那些遇到过的问题

Java KeychainStore 在 Mac OS X 上不提供证书

Tom*_*ski 6 java macos ssl certificate truststore

在研究与 Jib 相关的问题时,我发现 Java KeychainStore 没有为我在 Mac OS X 上的 Java 进程提供证书,并且它无法验证任何公共网站(以及我的带有自签名证书的私人网站)的 TLS/SSL也)。

这是我如何测试它的示例:

$ cat <<EOF > A.java
public class A {
  public static void main(String[] args) throws Exception {
    new java.net.URL("https://google.com/").openStream().close();
  }
}
EOF
Run Code Online (Sandbox Code Playgroud)

结果如下:

$ java -Djavax.net.ssl.trustStoreType=KeychainStore A.java
Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1144)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1055)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
    at java.base/java.net.URL.openStream(URL.java:1140)
    at A.main(A.java:3)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1144)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1055)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
    at java.base/java.net.URL.openStream(URL.java:1140)
    at A.main(A.java:3)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at jdk.compiler/com.sun.tools.javac.launcher.Main.execute(Main.java:404)
    at jdk.compiler/com.sun.tools.javac.launcher.Main.run(Main.java:179)
    at jdk.compiler/com.sun.tools.javac.launcher.Main.main(Main.java:119)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 30 more
Run Code Online (Sandbox Code Playgroud)

任何线索为什么这不起作用?我错过了什么?

附注。关于我的环境的一些信息(我也尝试过 Java 11):

$ echo $JAVA_HOME
/Library/Java/JavaVirtualMachines/adoptopenjdk-14.0.1.jdk/Contents/Home

$ java -version
openjdk version "14.0.1" 2020-04-14
OpenJDK Runtime Environment AdoptOpenJDK (build 14.0.1+7)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 14.0.1+7, mixed mode, sharing)
Run Code Online (Sandbox Code Playgroud)

小智 2

KeychainStore只允许您访问当前用户的钥匙串。这不包括像在Windows-ROOTWindows 计算机上那样安装在计算机上的根证书。据我所知,没有简单的方法可以解决这个问题。您可以实现自己的KeyStore,通过本机代码或命令提取证书。请参阅(Java) 在 Mac OS X 上以编程方式访问“系统根目录”下的 SSL 证书

归档时间:

查看次数:

353 次

最近记录:

5 年,3 月 前
如何设置Java VM以使用Mac OS X处理的根证书(truststore) 14
(Java) 在 Mac OS X 上的“系统根目录”下以编程方式访问 SSL 证书 6
如何在 Mac 上使用 Java 中的 ssl 证书 1
更多相关链接
相关归档
Spring Boot和多个外部配置文件 110
如何更改默认的python版本? 90
java.util.Random有多好? 47
从逗号分隔的字符串中删除尾随逗号 45
将PyCharm导向Python 3.3解释器? 19
你如何在Xcode 6,Mac OS X Yosemite或Mavericks中修复"代码对象未在子组件中签名:"? 16
Mac/iPhone:有没有办法在不使用Objective-C的情况下获取线程标识符? 13
Android Central Keystore 9
当存在新的API时,构建向后兼容的OS X应用程序? 8
浏览器可以通过SSL/TLS连接到代理吗? 4
难疑归档
避免!= null语句 3904
grep一个文件,但显示几个周围的行? 3277
如何检查字符串是否包含特定单词? 2663
我怎么知道通过jQuery选择了哪个单选按钮? 2583
ListView中的图像延迟加载 1881
查看未发布的Git提交 1649
使用*args和**kwargs 1367
无法绑定到'ngModel',因为它不是'input'的已知属性 1173
如何撤消'git reset'? 1172
如何在Java中创建通用数组? 1045