证书未知错误 - Java使用的trustStore

时间:2016-11-01 14:16:39

标签: java ssl https truststore

使用JDK 1.4.2,我的服务器端代码尝试但无法通过Https连接到Google URL(用于reCAPTCHA验证)。当到达链中的GeoTrust证书时,握手过程似乎失败,并发出致命警报certificate_unknown。我使用keytool来验证有效的geotrust证书是否在信任库中。客户端的证书是自签名的,由keytool生成。它似乎还没有涉及到这个错误。我的问题是:

  • JDK版本是否因此而过时?
  • 如何确定信任库正在使用中。调试输出在这方面没有任何指示。我确实在代码中明确设置了信任存储位置。

我很欣赏有关如何使其发挥作用的任何见解。谢谢。

我的代码的一部分:

System.setProperty("javax.net.debug", "all");
debug.println(" -- java home: " + System.getProperty("java.home"));
System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
debug.println(" -- javax.net.ssl.trustStore: " + System.getProperty("javax.net.ssl.trustStore"));
System.setProperty("javax.net.ssl.keyStore", System.getProperty("java.home") + "/lib/security/sl-test.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
URL u = new URL(VERIFY_URL);
HttpsURLConnection urlConn = (HttpsURLConnection)u.openConnection();

debug.println(" -- set params");
urlConn.setRequestMethod("POST");
urlConn.setDoOutput(true);
String params = "secret=" + secretKey + "&response=" + answer + "remoteip=" + remoteIP;

debug.println(" -- write");
DataOutputStream wr = new DataOutputStream(urlConn.getOutputStream());
wr.writeBytes(params);
wr.flush();
...

调试输出:

11/1/16 6:29:59 AM, Debug:  -- java home: /usr/local/j2sdk1.4.2_13/jre
11/1/16 6:29:59 AM, Debug:  -- javax.net.ssl.trustStore: /usr/local/j2sdk1.4.2_13/jre/lib/security/cacerts
11/1/16 6:29:59 AM, Debug:  -- set params
11/1/16 6:29:59 AM, Debug:  -- write
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1477941207 bytes = { 45, 37, 131, 243, 221, 171, 180, 252, 49, 49, 23, 95, 184, 46, 27, 142, 123, 251, 231, 191, 36, 237, 192, 105, 13, 131, 247, 18 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
thread-pool-26, WRITE: TLSv1 Handshake, length = 73
thread-pool-26, WRITE: SSLv2 client hello message, length = 98
thread-pool-26, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1477941207 bytes = { 197, 41, 29, 25, 107, 127, 2, 82, 166, 216, 201, 197, 71, 86, 192, 136, 13, 41, 74, 115, 11, 230, 3, 56, 247, 142, 3, 84 }
Session ID:  {98, 65, 244, 32, 10, 29, 122, 200, 236, 125, 14, 230, 208, 25, 47, 42, 248, 37, 243, 170, 183, 55, 207, 106, 178, 32, 136, 84, 11, 199, 209, 223}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created:  [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
thread-pool-26, READ: TLSv1 Handshake, length = 3081
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    930c0073 cd6105e6 7f838615 e1ec7f03 b6c37090 6768877d 5ca8d3dc f859a602
    744ccd31 bff5a67d 15ea0e5a c556191c d7749342 43635694 31377d0f 5a2ac2a7
    dc49f4e0 ca19a1f4 d7f41943 e2ce56fc 7638ffa0 e70cef9c 2396e05e b4638987
    bb238f06 a0c8b826 05de9310 e717ede8 6e2cfcb1 fab5cea5 9c98a0bd 712a1639
    e7dfce2b e6757238 38b995b9 ceb7f73d 944377dd f1ed7fe3 4b881e9f 2b9da8d8
    2083552b 07f951f7 ac186edf d3f92d84 47caec93 b5bf34fc 324e7856 af4343b3
    c3be2f41 c826cbe5 61eeb2da db22e0e2 b0a61e14 78b3a266 2dd33c38 56b5a28f
    615c5e7f 8b75f708 49816aae 09e807b2 a0ecf8e2 632bfe64 03ed38c0 1425c90f
  Validity: [From: Wed Oct 26 03:08:50 PDT 2016,
           To: Wed Jan 18 01:56:00 PST 2017]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    1311feb2 5eb90fa0]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 5C 30 5A 30 2B 06 08   2B 06 01 05 05 07 30 02  .\0Z0+..+.....0.
0010: 86 1F 68 74 74 70 3A 2F   2F 70 6B 69 2E 67 6F 6F  ..http://pki.goo
0020: 67 6C 65 2E 63 6F 6D 2F   47 49 41 47 32 2E 63 72  gle.com/GIAG2.cr
0030: 74 30 2B 06 08 2B 06 01   05 05 07 30 01 86 1F 68  t0+..+.....0...h
0040: 74 74 70 3A 2F 2F 63 6C   69 65 6E 74 73 31 2E 67  ttp://clients1.g
0050: 6F 6F 67 6C 65 2E 63 6F   6D 2F 6F 63 73 70        oogle.com/ocsp


