java代码中请求https链接的时候,可能会报下面这个错误文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
原因是没有证书。在浏览器中直接使用url访问是可以的,应该是浏览器之前就保存过对应的.cer证书。文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
解决方法有两种,从目标机器获得有效证书或者忽略证书信任问题。文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
一、获得目标机器有效证书文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
1、编译安装证书程序 javac InstallCert.java(代码如下)文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
*
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : (c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = ();
} else {
("Usage: java InstallCert <host>[:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (() == false) {
char SEP = File.separatorchar;
File dir = new File(("") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (() == false) {
file = new File(dir, "cacerts");
}
}
("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = (());
(in, passphrase);
();
SSLContext context = ("TLS");
TrustManagerFactory tmf =
(());
(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) ()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
(null, new TrustManager[]{
tm
}
, null);
SSLSocketFactory factory = ();
("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) (host, port);
(10000);
try {
("Starting SSL handshake...");
();
();
();
("No errors, certificate is already trusted");
}
catch (SSLException e) {
();
();
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader());
();
("Server sent " + chain.length + " certificate(s):");
();
MessageDigest sha1 = ("SHA1");
MessageDigest md5 = ("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
(" " + (i + 1) + " Subject " + ());
(" Issuer " + ());
(());
(" sha1 " + toHexString(()));
(());
(" md5 " + toHexString(()));
();
}
("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = ().trim();
int k;
try {
k = (() == 0) ? 0 : (line) - 1;
}
catch (NumberFormatException e) {
("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
(out, passphrase);
();
();
(cert);
();
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder( * 3);
for (int b : bytes) {
b &= 0xff;
(HEXDIGITS[b >> 4]);
(HEXDIGITS[b & 15]);
(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}2、运行安装证书程序生成证书文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
java InstallCert my.hoolai.com文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
例如:java InstalCert smtp.zhangsan.com:465 admin如果不加参数password和host的端口号,上面的获取证书程序中默认给的端口号是:443,密码是:changeit文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
3、根据运行提示信息,输入1,回车,在当前目录下生成名为: jssecacerts 的证书文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
将证书放置到$JAVA_HOME/jre/lib/security目录下, 切记该JDK的jre是工程所用的环境!!!文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
或者:文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
("", "你的jssecacerts证书路径");文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
可以更改密码,在security目录下运行命令文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
keytool -storepasswd -new xxxcom -keystore cacerts文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
就可以修改密码,修改后使用命令文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
keytool -list -v -keystore cacerts文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
查看文件的信息,会提示需要密码才能查看,如果输入密码与修改后的密码匹配,说明修改成功了。文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
PS:至此这种方式可以成功使用ssl了,另外再补充一下,根据刚才生成的文件jssecacerts,可以生成cer文件,文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
命令如下文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
keytool -export -alias xxx.com-1 -keystore jssecacerts -rfc -file xxx.cer文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
如上,之前的工具类中默认命名别名是加上"-1"。使用InstallCert设置的密码需要跟cacerts文件中的密码一致,文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
如果修改过密码,就需要修改InstallCert类中对应的密码字符串,否则会有下面这个异常:文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
java.security.UnrecoverableKeyException: Password verification failed文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
二、忽略证书信任问题文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
源码:文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
一定要注意需要在connection创建之前调用文章里所述的方法,像这个样子:文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html
trustAllHttpsCertificates();
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
return true;
}
};
(hv);
connection = (HttpURLConnection) ();好吧,两种方法都试过有效。文章源自菜鸟学院-https://www.cainiaoxueyuan.com/bc/11705.html