0

我希望 Java 应用程序使用 EJBCA 库连接到 Web 服务,但它会引发异常。您会看到以下 void 方法尝试连接到 Ejbca

protected void connectToEjbca() {
   
    LOG.info("Establishing Ejbca conecction");
   
    String trustStore = CONFIG.getProperty("truststore");
    String trustStorePassword = CONFIG.getProperty("truststore.password");
    String keyStoreType = CONFIG.getProperty("keystore.type");
    String keyStore = CONFIG.getProperty("keystore");
    String keyStorePassword = CONFIG.getProperty("keystore.password");
    String ejbcaUrl = CONFIG.getProperty("url");
   
    try{
        CryptoProviderTools.installBCProvider();
        KeyManager[] kms = this.getKeyManagers(keyStore, keyStorePassword);
        TrustManager[] tms = this.getTrustManagers(trustStore, trustStorePassword);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tms, null);
             
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        };
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
                    
        QName qname = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService");
        EjbcaWSService service = new EjbcaWSService(new URL(ejbcaUrl),qname);
        ws = service.getEjbcaWSPort();
        connect = true;
        LOG.info("EJBCA connection was successfully");
    }catch(Exception ex){
        LOG.info("Error in EJBCA connection: " + ex.getLocalizedMessage());
        connect = false;
        ex.printStackTrace();
    }
}

代码执行失败: EjbcaWSService service = new EjbcaWSService(new URL(ejbcaUrl),qname);

例外情况说:

org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

根据config.properties:

url=https:\//192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl
truststore=E:\\admin_test.jks
keystore=E:\\admin_test.p12
keystore.type=PKCS12

密码变量没问题。

此外,我将 admin_test.p12 证书导入到 firefox,浏览器很好地显示了页面https://192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl 。

此外,我将 admin_test.p12 证书导入 Windows 证书管理器。然后。我导出为 X.509 证书 (admin_test.cert)。之后,我通过 KeyStore Explorer 创建了一个 JKS 文件并导入了 admin_test.cert。

config.properties 中引用了这两个文件 admin_test.cert 和 admin_test.p12

所以 url https://192.168.1.30:443/ejbca/ejbcaws/ejbcaws?wsdl由 firefox 工作,但 java 应用程序没有。

我怀疑问题出在我认为生成不好的 jks 文件中。

我能做些什么?

4

1 回答 1

1

I think you are right. Your error message is "unable to find valid certification path to requested target", which tells that the client can not find the CA certificate as trusted to verify the TLS connection. This is a pure TLS connection establishment issue. truststore must contain the CA certificate of the server certificate chain, and nothing else.

于 2021-02-23T07:53:43.853 回答