我在 Netbeans 8 上有以下 Java 程序 (Servlet),我在其中进行 HTTP GET 并发送一些安全凭证。我遇到了很多人都在讨论的最常见的错误。当我使用 HTTP 时,它曾经运行良好,但现在 URL 指向的服务器已经在 HTTPS 上。这是 Netbeans 的 Apache Tomcat 或 TomEE 日志上的错误:
============================================= ================================== 我的错误:
01-Oct-2014 14:00:08.497 SEVERE [http-apr-8080-exec-8] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [My_API_Call] in context with path [/testapi] threw exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1369)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1511)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at My_API_Call.sendHttpRequest(My_API_Call.java:129)
at My_API_Call.Group_GET(My_API_Call.java:82)
at My_API_Call.doGet(My_API_Call.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:618)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:136)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:526)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:655)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:277)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2381)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2370)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351)
... 39 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 45 more
============================================= =================================== 我的程序:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.sql.Date;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.crypto.Mac;
import org.apache.commons.codec.binary.Hex;
import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import org.json.JSONObject;
@WebServlet("/My_API_Call")
public class My_API_Call extends HttpServlet {
public My_API_Call() {
super();
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
// Allocate a output writer to write the response message into the network socket
PrintWriter out = response.getWriter();
// Write the response message, in an HTML page
try {
out.println("<!DOCTYPE html>"); // HTML 5
out.println("<html><head>");
out.println("<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>");
out.println("<h3>JSON Response</h3>");
out.println(new Gson().toJson(API_GET()));
out.println("<head><title>My API Call</title></head>");
out.println("<body>");
// Tabulate the request information
out.println("</body></html>");
}
finally {
out.close(); // Always close the output writer
}
}
public static Object API_GET() throws IOException {
String accessKey = "myaccesskey";
String secretKey = "mysecretkey";
String uRLCppList = "https://myapichecking.mydomain.com/webservice/testinggroup/133";
String method = "GET";
java.util.Date currentTime = new java.util.Date();
SimpleDateFormat sdf = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z");
sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
String dateTimeString = sdf.format(currentTime);
String signature = generateSignature(method, secretKey, dateTimeString);
String authorization = accessKey + ":" + signature;
Map<String, String> params = new HashMap<String, String>();
String[] result = sendHttpRequest(uRLCppList, "POST", params, dateTimeString, authorization);
return result;
}
public static String[] sendHttpRequest(String requestUrl, String method, Map<String, String> params, String dateTimeString, String authorization) throws IOException {
List<String> response = new ArrayList<String>();
StringBuffer requestParams = new StringBuffer();
if (params != null && params.size() > 0) {
Iterator<String> paramIterator = params.keySet().iterator();
while (paramIterator.hasNext()) {
String key = paramIterator.next();
String value = params.get(key);
requestParams.append(URLEncoder.encode(key, "UTF-8"));
requestParams.append("=").append(URLEncoder.encode(value, "UTF-8"));
requestParams.append("&");
}
}
URL url = new URL(requestUrl);
URLConnection urlConn = url.openConnection();
urlConn.setRequestProperty("accept", "application/json");
urlConn.setRequestProperty("datetime", dateTimeString);
urlConn.setRequestProperty("authorization", authorization);
urlConn.setUseCaches(false);
// the request will return a response
urlConn.setDoInput(true);
if ("POST".equals(method)) {
// set request method to POST
urlConn.setDoOutput(true);
} else {
// set request method to GET
urlConn.setDoOutput(false);
}
if ("POST".equals(method) && params != null && params.size() > 0) {
OutputStreamWriter writer = new OutputStreamWriter(urlConn.getOutputStream());
writer.write(requestParams.toString());
writer.flush();
}
// reads response, store line by line in an array of Strings
BufferedReader reader = new BufferedReader(new InputStreamReader(urlConn.getInputStream()));
String line = "";
while ((line = reader.readLine()) != null) {
response.add(line);
}
reader.close();
return (String[]) response.toArray(new String[0]);
}
public static String generateSignature(String method, String secretKey, String dateTimeString) {
String cs = String.format("%s\n\n\n%s\n\n\n", method, dateTimeString);
String signature = createSignature(cs, secretKey);
return signature;
}
public static String createSignature(String stringIn, String scretKey) {
String fixedData = stringIn.replace('\n', (char)10);
// Calculate the hash of the information
String digest = hmacSha1(scretKey, fixedData);
return digest;
}
public static String hmacSha1(String key, String value) {
try {
// Get an hmac_sha1 key from the raw key bytes
byte[] keyBytes = key.getBytes("iso-8859-1");
SecretKeySpec signingKey = new SecretKeySpec(keyBytes, "HmacSHA1");
// Get an hmac_sha1 Mac instance and initialize with the signing key
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signingKey);
// Compute the hmac on input data bytes
byte[] rawHmac = mac.doFinal(value.getBytes("iso-8859-1"));
// Covert array of Hex bytes to a String
return Base64.encode(rawHmac);
//return new String(hexBytes, "UTF-8");
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
}
我已经提到了以下线程,但其中大多数都在谈论将证书安装到信任库中。而且我已经在上述 URL 所在的机器上安装了证书 指的是“https://myapichecking.mydomain.com/webservice/testinggroup/133”。例如,它指的是 IP XX.XX.X.XXX,所以我已经在那里安装了证书,但仍然出现相同的错误。
2) http://www.java-samples.com/showtutorial.php?tutorialid=210
知道我的 API 调用出了什么问题吗?
最佳答案
这里有很多地方可能出错。 SSL 问题可能很难准确找出,但这里有一些步骤供您尝试。希望其中之一能为您解决...
首先,远程服务器的证书是否有效?证书是否过期?它是否由知名的证书颁发机构 (CA) 签名?
如果远程服务器的证书不是由知名 CA 签名的,您确定该证书在您的信任库中吗?我用 keytool -list -v -keystore <truststore file name>查看您的信任库中有哪些证书。如果需要,您还可以将该信息通过管道输出到文件:keytool -list -v -keystore <truststore file name> > truststore.txt在终端中更容易阅读。
您确定您正在使用正确的信任库运行您的应用程序吗?除非您运行的是 java 附带的默认信任库,否则您将需要使用“-Djavax.net.ssl.trustStore=""-Djavax.net.ssl.trustStorePassword="changeit"' 虚拟机选项。
如果您的信任库中没有远程服务器证书,我建议使用名为 InstallCert 的 java 工具创建一个新的信任库,其中包含该证书。然后使用上面的虚拟机选项引用新的信任库。
安全说明:
不建议更改 java 附带的默认信任库。复制它,根据需要将证书添加到新副本,然后通过虚拟机选项引用新副本。
当接受自签名或由不为人知的 CA 签名的证书时,总是存在潜在的安全问题,只要知道您从谁/从哪里获取证书即可。
关于java - 即使在安装和验证证书后仍出现 SSL 握手错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/26150888/