OkHttpClient忽略https证书, PKIX path building failed:unable to find valid certification path to requeste

最新推荐文章于 2024-04-30 17:28:01 发布
最新推荐文章于 2024-04-30 17:28:01 发布
阅读量4.3k 收藏 6
点赞数 5
分类专栏: java 服务器 其他 文章标签: java https ca证书 ssl
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u011221074/article/details/104675035
版权
java 同时被 3 个专栏收录
7 篇文章 0 订阅
订阅专栏
服务器
2 篇文章 0 订阅
订阅专栏
其他
2 篇文章 0 订阅
订阅专栏

1.背景

近些年okhttpclient在后端开发中大放光彩,其高效、简介、逻辑清晰的特性吸引了大批后端开发人员,当满足的场景增多,问题也就随之而来,okhttpclient如何通过https认证就是一个常见的问题。

2.问题描述

接口url中使用https开头,使用okhttpclient发送请求,会报错,常见错误:

security.validator.ValidatorException: PKIX path building failed:unable to find valid certification path to requested target

3.解决方法: 

    (1)使用证书。我方是客户端,一般要去获取要访问的服务器的证书,并导入到我方客户端的jre_home的环境中即可生效。

a.浏览器保存,类似文件下载,直接另存到指定的位置即可,如下:

 

b.java代码生成证书,运行下面的代码:

import java.io.BufferedReader;  
import java.io.File;  
import java.io.FileInputStream;  
import java.io.FileOutputStream;  
import java.io.InputStream;  
import java.io.InputStreamReader;  
import java.io.OutputStream;  
import java.security.KeyStore;  
import java.security.MessageDigest;  
import java.security.cert.CertificateException;  
import java.security.cert.X509Certificate;  
  
import javax.net.ssl.SSLContext;  
import javax.net.ssl.SSLException;  
import javax.net.ssl.SSLSocket;  
import javax.net.ssl.SSLSocketFactory;  
import javax.net.ssl.TrustManager;  
import javax.net.ssl.TrustManagerFactory;  
import javax.net.ssl.X509TrustManager;  
  
public class InstallCert {  
  
    public static void main(String[] args) throws Exception {  
        String host;  
        int port;  
        char[] passphrase;  
        if ((args.length == 1) || (args.length == 2)) {  
            String[] c = args[0].split(":");  
            host = c[0];  
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);  
            String p = (args.length == 1) ? "changeit" : args[1];  
            passphrase = p.toCharArray();  
        } else {  
            System.out  
                    .println("Usage: java InstallCert <host>[:port] [passphrase]");  
            return;  
        }  
  
        File file = new File("jssecacerts");  
        if (file.isFile() == false) {  
            char SEP = File.separatorChar;  
            File dir = new File(System.getProperty("java.home") + SEP + "lib"  
                    + SEP + "security");  
            file = new File(dir, "jssecacerts");  
            if (file.isFile() == false) {  
                file = new File(dir, "cacerts");  
            }  
        }  
        System.out.println("Loading KeyStore " + file + "...");  
        InputStream in = new FileInputStream(file);  
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());  
        ks.load(in, passphrase);  
        in.close();  
  
        SSLContext context = SSLContext.getInstance("TLS");  
        TrustManagerFactory tmf = TrustManagerFactory  
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());  
        tmf.init(ks);  
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf  
                .getTrustManagers()[0];  
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);  
        context.init(null, new TrustManager[] { tm }, null);  
        SSLSocketFactory factory = context.getSocketFactory();  
  
        System.out  
                .println("Opening connection to " + host + ":" + port + "...");  
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);  
        socket.setSoTimeout(10000);  
        try {  
            System.out.println("Starting SSL handshake...");  
            socket.startHandshake();  
            socket.close();  
            System.out.println();  
            System.out.println("No errors, certificate is already trusted");  
        } catch (SSLException e) {  
            System.out.println();  
            e.printStackTrace(System.out);  
        }  
  
        X509Certificate[] chain = tm.chain;  
        if (chain == null) {  
            System.out.println("Could not obtain server certificate chain");  
            return;  
        }  
  
        BufferedReader reader = new BufferedReader(new InputStreamReader(  
                System.in));  
  
