Java RestTemplate 中的定制 SSL 上下文

发布于 2025-01-11 11:55:58 字数 1797 浏览 0 评论 0原文

我正在尝试通过代码创建定制的 SSL 上下文，因为我们无法在代码中使用 VM 参数 -Djavax.net.ssl.trustStore 提供 keystore.jks。

我正在创建一个休息模板：

@Bean
    RestTemplate restTemplate() throws Exception {
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(
                        keyStore.getURL(),
                        keyStorePassword.toCharArray()
                ).loadKeyMaterial(keyStore.getURL(),
                    keyStorePassword.toCharArray(),
                    keySecret.toCharArray(),
                    (aliases, socket) -> keyAlias
                ).build();
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext);
        HttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory).build();
        HttpComponentsClientHttpRequestFactory factory =
                new HttpComponentsClientHttpRequestFactory(httpClient);
        return new RestTemplate(factory);
    }

但我收到以下错误：

http-nio-8080-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我确信证书正在加载，因为我启用了 -Djavax.net.debug=ssl 并且我看到以下

adding as trusted cert:
...
...

和握手中我可以看到直到

%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-8080-exec-1, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
http-nio-8080-exec-1, WRITE: TLSv1.2 Alert, length = 2
http-nio-8080-exec-1, called closeSocket()

原文

I am trying to create a bespoke SSL context through code as we are unable to provide keystore.jks using VM arguments -Djavax.net.ssl.trustStore in the code.

I am creating a rest template along the lines:

@Bean
    RestTemplate restTemplate() throws Exception {
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(
                        keyStore.getURL(),
                        keyStorePassword.toCharArray()
                ).loadKeyMaterial(keyStore.getURL(),
                    keyStorePassword.toCharArray(),
                    keySecret.toCharArray(),
                    (aliases, socket) -> keyAlias
                ).build();
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext);
        HttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory).build();
        HttpComponentsClientHttpRequestFactory factory =
                new HttpComponentsClientHttpRequestFactory(httpClient);
        return new RestTemplate(factory);
    }

but I am getting the following error:

http-nio-8080-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am sure that the certificate is being loaded in as I have -Djavax.net.debug=ssl enabled and I see the following

adding as trusted cert:
...
...

and on the handshake I can see till

%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-8080-exec-1, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
http-nio-8080-exec-1, WRITE: TLSv1.2 Alert, length = 2
http-nio-8080-exec-1, called closeSocket()

分享到QQ

分享到微博