I ran into the well-known
PKIX path building failed
exception, and to find the root cause I had to enable java.security.debug=certpath and look through the logs. In my case the cause was:
certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
But my problem is that I cannot deal with the above root cause programmatically, because the exception that is thrown (see below) lives in the sun.security.validator package, which I cannot import, and even if I could, I am not sure it contains any reference to the root cause (please correct me if I am wrong).
I am using Java 17.
The relevant code is:
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, null);
params.addCertStore(intermediateCAcertStore);
params.addCertPathChecker((PKIXCertPathChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(new CertPathTrustManagerParameters(params));
X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
tm.checkClientTrusted(new X509Certificate[]{ targetCert }, "RSA");
It throws:
Exception in thread "main" sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:242)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:107)
at com.example.TrustManagerTest.test1(TrustManagerTest.java:98)
at com.example.TrustManagerTest.main(TrustManagerTest.java:54)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 6 more
So I cannot see that the real reason is the OCSP check unless I enable security debugging and search the logs. But I would like to discover it programmatically and possibly handle it, or at least somehow get hold of the
java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
message and display it.
Any suggestions?
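An added example, not code from the question, showing one way to surface the revocation cause programmatically. SunCertPathBuilder folds every rejected candidate chain into the generic "unable to find valid certification path" failure, so the idea is to separate the two phases: build the chain with revocation disabled, then validate the built chain with the PKIXRevocationChecker attached. CertPathValidator reports the revocation problem as a java.security.cert.CertPathValidatorException that carries a Reason (here BasicReason.UNDETERMINED_REVOCATION_STATUS), the index of the offending certificate, and the message the question wants to display. The method name explainPathFailure is hypothetical; trustAnchors, intermediateCAcertStore and targetCert are assumed to be the same objects as in the question.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Set;

public class CertPathDiagnostics {

    // Hypothetical helper; trustAnchors, intermediateCAcertStore and targetCert
    // are assumed to be the same objects the question builds its parameters from.
    static void explainPathFailure(Set<TrustAnchor> trustAnchors,
                                   CertStore intermediateCAcertStore,
                                   X509Certificate targetCert) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(targetCert);

        // Phase 1: build the chain with revocation checking switched off, so a
        // revocation problem cannot hide behind the builder's generic failure.
        PKIXBuilderParameters buildParams = new PKIXBuilderParameters(trustAnchors, target);
        buildParams.addCertStore(intermediateCAcertStore);
        buildParams.setRevocationEnabled(false);

        CertPath path;
        try {
            path = CertPathBuilder.getInstance("PKIX").build(buildParams).getCertPath();
        } catch (CertPathBuilderException e) {
            // No chain at all: missing intermediate, untrusted root, bad signature, ...
            System.out.println("no chain could be built: " + e.getMessage());
            return;
        }

        // Phase 2: validate the chain that was just built, this time with the
        // provider's revocation checker attached (same checker as in the question).
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();

        PKIXParameters validateParams = new PKIXParameters(trustAnchors);
        validateParams.addCertStore(intermediateCAcertStore);
        validateParams.addCertPathChecker(rc);

        try {
            cpv.validate(path, validateParams);
            System.out.println("chain is valid and revocation status was determined for every certificate");
        } catch (CertPathValidatorException e) {
            // For the question's case this prints reason=UNDETERMINED_REVOCATION_STATUS
            // and message=Certificate does not specify OCSP responder; getIndex() is the
            // position (0 = target) of the certificate the checker rejected, or -1.
            System.out.println("reason=" + e.getReason()
                    + " index=" + e.getIndex()
                    + " message=" + e.getMessage());

            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // Revocation status could not be established (no responder, responder
                // unreachable, ...). Decide here whether that is acceptable for your
                // deployment rather than treating it as "no path found".
            } else if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                // The certificate is positively revoked; this must stay a hard failure.
            }
        }
    }
}
```

Validating the built path with a plain PKIXParameters keeps the revocation checker on the same object the question already uses, so the behaviour matches the trust manager; the difference is only that the CertPathValidatorException, with its Reason and index, is now visible to the caller instead of being swallowed by the builder's depth-first search.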