        System.out.println();  
        System.out.println("Server sent " + chain.length + " certificate(s):");  
        System.out.println();  
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");  
        MessageDigest md5 = MessageDigest.getInstance("MD5");  
        for (int i = 0; i < chain.length; i++) {  
            X509Certificate cert = chain[i];  
            System.out.println(" " + (i + 1) + " Subject "  
                    + cert.getSubjectDN());  
            System.out.println("   Issuer  " + cert.getIssuerDN());  
            sha1.update(cert.getEncoded());  
            System.out.println("   sha1    " + toHexString(sha1.digest()));  
            md5.update(cert.getEncoded());  
            System.out.println("   md5     " + toHexString(md5.digest()));  
            System.out.println();  
        }  
  
        System.out  
                .println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");  
        String line = reader.readLine().trim();  
        int k;  
        try {  
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;  
        } catch (NumberFormatException e) {  
            System.out.println("KeyStore not changed");  
            return;  
        }  
  
        X509Certificate cert = chain[k];  
        String alias = host + "-" + (k + 1);  
        ks.setCertificateEntry(alias, cert);  
  
        OutputStream out = new FileOutputStream("jssecacerts");  
        ks.store(out, passphrase);  
        out.close();  
  
        System.out.println();  
        System.out.println(cert);  
        System.out.println();  
        System.out  
                .println("Added certificate to keystore 'jssecacerts' using alias '"  
                        + alias + "'");  
    }  
  
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();  
  
    private static String toHexString(byte[] bytes) {  
        StringBuilder sb = new StringBuilder(bytes.length * 3);  
        for (int b : bytes) {  
            b &= 0xff;  
            sb.append(HEXDIGITS[b >> 4]);  
            sb.append(HEXDIGITS[b & 15]);  
            sb.append(' ');  
        }  
        return sb.toString();  
    }  
  
    private static class SavingTrustManager implements X509TrustManager {  
  
        private final X509TrustManager tm;  
        private X509Certificate[] chain;  
  
        SavingTrustManager(X509TrustManager tm) {  
            this.tm = tm;  
        }  
  
        public X509Certificate[] getAcceptedIssuers() {  
            throw new UnsupportedOperationException();  
        }  
  
        public void checkClientTrusted(X509Certificate[] chain, String authType)  
                throws CertificateException {  
            throw new UnsupportedOperationException();  
        }  
  
        public void checkServerTrusted(X509Certificate[] chain, String authType)  
                throws CertificateException {  
            this.chain = chain;  
            tm.checkServerTrusted(chain, authType);  
        }  
    }  
  
}

输入1,回车,然后会在当前的目录下产生一个名为“ssecacerts”的证书。

将证书拷贝到$JAVA_HOME/jre/lib/security目录下,或者通过以下方式:
a.System.setProperty("javax.net.ssl.trustStore", "你的jssecacerts证书路径");

b.shell窗口执行 sudo keytool -import -alias myfile.cer -keystore "/Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts" -file myfile.cer -trustcacerts

注意:因为是静态加载,所以要重新启动你的Web Server,证书才能生效

(2)获取服务器端的证书后,也可以不导入java的环境配置中,直接用代码读取证书,再配置到ssl工厂中,最后初始化到okhttpclient中发送请求即可,代码如下:

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

import org.apache.commons.lang.StringUtils;

import com.alibaba.fastjson.util.IOUtils;

public class OkHttpTool {

    public static final MediaType JSON_TYPE = MediaType.parse("application/json; charset=utf-8");
    public static final String AUTH_FILE_URL = "AUTH_FILE_URL";//配置的地址
    
    public static String post(String url, String json, String token) {
        String result = "";
        InputStream caInput =null;
        Response response =null;
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            caInput = new BufferedInputStream(new FileInputStream(AUTH_FILE_URL));
            Certificate ca = cf.generateCertificate(caInput);
            String keyStoreType = KeyStore.getDefaultType();
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            keyStore.load(null, null);
            keyStore.setCertificateEntry("ca", ca);
            String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
            tmf.init(keyStore);
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, tmf.getTrustManagers(), null);

