文档章节

解决 Java 调用 Azure SDK 证书错误 javax.net.ssl.SSLHandshakeException

c
 chaobits
发布于 2017/09/08 15:17
字数 2175
阅读 15
收藏 0

Azure 作为微软的公有云平台,提供了非常丰富的 SDK 和 API 让开发人员可以非常方便的调用的各项服务,目前除了自家的 .NET、Java、Python、 nodeJS、Ruby,PHP 等语言都提供支持,详细的文档说明请参考:

https://azure.microsoft.com/en-us/documentation/

然而在使用过程中,以 Java 语言为例,在初始调用 Azure SDK/API 的时候大家会碰到类似下面的错误:

[WARN] ServiceBusContract - com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target <com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requestedtarget>com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:151)
at com.microsoft.windowsazure.services.servicebus.implementation.AuthorizationFilter.handle(AuthorizationFilter.java:39)
at com.microsoft.windowsazure.core.pipeline.jersey.ClientFilterRequestAdapter.handle(ClientFilterRequestAdapter.java:36)
at com.sun.jersey.api.client.Client.handle(Client.java:648)

其实这个错误并不是 Azure 的问题,如果大家搜一搜就知道,只要是你用 Java 去访问 https 的网站或者服务,都会碰到类似的错误,最根本的原因是 CNNIC 所颁发的证书并不被 JDK 所认可,其中原因大家应该懂得:)今年5月份,Google 和 Firefox 等多家互联网公司更是将直接拒绝接受 CNNIC 所颁发的证书:

https://threatpost.com/google-drops-trust-in-chinese-certificate-authority-cnnic/111974/

言归正传,如何解决这个问题?

1. 等待 Oracle/Google/Mozilla 等等组织信任 CNNIC,算了,洗洗睡吧

2. 使用 Java 的 TrustManager 忽略所有的 SSL 请求的证书,仅仅用于开发测试,限于篇幅不做介绍了

3. 导入目标网站的证书,然后在开始调用之前,指定 keystore 就 ok 了,本文介绍下该方法

在你的 IDE 环境中导入如下文件获取目标网站的证书,该程序是 Sun(已经被 Oracle 收了)的一位大牛写的,名字没有查到,我只是引用一下,不是我写的,对其贡献表示尊重:

package com.azurelabs.china.tools;

/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out
.println("Usage: java InstallCert <host>[:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP + "lib"
+ SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf
.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] { tm }, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out
.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader = new BufferedReader(new InputStreamReader(
System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println(" " + (i + 1) + " Subject "
+ cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out
.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out
.println("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}

复制到你的IDE中,加上你的网站名字作为参数运行,如果是Azure,就使用www.windowsazure.cn作为参数,选择1,回车,就可以得到一个keystore文件:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.azurelabs.china.tools.InstallCert.main(InstallCert.java:104)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.azurelabs.china.tools.InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:200)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 17 more

Server sent 2 certificate(s):

1 Subject CN=support.windowsazure.cn, OU=Azure, O=Shanghai Blue Cloud Technology Co. Ltd, L=Shanghai, ST=Shanghai, C=CN
Issuer CN=WoSign Class 3 OV Server CA G2, O=WoSign CA Limited, C=CN
sha1 39 02 08 52 59 bf 47 97 2f eb f7 8f fc c9 03 ef 26 cb 21 dd
md5 83 28 58 28 51 b8 62 ed 36 e6 d0 70 15 99 a8 38

2 Subject CN=WoSign Class 3 OV Server CA G2, O=WoSign CA Limited, C=CN
Issuer CN=Certification Authority of WoSign, O=WoSign CA Limited, C=CN
sha1 2b 43 72 46 cc ba 25 15 9e b5 be a1 62 ac 60 18 dc bf f4 72
md5 5f a4 91 6a ab d3 c9 80 09 6c eb 00 31 34 fc 3d

