我在我的信任库中有服务器根证书,在设置-Djavax.net.debug = all后,我可以看到信任库已初始化并且可信证书在那里:
trustStore is: test.truststore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Test Root, OU=test, O=test, C=us
Issuer: CN=Test Root, OU=test, O=test, C=us
Algorithm: RSA; Serial number: 0x1
Valid from Thu Sep 05 14:49:45 GMT+00:00 2013 until Sun Sep 05 14:49:45 GMT+00:00 2021
接下来,我可以在服务器证书链中看到可信证书:
chain [2] = [
[
Version: V3
Subject: CN=Test Root, OU=test, O=test, C=us
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 259491476017...{etc}
public exponent: 65537
Validity: [From: Thu Sep 05 14:49:45 GMT+00:00 2013,
To: Sun Sep 05 14:49:45 GMT+00:00 2021]
Issuer: CN=Test Root, OU=test, O=test, C=us
SerialNumber: [ 01]
但由于某种原因,握手仍然失败:
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
Thread-2, SEND TLSv1 ALERT: fatal, description = certificate_unknown
Thread-2, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E .......
Thread-2, called closeSocket()
Thread-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: non-null policy tree required and policy tree is null
Thread-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: non-null policy tree required and policy tree is null
“非空策略树需要和策略树为空”是什么意思?
答案 0 :(得分:0)
当应用程序尝试验证具有Require Explicit Policy:0的链(如DoD中介所做的)并且在certPath和PKIXParameters中都包括自签名证书作为信任锚时,我看到了此问题。类似于:
CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(chain);
X509Certificate ca = (X509Certificate)chain.get(chain.size() - 1);
TrustAnchor trustAnchor = new TrustAnchor((X509Certificate)ca, null);
PKIXParameters params = new PKIXParameters(Collections.singleton(trustAnchor));
我还没有使用SSLSocket尝试过此操作,但是我认为如果服务器发送根目录,您可能会看到它(它们实际上不应该)。我认为一个有效的解决方案是在调用验证程序之前,查看最终证书是否为SelfIssued(getSubjectX500Principal() equals getIssuerX500Principal())并将其从链中删除。类似于:
if (ca.getSubjectX500Principal().equals(ca.getIssuerX500Principal())) {
chain.remove(ca);
}
未经SSL测试,但是这对验证私钥+从PEM文件中读取的完整链对我来说很有用。
与sun提供程序相比,BouncyCastle堆栈跟踪:
java.security.cert.CertPathValidatorException: non-null policy tree required and policy tree is null
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at test.main(test.java:52)
Caused by: java.security.cert.CertPathValidatorException: non-null policy tree required and policy tree is null
at sun.security.provider.certpath.PolicyChecker.processPolicies(PolicyChecker.java:572)
at sun.security.provider.certpath.PolicyChecker.checkPolicy(PolicyChecker.java:225)
at sun.security.provider.certpath.PolicyChecker.check(PolicyChecker.java:180)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 5 more
org.bouncycastle.jce.exception.ExtCertPathValidatorException: No valid policy tree found when one expected.
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertF(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at test.main(test.java:53)