            RequestBody body = RequestBody.create(JSON_TYPE, json);
            Request request = new Request.Builder().url(url).post(body)
                    .addHeader("clientId", "204")
                    .addHeader("Client-Type", "android")
                    .addHeader("Client-Version", "2.2.6")
                    .addHeader("plain-text-transfer", "true")
                    .addHeader("token", StringUtils.isBlank(token) ? "" : token).build();
            
            OkHttpClient client = new OkHttpClient.Builder()
            .sslSocketFactory(context.getSocketFactory())
            .connectTimeout(15, TimeUnit.SECONDS)
            .readTimeout(30, TimeUnit.SECONDS)
            .hostnameVerifier(new TrustAnyHostnameVerifier())
            .build();
            
            response = client.newCall(request).execute();
            if (response.isSuccessful()) {
                result = response.body().string();
            } else {
                throw new IOException("Unexpected code " + response);
            }
            caInput.close();
            response.close();
        } catch (Exception e) {
            e.printStackTrace();
        }finally{
            if(caInput!=null){
                IOUtils.close(caInput);
            }
            if(response!=null){
                IOUtils.close(response);
            }
        }
        return result;
    }
    
     private static class TrustAnyHostnameVerifier implements HostnameVerifier {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        }
}

    (3)代码中默认全部信任,也就是常说的忽略https认证,说白了就是自己构建一个x509认证,默认通过,再传到ssl配置工厂中,再用okhttpclient发送就不会报错了,代码如下:

import java.util.concurrent.TimeUnit;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.OkHttpClient;

/*
*@Description: Okhttp工具类
*@Author: marx
*@Time: 2020年3月5日15:32:50
*/
public class OkHttpClientTool {
    /**
     * 获取OkHttpClient
     *
     * @return OkHttpClient
     */
    public static OkHttpClient getUnsafeOkHttpClient() {
        try {
            final TrustManager[] trustAllCerts = new TrustManager[]{
                    new X509TrustManager() {
                        @Override
                        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                        }

                        @Override
                        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                        }

                        @Override
                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                            return new java.security.cert.X509Certificate[]{};
                        }
                    }
            };

            final SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
            final javax.net.ssl.SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            // 过时方法,单构造参数方法过时,多传一个X509TrustManager就可以了
            //builder.sslSocketFactory(sslSocketFactory);
            builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);

            builder.hostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            });
            builder.connectTimeout(30, TimeUnit.SECONDS);
            return builder.build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}

 