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
Version: V3
Subject: CN=support.windowsazure.cn, OU=Azure, O=Shanghai Blue Cloud Technology Co. Ltd, L=Shanghai, ST=Shanghai, C=CN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus: 24104532407647535108241621827688332263926906187163691939931462013874932504662453335625927986716086247633840840524051115
364996238391743503802118690155144909240897365990040793471910633352618274034556617076873608976668528804939183424686164227185431879
267461919749098227696743182875748132677719418665216178511515782485580061460364614666955611361304411692446552333333850501994838165
659760614012629638654246105220036245117410486536684224500173338204500619911544787890879820586922542656204188700978168997284623863
785685892268535250107770005916206905453265121667987788474107941942533485774966535690717314093662982801373356241
public exponent: 65537
Validity: [From: Tue Nov 24 19:32:28 CST 2015,
To: Fri Nov 24 19:32:28 CST 2017]
Issuer: CN=WoSign Class 3 OV Server CA G2, O=WoSign CA Limited, C=CN
SerialNumber: [ 6d899f54 35b4c5af f9f08f76 a88e0d33]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp1.wosign.com/ca6/server3
,
accessMethod: caIssuers
accessLocation: URIName: http://aia1.wosign.com/ca6.server3.cer
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F9 8B EC 04 38 6A 3F AA 06 C6 94 AD 73 95 2A B0 ....8j?.....s.*.
0010: C8 E6 B8 FB ....
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crls1.wosign.com/ca6-server3.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.36305.6.3.2.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1D 68 74 74 70 3A 2F 2F 77 77 77 2E 77 6F 73 ..http://www.wos
0010: 69 67 6E 2E 63 6F 6D 2F 70 6F 6C 69 63 79 2F ign.com/policy/

]] ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: support.windowsazure.cn
DNSName: www.windowsazure.cn
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 17 38 7A B7 4C 12 D9 0A 36 B5 C6 70 C3 DD DE B8 .8z.L...6..p....
0010: 46 AE 86 70 F..p
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 9B 9D DB 30 3E 69 B9 29 3C ED 98 98 AA 21 B0 DD ...0>i.)<....!..
0010: 0F AD 16 79 21 7D 7F 54 66 90 87 73 BF 1C 1A 8A ...y!..Tf..s....
0020: 4A 08 86 1A 31 AF 27 74 11 22 B5 4A 8B A0 23 4B J...1.'t.".J..#K
0030: BE 80 7D 51 35 96 D1 E9 2B 6F F6 3C AB E5 DF C8 ...Q5...+o.<....
0040: D7 B7 C4 63 D5 0E EC D8 AE 67 33 A6 C7 03 C1 51 ...c.....g3....Q
0050: F1 A5 4B 06 DC 37 B5 DB D2 B8 64 E9 E1 A3 8E C7 ..K..7....d.....
0060: B4 4A 96 D3 08 A7 E3 3D 64 61 13 24 6D 35 01 29 .J.....=da.$m5.)
0070: 64 F3 7D CE E2 56 8E 6A A2 E2 60 0D D8 D2 AD CF d....V.j..`.....
0080: FC 0E 5C 14 4B 6F F7 BE 71 1D 78 7A C7 09 5C 87 ..\.Ko..q.xz..\.
0090: 0F 38 AD 0D 94 19 E1 45 32 72 EA AB 78 4D 4C 67 .8.....E2r..xMLg
00A0: E8 4E 94 4B A7 28 35 3A 94 A6 97 CC 06 F0 68 74 .N.K.(5:......ht
00B0: 02 C0 D9 B3 4B 64 CD 7A 43 F0 8B B9 E8 CC 75 9A ....Kd.zC.....u.
00C0: 08 50 4F A1 CF 63 1D 80 7C 5A 8D 32 D1 09 B9 C3 .PO..c...Z.2....
00D0: B8 C0 B7 BE 6B 92 2B 80 B0 A4 8A 0E 19 16 41 42 ....k.+.......AB
00E0: 90 88 B4 CA E7 3B B5 F7 70 80 D7 10 37 41 DB 4D .....;..p...7A.M
00F0: 9E 2B 65 45 F1 CB 08 EA 83 1F 29 A1 E3 68 EA 9B .+eE......)..h..

