I am setting up a SOAP connection over SSL. The certificate (pfx) is dynamic, so a keystore is generated from the pfx certificate. The certificate is stored in AWS S3 and is downloaded in order to verify whether a new client needs to be generated.
The method responsible for generating the keystore in order to verify that it is a valid certificate is the following:
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.transport.http.HTTPConduit;
import com.amazonaws.services.s3.model.S3Object;

private void configureConduit(final Client client, final InputStream keyStoreStream, final char[] password,
                              final String bucketName, final String keyName) throws InternalException {
    final HTTPConduit conduit = (HTTPConduit) client.getConduit();
    final TLSClientParameters params = new TLSClientParameters();
    params.setDisableCNCheck(this.disableCNCheck);
    // Client identity: the dynamic pfx (PKCS12) keystore
    final KeyManagerFactory keyManagerFactory = this.getKeyManagerFactory(keyStoreStream, password);
    params.setKeyManagers(keyManagerFactory.getKeyManagers());
    // Server trust: the truststore downloaded from S3
    final TrustManagerFactory trustManagerFactory = this.getTrustManagerFactory(bucketName, keyName);
    params.setTrustManagers(trustManagerFactory.getTrustManagers());
    params.setCipherSuites(SUPPORTED_CIPHER_SUITES);
    conduit.setTlsClientParameters(params);
}

KeyManagerFactory method:

private KeyManagerFactory getKeyManagerFactory(final InputStream keyStoreStream, final char[] password)
        throws InternalException {
    try {
        log.info("get KeyManagers from keyStoreStream {}", keyStoreStream);
        final KeyStore keystore = KeyStore.getInstance("PKCS12");
        keystore.load(keyStoreStream, password);
        final KeyManagerFactory keyManagerFactory =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keystore, password);
        return keyManagerFactory;
    } catch (GeneralSecurityException | IOException e) {
        // Pass the exception as the last argument (no placeholder) so the stack trace is logged
        log.error("Could not build KeyManagers", e);
        throw new InternalException("Could not build KeyManagers", e);
    }
}

TrustStoreFactory method:

private TrustManagerFactory getTrustManagerFactory(final String bucketName, final String jksFilePath)
        throws InternalException {
    S3Object s3Object = null;
    try {
        log.info("get TrustManagers from bucketName {} in S3 and jksFilePath {} ", bucketName, jksFilePath);
        s3Object = this.s3Client.getObject(bucketName, jksFilePath);
        // The object content stream is closed together with the S3Object in the finally block
        final InputStream keystoreStream = s3Object.getObjectContent();
        final KeyStore keystore = KeyStore.getInstance("PKCS12");
        keystore.load(keystoreStream, this.trustManagerPassword);
        final TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(keystore);
        return factory;
    } catch (GeneralSecurityException | IOException e) {
        log.error("Could not build TrustManagers", e);
        throw new InternalException("Could not build TrustManagers", e);
    } finally {
        if (s3Object != null) {
            try {
                s3Object.close();
            } catch (IOException e) {
                log.warn("Error when we try to close s3 object", e);
            }
        }
    }
}
When the request is sent, the following exception is returned:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 76 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
Any idea what is going on?
If I loaded it beforehand, why can it not find my certificate in the keystore?
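The exception above means the PKIX path builder could not chain the server's certificate to any anchor in the store handed to `TrustManagerFactory.init`, regardless of what the client keystore (the pfx) contains. As an added example that is not part of the question or of any project code, the following standalone Java diagnostic loads a PKCS12 store the same way the question does, lists what the SunJSSE PKIX TrustManager will actually treat as trusted, and, optionally, runs a PEM server chain through the resulting `X509TrustManager` and reports which issuer the store would have to contain. The class name, the command-line arguments and the file names are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (hypothetical class, not from the question): shows what a
 * PKCS12 truststore contributes to the PKIX TrustManager and checks a server
 * chain against it, so "unable to find valid certification path" can be traced
 * to a concrete missing anchor.
 */
public final class TrustStoreDiagnostics {

    private TrustStoreDiagnostics() {}

    /** Loads a PKCS12 store from a stream, as the question's code does. */
    public static KeyStore loadPkcs12(InputStream in, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(in, password);
        return ks;
    }

    /**
     * Prints each alias with its entry type and certificate subject/issuer.
     * The SunJSSE PKIX TrustManager trusts trustedCertEntry certificates and the
     * leaf certificate of key entries; intermediates stored only inside a key
     * entry's chain are not anchors.
     */
    public static void describe(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            System.out.println("store is EMPTY: nothing will be trusted");
        }
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String type = ks.isCertificateEntry(alias) ? "trustedCertEntry"
                    : ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "otherEntry";
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) {
                System.out.printf("%-20s %-17s (no certificate)%n", alias, type);
                continue;
            }
            System.out.printf("%-20s %-17s subject=%s%n", alias, type, cert.getSubjectX500Principal());
            System.out.printf("%-38s issuer =%s%n", "", cert.getIssuerX500Principal());
        }
    }

    /** Builds the same X509TrustManager JSSE would build from this store. */
    public static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Validates a server chain (leaf first) against the store. On failure it
     * reports the issuer of the last certificate in the chain: that is the
     * anchor (or an intermediate leading to one) the store is missing.
     */
    public static boolean checkServerChain(KeyStore ks, X509Certificate[] chain) throws Exception {
        X509TrustManager tm = trustManagerFor(ks);
        // authType must be a TLS key-exchange name; both of these only require digitalSignature
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            System.out.println("chain is trusted by this store");
            return true;
        } catch (CertificateException e) {
            X509Certificate top = chain[chain.length - 1];
            System.out.println("chain rejected: " + e.getMessage());
            System.out.println("store needs a trustedCertEntry for: " + top.getIssuerX500Principal());
            return false;
        }
    }

    /** Usage: java TrustStoreDiagnostics truststore.p12 <password> [server-chain.pem] */
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            KeyStore ks = loadPkcs12(in, args[1].toCharArray());
            describe(ks);
            if (args.length > 2) {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                try (InputStream pem = new FileInputStream(args[2])) {
                    X509Certificate[] chain = cf.generateCertificates(pem).toArray(new X509Certificate[0]);
                    checkServerChain(ks, chain);
                }
            }
        }
    }
}
```

Run it against the file downloaded from S3 (saved locally) with the same password the code uses. If `describe` prints only the client's own `PrivateKeyEntry` or an empty store, the S3 object is the pfx rather than a truststore and the server's CA was never loaded; a missing CA is added with `keytool -importcert -trustcacerts -keystore truststore.p12 -storetype PKCS12 -alias <ca-alias> -file ca.pem`. Note that `setDisableCNCheck(true)` only skips hostname matching and has no effect on path building, so it will not make this error go away.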