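I am getting the well-known PKIX path building failed exception, and to find the root cause I had to enable java.security.debug=certpath and look at the logs. In my case the cause was:
certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
But my problem is that I cannot find the above root cause programmatically, because the thrown exception (see below) is in the sun.security.validator package, which I cannot import, and even if I could import it, I am not sure it contains any reference to the root cause (correct me if I am wrong).
Using Java 17.
The relevant code is: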
// trustAnchors, intermediateCAcertStore and targetCert are set up elsewhere
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, null);
params.addCertStore(intermediateCAcertStore);
// Enable revocation checking through the PKIX revocation checker
params.addCertPathChecker((PKIXCertPathChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(new CertPathTrustManagerParameters(params));
X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
// Throws a CertificateException if no valid path to a trust anchor is found
tm.checkClientTrusted(new X509Certificate[]{ targetCert }, "RSA");
which throws:
Exception in thread "main" sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:242)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:107)
at com.example.TrustManagerTest.test1(TrustManagerTest.java:98)
at com.example.TrustManagerTest.main(TrustManagerTest.java:54)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 6 more
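So I have no way to see that the real cause is the OCSP check unless I enable security debugging and search the logs. But I want to discover it programmatically and handle it, or at least somehow obtain the
java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
message and display it.
Any suggestions?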
1 Answer
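The sun.security.validator.ValidatorException exception does not provide direct access to the CertPathValidatorException or its message. However, you can catch the ValidatorException and check its cause to determine whether it is a CertPathBuilderException. If it is, then you can catch its cause and check whether it is a CertPathValidatorException. If it is, you can access its message using the getMessage() method. Catching exceptions and checking their causes may not be the most elegant solution, but it should allow you to access the underlying CertPathValidatorException message that you are interested in.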
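An added example, not part of the original question or answer and not JDK code: the stack trace in the question ends at SunCertPathBuilderException with no further cause, so besides walking the cause chain, this sketch builds the chain with revocation checking off and then validates it with the revocation checker, where a revocation failure is thrown as a CertPathValidatorException that can be caught directly. The class and method names are hypothetical, and the exception chain in main is constructed for illustration.

```java
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.Set;

public class RevocationDiagnosis {
    /** First CertPathValidatorException in the cause chain, or null if there is none. */
    static CertPathValidatorException findValidatorCause(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause())
            if (c instanceof CertPathValidatorException cpve) return cpve;
        return null;
    }

    static String describe(CertPathValidatorException e) {
        return e.getReason() + " (cert index " + e.getIndex() + "): " + e.getMessage();
    }

    /** Phase 1 builds the chain without revocation checks; phase 2 validates it with them. */
    static String diagnose(Set<TrustAnchor> anchors, CertStore intermediates,
                           X509Certificate target) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.addCertStore(intermediates);
        params.setRevocationEnabled(false);
        CertPath path;
        try {
            path = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
        } catch (CertPathBuilderException e) {
            CertPathValidatorException inner = findValidatorCause(e);
            return "chain building failed: " + (inner != null ? describe(inner) : e.getMessage());
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // A supplied revocation checker is used regardless of the RevocationEnabled flag.
        params.addCertPathChecker((PKIXCertPathChecker) validator.getRevocationChecker());
        try {
            validator.validate(path, params);
            return "valid";
        } catch (CertPathValidatorException e) {
            return "validation failed: " + describe(e); // revocation errors surface here
        }
    }

    public static void main(String[] args) {
        // Constructed exception chain for illustration, not output from a real handshake.
        Exception sample = new CertPathBuilderException(
            "unable to find valid certification path to requested target",
            new CertPathValidatorException("Certificate does not specify OCSP responder",
                null, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS));
        System.out.println(describe(findValidatorCause(sample)));
    }
}
```

In the trust manager case, catch java.security.cert.CertificateException (the declared exception of checkClientTrusted) and pass it to findValidatorCause; if that returns null, diagnose gives the validator's own exception.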