PKIX path building failed when establishing an SSL connection

2022-01-25 00:00:00 integration ssl ssl-certificate java

I'm integrating with a Merchant Account called CommWeb and I'm sending an SSL post to their URL (https://migs.mastercard.com.au/vpcdps). When I try to send the post, I get the following exception:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The code (which I didn't write, and that already exists in our codebase) that performs the post is:

// Apache Commons HttpClient 3.x. StringUtils.Nz and HttpResponse are helpers from the codebase itself.
import java.io.IOException;
import java.util.Map;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;

public static HttpResponse sendHttpPostSSL(String url, Map<String, String> params) throws IOException {
    PostMethod postMethod = new PostMethod(url);
    for (Map.Entry<String, String> entry : params.entrySet()) {
        postMethod.addParameter(entry.getKey(), StringUtils.Nz(entry.getValue()));
    }

    // No SSL configuration here: HttpClient uses the JVM's default SSLSocketFactory,
    // so the server certificate is validated against the JVM's default truststore.
    HttpClient client = new HttpClient();
    try {
        int status = client.executeMethod(postMethod);
        if (status == 200) {
            StringBuilder resultBuffer = new StringBuilder();
            resultBuffer.append(postMethod.getResponseBodyAsString());
            return new HttpResponse(resultBuffer.toString(), "");
        } else {
            throw new IOException("Invalid response code: " + status);
        }
    } finally {
        postMethod.releaseConnection(); // return the connection to the pool
    }
}

The documentation for the Merchant Account integration says nothing about certificates. They did provide some sample JSP code that seems to blindly accept certificates:

<%! // Define Static Constants
    // ***********************
public static X509TrustManager s_x509TrustManager = null;
public static SSLSocketFactory s_sslSocketFactory = null;

static {
    // Trust manager that accepts every chain unconditionally: no PKIX validation at all.
    s_x509TrustManager = new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; }
        public boolean isClientTrusted(X509Certificate[] chain) { return true; }
        public boolean isServerTrusted(X509Certificate[] chain) { return true; }
    };

    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    try {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new X509TrustManager[] { s_x509TrustManager }, null);
        s_sslSocketFactory = context.getSocketFactory();
    } catch (Exception e) {
        e.printStackTrace();
        throw new RuntimeException(e.getMessage());
    }
}

...
...
           // write output to VPC
            SSLSocket ssl = (SSLSocket)s_sslSocketFactory.createSocket(s, vpc_Host, vpc_Port, true);
            ssl.startHandshake();
            os = ssl.getOutputStream();
            // get response data from VPC
            is = ssl.getInputStream();
...
...
%>

Our webapp has a keystore, and I tried adding the certificate (which I exported from firefox) using the keytool command, but that didn't work and I got the same error. I've tried solutions on the web (importing the key and using System.setProperty) but that seems kind of clunky and it didn't work (gave me a NoSuchAlgorithmError). Any help is appreciated!

Recommended answer

Evidently the valicert class 3 CA certificate is not in your default truststore (which is probably the cacerts file in your JRE lib/security directory, but see the JSSE documentation for the full story).

You could add this certificate to the cacerts file, but I don't recommend this. Instead, I think you should create your own truststore file (which can be a copy of the cacerts file) and add the valicert root ca to this. Then point to this file with the javax.net.ssl.trustStore system property.
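The dedicated-truststore approach described in the answer, worked through as an added example (not code from the question, the answer, or the merchant's sample). It builds a copy of cacerts with the vendor's CA imported, then lets the JDK's PKIX validator use that file instead of the trust-everything X509TrustManager in the JSP sample. The paths /etc/myapp/truststore.jks and vpc-root-ca.pem, the alias vpc-root, and the class name are assumptions; "changeit" is the stock cacerts password and should be replaced by your own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTruststoreClient {

    // Assumed path. The file is a copy of the JRE cacerts with the vendor's
    // CA certificate added, prepared once outside the application with:
    //   cp "$JAVA_HOME/lib/security/cacerts" /etc/myapp/truststore.jks
    //   keytool -importcert -trustcacerts -alias vpc-root \
    //       -file vpc-root-ca.pem -keystore /etc/myapp/truststore.jks
    // Import the issuing CA (root or intermediate), not the server's leaf
    // certificate, or the connection breaks at the next certificate rotation.
    static final String TRUSTSTORE_PATH = "/etc/myapp/truststore.jks";

    // SSLContext whose trust anchors are exactly the entries in our truststore,
    // validated by the default (PKIX) TrustManager instead of a trust-all one.
    public static SSLContext sslContextFromTruststore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Form POST over TLS. The default HostnameVerifier is kept on purpose:
    // the chain must both lead to one of our anchors and match the host name.
    public static String postForm(String url, String body, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream os = conn.getOutputStream()) {
            os.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        if (status != 200) {
            throw new IOException("Invalid response code: " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFromTruststore(TRUSTSTORE_PATH, "changeit".toCharArray());
        // vpc_Version=1 is a placeholder form body, not the vendor's actual field set.
        System.out.println(postForm("https://migs.mastercard.com.au/vpcdps", "vpc_Version=1", ctx));
    }
}
```

If you would rather not touch the existing HttpClient code, the same truststore file can be handed to the JVM as a whole with -Djavax.net.ssl.trustStore=/etc/myapp/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit on the command line; the default SSLSocketFactory that HttpClient 3.x picks up then validates against it. Either way, if PKIX still reports "unable to find valid certification path", check that the truststore the JVM is actually reading contains the issuing CA for the chain the server sends (keytool -list -v shows the entries).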