]

Added certificate to keystore 'jssecacerts' using alias 'www.windowsazure.cn-1'

你在程序运行的当前目录会生成一个jssecacerts文件,你可以将它放到你的jre的lib\security目录,也可以放在任意位置,然后再你的程序调用API之前指定TrustStore的位置:

System.setProperty("javax.net.ssl.trustStore","E:\\DevSpace\\jssecacerts");

我的例子如下:

 

点击这里可以获得更优秀的阅读效果。

© 著作权归作者所有

共有 人打赏支持
c
粉丝 0
博文 3
码字总数 2175
作品 0
新加坡
PKIX path building failed: sun.security.provide...

在执行webservice的过程中,出现如下异常: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpat......

Java编程思想
2013/06/26
0
0
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

问题 前两天一个学弟在群里面问一个问题: 觉得挺有意思,就叫他把请求的URL给一下,然后我在机器上用命令测试了一把: 发现报了与ssl有关的错误,我推测可能与https证书有关。但是他的代码和...

那只是一股逆流
05/23
0
0
新的Eclipse插件CTP减轻Java开发人员进行Windows Azure开发时的负担

公告 :本博客为微软云计算中文博客 的镜像博客。 部分文章因为博客兼容性问题 ,会影响阅读体验 。如遇此情况,请访问 原博客。 在昨天的EclipseCon 2011大会上,Vijay Rajagopalan在他的演...

晨曦之光
2012/03/09
0
0
用 JNI 进行 Java 编程(1)

本教程是关于什么的? Java 本机接口(Java Native Interface (JNI))是一个本机编程接口,它是 Java 软件开发工具箱(Java Software Development Kit (SDK))的一部分。JNI 允许 Java 代码使...

Jerikc
2012/10/08
0
0
Interopability协同合作性 常见问题解答

公告:本博客为微软云计算中文博客的镜像博客。部分文章因为博客兼容性问题,会影响阅读体验。如遇此情况,请访问原博客。 在PDC09上会发布什么解决方案加速器?是谁构建的? PDC会议上, 我们...

晨曦之光
2012/03/09
0
0

没有更多内容

加载失败,请刷新页面

加载更多

下一页

InvalidKeyException: Illegal key size

Caused by: java.lang.RuntimeException: java.security.InvalidKeyException: Illegal key size 解决方案:去官方下载JCE无限制权限策略文件。 jdk 5: http://www.oracle.com/technetwork/j......

自由的开源
11分钟前
0
0
JAVA秒杀实现以及优化原理

秒杀与其他业务最大的区别在于:秒杀的瞬间, (1)系统的并发量会非常的大 (2)并发量大的同时,网络的流量也会瞬间变大。 关于(2),最常用的办法就是做页面静态化,也就是常说的前后端分...

小贱是个程序员
15分钟前
1
0
Spring Aop之Advisor解析

在上文Spring Aop之Target Source详解中,我们讲解了Spring是如何通过封装Target Source来达到对最终获取的目标bean进行封装的目的。其中我们讲解到,Spring Aop对目标bean进行代理是通过Ann...

爱宝贝丶
17分钟前
0
0
Java高级工程师面试阿里,阿里云,天猫,菜鸟,涉及到的知识点

前言: 分享 Java高级工程师面试阿里,阿里云,天猫,菜鸟,涉及到的知识点,文章有点长,但比较全面,阅读时间15分钟左右,干货满满。 一、HashMap的那些事 1.1、HashMap的实现原理 1.1.1、...

Java大蜗牛
42分钟前
2
0
nginx模块学习五 expires 浏览器缓存

缓存原理 语法 Syntax: expires [modified] time;expires epoch | max | off;Default: expires off;Context: http,server,location,if in location 例/etc/nginx/conf.d/default.con......

Romanceling
53分钟前
0
0

没有更多内容

加载失败,请刷新页面

加载更多

下一页

返回顶部
顶部