In mutual authentication, when the server certificate expires and is renewed, every client's trusted certificate has to be updated one by one. A certificate chain solves this problem.
Server and client certificates are usually issued by separate CAs, so this example uses two CAs (S03RootCA on the server side and C03RootCA on the client side) to model the chain-of-trust relationship. The hierarchy in this example is as follows (S: Server, C: Client):
S03RootCA
|
|----S03CA1
     |---Server1
C03RootCA
|
|----C03CA1
     |---Client1
1. Generate the server-side CA certificate chain (cert path)
1.1 Generate the server-side root certificate S03RootCA
1.1.1 Create the key
openssl genrsa -des3 -out S03RootCA.key 2048
1.1.2 Self-sign the CA certificate with the CA key
openssl req -config S03RootCA.cnf -new -x509 -days 3650 -key S03RootCA.key -out S03RootCA.crt
1.2 Generate the server-side intermediate CA certificate S03CA1
1.2.1 Create the key
openssl genrsa -des3 -out S03CA1.key 2048
1.2.2 Generate the Certificate Signing Request (CSR)
openssl req -config S03CA1.cnf -new -key S03CA1.key -out S03CA1.csr
1.3 Hand the CSR to the CA (S03RootCA) for signing; the result is the server-side intermediate certificate
openssl ca -config S03RootCA.cnf -keyfile S03RootCA.key -cert S03RootCA.crt -in S03CA1.csr -out S03CA1.crt -days 3650
2. Generate the client-side CA certificate chain (cert path)
2.1 Generate the client-side root certificate C03RootCA
2.1.1 Create the key
openssl genrsa -des3 -out C03RootCA.key 1024
2.1.2 Self-sign the CA certificate with the CA key
openssl req -config C03RootCA.cnf -new -x509 -days 3650 -key C03RootCA.key -out C03RootCA.crt
2.2 Generate the client-side intermediate CA certificate C03CA1
2.2.1 Create the key
openssl genrsa -des3 -out C03CA1.key 1024
2.2.2 Generate the Certificate Signing Request (CSR)
openssl req -config C03CA1.cnf -new -key C03CA1.key -out C03CA1.csr
2.3 Hand the CSR to the CA (C03RootCA) for signing; the result is the client-side intermediate certificate
openssl ca -config C03RootCA.cnf -keyfile C03RootCA.key -cert C03RootCA.crt -in C03CA1.csr -out C03CA1.crt -days 3650
(The steps above have created both the server-side CA and the client-side CA.)
3. Use keytool to generate the server-side keystore and have it signed by the CA
3.1 Generate the server-side keystore in JKS format, holding both the public and the private key. keypass and storepass must be identical, because Tomcat's server.xml is configured with only one password.
keytool -genkey -alias Server1 -keystore Server1Keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA -keysize 512 -validity 365 -v -dname "CN = server1.firefly.com,OU =Server1,O = Firefly,L = ShenZhen,C = CN"
3.2 Generate the Certificate Signing Request (CSR)
keytool -certreq -alias Server1 -keystore Server1Keystore.jks -file Server1.csr
3.3 Send Server1.csr to the server-side CA (S03CA1) for signing
openssl ca -config S03CA1.cnf -keyfile S03CA1.key -cert S03CA1.crt -in Server1.csr -out Server1FromCA.crt -days 3650
3.4 Convert Server1FromCA.crt to DER; otherwise keytool import fails with error:invalid DER-encoded certificate data
openssl x509 -in Server1FromCA.crt -out Server1FromCA.der -outform DER
3.5 Import the CA-signed Server1FromCA.der into the keystore
3.5.1 Convert the root certificate S03RootCA to DER and import it into the keystore.
openssl x509 -in S03RootCA.crt -out S03RootCA.der -outform DER
keytool -import -alias S03RootCA -keystore Server1Keystore.jks -file S03RootCA.der
3.5.2 Convert the intermediate CA certificate S03CA1 to DER and import it into the keystore.
openssl x509 -in S03CA1.crt -out S03CA1.der -outform DER
keytool -import -alias S03CA1 -keystore Server1Keystore.jks -file S03CA1.der
3.5.3 Import the CA-signed Server1FromCA.der into the keystore. (The alias must match the alias of the KeyEntry, and the CA root and intermediate certificates must be imported before it.)
keytool -import -alias Server1 -keystore Server1Keystore.jks -file Server1FromCA.der
4. Use keytool to generate the client-side keystore and have it signed by the CA
4.1 Generate the client-side keystore in JKS format, holding both the public and the private key.
keytool -genkey -alias Client1 -keystore Client1Keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA -keysize 512 -validity 365 -v -dname "CN = client1.firefly.com,OU =Client1,O = Firefly,L = ShenZhen,C = CN"
4.2 Generate the Certificate Signing Request (CSR)
keytool -certreq -alias Client1 -keystore Client1Keystore.jks -file Client1.csr
4.3 Send Client1.csr to the client-side CA (C03CA1) for signing
openssl ca -config C03CA1.cnf -keyfile C03CA1.key -cert C03CA1.crt -in Client1.csr -out Client1FromCA.crt -days 3650
4.4 Convert Client1FromCA.crt to DER; otherwise keytool import fails with error:invalid DER-encoded certificate data
openssl x509 -in Client1FromCA.crt -out Client1FromCA.der -outform DER
4.5 Import the CA-signed Client1FromCA.der into the keystore
4.5.1 Convert the root certificate C03RootCA to DER and import it into the keystore.
openssl x509 -in C03RootCA.crt -out C03RootCA.der -outform DER
keytool -import -alias C03RootCA -keystore Client1Keystore.jks -file C03RootCA.der
4.5.2 Convert the intermediate CA certificate C03CA1 to DER and import it into the keystore.
openssl x509 -in C03CA1.crt -out C03CA1.der -outform DER
keytool -import -alias C03CA1 -keystore Client1Keystore.jks -file C03CA1.der
4.5.3 Import the CA-signed Client1FromCA.der into the keystore. (The alias must match the alias of the KeyEntry, and the CA root and intermediate certificates must be imported before it.)
keytool -import -alias Client1 -keystore Client1Keystore.jks -file Client1FromCA.der
5. Establish trust between client and server
5.1 Send the client-side certificates (C03RootCA.der, C03CA1.der, Client1FromCA.der) to the server Server1 and import them into the server's truststore.
keytool -import -alias C03CA1 -keystore Server1Truststore.jks -storepass 123456 -file C03CA1.der
5.2 Send the server-side certificates (S03RootCA.der, S03CA1.der, Server1FromCA.der) to the client Client1 and import them into the client's truststore. Normally the client trusts the server's root or intermediate certificate, so when the server certificate is renewed the client's truststore does not need to be updated.
keytool -import -alias S03RootCA -keystore Client1Truststore.jks -storepass 123456 -file S03RootCA.der
Server side: Server1Keystore.jks Server1Truststore.jks
Client side: Client1Keystore.jks Client1Truststore.jks
6. Configure server.xml on the Tomcat server
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="keys/Server1Keystore.jks" keystorePass="123456" truststoreFile="keys/Server1Truststore.jks" truststorePass="123456"/>
7. Client code
package com.ssl;

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileReader;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URLEncoder;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * java ClientCertPathTest Client1Truststore.jks 123456 Client1Keystore.jks 123456 192.168.1.123 8443 dummy.txt
 */
/**
 * @author Kevin Li
 */
public class ClientCertPathTest {

    public static void main(String args[]) {
        if (args.length != 7) {
            System.out.println("Usage: java ClientCertPathTest <trustStore_file> <password> <keyStore_file> <password> <IP> <port> <DummyFile>");
            System.exit(1);
        }
        try {
            // Truststore: the server-side CA certificates this client trusts (here only S03RootCA).
            System.setProperty("javax.net.ssl.trustStore", args[0]);
            System.setProperty("javax.net.ssl.trustStorePassword", args[1]);
            // Keystore: the client's own key and certificate chain, presented because Tomcat has clientAuth="true".
            System.setProperty("javax.net.ssl.keyStore", args[2]);
            System.setProperty("javax.net.ssl.keyStorePassword", args[3]);
            String ip = args[4];
            int port = Integer.parseInt(args[5]);
            String dummyPath = args[6];
            System.out.println("TrustStore:" + args[0]);
            System.out.println("KeyStore:" + args[2]);
            System.out.println("IP:" + args[4] + ":" + args[5]);
            System.out.println("--------------------");

            // The default factory picks up the javax.net.ssl.* system properties set above.
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(ip, port);
            // sslsocket.startHandshake();
            PrintWriter printwriter = new PrintWriter(new BufferedWriter(
                    new OutputStreamWriter(sslsocket.getOutputStream())));
            String requestStr = readFile(dummyPath);
            System.out.println("Waiting for response---");
            requestStr = URLEncoder.encode(requestStr, "UTF-8");
            // Minimal HTTP/1.0 POST; the TLS handshake (including the client certificate) runs on the first write.
            printwriter.write("POST " + "/" + " HTTP/1.0\r\n");
            printwriter.write("Content-Length: " + requestStr.length() + "\r\n");
            printwriter.write("Content-Type: application/x-www-form-urlencoded\r\n");
            printwriter.write("\r\n");
            printwriter.write(requestStr);
            printwriter.println();
            printwriter.flush();

            BufferedReader bufferedreader = new BufferedReader(
                    new InputStreamReader(sslsocket.getInputStream()));
            String s = null;
            while ((s = bufferedreader.readLine()) != null)
                System.out.println(s);
            bufferedreader.close();
            printwriter.close();
            sslsocket.close();
        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }

    // Reads the whole request body file into one string (line breaks dropped).
    private static String readFile(String path) throws Exception {
        File inFile = new File(path);
        FileReader fr = new FileReader(inFile);
        BufferedReader br = new BufferedReader(fr);
        StringBuffer sb = new StringBuffer();
        String eachLine = br.readLine();
        while (eachLine != null) {
            sb.append(eachLine);
            eachLine = br.readLine();
        }
        br.close();
        fr.close();
        return sb.toString();
    }
}
Note:
When the certificate chain has more than two levels, viewing the certificate in IE shows the following:
"The certificate is invalid because a certification authority in the certificate path does not appear to have permission to issue certificates, or it cannot be used as an end-entity certificate."
In Firefox:
Error code: sec_error_path_len_constraint_invalid
Certificate path length constraint is invalid.
SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID -8155 Certificate path length constraint is invalid.
Certificate -> Details -> Basic Constraints
Subject Type=CA
Path Length Constraint=0   If this value is 0, the problem above appears.
Solution:
Change the path length in the .cnf file:
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:4
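The chain-building steps of sections 1 and 3 and the path length note above, worked as an added shell example (not the post's own commands or configuration files): it assumes the openssl CLI is on PATH, reuses the names S03RootCA, S03CA1 and Server1 from the post, and adds a constructed S03CA2/Server2 pair to trigger the path length failure.

```shell
#!/bin/sh
# Added example, not part of the original post: build the S03RootCA -> S03CA1
# -> Server1 chain with openssl, verify Server1 with only the root trusted
# (what the client truststore in step 5.2 relies on), and show that one more
# CA level below a pathlen:0 intermediate fails verification.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: -subj supplies every DN, so the [dn] section stays empty.
# pathlen:N caps how many further CA certificates may follow this CA in a
# path; pathlen:0 means the CA may only issue end-entity certificates.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ca ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ leaf ]
basicConstraints = critical, CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

# Self-signed root CA. $1 = name
make_root() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1.key" -out "$1.crt" -subj "/O=Firefly/CN=$1" \
    -extensions root_ca >/dev/null 2>&1
}

# CSR plus signing; openssl x509 -req stands in for openssl ca so that no
# index.txt/serial database is needed. $1 = name, $2 = issuer, $3 = ext section
issue() {
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/O=Firefly/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions "$3" -out "$1.crt" >/dev/null 2>&1
}

# Validate a leaf with only the root as trust anchor; the intermediates are
# passed untrusted, the way a TLS peer sends them. Exit status 0 means valid.
verify_chain() { # $1 = root, $2 = leaf, $3.. = intermediates
  root=$1; leaf=$2; shift 2
  : > untrusted.pem
  for ca in "$@"; do cat "$ca.crt" >> untrusted.pem; done
  openssl verify -CAfile "$root.crt" -untrusted untrusted.pem "$leaf.crt" >/dev/null 2>&1
}

make_root S03RootCA
issue S03CA1 S03RootCA sub_ca
issue Server1 S03CA1 leaf
# Constructed extra level: S03CA2 sits below the pathlen:0 S03CA1.
issue S03CA2 S03CA1 sub_ca
issue Server2 S03CA2 leaf

chain_ok() { verify_chain S03RootCA Server1 S03CA1; }
too_deep_rejected() { ! verify_chain S03RootCA Server2 S03CA1 S03CA2; }
chain_ok && echo "Server1 validates with only S03RootCA trusted"
too_deep_rejected && echo "Server2 rejected: path length constraint exceeded"
```

Current JDKs refuse RSA keys shorter than 1024 bits through jdk.certpath.disabledAlgorithms, so when reproducing the keytool -genkey steps use -keysize 2048 instead of 512.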
Appendix: the OpenSSL configuration files used above (S03RootCA.cnf, S03CA1.cnf, C03RootCA.cnf, C03CA1.cnf)
S03RootCA.cnf:
# =================================================
# OpenSSL configuration file
# =================================================
#RANDFILE = $ENV::SSLDIR/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
#dir = $ENV::SSLDIR
dir = G:/study/ssl/sm
#dir = c:/likun/study/ssl/sm
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default
x509_extensions = v3_ca

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationName = Organization Name (eg, company)
organizationName_default = Firefly
commonName = Common Name (eg, YOUR name)
commonName_default = S03RootCA
commonName_max = 64
emailAddress = Email Address
emailAddress_default = CAadmin@firefly.com
emailAddress_max = 64

[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:4
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"
S03CA1.cnf:
# =================================================
# OpenSSL configuration file
# =================================================
#RANDFILE = $ENV::SSLDIR/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
#dir = $ENV::SSLDIR
dir = G:/study/ssl/sm
#dir = c:/likun/study/ssl/sm
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationName = Organization Name (eg, company)
organizationName_default = Firefly
commonName = Common Name (eg, YOUR name)
commonName_default = S03CA1
commonName_max = 64

[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:4
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"
C03RootCA.cnf:
# =================================================
# OpenSSL configuration file
# =================================================
#RANDFILE = $ENV::SSLDIR/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
#dir = $ENV::SSLDIR
dir = G:/study/ssl/sm
#dir = c:/likun/study/ssl/sm
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default
x509_extensions = v3_ca

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationName = Organization Name (eg, company)
organizationName_default = Firefly
commonName = Common Name (eg, YOUR name)
commonName_default = C03RootCA
commonName_max = 64
emailAddress = Email Address
emailAddress_default = CAadmin@firefly.com
emailAddress_max = 64

[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:4
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"
C03CA1.cnf:
# =================================================
# OpenSSL configuration file
# =================================================
#RANDFILE = $ENV::SSLDIR/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
#dir = $ENV::SSLDIR
dir = G:/study/ssl/sm
#dir = c:/likun/study/ssl/sm
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationName = Organization Name (eg, company)
organizationName_default = Firefly
commonName = Common Name (eg, YOUR name)
commonName_default = C03CA1
commonName_max = 64

[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-clr-list/crl.pem

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:4
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"