java - Spring http 客户端 : pkcs12 keystore and trustsrtore on httpclient

Question

在我的应用程序中，我使用 HttpClient 设置 ssl 上下文:

@Bean
public HttpClient httpClient() throws Exception {
    SSLContext sslContext = SSLContextBuilder.create()
        .loadKeyMaterial(
            new URL(schedulerConfiguration.getKeyStore()),
            schedulerConfiguration.getKeyStorePassword().toCharArray(),
            schedulerConfiguration.getKeyPassword().toCharArray()
        )
        .loadTrustMaterial(
            new URL(schedulerConfiguration.getTrustStore()),
            schedulerConfiguration.getTrustStorePassword().toCharArray()
        )
        .build();

    return HttpClients.custom().setSSLContext(sslContext).build();      
}

如您所见，我正在加载一个 keystore 和一个信任库。

keystore 包含私钥，truststore 包含所有链证书。

我正在针对无法启动的客户端连接运行，原因是:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://balancer:8080/token": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我已经从这样的 .p12 文件构建了我的 jks。

为了构建 trsutstore:

$ openssl pkcs12 -in fitxers.p12 -nokeys -out cacerts-nokeys.crt
$ keytool -importcert -file cacerts-nokeys.crt -keystore cacerts-pre-splitted.jks

为了创建我的 keystore :

$ keytool -importkeystore -srckeystore fitxers.p12 -srcstoretype pkcs12 -destkeystore auth-backoffice-pre.jks -deststoretype jks

有什么问题吗？

Answer 1

我记得在没有正确使用别名时遇到过类似的问题。您是否在原始 p12 文件中使用了别名？如果是这样，我建议使用其他方法通过自定义 PrivateKeyStrategy 加载 key Material 。

尝试使用 vm 选项连接您的客户端时，还要看一下:

-Djavax.net.debug=all

您将能够看到更多信息。希望这能指导您找到解决方案!