PKIX path building failed when establishing an SSL connection

Updated: 2024-10-26 22:25:15

Problem description

I'm integrating with a Merchant Account called CommWeb and I'm sending an SSL post to their URL (migs.mastercard.au/vpcdps). When I try to send the post, I get the following exception:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The code (which I didn't write, and that already exists in our codebase) that performs the post is:

    public static HttpResponse sendHttpPostSSL(String url, Map<String, String> params) throws IOException {
        PostMethod postMethod = new PostMethod(url);
        for (Map.Entry<String, String> entry : params.entrySet()) {
            postMethod.addParameter(entry.getKey(), StringUtils.Nz(entry.getValue()));
        }

        HttpClient client = new HttpClient();
        int status = client.executeMethod(postMethod);
        if (status == 200) {
            StringBuilder resultBuffer = new StringBuilder();
            resultBuffer.append(postMethod.getResponseBodyAsString());
            return new HttpResponse(resultBuffer.toString(), "");
        } else {
            throw new IOException("Invalid response code: " + status);
        }
    }

The documentation for the Merchant Account integration says nothing about certificates. They did provide some sample JSP code that seems to blindly accept certificates:

    <%!
    // Define Static Constants
    // ***********************
    public static X509TrustManager s_x509TrustManager = null;
    public static SSLSocketFactory s_sslSocketFactory = null;

    static {
        s_x509TrustManager = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; }
            public boolean isClientTrusted(X509Certificate[] chain) { return true; }
            public boolean isServerTrusted(X509Certificate[] chain) { return true; }
        };

        java.security.Security.addProvider(new com.sun.ssl.internal.ssl.Provider());
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new X509TrustManager[] { s_x509TrustManager }, null);
            s_sslSocketFactory = context.getSocketFactory();
        } catch (Exception e) {
            e.printStackTrace();
            throw new RuntimeException(e.getMessage());
        }
    }

    ...
    ...
    // write output to VPC
    SSLSocket ssl = (SSLSocket)s_sslSocketFactory.createSocket(s, vpc_Host, vpc_Port, true);
    ssl.startHandshake();
    os = ssl.getOutputStream();
    // get response data from VPC
    is = ssl.getInputStream();
    ...
    ...
    %>

Our webapp has a keystore, and I tried adding the certificate (which I exported from firefox) using the keytool command, but that didn't work and I got the same error. I've tried solutions on the web (importing the key and using System.setProperty) but that seems kind of clunky and it didn't work (gave me a NoSuchAlgorithmError). Any help is appreciated!

Recommended answer

Evidently the valicert class 3 CA certificate is not in your default truststore (which is probably the cacerts file in your JRE lib/security directory, but see the JSSE documentation for the full story).

You could add this certificate to the cacerts file, but I don't recommend this. Instead, I think you should create your own truststore file (which can be a copy of the cacerts file) and add the valicert root ca to this. Then point to this file with the javax.ssl.trustStore system property.
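
The answer's approach applied to a single connection, as an added example that is not part of the original answer: it loads a truststore file (for instance a copy of cacerts), adds the missing root CA in memory, and keeps the default PKIX validation that the sample JSP's trust manager switches off. The class name, the alias gateway-root-ca, the command-line arguments and the use of HttpsURLConnection in place of the question's HttpClient are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreExample {

    // Returns a socket factory that trusts the CAs in the truststore file
    // plus one extra root CA certificate (PEM or DER encoded X.509).
    static SSLSocketFactory build(String storePath, char[] storePass, String caCertPath)
            throws Exception {
        // Load the truststore copy so the usual public CAs stay trusted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, storePass);
        }
        // Add the missing root CA in memory only; the file on disk is not modified.
        try (InputStream in = new FileInputStream(caCertPath)) {
            Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
            trustStore.setCertificateEntry("gateway-root-ca", ca); // alias is an assumption
        }
        // Default trust manager: chain building, signatures and validity dates
        // are still checked, unlike a trust manager that always returns true.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    // Usage: java CustomTrustStoreExample <truststore> <password> <ca-cert> <https-url>
    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = build(args[0], args[1].toCharArray(), args[2]);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[3]).openConnection();
        conn.setSSLSocketFactory(factory); // hostname verification keeps its default
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

For code that relies on the JVM's default SSL context, the same truststore file can instead be supplied through the JSSE system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword.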

Published: 2023-11-15 04:45:51
Article link: https://www.elefans.com/category/jswz/34/1591270.html