证书链未传输到服务器
Certificate chain not transported to server
我用这个方法将客户端证书注册到服务器证书中。
/**
* Links the user's certificate into the server's keystore/truststore.
*
* @param server
* The server party.
* @return <code>true</code> if the certificate has been bound,
* <code>false</code> if the certificate already was bound to the
* truststore.
* @throws KeyStoreException
*/
public boolean linkToServerCertificate(Party server) throws KeyStoreException {
if (keyAlias.equals(server.keyAlias)) {
throw new IllegalArgumentException("The alias of client and server must be different!");
}
keystore.setCertificateEntry(server.keyAlias, server.getAliasCert());
Certificate certificate = keystore.getCertificate(keyAlias);
server.keystore.setCertificateEntry(keyAlias, certificate);
return true;
}
AS 重启后我收到此消息:
有环境变量 JAVA_OPTS="-Djavax.net.debug=ssl" 我得到这个信息:
*** ServerHelloDone
https-jsse-nio-8443-exec-7, WRITE: TLSv1.2 Handshake, length = 1522
https-jsse-nio-8443-exec-8, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
https-jsse-nio-8443-exec-8, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-8, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
所以证书的证书链是空的
但是在客户端检查证书,它指出有一个证书链。
我很困惑,为什么证书链没有传输到服务器?
您可以像下面这样复制完整的证书链。
Key key = keystore.getKey(keyAlias, clientKeyStorePassPhrase);
Certificate[] chain = keystore.getCertificateChain(keyAlias);
server.keystore.setKeyEntry(keyAlias, key, serverKeyStorePassPhrase, chain);
请参阅 - http://www.java2s.com/Code/Java/Security/Importakeycertificatepairfromapkcs12fileintoaregularJKSformatkeystore.htm 了解有关如何将证书从一个密钥库复制到另一个密钥库的更多详细信息。
更新-
Java api 文档还建议 keystore.getCertificate(keyAlias); returns 只是证书链的第一个元素。参考 - https://docs.oracle.com/javase/8/docs/api/index.html?java/security/KeyStore.html
Ref - 有关加载证书链的更多示例 - https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
我弄错了,我的证书链顺序错了。
keystore.setKeyEntry(alias, pair.getPrivate(), pass.toCharArray(),
chainSet.toArray(new Certificate[0]));
chainSet必须按照最接近的证书是第一个证书的顺序。
真正的错误是使用了 pki 的内置实现。
我用这个方法将客户端证书注册到服务器证书中。
/**
* Links the user's certificate into the server's keystore/truststore.
*
* @param server
* The server party.
* @return <code>true</code> if the certificate has been bound,
* <code>false</code> if the certificate already was bound to the
* truststore.
* @throws KeyStoreException
*/
public boolean linkToServerCertificate(Party server) throws KeyStoreException {
if (keyAlias.equals(server.keyAlias)) {
throw new IllegalArgumentException("The alias of client and server must be different!");
}
keystore.setCertificateEntry(server.keyAlias, server.getAliasCert());
Certificate certificate = keystore.getCertificate(keyAlias);
server.keystore.setCertificateEntry(keyAlias, certificate);
return true;
}
AS 重启后我收到此消息:
有环境变量 JAVA_OPTS="-Djavax.net.debug=ssl" 我得到这个信息:
*** ServerHelloDone
https-jsse-nio-8443-exec-7, WRITE: TLSv1.2 Handshake, length = 1522
https-jsse-nio-8443-exec-8, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
https-jsse-nio-8443-exec-8, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-8, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
所以证书的证书链是空的
但是在客户端检查证书,它指出有一个证书链。
我很困惑,为什么证书链没有传输到服务器?
您可以像下面这样复制完整的证书链。
Key key = keystore.getKey(keyAlias, clientKeyStorePassPhrase);
Certificate[] chain = keystore.getCertificateChain(keyAlias);
server.keystore.setKeyEntry(keyAlias, key, serverKeyStorePassPhrase, chain);
请参阅 - http://www.java2s.com/Code/Java/Security/Importakeycertificatepairfromapkcs12fileintoaregularJKSformatkeystore.htm 了解有关如何将证书从一个密钥库复制到另一个密钥库的更多详细信息。
更新-
Java api 文档还建议 keystore.getCertificate(keyAlias); returns 只是证书链的第一个元素。参考 - https://docs.oracle.com/javase/8/docs/api/index.html?java/security/KeyStore.html
Ref - 有关加载证书链的更多示例 - https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
我弄错了,我的证书链顺序错了。
keystore.setKeyEntry(alias, pair.getPrivate(), pass.toCharArray(),
chainSet.toArray(new Certificate[0]));
chainSet必须按照最接近的证书是第一个证书的顺序。
真正的错误是使用了 pki 的内置实现。