Java: how to get the underlying cause of a "PKIX path building failed" exception

hm2xizp9  posted 2023-05-12  in Java
Follow (0) | Answers (1) | Views (205)

The bounty expires in 4 days. Answering this question earns +100 reputation. Paralife wants to draw more attention to this question.

I am getting the well-known PKIX path building failed exception. To find the root cause I had to enable java.security.debug=certpath and look through the log. In my case the reason was
certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
But my problem is that I cannot find the root cause above programmatically, because the thrown exception (see below) lives in the sun.security.validator package, which I cannot import, and even if I could import it, I am not sure it holds any reference to the root cause (please correct me if I am wrong).
Using Java 17.
The relevant code is:

PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, null);
params.addCertStore(intermediateCAcertStore);
// explicit revocation (OCSP/CRL) checker added to the builder parameters
params.addCertPathChecker((PKIXCertPathChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker());

TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(new CertPathTrustManagerParameters(params));
X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
tm.checkClientTrusted(new X509Certificate[]{ targetCert }, "RSA");

which throws:

Exception in thread "main" sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
  at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
  at java.base/sun.security.validator.Validator.validate(Validator.java:264)
  at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:242)
  at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:107)
  at com.example.TrustManagerTest.test1(TrustManagerTest.java:98)
  at com.example.TrustManagerTest.main(TrustManagerTest.java:54)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
  at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
  at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 6 more

So I have no way of seeing that the real reason is the OCSP check unless I enable security debugging and search the log. But I want to discover it programmatically and handle it, or at least somehow obtain the
java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
message and display it.
Any suggestions?

7cwmlq89 #1

The sun.security.validator.ValidatorException exception does not provide direct access to the CertPathValidatorException or its message.
However, you can catch the ValidatorException and inspect its cause to determine whether it is a CertPathBuilderException. If it is, you can take its cause in turn and check whether that is a CertPathValidatorException. If so, you can read its message with the getMessage() method.

try {
    // your code that throws the ValidatorException
} catch (ValidatorException e) {
    Throwable cause = e.getCause();
    if (cause instanceof CertPathBuilderException) {
        CertPathBuilderException cpbe = (CertPathBuilderException) cause;
        Throwable cpbeCause = cpbe.getCause();
        if (cpbeCause instanceof CertPathValidatorException) {
            CertPathValidatorException cpve = (CertPathValidatorException) cpbeCause;
            String message = cpve.getMessage();
            // handle or display the message here
        }
    }
}

Catching the exception and inspecting its causes may not be the most elegant solution, but it should give you access to the underlying CertPathValidatorException message you are interested in.
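An added example (not from the question or the answer above) that does the same cause-chain walk through public java.security.cert types only, so it compiles on Java 17 without any sun.security.* import: it catches CertificateException (the public supertype of ValidatorException) and looks for a CertPathValidatorException, whose getReason() and getIndex() identify the failed check and the offending certificate. It also covers the case the stack trace above actually shows, where the chain ends at the builder exception with no further "Caused by" and no CertPathValidatorException is reachable, by reporting the deepest cause instead; the class and method names are my own choices.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Optional;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/** Root-cause extraction using only public java.security.cert types (no sun.* imports). */
public final class CertPathDiagnostics {

    /** Returns the first CertPathValidatorException in the cause chain, guarding against cyclic chains. */
    public static Optional<CertPathValidatorException> findValidatorFailure(Throwable t) {
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        for (Throwable cur = t; cur != null && seen.add(cur); cur = cur.getCause()) {
            if (cur instanceof CertPathValidatorException cpve) {   // Java 16+ pattern matching
                return Optional.of(cpve);
            }
        }
        return Optional.empty();
    }

    /** One-line diagnosis: reason, failing certificate index/subject and message, or else the deepest cause. */
    public static String describe(Throwable t) {
        Optional<CertPathValidatorException> found = findValidatorFailure(t);
        if (found.isPresent()) {
            CertPathValidatorException e = found.get();
            String subject = "unknown";
            if (e.getCertPath() != null && e.getIndex() >= 0) {   // index is -1 when no single cert is to blame
                X509Certificate c = (X509Certificate) e.getCertPath().getCertificates().get(e.getIndex());
                subject = c.getSubjectX500Principal().getName();
            }
            return "reason=" + e.getReason() + " index=" + e.getIndex()
                 + " subject=" + subject + " message=" + e.getMessage();
        }
        // Fallback for chains like the trace in the question: walk to the last cause (cycle-safe).
        Throwable deepest = t;
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        while (deepest.getCause() != null && seen.add(deepest)) deepest = deepest.getCause();
        return "no CertPathValidatorException in the chain; deepest cause: " + deepest;
    }

    /** Wraps the trust check from the question; empty result means the chain was trusted. */
    public static Optional<String> checkAndDiagnose(X509TrustManager tm, X509Certificate[] chain, String authType) {
        try {
            tm.checkClientTrusted(chain, authType);
            return Optional.empty();
        } catch (CertificateException e) {   // catches ValidatorException without naming it
            return Optional.of(describe(e));
        }
    }
}
```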
