SSL Error : no suitable certificate found continuing without client authentication in java
SSL Error : no suitable certificate found continuing without client authentication in java
我在使用 java(HttpUrlConnection、HttpClient apache)进行客户端证书身份验证时遇到问题
我尝试通过 curl 它起作用了:
curl -v POST -H "Content-Type: application/json" --data Jsondata --cert-type P12 --cert path/to/certificat:password https://url -k
但是当我尝试使用 java 执行某些请求时,它给出:
no suitable certificate found - continuing without client authentication
代码 Java 使用 HttpUrlConnection :
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream fis = new FileInputStream(certificatPath);
ks.load(fis, password.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);
HttpsURLConnection postConnection = (HttpsURLConnection) url.openConnection();
if (postConnection instanceof HttpsURLConnection) {
((HttpsURLConnection)postConnection).setSSLSocketFactory(sslContext.getSocketFactory());
}
在 ssl 日志中正确加载了 keystore 和 trustore
***
found key for : aliasKey
***
***
trustStore is: javaHome\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
但在“服务器完成”步骤之后,它给出消息
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
我测试了几个解决方案,但我仍然有相同的错误消息,即使密钥库加载了证书请求中指定的相同私钥 CN
*** CertificateRequest
Cert Types:
RSA
,
DSS
,
ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), Unknown (hash:0x3, signature:0x3), SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
CN authorities ....
一些代码与 p12 格式的另一个证书完美配合
当我测试 link How I can tell alias of the wanted key-entry to SSLSocket before connecting? 中提出的解决方案时,问题已解决:
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream fis = new FileInputStream(keystorePath);
ks.load(fis, keystorePwd.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keystorePwd.toCharArray());
final X509KeyManager origKm = (X509KeyManager)kmf.getKeyManagers()[0];
X509KeyManager km = new X509KeyManager() {
@Override
public String[] getClientAliases(String string, Principal[] prncpls) {
return origKm.getClientAliases(string, prncpls);//To change body of generated methods, choose Tools | Templates.
}
@Override
public String chooseClientAlias(String[] strings, Principal[] prncpls, Socket socket) {
return certificatAlias; //To change body of generated methods, choose Tools | Templates.
}
@Override
public String[] getServerAliases(String string, Principal[] prncpls) {
return origKm.getServerAliases(string, prncpls); //To change body of generated methods, choose Tools | Templates.
}
@Override
public String chooseServerAlias(String string, Principal[] prncpls, Socket socket) {
return origKm.chooseServerAlias(string, prncpls, socket);//To change body of generated methods, choose Tools | Templates.
}
@Override
public PrivateKey getPrivateKey(String string) {
System.out.println(".getPrivateKey() :"+string) ;
return origKm.getPrivateKey(string);
}
@Override
public X509Certificate[] getCertificateChain(String string) {
System.out.println(".etCertificateChain :"+string) ;
return origKm.getCertificateChain(string);
}
};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);
``
我在使用 java(HttpUrlConnection、HttpClient apache)进行客户端证书身份验证时遇到问题
我尝试通过 curl 它起作用了:
curl -v POST -H "Content-Type: application/json" --data Jsondata --cert-type P12 --cert path/to/certificat:password https://url -k
但是当我尝试使用 java 执行某些请求时,它给出:
no suitable certificate found - continuing without client authentication
代码 Java 使用 HttpUrlConnection :
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream fis = new FileInputStream(certificatPath);
ks.load(fis, password.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);
HttpsURLConnection postConnection = (HttpsURLConnection) url.openConnection();
if (postConnection instanceof HttpsURLConnection) {
((HttpsURLConnection)postConnection).setSSLSocketFactory(sslContext.getSocketFactory());
}
在 ssl 日志中正确加载了 keystore 和 trustore
***
found key for : aliasKey
***
***
trustStore is: javaHome\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
但在“服务器完成”步骤之后,它给出消息
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
我测试了几个解决方案,但我仍然有相同的错误消息,即使密钥库加载了证书请求中指定的相同私钥 CN
*** CertificateRequest
Cert Types:
RSA
,
DSS
,
ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), Unknown (hash:0x3, signature:0x3), SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
CN authorities ....
一些代码与 p12 格式的另一个证书完美配合
当我测试 link How I can tell alias of the wanted key-entry to SSLSocket before connecting? 中提出的解决方案时,问题已解决:
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream fis = new FileInputStream(keystorePath);
ks.load(fis, keystorePwd.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keystorePwd.toCharArray());
final X509KeyManager origKm = (X509KeyManager)kmf.getKeyManagers()[0];
X509KeyManager km = new X509KeyManager() {
@Override
public String[] getClientAliases(String string, Principal[] prncpls) {
return origKm.getClientAliases(string, prncpls);//To change body of generated methods, choose Tools | Templates.
}
@Override
public String chooseClientAlias(String[] strings, Principal[] prncpls, Socket socket) {
return certificatAlias; //To change body of generated methods, choose Tools | Templates.
}
@Override
public String[] getServerAliases(String string, Principal[] prncpls) {
return origKm.getServerAliases(string, prncpls); //To change body of generated methods, choose Tools | Templates.
}
@Override
public String chooseServerAlias(String string, Principal[] prncpls, Socket socket) {
return origKm.chooseServerAlias(string, prncpls, socket);//To change body of generated methods, choose Tools | Templates.
}
@Override
public PrivateKey getPrivateKey(String string) {
System.out.println(".getPrivateKey() :"+string) ;
return origKm.getPrivateKey(string);
}
@Override
public X509Certificate[] getCertificateChain(String string) {
System.out.println(".etCertificateChain :"+string) ;
return origKm.getCertificateChain(string);
}
};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);
``