[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 C0 2B 4A D4 81 93 09   DD 23 15 24 87 95 D4 6A  ..+J.....#.$...j
0010: AB 70 CE B3                                        .p..
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]

]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://pki.google.com/GIAG2.crl]
]]

[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: www.google.com]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]

[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

]
  Algorithm: [1.2.840.113549.1.1.11]
  Signature:
0000: 22 09 AA 59 92 54 50 BF   C8 C5 4C 6A DC F5 86 D1  "..Y.TP...Lj....
0010: F8 F3 2A CF C1 72 CB AE   12 A7 3E 0A 88 8E 3D FF  ..*..r....>...=.
0020: E3 14 B5 EB E6 EB 36 45   BD E3 86 D9 61 26 21 55  ......6E....a&!U
0030: 1D 6F 28 D9 23 F2 75 13   47 15 C4 ED DF 1A 52 59  .o(.#.u.G.....RY
0040: 36 95 80 17 D4 89 18 8D   BC 32 0F FF D8 FA 5E 64  6........2....^d
0050: FA 79 1E B4 60 E1 71 41   8D 7A E7 B8 FF C3 3B 21  .y..`.qA.z....;!
0060: CA 45 62 5B B4 BD 31 F1   7A 74 D2 51 2A 11 98 42  .Eb[..1.zt.Q*..B
0070: 1D 14 F1 1F 44 D9 0B 50   B6 C4 52 4F 79 89 03 47  ....D..P..ROy..G
0080: 96 89 33 E3 FF 21 DF 9D   66 B8 FC 9C 01 86 9C 12  ..3..!..f.......
0090: 4E 86 E1 34 79 4B 27 F9   FE 98 C9 CC 40 A3 15 29  N..4yK'.....@..)
00A0: 4A F6 4B F3 1A 2F E4 F4   B6 8A 97 80 A6 53 70 27  J.K../.......Sp'
00B0: FD 29 B1 6E 6D 5A D2 B6   DE 7A A8 FC C4 1F 54 9C  .).nmZ...z....T.
00C0: DB E3 8A 36 96 13 D9 10   11 95 11 F9 8B EF 7B 87  ...6............
00D0: 7E 70 54 B6 06 1B 16 65   91 7A 4D DA C1 17 DE E7  .pT....e.zM.....
00E0: 0D 57 F1 8A 98 BE C8 E7   3E 82 7A 14 C7 B7 3F 7A  .W......>.z...?z
00F0: 7F E4 0C 6D 8B 62 E5 4A   94 23 FD 2A 5D A2 4D 4F  ...m.b.J.#.*].MO

]
chain [1] = [
[
  Version: V3
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    9c2a0477 5cd85091 3a06a382 e0d85048 bc893ff1 19701a88 467ee08f c5f189ce
    21ee5afe 610db732 4489a074 0b534f55 a4ce8262 95eeeb59 5fc6e105 8012c45e
    943fbc5b 4838f453 f724e6fb 91e915c4 cff4530d f44afc9f 54de7dbe a06b6f87
    c0d0501f 28300340 da087351 6c7fff3a 3ca73706 8ebd4b11 04eb7d24 dee6f9fc
    3171fb94 d560f32e 4aaf42d2 cbeac46a 1ab2cc53 dd154b8b 1fc81961 1fcd9da8
    3e632b84 35696584 c819c546 22f85395 bee3804a 10c62aec ba972011 c7399910
    04a0f061 7a95258c 4e5275e2 b6ed08ca 14fcce22 6ab34ecf 46039797 037ec0b1
    de7baf45 33cfba3e 71b7def4 2525c20d 35899d9d fb0e1179 891e37c5 af8e7269
  Validity: [From: Tue Mar 31 17:00:00 PDT 2015,
           To: Sun Dec 31 15:59:59 PST 2017]
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a92]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 22 30 20 30 1E 06 08   2B 06 01 05 05 07 30 01  ."0 0...+.....0.
0010: 86 12 68 74 74 70 3A 2F   2F 67 2E 73 79 6D 63 64  ..http://g.symcd
0020: 2E 63 6F 6D                                        .com


[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]

]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://g.symcb.com/crls/gtglobal.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

