解决PKIX path building failed的问题
Java在请求https网站、而该网站的证书不被当前JRE的信任库信任时,会报:PKIX path building failed
解决方法一:使用keytool手动导入证书,为JRE环境导入信任证书
参考:http://www.cnblogs.com/wanghaixing/p/5630070.html
方法二:使用代码下载证书保存
参考:https://blog.csdn.net/frankcheng5143/article/details/52164939
方法三:我们自己创建的证书不被信任,所以在代码中忽略证书信任问题。
参考:http://mengyang.iteye.com/blog/575671
最后注意:检查eclipse/myeclipse的JDK或JRE,是否为你导入证书的JRE。
注意:myeclipse是自带JDK的,JDK中自带JRE,而我们通过命令导入的jre是系统环境变量下path的jre。
两者很可能不是同一个,要改myeclipse的配置。(具体操作很简单,windows-->preferences-->搜索jre)
方法二代码实现
功能:把目标host证书保存到jre/lib/security/jssecacerts文件,亲测有效
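import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.*;
import javax.net.ssl.*;
import java.security.cert.*;
import org.junit.Test;

/**
 * Fetches the certificate chain presented by an HTTPS host and adds the leaf
 * certificate to the JRE's {@code lib/security/jssecacerts} key store
 * ("method two" of the article).
 *
 * <p>Notes for whoever runs this:
 * <ul>
 *   <li>The key store written here is read by every Java program that uses this
 *       JRE, so the trust decision is JRE-wide, not per application.</li>
 *   <li>Whatever certificate the network delivers at the moment this runs is what
 *       gets trusted. Compare the printed SHA-256 fingerprint with a value obtained
 *       out-of-band (e.g. from the server's operator) before relying on it.</li>
 *   <li>Only the leaf certificate is pinned, so the entry stops matching when the
 *       server rotates its certificate.</li>
 * </ul>
 */
public class certUtils {
    // Kept for callers that may read them; installCert() takes its own arguments.
    private int port = 443;
    private char[] passphrase = "changeit".toCharArray();

    /** Hex alphabet used by {@link #toHexString(byte[])}. */
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    /**
     * Connects to {@code host:port}, captures the server's certificate chain and
     * stores its first (leaf) certificate under alias {@code host-1} in
     * {@code <java.home>/lib/security/jssecacerts}.
     *
     * <p>If {@code jssecacerts} does not exist yet the store is seeded from
     * {@code cacerts}. Failures are reported on stderr; nothing is thrown.
     *
     * @param host       host name to connect to, e.g. {@code www.80s.tw}
     * @param port       HTTPS port; 443 by default
     * @param passphrase password of the key store (the JRE default is {@code changeit})
     */
    public void installCert(String host, int port, char[] passphrase) {
        char sep = File.separatorChar;
        File dir = new File(System.getProperty("java.home") + sep + "lib" + sep + "security");
        // Read from jssecacerts when it already exists, otherwise start from the
        // stock cacerts; the result is always written to jssecacerts below.
        File file = new File(dir, "jssecacerts");
        if (!file.isFile()) {
            file = new File(dir, "cacerts");
        }
        System.out.println("Loading KeyStore " + file + "...");
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(file)) {
                ks.load(in, passphrase);
            }

            // Wrap the platform trust manager so the chain is recorded even when
            // validation fails, which is exactly the case this tool exists for.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
            SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new TrustManager[] { tm }, null);
            SSLSocketFactory factory = context.getSocketFactory();

            System.out.println("Opening connection to " + host + ":" + port);
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(10000);
                System.out.println("Starting SSL handshake...");
                socket.startHandshake();
                System.out.println("No errors, certificate is already trusted");
            } catch (IOException e) {
                // Expected when the server certificate is not yet trusted; the chain
                // has already been captured by SavingTrustManager at this point.
                e.printStackTrace();
            }

            X509Certificate[] chain = tm.chain;
            if (chain == null || chain.length == 0) {
                System.out.println("Could not obtain server certificate chain");
                return;
            }

            // Print every certificate with its SHA-256 fingerprint so the operator
            // can check it against an out-of-band source before trusting it. (The
            // original computed digests here but never displayed them.)
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = chain[i];
                System.out.println(" " + (i + 1) + " Subject " + c.getSubjectX500Principal());
                System.out.println("   Issuer  " + c.getIssuerX500Principal());
                System.out.println("   sha256  " + toHexString(sha256.digest(c.getEncoded())));
            }

            // As in the original: pin the first (leaf) certificate of the chain.
            int index = 0;
            X509Certificate cert = chain[index];
            String alias = host + "-" + (index + 1);
            ks.setCertificateEntry(alias, cert);

            // Always write to jssecacerts, never back into cacerts.
            File jssecacerts = new File(dir, "jssecacerts");
            try (OutputStream out = new FileOutputStream(jssecacerts)) {
                ks.store(out, passphrase);
            }
            System.out.println("-----打印cert-----");
            System.out.println(cert);
        } catch (GeneralSecurityException | IOException e) {
            // Best-effort helper, as in the original: report and return.
            e.printStackTrace();
        }
    }

    /**
     * Renders {@code bytes} as lower-case hex pairs, each followed by a space
     * (the trailing space is kept from the original formatting).
     *
     * @param bytes data to render; may be empty
     * @return the hex representation, e.g. {@code "de ad "} for {0xde, 0xad}
     */
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    /**
     * Delegating trust manager that remembers the last server chain it was asked
     * to check, so the caller can inspect it after a failed handshake.
     */
    private static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        // Set by checkServerTrusted(); null until the server has sent its chain.
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // Delegate instead of throwing, so the wrapper behaves like the
            // platform trust manager if JSSE ever asks for the issuer list.
            return tm.getAcceptedIssuers();
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // This tool only acts as a TLS client; server-side use is unsupported.
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Record the chain first so it is available even when validation throws.
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}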
查看证书
# Lists the entry stored under alias "aurora" in the JDK's cacerts key store (-v: verbose).
# Passing -storepass on the command line leaves the password in the shell history and
# makes it visible to other local users via the process list; omit it to be prompted.
keytool -list -v -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit
# This command looks up the certificate with alias "aurora" in the key store of the
# JDK installation; the key store password is "changeit".
删除证书
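# Removes the entry stored under alias "aurora" from the JDK's cacerts key store.
# The option is "-delete"; the original listing showed it as "- delete" (with a space),
# which keytool does not accept.
# As with -list, prefer being prompted for the password over -storepass on the command line.
keytool -delete -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit
# Deletes the certificate whose alias is "aurora".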
方法三代码实现
只要在创建connection之前调用两个方法:
由于有网友这么说:这样做是放弃了证书的认证,那你们用https还有什么意义呢?就好像搭建了一个https的server,最后在认证失败的时候放弃认证,直接选择信任,那么这个https的server就沦落为一个http的server了,而且性能要比http差
在下就没有测试,请自行测试。
// Both calls change process-wide defaults: every HttpsURLConnection created afterwards
// in this JVM skips certificate validation (trustAllHttpsCertificates) and host-name
// checking (hv), not only the connection being debugged. If a bypass is unavoidable in a
// development build, set the socket factory and verifier on the single connection
// (HttpsURLConnection.setSSLSocketFactory / setHostnameVerifier) instead.
trustAllHttpsCertificates();
HttpsURLConnection.setDefaultHostnameVerifier(hv);
// NOTE(review): this verifier accepts every host name, so a certificate issued to a
// different name than the one in the URL passes; the mismatch is only logged.
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName, SSLSession session) {
        System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
        return true;
    }
};

/**
 * Installs a trust manager that accepts any certificate as the JVM-wide default
 * socket factory for HttpsURLConnection.
 *
 * <p>After this call the JVM no longer authenticates HTTPS servers, so against an
 * active attacker on the path the connection offers no more protection than plain
 * HTTP (the article's own remark above). Prefer importing the specific certificate
 * into a trust store (method one or two). If a bypass is unavoidable in a development
 * build, scope it to one connection with {@code HttpsURLConnection.setSSLSocketFactory}
 * rather than the default.
 *
 * @throws Exception if the SSLContext cannot be created or initialised
 */
private static void trustAllHttpsCertificates() throws Exception {
    javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
    javax.net.ssl.TrustManager tm = new miTM();
    trustAllCerts[0] = tm;
    // NOTE(review): "TLS" is the conventional protocol name here; confirm which
    // protocol versions "SSL" enables on the target JRE.
    javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, null);
    javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}

/** Trust manager that performs no validation at all: every chain is reported as trusted. */
static class miTM implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        // The X509TrustManager contract asks for a non-null (possibly empty) array;
        // callers that iterate the result will fail on null.
        return null;
    }

    // isServerTrusted/isClientTrusted are not declared by javax.net.ssl.X509TrustManager
    // (they come from the older com.sun.net.ssl API); JSSE does not call them.
    public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
        return true;
    }

    public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
        return true;
    }

    public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
            throws java.security.cert.CertificateException {
        // No check: chain, validity period, revocation and issuer are all ignored.
        return;
    }

    public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
            throws java.security.cert.CertificateException {
        // Same as above for client certificates.
        return;
    }
}