEach(ArrayList.java:1257)
    at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:139)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:125)
    at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:135)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:123)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:122)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:80)
    at java.util.ArrayList.forEach(ArrayList.java:1257)
    at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$5(NodeTestTask.java:139)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$7(NodeTestTask.java:125)
    at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:135)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:123)
    at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:122)
    at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:80)
    at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
    at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
    at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
    at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:229)
    at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:197)
    at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:211)
    at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:191)
    at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
    at com.intellij.junit5.JUnit5IdeaTestRunner.startRunnerWithArgs(JUnit5IdeaTestRunner.java:71)
    at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
    at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:220)
    at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:53)
Caused by: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
    ... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 10 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:154)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 16 more

Process finished with exit code -1

mosquitto配置

port 1886

allow_anonymous false
password_file .\mosquitto-auth+ssl.pwd
acl_file .\mosquitto-auth+ssl.acl

# capath

cafile .\localhost_ca.crt

# PEM encoded server certificate.

certfile .\localhost_srv.crt

# PEM encoded keyfile.

keyfile .\localhost_srv.key

tls_version tlsv1.2

证书生成

我使用以下脚本生成所有内容-因此无需手动干预-无需输入-只需运行:


# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Set-Location (Split-Path $MyInvocation.MyCommand.Path -Parent)
$env:Path = $env:Path + ";" + $env:JAVA_HOME + "\bin"
Clear-Host

$java_key_store_alias = "MYMACHINE"
$java_key_store_file = "MYMACHINE.jks"

# 

# create ca-key

# 

openssl genrsa -des3 -passout pass:password -out localhost_ca.key 2048

# 

# create ca-cert

# 

openssl req -new -x509 -days 3650 -key localhost_ca.key -out localhost_ca.crt -passin pass:password -subj "/C=GB/ST=Timbuktu/L=Timbuktu/O=acme/CN=localhost-CA"

# 

# create server-key

# 

openssl genrsa -out localhost_srv.key 2048

# 

# create server-csr

# 

openssl req -new -out localhost_srv.csr -key localhost_srv.key -passin pass:password -subj "/C=GB/ST=Timbuktu/L=Timbuktu/O=acme/CN=localhost"

# 

# create server-crt

# verify and sign: server-csr = ca-crt + ca-key

# 

openssl x509 -req -in localhost_srv.csr -CA localhost_ca.crt -CAkey localhost_ca.key -CAcreateserial -out localhost_srv.crt -passin pass:password -days 3650 

# 

# convert ca-cert to pfx/p12

# 

openssl pkcs12 -export -in localhost_ca.crt -inkey localhost_ca.key -out localhost_ca.p12 -passin pass:password -passout pass:password

# verify

write-host "Verifying..."
openssl verify -CAfile localhost_ca.crt localhost_srv.crt

# 

# 

# JAVA

# 

# 

# create a java keystore

Write-Host "Now the Java fun begins..."

if (Test-Path $java_key_store_file) {
   Remove-Item $java_key_store_file
}

keytool -genkey -alias $java_key_store_alias -keyalg RSA -keysize 2048 -keystore "$java_key_store_file" -dname "CN=localhost-CA, O=acme, L=Timbuktu, ST=Timbuktu, C=GB" -storepass password -keypass password -validity 2000

# import certificate

keytool -import -alias $java_key_store_alias -keystore $java_key_store_file -file localhost_ca.p12 -storepass password -keypass password

我不确定这是否正确。validate返回ok。

Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
...........................................................................................+++++
e is 65537 (0x010001)
Can't load ./.rnd into RNG
9156:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:88:Filename=./.rnd
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
................................................................................................+++++
e is 65537 (0x010001)
Can't load ./.rnd into RNG
6580:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:88:Filename=./.rnd
Signature ok
subject=C = GB, ST = Timbuktu, L = Timbuktu, O = acme, CN = localhost
Getting CA Private Key
Verifying...
localhost_srv.crt: OK
Now the Java fun begins...

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore MYMACHINE.jks -destkeystore MYMACHINE.jks -deststoretype pkcs12".
keytool error: java.security.cert.CertificateParsingException: signed fields invalid

客户端java代码

目前正在进行黑客攻击,抱歉:(

public static SSLSocketFactory forKeyStore(String filePath, String password) throws Exception {

        TrustManagerFactory defaultTMF;
        X509TrustManager customTM;
        X509TrustManager defaultTM;
        List<TrustManager> trustManagerList = new ArrayList<>();

        defaultTMF = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaultTMF.init((KeyStore) null);
        defaultTM = getTrustManagerFromFactory(defaultTMF);

        FileInputStream fileInputStream = new FileInputStream(filePath);
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(fileInputStream, password.toCharArray());
        fileInputStream.close();

        TrustManagerFactory customTMF = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        customTMF.init(keyStore);

        customTM = getTrustManagerFromFactory(customTMF);

        X509TrustManager finalCustomTM = customTM;
        new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                defaultTM.checkClientTrusted(x509Certificates, s);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                try {
                    if (finalCustomTM == null) {
                        defaultTM.checkServerTrusted(x509Certificates, s);
                    } else {
                        finalCustomTM.checkServerTrusted(x509Certificates, s);
                    }
                } catch (CertificateException ex) {
                    defaultTM.checkServerTrusted(x509Certificates, s);
                }
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return defaultTM.getAcceptedIssuers();
            }
        };

        //trustManagerList.addAll(Arrays.asList(tmf.getTrustManagers()));
        trustManagerList.add(finalCustomTM);

        SSLContext context = SSLContext.getInstance("TLSv1.2");

        context.init(null, trustManagerList.toArray(new TrustManager[trustManagerList.size()]), null);

        return context.getSocketFactory();
    }

    private static X509TrustManager getTrustManagerFromFactory(TrustManagerFactory trustManagerFactory) {
        for (TrustManager tm : trustManagerFactory.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        return null;
    }

有什么好处?

所以目前我只将ca证书导入密钥库。
如果您对此有任何指导,我们将不胜感激。大量的谷歌搜索这些例外情况,并在这里没有产生任何喜悦。我会继续找的。每个人的情况都不一样。我看不出我在上述步骤中所犯的错误。
调试时,我注意到我的证书在 finalCustomTM 变量:

如果我使用 SSLSocketFactory.getDefault() 那么这仍然是上述相同错误的情况。
如果我在队伍里发表评论 trustManagerList.addAll(Arrays.asList(defaultTMF.getTrustManagers())); ,然后我得到一个不同的例外: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题