]
  Algorithm: [1.2.840.113549.1.1.11]
  Signature:
0000: 08 4E 04 A7 80 7F 10 16   43 5E 02 AD D7 42 80 F4  .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D   90 84 18 7D E7 90 15 FB  ................
0020: 49 7F A8 99 05 91 BB 7A   C9 D6 3C 37 18 09 9A B6  I......z..<7....
0030: C7 92 20 07 35 33 09 E4   28 63 72 0D B4 E0 32 9C  .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1   50 58 B0 13 AA 13 1A 1B  ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48   63 49 E9 99 5D 20 37 CC  2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9   DE 49 82 C0 10 70 F4 2C  .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC   A5 D9 5E 1E 6D 92 C1 A7  ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C   65 69 CD 87 A4 41 50 3F  .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E   8C 09 A1 AC 7A A4 12 A5  .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03   06 F7 66 58 5F 5F 64 E1  '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98   4C 29 5A 3A 8D D3 2B CA  .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5   80 AC 26 ED 17 89 A6 93  .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E   64 E3 7D 9A E2 00 B3 49  l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7   70 90 46 4E BE D0 DB 59  .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71   CC 01 C2 12 C1 21 C6 16  .l...6.q.....!..

]
chain [2] = [
[
  Version: V3
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  SunJSSE RSA public key:
  public exponent:
    010001
  modulus:
    dacc1863 30fdf417 231a567e 5bdf3c6c 38e471b7 7891d4bc a1d84cf8 a843b603
    e94d2107 0888da58 2f663929 bd05788b 9d38e805 b76a7e71 a4e6c460 a6b0ef80
    e489280f 9e25d6ed 83f3ada6 91c798c9 42183514 9dad9846 922e4fca f18743c1
    1695572d 50ef892d 807a57ad f2ee5f6b d2008db9 14f81415 35d9c046 a37b72c8
    91bfc955 2bcdd097 3e9c2664 ccdfce83 1971ca4e e6d4d57b a919cd55 dec8ecd2
    5e3853e5 5c4f8c2d fe502336 fc66e6cb 8ea43919 00b79502 39910b0e fe382ed1
    1d059af6 4d3e6f0f 071daf2c 1e8f6039 e2fa3653 1339d45e 262bdb3d a814bd32
    eb180328 520471e5 ab333de1 38bb0736 84629c79 ea1630f4 5fc02be8 716be4f9
  Validity: [From: Mon May 20 21:00:00 PDT 2002,
           To: Mon Aug 20 21:00:00 PDT 2018]
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    12bbe6]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95   D7 47 D8 23 20 10 4F 33  H.h.+....G.# .O3
0010: 98 90 9F D4                                        ....
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.geotrust.com/crls/secureca.crl]
]]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2D 68 74 74 70 73 3A   2F 2F 77 77 77 2E 67 65  .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63   6F 6D 2F 72 65 73 6F 75  otrust.com/resou
0020: 72 63 65 73 2F 72 65 70   6F 73 69 74 6F 72 79     rces/repository

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 76 E1 12 6E 4E 4B 16 12   86 30 06 B2 81 08 CF F0  v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2   ED D4 3B 1F FF F0 F0 C8  ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D   18 D0 55 83 A2 6A CB 36  N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F   B8 13 D4 47 FE 8B 5A 5C  ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38   AB 97 34 14 AA 96 D2 EB  s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5   91 EF 83 36 EB 1D 56 6F  ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F   7B 3E 22 CB 3D 07 ED 5F  ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1   AF 98 EE 61 F2 84 3F 12  8t...PN....a..?.

]
***
thread-pool-26, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
thread-pool-26, WRITE: TLSv1 Alert, length = 2
thread-pool-26, called closeSocket()
thread-pool-26, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Critical: ReCaptcha.verify(), error: Exception while contacting verification site, exception: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Debug: ReCaptcha.verify(), success ? false

1 个答案:

答案 0 :(得分:1)

  

主题:CN = www.google.com,O = Google Inc,L = Mountain View,ST = California,C = US   签名算法: 1.2.840.113549.1.1.11 ,OID = 1.2.840.113549.1.1.11

     

... sun.security.validator.ValidatorException:证书签名验证失败

问题不在于信任存储中缺少CA,而是无法验证签名。算法1.2.840.113549.1.1.11引用sha256WithRSAEncryption,看起来你的应用程序不理解这个。

虽然这个签名算法是在JDK 1.4.2中添加的,但还有其他报告具有完全相同的JDK版本且具有相同的问题。如果无法升级到更高版本的Java版本,建议似乎是使用BouncyCastle。有关详细信息,请参阅Certificate signature validation failed