How do I get hold of the cause of a "PKIX path building failed" exception?


I ran into the well-known

PKIX path building failed
exception, and to find the root cause I have to enable java.security.debug=certpath and look at the logs. In my case the cause is

certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder

But my problem is that I cannot get at the above root cause programmatically, because the thrown exception (see below) lives in the sun.security.validator package, which I cannot import, and even if I could, I am not sure it carries a reference to the root cause (correct me if I'm wrong).

I am using Java 17.

The relevant code is:

import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// trustAnchors: Set<TrustAnchor>, intermediateCAcertStore: CertStore, targetCert: X509Certificate
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, null);
params.addCertStore(intermediateCAcertStore);
// adding a PKIXRevocationChecker switches revocation checking on for this validation
params.addCertPathChecker((PKIXCertPathChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker());

TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(new CertPathTrustManagerParameters(params));
X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
tm.checkClientTrusted(new X509Certificate[]{ targetCert }, "RSA");

Throws:

Exception in thread "main" sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
  at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
  at java.base/sun.security.validator.Validator.validate(Validator.java:264)
  at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:242)
  at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:107)
  at com.example.TrustManagerTest.test1(TrustManagerTest.java:98)
  at com.example.TrustManagerTest.main(TrustManagerTest.java:54)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
  at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
  at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 6 more

So I cannot see that the real cause is the OCSP check unless I enable security debugging and search the logs. But I would like to discover it programmatically and possibly handle it, or at least somehow get hold of the

java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder

message and display it.

Any suggestions?

java security ocsp jca pkix
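The generic message comes from how the JDK's PKIX builder works: it searches candidate paths depth-first and runs the checkers (including the revocation checker you added) on each candidate; a candidate that fails is simply discarded, and once no candidate is left the builder throws only "unable to find valid certification path to requested target". The per-candidate reason is kept in sun.* internals, which is why it is visible in the certpath debug log but not through the public API. One way around this, written here as an added example rather than code from the question, is to split the work in two: build the chain with revocation disabled (so a revocation problem cannot make the builder throw away the only path), then validate the built chain with an explicit PKIXRevocationChecker. At that point a revocation problem surfaces as a public java.security.cert.CertPathValidatorException whose getReason() and getMessage() carry the detail; the "Certificate does not specify OCSP responder" case is reported by the JDK with reason BasicReason.UNDETERMINED_REVOCATION_STATUS. The PEM file arguments and the class name are assumptions for the sake of a runnable program.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CertPathDiagnose {

    // Step 1: build the chain with revocation disabled, so the builder cannot
    // silently discard the only candidate path because of a revocation failure.
    // If this step throws, the problem is the chain itself (missing intermediate,
    // untrusted root, expired cert), not revocation.
    static CertPath buildChain(Set<TrustAnchor> anchors, CertStore intermediates,
                               X509Certificate target) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        sel.setCertificate(target);
        PKIXBuilderParameters bp = new PKIXBuilderParameters(anchors, sel);
        bp.addCertStore(intermediates);
        bp.setRevocationEnabled(false);
        return CertPathBuilder.getInstance("PKIX").build(bp).getCertPath();
    }

    // Step 2: validate that chain with an explicit PKIXRevocationChecker. A
    // revocation problem now surfaces as a CertPathValidatorException whose
    // getReason()/getMessage()/getIndex() describe it.
    static String checkRevocation(CertPath path, Set<TrustAnchor> anchors, boolean softFail)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        if (softFail) {
            // SOFT_FAIL: an undeterminable status (no responder, network error) is
            // collected instead of thrown; a definite REVOKED answer still fails hard.
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        }
        PKIXParameters vp = new PKIXParameters(anchors);
        vp.addCertPathChecker(rc); // adding the checker enables revocation checking
        try {
            cpv.validate(path, vp);
        } catch (CertPathValidatorException e) {
            // e.getReason() is e.g. BasicReason.UNDETERMINED_REVOCATION_STATUS or REVOKED;
            // e.getIndex() is the position in the path of the offending certificate.
            return "hard failure at index " + e.getIndex() + ": reason=" + e.getReason()
                    + ", message=" + e.getMessage();
        }
        List<CertPathValidatorException> soft = rc.getSoftFailExceptions();
        if (soft.isEmpty()) {
            return "ok";
        }
        StringBuilder sb = new StringBuilder("validated, but revocation status not determined:");
        for (CertPathValidatorException e : soft) {
            sb.append(" [").append(e.getReason()).append(": ").append(e.getMessage()).append(']');
        }
        return sb.toString();
    }

    // Reads one or more PEM-encoded certificates from a file (assumed input format).
    static List<X509Certificate> readPem(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    // Usage: java CertPathDiagnose roots.pem intermediates.pem target.pem [soft]
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : readPem(args[0])) {
            anchors.add(new TrustAnchor(root, null));
        }
        CertStore intermediates = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(readPem(args[1])));
        X509Certificate target = readPem(args[2]).get(0);
        boolean soft = args.length > 3 && args[3].equals("soft");

        CertPath path = buildChain(anchors, intermediates, target);
        System.out.println("chain length: " + path.getCertificates().size());
        System.out.println(checkRevocation(path, anchors, soft));
    }
}
```

Two practical notes. First, the builder's own exception is thrown from step 1 only when the chain genuinely cannot be built, so the split also tells you which of the two problems you have, without parsing sun.* messages. Second, treat SOFT_FAIL as a diagnostic or deliberate policy choice, not a default: it accepts a certificate whose revocation status could not be determined, which is exactly the condition the hard failure was protecting you from, so log the collected soft-fail exceptions rather than dropping them.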