百里生长
关注
  • 5
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
解决PKIX path building failed的问题
03-17
NULL 博文链接:https://mengyang.iteye.com/blog/575671
完美解决 PKIX path building failed 的问题【okhttp3.0忽略https证书
11-30 1757
详细参考:https://blog.csdn.net/liang1352389/article/details/110393030
https请求报错 PKIX path building failed 解决方法
抽象画家的博客
03-24 794
https请求报错 PKIX path building failed 解决方法
Android使用OkHttp发送post请求
08-26
主要为大家详细介绍了Android使用OkHttp发送post请求,具有一定的参考价值,感兴趣的小伙伴们可以参考一下
PKIX_maven_archetype.rar
03-13
用maven的maven-archetype模板创建maven工程不全,不包括src目录; pom.xml更新jar包失败,提示PKIX path building failed
InstallCert.java工具及使用方法.zip
07-29
解决方法: HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
解决Android studio 3.6.1 出现Cause: unable to find valid certification path to requested target 报错的问题
08-19
主要介绍了Android studio 3.6.1 出现Cause: unable to find valid certification path to requested target 报错的问题及解决方法,需要的朋友可以参考下
使用 okhttp 出现报错unable to find valid certification path to requested target
风兮雨露的博客
07-30 4806
https://我在使用OkHttp 会报unable to find valid certification path to requested target错误 javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to ..
PKIX path building failed问题
LOOPY_Y的博客
12-12 2074
javax.net.ssL.SSLHandshalositorvImpleException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPethBuilderException:unable to find valid certification path to requested target问题解决方式记录
OKHttpjavax.net.ssl. SSLHandshakeException:PKIX path building failed
SportHappy的博客
03-07 5912
Android异常:java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.android.org.conscrypt.OpenSSLSocketFactoryImpl web、java项目异常:javax.net.ssl. SSLHandshakeException:PKIX path building failed..
Https基础填坑日志(1)——unable to find valid certification path to requested target
为梦想加油!!!
10-21 466
问题描述 上周在项目过程中,在和外系统联调的时候突然报错: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: u...
解决PKIX path building failed的问题的AbstractCasProtocolUrlBasedTicketValidator类
04-28
CAS默认走https,需要安装证书,但是自定义的证书貌似得不到信任,报PKIX path building failed。则可以修改源码来屏蔽错误。
SSL.7z,解决PKIX path building failed 的问题
03-10
PKIX path building failed 的问题。解决本地环境中报错 PKIX path building failed 的问题。 其中有产生证书的代码,将运行产生的证书放在文档中指定位置即可
PKIX path building failed
12-07
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java方法重写(重点讲),方法重载
weixin_46281068的博客
04-27 893
一、方法重载定义:一个类中,出现多个方法的名称相同,但是它们的形参列表是不同的,那么这些方法就称为方法重载了。注意:一个类中,只要一些方法的名称相同、形参列表不同,那么它们就是方法重载了,其它的都不管(如:修饰符,返回值类型是否一样都无所谓)。形参列表不同指的是:形参的个数、类型、顺序不同,不关心形参的名称。应用场景:开发中我们经常需要为处理一类业务,提供多种解决方案,此时用方法重载来设计是很专业的。
Day25-Java基础之常用类1
m0_46053885的博客
04-27 867
同时我们发现Math类中的方法都是静态的,因此在使用的时候我们可以直接通过类名去调用。对于计算机而言,其实是没有数据类型的概念的,都是0101010101,数据类型是编程语言自己规定的,所以在实际存储的时候,先把具体的数字变成二进制,每32个bit为一组,存储在数组中。比较内存地址值一般情况下是没有意义的,我们希望比较的是对象的属性,如果两个对象的属性相同,我们认为就是同一个对象;如果我们的数据是一个浮点类型的数据,有的时候计算机并不会将这个数据完全转换成一个二进制数据,而是将这个将其转换成一个无限的。
链表刷题集
最新发布
yajunjiao的专栏
04-30 267
本文主要列举了一些刷的题,不多,有那么几道,也建议各位去建立自己的刷题集。积少成多。
PageHelper实现分页查询
m0_63849044的博客
04-24 1144
这行代码是在使用 MyBatis Generator (MBG) 或类似的 MyBatis 工具生成的代码来构建查询条件。(可能是MyBatis的Mapper接口)来执行基于前面定义的查询条件的查询,并获取结果列表。实例之后会被用来设置各种查询条件,如字段的等于、不等于、大于、小于、模糊查询等。实体类生成的辅助类,它通常包含了一些静态内部类和方法,用于构建查询条件。在MyBatis中,这样的对象通常用于构建查询条件。对象,可能用于作为查询条件)。的一个内部类,用于定义查询的具体条件。
MSE实现全链路灰度实践
云计算、数据库、大数据、深度学习、NLP、Python
04-24 369
待更新。
SSLHandshakeException:PKIX path building failed: unable to find valid certification path to requested target
03-05
SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target 是一个常见的SSL握手异常错误。它通常发生在客户端与服务器之间建立安全连接时,由于证书验证失败导致握手失败。 当客户端与服务器进行SSL握手时,客户端会验证服务器的证书是否有效和可信任。如果客户端无法找到有效的证书路径来验证服务器的证书,就会抛出该异常。 这个错误通常有以下几种可能的原因: 1. 服务器证书未被信任:客户端可能没有服务器证书的信任链或根证书。 2. 证书过期:服务器证书的有效期已过。 3. 证书主题与请求目标不匹配:服务器证书的主题与请求的目标不匹配。 4. 中间人攻击:可能存在中间人攻击,即有人试图截获和篡改通信。 为了解决这个问题,可以尝试以下几种方法: 1. 检查系统时间:确保客户端和服务器的系统时间准确无误。 2. 更新根证书:更新客户端的根证书库,以确保能够验证服务器证书。 3. 检查证书有效性:检查服务器证书是否过期,并确保证书的主题与请求目标匹配。 4. 检查网络代理设置:如果使用了网络代理,确保代理配置正确,并且没有被中间人攻击。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值