Я пытаюсь выполнить SOAP-запрос, используя клиентский сертификат, выданный сторонней организацией. Параметры JVM настроены так, как показано ниже (замечание: пароль хранилища ключей, переданный через -D, виден в списке процессов любому пользователю системы, а -Djavax.net.debug=all выводит в лог подробности TLS-рукопожатия — оба параметра не стоит оставлять в боевой конфигурации).
-Djavax.net.debug=all
-Djavax.net.ssl.keyStore=/keystore/path/keystore.jks
-Djavax.net.ssl.keyStorePassword=password
Моя конфигурация плагина в pom.xml.
<!-- Runs XJC at build time over every schema under src/main/resources/wsdl.
     The generated packages are presumably the ones ConfigurationClass scans
     ("ca", "iso", "org", "swift") - verify against the generated sources. -->
<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
<artifactId>maven-jaxb2-plugin</artifactId>
<!-- NOTE(review): 0.13.0 is an old release line of this plugin; confirm it is the intended version. -->
<version>0.13.0</version>
<executions>
<execution>
<goals>
<goal>generate</goal>
</goals>
</execution>
</executions>
<configuration>
<args>
<!-- XJC extension option; presumably makes the generator resolve duplicate
     class names automatically instead of failing - see the plugin docs. -->
<arg>-XautoNameResolution</arg>
</args>
<!-- Schemas/WSDLs are read from the application resources, not from the default src/main/resources. -->
<schemaDirectory>${project.basedir}/src/main/resources/wsdl</schemaDirectory>
</configuration>
</plugin>
Вот класс конфигурации.
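@Configuration
public class ConfigurationClass {

    /**
     * JAXB marshaller used for both the request and the response side of
     * {@link TestClass}.
     *
     * @return a marshaller configured to scan the "ca", "iso", "org" and "swift" packages
     */
    @Bean
    public Jaxb2Marshaller getMarshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        marshaller.setPackagesToScan("ca", "iso", "org", "swift");
        return marshaller;
    }

    /**
     * Gateway for the statement service.
     *
     * <p>No message sender with an explicit key store or trust store is configured
     * here, so the client certificate and the trust anchors used for the HTTPS
     * endpoint come from the JVM-wide {@code javax.net.ssl.*} system properties.
     * Every other HTTPS client in the same JVM inherits that identity; if that is
     * not intended, configure a message sender with its own key/trust managers.
     *
     * @return the gateway with its default URI and both marshalling directions set
     */
    @Bean
    public TestClass getTestClass() {
        TestClass test = new TestClass();
        test.setDefaultUri("https://some.uri.com/");
        // One instance for both directions; in a proxied @Configuration the bean
        // method returns the singleton either way, but a local makes that explicit.
        Jaxb2Marshaller marshaller = getMarshaller();
        test.setMarshaller(marshaller);
        test.setUnmarshaller(marshaller);
        return test;
    }
}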
Далее создан класс с методом для вызова.
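public class TestClass extends WebServiceGatewaySupport {

    /**
     * Builds a GetStatement request for account "8000" with value date
     * 13 June 1983 and sends it to the hard-coded endpoint with SOAPAction
     * "action/GetStatement".
     *
     * <p>The SOAP response is currently discarded and the literal "RESPONSE" is
     * returned; callers that need the reply must be changed together with this
     * method.
     *
     * @return the constant "RESPONSE"
     * @throws IllegalStateException if no JAXP {@code DatatypeFactory} is available,
     *         which is a JVM configuration error rather than a request-level failure
     */
    public String getStatement() {
        ObjectFactory factory1 = new ObjectFactory();
        cmrq_002_001.ObjectFactory factory2 = new cmrq_002_001.ObjectFactory();

        // Value-date search window. Previously built from Date/SimpleDateFormat
        // inside a try/catch that only printed the stack trace, so a failure would
        // have sent a request with no date at all; now the failure is surfaced.
        DatePeriodDetails dtSch = factory2.createDatePeriodDetails();
        dtSch.setDt(toXmlDate(java.time.LocalDate.of(1983, 6, 13)));
        StatementValueSearch stmtValDt = factory2.createStatementValueSearch();
        stmtValDt.setDtSch(dtSch);

        // Account selector, innermost element first.
        AccountIdentification3Choice id = factory2.createAccountIdentification3Choice();
        id.setOId("8000");
        AccountIdentification accId = factory2.createAccountIdentification();
        accId.setId(id);

        SearchCriteria schCrit = factory2.createSearchCriteria();
        schCrit.setAcctId(accId);
        schCrit.setStmtValDt(stmtValDt);
        NewCriteria newCrit = factory2.createNewCriteria();
        newCrit.setSchCrit(schCrit);
        StatementCriteria stmtCrit = factory2.createStatementCriteria();
        stmtCrit.setNewCrit(newCrit);
        StatementQueryDefinition stmtQryDef = factory2.createStatementQueryDefinition();
        stmtQryDef.setStmtCrit(stmtCrit);

        // NOTE(review): the message id is a constant; confirm whether the service
        // requires it to be unique per request.
        MessageIdentyfication msgId = factory2.createMessageIdentyfication();
        msgId.setId("ABC");

        GetStatement getStmt = factory2.createGetStatement();
        getStmt.setMsgId(msgId);
        getStmt.setStmtQryDef(stmtQryDef);
        Document document = factory2.createDocument();
        document.setGetStmt(getStmt);

        GetStatementRequestType getStatement = factory1.createGetStatementRequestType();
        getStatement.setDocument(document);
        JAXBElement<GetStatementRequestType> request = factory1.createGetStatement(getStatement);

        // The endpoint repeats the gateway's default URI. TLS identity and trust are
        // not configured on this gateway, so they come from the JVM-wide
        // javax.net.ssl.* settings.
        getWebServiceTemplate().marshalSendAndReceive(
                "https://some.uri.com/", request, new SoapActionCallback("action/GetStatement"));
        return "RESPONSE";
    }

    /**
     * Converts a calendar date to an {@code xs:date} value without a time zone.
     *
     * @param date the date to convert
     * @return the XML date with year, month and day set and the zone undefined
     * @throws IllegalStateException if the JAXP datatype factory cannot be created
     */
    private static XMLGregorianCalendar toXmlDate(java.time.LocalDate date) {
        try {
            return DatatypeFactory.newInstance().newXMLGregorianCalendarDate(
                    date.getYear(),
                    date.getMonthValue(),
                    date.getDayOfMonth(),
                    DatatypeConstants.FIELD_UNDEFINED);
        } catch (javax.xml.datatype.DatatypeConfigurationException e) {
            throw new IllegalStateException("No JAXP DatatypeFactory available", e);
        }
    }
}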
Я добавил сертификаты в хранилище доверенных сертификатов cacerts в папке JVM.
Получаю следующие ошибки (вывод с -Djavax.net.debug=all):
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
trustStore is: /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
---LIST OF CERTIFICATES---
keyStore is : /keystore/filepath/keystore.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : 3126459
chain [0] = [
[
Version: V3
Subject: C=PL, CN=3126459
Signature Algorithm: SHA1withRSA, OID = ---OID NUMBER---
Key: Sun RSA public key, 2048 bits
modulus:
---NUMBERS---
public exponent:
Validity: [From: Fri Feb 15 08:58:44 CET 2019,
To: Sun Feb 14 08:58:44 CET 2021]
Issuer: O=Default, CN=Default CA
SerialNumber: [ 00]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
clientAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]]]
Algorithm: [SHA1withRSA]
Signature:
]
chain [1] = [
[
Version: V3
Subject: O=Default, CN=Default CA
Signature Algorithm: SHA512withRSA, OID = ---OID NUMBER---
Key: Sun RSA public key, 2048 bits
modulus:
---NUMBERS---
public exponent:
Validity: [From: Wed Jun 26 14:52:00 CEST 2013,
To: Sun Jun 26 14:52:00 CEST 2033]
Issuer: O=Default, CN=Default CA
SerialNumber: [ ]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]]]
Algorithm: [SHA512withRSA]
Signature:
]
***
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-8080-exec-2, setSoTimeout(0) called
http-nio-8080-exec-2, the previous server name in SNI (type=host_name (0) value=uri.to.connect.com) was replaced with (type=host_name (0), value=uri.to.connect.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1535548090 bytes = { 41, 134, 212, 217, 12, 148, 12, 10, 189, 84, 89, 55, 44, 171, 215, 58, 247, 168, 74, 108, 74, 161, 147, 214, 135, 11, 16, 231 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=uri.to.connect.com]
***
[write] MD5 and SHA1 hashes: len = 229
http-nio-8080-exec-2, WRITE: TLSv1.2 Handshake, length = 229
[Raw write]: length = 234
[Raw read]: length = 5
[
[Raw read]: length = 91
http-nio-8080-exec-2, READ: TLSv1.2 Handshake, length = 91
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: -557873549 bytes = { 199, 238, 231, 2, 245, 226, 102, 41, 21, 24, 119, 57, 171, 8, 194, 31, 195, 0, 137, 186, 236, 83, 182, 8, 228, 131, 52, 151 }
Session ID: {}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
[read] MD5 and SHA1 hashes: len = 91
[Raw read]: length = 5
[Raw read]: length = 1754
http-nio-8080-exec-2, READ: TLSv1.2 Handshake, length = 1754
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=uri.to.connect.com, OU=Some OU, O=Some O., L=Some L, C=PL, SERIALNUMBER=Serial, OID.1.3.6.1.4.1.311.60.2.1.3=PL, OID.2.5.4.15=PrivateOrganization
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus:
public exponent:
Validity: [From: Tue Jun 26 02:00:00 CEST 2018,
To: Sun Jun 30 14:00:00 CEST 2019]
Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ ]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/
]]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier []]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.]
DistributionPoint:
[URIName: http://crl4.]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.2.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier:
]]]
[CertificatePolicyId: [2.23.140.1.1]
[]]]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: uri.to.connect.com
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]]]
Algorithm: [SHA256withRSA]
Signature:
***
]
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-2, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-8080-exec-2, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
http-nio-8080-exec-2, called closeSocket()
http-nio-8080-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Как это исправить и где может быть проблема? Из лога видно, что параметр -Djavax.net.ssl.trustStore не задан и используется хранилище по умолчанию (/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts), а в полученной от сервера цепочке показан только конечный сертификат, выданный промежуточным CA «DigiCert SHA2 Extended Validation Server CA» — ни этого промежуточного сертификата, ни пути до корня в логе нет.
При этом подключиться к сервису через SOAP-интерфейс, используя то же самое хранилище ключей, у меня получается.