Springboot: не удалось создать путь к PKIX / javax.net.ssl.SSLHandshakeException

Question

У меня есть приложение SpringBoot, которое должно вызывать REST API, для которого требуется сертификат. Мне предоставили 2 файла из службы, предлагающей эту службу REST: файл P12 и файл CA Root.

Сначала я создал хранилище ключей (JKS):

keytool -keystore keystore.jks -genkey -alias client

Затем я добавил корень CA в файл JKS:

keytool -keystore keystore.jks -import -file certeurope_root_ca_3.cer -alias cacert

Теперь в моем приложении мне нужно вызвать API остальных:

public DocumentDto sendRequest(DocumentDto documentDto) throws Exception {

    // Set variables
    String ts = "C:\\keystore\\keystore.jks";
    String ks = "C:\\keystore\\CERTIFICATE.p12";

    String tsPassword = properties.getProperty("signature.api.passphrase");
    String ksPassword = properties.getProperty("signature.api.passphrase");

    KeyStore clientStore = KeyStore.getInstance("PKCS12");
    clientStore.load(new FileInputStream(ks), ksPassword.toCharArray());
    log.warn("# clientStore : " + clientStore);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(clientStore, ksPassword.toCharArray());
    KeyManager[] kms = kmf.getKeyManagers();

    KeyStore trustStore = KeyStore.getInstance("JKS");
    trustStore.load(new FileInputStream(ts), tsPassword.toCharArray());

    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(trustStore);
    TrustManager[] tms = tmf.getTrustManagers();

    SSLContext sslContext = null;
    sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kms, tms, new SecureRandom());

    // set the URL to send the request
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
    URL url = new URL(properties.getProperty("signature.api.url.full"));

    // opening the connection
    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    HttpsURLConnection.setDefaultAllowUserInteraction( true );
    HttpsURLConnection.setFollowRedirects( false );
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

    urlConnection.setRequestMethod("POST");
    urlConnection.setDoOutput(true);
    urlConnection.setDoInput(true);
    urlConnection.setUseCaches(false);
    urlConnection.setAllowUserInteraction(true);
    urlConnection.setReadTimeout(15000);

    // create the JSON String
    ObjectMapper mapper = new ObjectMapper();
    // convert an oject to a json string
    String jsonInString = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(documentDto);

    InputStreamReader isr=null;
    try(OutputStream os = urlConnection.getOutputStream()) {
        byte[] input = jsonInString.getBytes(StandardCharsets.UTF_8);
        os.write(input, 0, input.length);
        // check 400 & 403
        if(urlConnection.getResponseCode() == 400 || urlConnection.getResponseCode() == 403) {
            isr = new InputStreamReader(urlConnection.getErrorStream(), StandardCharsets.UTF_8);
            String st= IOUtils.toString(isr);

            log.warn("# errorStream :" + st );
        } else if(urlConnection.getResponseCode() != 200) {
            isr = new InputStreamReader(urlConnection.getErrorStream(), StandardCharsets.UTF_8);
            String st= IOUtils.toString(isr);
        } else {
            isr = new InputStreamReader(urlConnection.getInputStream(), StandardCharsets.UTF_8);
        }
    }

    // read the response
    try(BufferedReader br = new BufferedReader(new InputStreamReader(urlConnection.getInputStream(), StandardCharsets.UTF_8))) {
        StringBuilder response = new StringBuilder();
        String responseLine = null;
        while ((responseLine = br.readLine()) != null) {
            response.append(responseLine.trim());
        }
        System.out.println(response.toString());
    }

    System.out.println(jsonInString);
    return documentDto;
}

Я также изменил свой сервер портов: server.port = 8443. У меня есть 2 проблемы: Если у меня есть: TrustManagerFactory tmf = TrustManagerFactory.getInstance ("SunX509");

Я получаю: javax.net.ssl.SSLHandshakeException: доверенный сертификат не найден

Если яhave: TrustManagerFactory tmf = TrustManagerFactory.getInstance (TrustManagerFactory.getDefaultAlgorithm ());

Я получаю: javax.net.ssl.SSLHandshakeException: сбой при построении пути PKIX: sun.security.provider.certertPaseUntathathнайти правильный путь сертификации для запрошенной цели

Я застрял на этом материале некоторое время и не вижу, что происходит не так.

Answer 1

Ну, я нашел решение, которое может быть не самым элегантным. Но, по крайней мере, это работает. Я тоже сделал какой-то рефакторинг ...

public DocumentCreateRequestDto sendRequest(DocumentDto documentDto) throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {

    // Set variables
    String certificate = properties.getProperty("signature.api.certificate");
    String PwdPk12 = properties.getProperty("signature.api.passphrase");
    String httpsRestUrl = properties.getProperty("signature.api.url.full");

    HttpsURLConnection con = getHttpsURLConnection(certificate, PwdPk12, httpsRestUrl);

    // create the JSON String
    ObjectMapper mapper = new ObjectMapper();
    // convert an oject to a json string

    String jsonInString = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(documentDto);
    jsonInString = "[" + jsonInString + "]";
    StringBuilder response = getStringBuilder(con, jsonInString);

    String output = response.toString();
    output = output.substring(1, output.length()-1);

    return mapper.readValue(output, DocumentCreateRequestDto.class);
}



private HttpsURLConnection getHttpsURLConnection(String certificate, String pwdPk12, String httpsRestUrl) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException, KeyManagementException {

    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(new FileInputStream(certificate), pwdPk12.toCharArray());

    TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    // return new X509Certificate[0];
                    return null;
                }
            }
    };

    SSLContext ctx = SSLContext.getInstance("TLS");

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };


    KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
    kmf.init( ks, pwdPk12.toCharArray() );
    ctx.init( kmf.getKeyManagers(), trustAllCerts, new SecureRandom() );

    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    HttpsURLConnection.setDefaultAllowUserInteraction( true );
    HttpsURLConnection.setFollowRedirects( false );
    HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());


    URL url = new URL(httpsRestUrl);
    HttpsURLConnection con = (HttpsURLConnection) url.openConnection();

    //connection
    con.setRequestMethod("POST");
    con.setDoOutput(true);
    con.setRequestProperty("Accept-Encoding", "gzip,deflate");
    con.setRequestProperty("Content-Type", "application/json");
    con.setRequestProperty("Connection", "Keep-Alive");
    con.setRequestProperty("User-Agent", "Apache-HttpClient/4.1.1 (java 1.5)");
    con.setReadTimeout(15000);
    con.setDoInput(true);
    con.setUseCaches(false);
    con.setAllowUserInteraction(true);
    return con;
}

И:

private StringBuilder getStringBuilder(HttpsURLConnection con, String jsonInString) throws IOException {
    InputStreamReader isr = null;
    try (OutputStream os = con.getOutputStream()) {
        byte[] input = jsonInString.getBytes(StandardCharsets.UTF_8);
        os.write(input, 0, input.length);
        // check 400 & 403
        if (con.getResponseCode() == 400 || con.getResponseCode() == 403) {
            isr = new InputStreamReader(con.getErrorStream(), StandardCharsets.UTF_8);
            String st = IOUtils.toString(isr);

            log.warn("# errorStream :" + st);
        } else if (con.getResponseCode() != 200) {
            isr = new InputStreamReader(con.getErrorStream(), StandardCharsets.UTF_8);
        } else {
            isr = new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8);
        }
    }

    // read the response
    String responseLine;
    StringBuilder response = new StringBuilder();
    try (BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
        while ((responseLine = br.readLine()) != null) {
            response.append(responseLine.trim());
        }
    }
    return response;
}