SSL Mutual Authentication in Java - CertPath Certificate Chains


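In mutual authentication, if the server certificate expires and is renewed, every client's trusted certificate has to be updated one by one. A certificate chain solves this problem.

Server and client certificates are generally issued by independent CAs. This example uses two CAs (S03RootCA, the server-side CA, and C03RootCA, the client-side CA) to model the trust relationships of a certificate chain. The relationships in this example are as follows (S: Server, C: Client):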

S03RootCA
  |
  |----S03CA1
              |---Server1


C03RootCA
  |
  |----C03CA1
              |---Client1


1. Generate the server-side CA certificate chain (Cert Path)


1.1 Generate the server-side root certificate S03RootCA
1.1.1 Create the key
    openssl genrsa -des3 -out S03RootCA.key 2048
1.1.2 Self-sign the CA certificate with the CA key
    openssl req -config S03RootCA.cnf -new -x509 -days 3650 -key S03RootCA.key -out S03RootCA.crt
   
1.2 Generate the server-side second-level CA certificate S03CA1
1.2.1 Create the key
    openssl genrsa -des3 -out S03CA1.key 2048
1.2.2 Generate the Certificate Signing Request (CSR)
    openssl req -config S03CA1.cnf -new -key S03CA1.key -out S03CA1.csr
   
1.3 Have the CA (S03RootCA) sign the generated CSR file to produce the server-side second-level certificate
    openssl ca -config S03RootCA.cnf -keyfile S03RootCA.key -cert S03RootCA.crt -in S03CA1.csr -out S03CA1.crt -days 3650

 

 

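2. Generate the client-side CA certificate chain (Cert Path)


2.1 Generate the client-side root certificate C03RootCA
2.1.1 Create the key
    openssl genrsa -des3 -out C03RootCA.key 1024
2.1.2 Self-sign the CA certificate with the CA key
    openssl req -config C03RootCA.cnf -new -x509 -days 3650 -key C03RootCA.key -out C03RootCA.crt
   
2.2 Generate the client-side second-level CA certificate C03CA1
2.2.1 Create the key
    openssl genrsa -des3 -out C03CA1.key 1024
2.2.2 Generate the Certificate Signing Request (CSR)
    openssl req -config C03CA1.cnf -new -key C03CA1.key -out C03CA1.csr
   
2.3 Have the CA (C03RootCA) sign the generated CSR file to produce the client-side second-level certificate
    openssl ca -config C03RootCA.cnf -keyfile C03RootCA.key -cert C03RootCA.crt -in C03CA1.csr -out C03CA1.crt -days 3650

 

(The steps above have created the server-side CA and the client-side CA.)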

3. Use keytool to generate the server-side keystore file and have it signed by the CA

3.1 Generate the server-side keystore file in JKS format, containing the public key and the private key. keypass and storepass must be identical, because Tomcat's server.xml configures only one password.
    keytool -genkey -alias Server1 -keystore Server1Keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN = server1.firefly.com,OU =Server1,O = Firefly,L = ShenZhen,C = CN"

3.2 Generate the Certificate Signing Request (CSR)
    keytool -certreq -alias Server1 -keystore Server1Keystore.jks -file Server1.csr

3.3 Send Server1.csr to the server-side CA (S03CA1) for signing
    openssl ca -config S03CA1.cnf -keyfile S03CA1.key -cert S03CA1.crt -in Server1.csr -out Server1FromCA.crt -days 3650

3.4 Convert Server1FromCA.crt to DER; otherwise keytool import fails with error: invalid DER-encoded certificate data
    openssl x509 -in Server1FromCA.crt -out Server1FromCA.der -outform DER

3.5 Import the CA-signed Server1FromCA.der into the keystore

3.5.1 Convert the root certificate S03RootCA to DER and import it into the keystore.
    openssl x509 -in S03RootCA.crt -out S03RootCA.der -outform DER
    keytool -import -alias S03RootCA -keystore Server1Keystore.jks -file S03RootCA.der
3.5.2 Convert the second-level CA certificate S03CA1 to DER and import it into the keystore.
    openssl x509 -in S03CA1.crt -out S03CA1.der -outform DER
    keytool -import -alias S03CA1 -keystore Server1Keystore.jks -file S03CA1.der
3.5.3 Import the CA-signed Server1FromCA.der into the keystore. (The alias must be the same as that of the KeyEntry, and the CA root certificate and second-level certificate must be imported first.)
     keytool -import -alias Server1 -keystore Server1Keystore.jks -file Server1FromCA.der


4. Use keytool to generate the client-side keystore file and have it signed by the CA

4.1 Generate the client-side keystore file in JKS format, containing the public key and the private key.
    keytool -genkey -alias Client1 -keystore Client1Keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN = client1.firefly.com,OU =Client1,O = Firefly,L = ShenZhen,C = CN"

4.2 Generate the Certificate Signing Request (CSR)
    keytool -certreq -alias Client1 -keystore Client1Keystore.jks -file Client1.csr

4.3 Send Client1.csr to the client-side CA (C03CA1) for signing
    openssl ca -config C03CA1.cnf -keyfile C03CA1.key -cert C03CA1.crt -in Client1.csr -out Client1FromCA.crt -days 3650

4.4 Convert Client1FromCA.crt to DER; otherwise keytool import fails with error: invalid DER-encoded certificate data
    openssl x509 -in Client1FromCA.crt -out Client1FromCA.der -outform DER

4.5 Import the CA-signed Client1FromCA.der into the keystore

4.5.1 Convert the root certificate C03RootCA to DER and import it into the keystore.
    openssl x509 -in C03RootCA.crt -out C03RootCA.der -outform DER
    keytool -import -alias C03RootCA -keystore Client1Keystore.jks -file C03RootCA.der
4.5.2 Convert the second-level CA certificate C03CA1 to DER and import it into the keystore.
    openssl x509 -in C03CA1.crt -out C03CA1.der -outform DER
    keytool -import -alias C03CA1 -keystore Client1Keystore.jks -file C03CA1.der
4.5.3 Import the CA-signed Client1FromCA.der into the keystore. (The alias must be the same as that of the KeyEntry, and the CA root certificate and second-level certificate must be imported first.)
     keytool -import -alias Client1 -keystore Client1Keystore.jks -file Client1FromCA.der

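5. Establish the trust relationship between client and server


5.1 Send the client's certificates (C03RootCA.der, C03CA1.der, Client1FromCA.der) to the server Server1 and import them into the server's truststore.

   keytool -import -alias C03CA1 -keystore Server1Truststore.jks -storepass 123456 -file C03CA1.der

5.2 Send the server's certificates (S03RootCA.der, S03CA1.der, Server1FromCA.der) to the client Client1 and import them into the client's truststore. The client generally trusts the server's root certificate or second-level certificate, so when the server certificate is renewed the client's truststore does not need to be updated.
    keytool -import -alias S03RootCA -keystore Client1Truststore.jks -storepass 123456 -file S03RootCA.der

 

Server side: Server1Keystore.jks   Server1Truststore.jks
Client side: Client1Keystore.jks   Client1Truststore.jks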

 

6. Configure server.xml on the Tomcat server

<Connector port="8443" 
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" 
                keystoreFile="keys/Server1Keystore.jks" keystorePass="123456" 
    		truststoreFile="keys/Server1Truststore.jks" truststorePass="123456"/>
   

 

7. Client code

package com.ssl;

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.FileReader;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * java ClientCertPathTest Client1Truststore.jks 123456 Client1Keystore.jks 123456 192.168.1.123 8443 dummy.txt
 *
 * @author Kevin Li
 */
public class ClientCertPathTest {

	public static void main(String args[]) {
		if (args.length != 7) {
			System.out
					.println("Usage: java ClientCertPathTest <trustStore_file> <password> <keyStore_file> <password> <IP> <port> <DummyFile>");
			System.exit(1);
		}

		try {
			// The default SSLSocketFactory reads its trust store (CAs accepted for the
			// server) and key store (client certificate and private key) from these properties.
			System.setProperty("javax.net.ssl.trustStore", args[0]);
			System.setProperty("javax.net.ssl.trustStorePassword", args[1]);
			System.setProperty("javax.net.ssl.keyStore", args[2]);
			System.setProperty("javax.net.ssl.keyStorePassword", args[3]);

			String ip = args[4];
			int port = Integer.parseInt(args[5]);
			String dummyPath = args[6];

			System.out.println("TrustStore:" + args[0]);
			System.out.println("KeyStore:" + args[2]);
			System.out.println("IP:" + args[4] + ":" + args[5]);
			System.out.println("--------------------");

			SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory
					.getDefault();
			// try-with-resources closes the socket (and its streams) even on failure
			try (SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(ip,
					port)) {
				// The handshake validates the server chain against the trust store and
				// sends the client certificate. A raw SSLSocket does not check the host
				// name unless SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is set.
				sslsocket.startHandshake();
				PrintWriter printwriter = new PrintWriter(new BufferedWriter(
						new OutputStreamWriter(sslsocket.getOutputStream(),
								StandardCharsets.US_ASCII)));

				// URL-encoded text is pure ASCII, so its length is also its byte count
				String requestStr = URLEncoder.encode(readFile(dummyPath), "UTF-8");

				printwriter.write("POST " + "/"
						+ " HTTP/1.0\r\n");
				printwriter
						.write("Content-Length: " + requestStr.length() + "\r\n");
				printwriter
						.write("Content-Type: application/x-www-form-urlencoded\r\n");
				printwriter.write("\r\n");
				printwriter.write(requestStr);
				printwriter.flush();

				System.out.println("Waiting for response---");
				BufferedReader bufferedreader = new BufferedReader(
						new InputStreamReader(sslsocket.getInputStream()));
				String s = null;
				while ((s = bufferedreader.readLine()) != null)
					System.out.println(s);
			}

		} catch (Exception exception) {
			exception.printStackTrace();
		}
	}

	// Reads the whole file into one string; line terminators are dropped.
	private static String readFile(String path) throws Exception {
		StringBuilder sb = new StringBuilder();
		try (BufferedReader br = new BufferedReader(new FileReader(path))) {
			String eachLine = br.readLine();
			while (eachLine != null) {
				sb.append(eachLine);
				eachLine = br.readLine();
			}
		}
		return sb.toString();
	}

}

 

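Notes:

When certificates are issued more than two levels deep, viewing the certificate in IE shows the following:

“因为证书路径中的证书颁发机构似乎没有颁发证书的权限或不能被用作终端实体证书,证书无效” (in English: "The certificate is invalid because a certification authority in the certification path does not appear to have permission to issue certificates, or cannot be used as an end-entity certificate")
In Firefox:
Error code: sec_error_path_len_constraint_invalid
Certificate path length constraint is invalid.

SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID      -8155     Certificate path length constraint is invalid.

 

Certificate -> Details -> Basic Constraints
Subject Type=CA
Path Length Constraint=0  If this is 0, the problem above occurs.

 

Solution:

Change the path length in the .cnf file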

[ v3_ca ]
basicConstraints        = critical, CA:true, pathlen:4
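
The trust relationship from section 5.2 and the path length problem described in the notes can both be checked offline with the CertPath API. The following is an added example, not code from the original post: the class name ChainCheck and the argument order (root first, end entity last) are assumptions, it accepts any number of intermediates, and revocation checking is switched off on the assumption that no CRL is distributed in this setup.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name). Usage, root first and end entity last:
//   java ChainCheck S03RootCA.der S03CA1.der Server1FromCA.der
public class ChainCheck {

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // casBelow: number of CA certificates between this one and the end entity
    // (-1 for the end entity itself, which needs no CA rights).
    static String describe(X509Certificate c, int casBelow) {
        int pathLen = c.getBasicConstraints(); // -1: not a CA, MAX_VALUE: CA without pathlen
        String bc = pathLen == -1 ? "not a CA"
                : pathLen == Integer.MAX_VALUE ? "CA, no pathlen" : "CA, pathlen:" + pathLen;
        // An issuer must be a CA whose pathlen covers the CA certificates below it.
        boolean ok = casBelow < 0 || (pathLen != -1 && pathLen >= casBelow);
        int bits = c.getPublicKey() instanceof RSAPublicKey
                ? ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength() : -1;
        return c.getSubjectX500Principal().getName() + " | " + bc
                + (ok ? "" : " (cannot issue the certificates below it)")
                + " | " + c.getSigAlgName() + " | RSA bits: " + bits;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("Usage: java ChainCheck <root.der> [<intermediate.der> ...] <leaf.der>");
            System.exit(1);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> all = new ArrayList<>(); // end entity first, root last
        for (int i = args.length - 1; i >= 0; i--) all.add(load(cf, args[i]));

        for (int i = 0; i < all.size(); i++)
            System.out.println(describe(all.get(i), i - 1));

        // The CertPath holds everything except the trust anchor, which is the only
        // certificate the relying party has to store (section 5.2).
        X509Certificate root = all.get(all.size() - 1);
        CertPath path = cf.generateCertPath(all.subList(0, all.size() - 1));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // assumption: no CRL is distributed
        try {
            // Current JDKs list MD5 signatures and RSA keys under 1024 bits in
            // jdk.certpath.disabledAlgorithms, so such certificates are rejected here.
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("VALID, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED at path index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Re-running it with a renewed Server1FromCA.der and the same S03RootCA.der shows that the anchor on the client side does not have to change when the server certificate is replaced.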

 

 

 

Appendix:

 

# =================================================
# OpenSSL configuration file
# =================================================

#RANDFILE         = $ENV::SSLDIR/.rnd

[ ca ]
default_ca       = CA_default

[ CA_default ]
#dir              = $ENV::SSLDIR
dir		=G:/study/ssl/sm
#dir		=c:/likun/study/ssl/sm
certs            = $dir/certs
new_certs_dir    = $dir/newcerts
crl_dir          = $dir/crl
database         = $dir/index.txt
private_key      = $dir/private/ca.key
certificate      = $dir/ca.crt
serial           = $dir/serial
crl              = $dir/crl.pem
RANDFILE         = $dir/private/.rand
default_days     = 365
default_crl_days = 30
default_md       = md5 

preserve         = no
policy           = policy_anything
name_opt         = ca_default
cert_opt         = ca_default
x509_extensions         = v3_ca



[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = CN
countryName_min         = 2
countryName_max         = 2
localityName            = Locality Name (eg, city)
localityName_default    = ShenZhen
organizationName        = Organization Name (eg, company)
organizationName_default     =Firefly
commonName              = Common Name (eg, YOUR name)
commonName_default      = S03RootCA
commonName_max          = 64
emailAddress            = Email Address
emailAddress_default    = CAadmin@firefly.com
emailAddress_max        = 64

[ usr_cert ]
basicConstraints        = CA:FALSE
# nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints        = CA:FALSE
nsCertType              = server
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC
nsComment               = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints        = CA:FALSE
nsCertType              = client
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
nsComment               = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints        = critical, CA:true, pathlen:4
nsCertType              = sslCA
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth
nsComment               = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
nsComment               = "OpenSSL generated CRL"

 

# =================================================
# OpenSSL configuration file
# =================================================

#RANDFILE         = $ENV::SSLDIR/.rnd

[ ca ]
default_ca       = CA_default

[ CA_default ]
#dir              = $ENV::SSLDIR
dir		=G:/study/ssl/sm
#dir		=c:/likun/study/ssl/sm
certs            = $dir/certs
new_certs_dir    = $dir/newcerts
crl_dir          = $dir/crl
database         = $dir/index.txt
private_key      = $dir/private/ca.key
certificate      = $dir/ca.crt
serial           = $dir/serial
crl              = $dir/crl.pem
RANDFILE         = $dir/private/.rand
default_days     = 365
default_crl_days = 30
default_md       = sha1
preserve         = no
policy           = policy_anything
name_opt         = ca_default
cert_opt         = ca_default


[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = CN
countryName_min         = 2
countryName_max         = 2
localityName            = Locality Name (eg, city)
localityName_default    = ShenZhen
organizationName        = Organization Name (eg, company)
organizationName_default     =Firefly
commonName              = Common Name (eg, YOUR name)
commonName_default      = S03CA1
commonName_max          = 64

[ usr_cert ]
basicConstraints        = CA:FALSE
# nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints        = CA:FALSE
nsCertType              = server
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC
nsComment               = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints        = CA:FALSE
nsCertType              = client
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
nsComment               = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints        = critical, CA:true, pathlen:4
nsCertType              = sslCA
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth
nsComment               = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
nsComment               = "OpenSSL generated CRL"

 

# =================================================
# OpenSSL configuration file
# =================================================

#RANDFILE         = $ENV::SSLDIR/.rnd

[ ca ]
default_ca       = CA_default

[ CA_default ]
#dir              = $ENV::SSLDIR
dir		=G:/study/ssl/sm
#dir		=c:/likun/study/ssl/sm
certs            = $dir/certs
new_certs_dir    = $dir/newcerts
crl_dir          = $dir/crl
database         = $dir/index.txt
private_key      = $dir/private/ca.key
certificate      = $dir/ca.crt
serial           = $dir/serial
crl              = $dir/crl.pem
RANDFILE         = $dir/private/.rand
default_days     = 365
default_crl_days = 30
default_md       = md5 

preserve         = no
policy           = policy_anything
name_opt         = ca_default
cert_opt         = ca_default
x509_extensions  = v3_ca



[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = CN
countryName_min         = 2
countryName_max         = 2
localityName            = Locality Name (eg, city)
localityName_default    = ShenZhen
organizationName        = Organization Name (eg, company)
organizationName_default     =Firefly
commonName              = Common Name (eg, YOUR name)
commonName_default      = C03RootCA
commonName_max          = 64
emailAddress            = Email Address
emailAddress_default    = CAadmin@firefly.com
emailAddress_max        = 64

[ usr_cert ]
basicConstraints        = CA:FALSE
# nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints        = CA:FALSE
nsCertType              = server
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC
nsComment               = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints        = CA:FALSE
nsCertType              = client
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
nsComment               = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints        = critical, CA:true, pathlen:4
nsCertType              = sslCA
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth
nsComment               = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
nsComment               = "OpenSSL generated CRL"

 

# =================================================
# OpenSSL configuration file
# =================================================

#RANDFILE         = $ENV::SSLDIR/.rnd

[ ca ]
default_ca       = CA_default

[ CA_default ]
#dir              = $ENV::SSLDIR
dir		=G:/study/ssl/sm
#dir		=c:/likun/study/ssl/sm
certs            = $dir/certs
new_certs_dir    = $dir/newcerts
crl_dir          = $dir/crl
database         = $dir/index.txt
private_key      = $dir/private/ca.key
certificate      = $dir/ca.crt
serial           = $dir/serial
crl              = $dir/crl.pem
RANDFILE         = $dir/private/.rand
default_days     = 365
default_crl_days = 30
default_md       = sha1
preserve         = no
policy           = policy_anything
name_opt         = ca_default
cert_opt         = ca_default


[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = CN
countryName_min         = 2
countryName_max         = 2
localityName            = Locality Name (eg, city)
localityName_default    = ShenZhen
organizationName        = Organization Name (eg, company)
organizationName_default     =Firefly
commonName              = Common Name (eg, YOUR name)
commonName_default      = C03CA1
commonName_max          = 64

[ usr_cert ]
basicConstraints        = CA:FALSE
# nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints        = CA:FALSE
nsCertType              = server
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC
nsComment               = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints        = CA:FALSE
nsCertType              = client
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
nsComment               = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints        = critical, CA:true, pathlen:4
nsCertType              = sslCA
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth
nsComment               = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
nsComment               = "OpenSSL generated CRL"

 

 

 
