JSSE 中的 TrustStore

When I installed [OpenFire] I turned on TLS/SSL support in the security section, which made it generate two certificates, DomainName_rsa and DomainName_dsa, both self-signed of course. Clients connecting to the server then have to validate it over TLS/SSL, and the Java client died with the exception below:

  [java] Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
             sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
             certification path to requested target
  [java] at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
  [java] at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
  [java] at sun.security.validator.Validator.validate(Validator.java:218)
  [java] at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
  [java] at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
  [java] at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
  [java] at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
  [java] ... 10 more
  [java] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
                 valid certification path to requested target
  [java] at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
  [java] at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
  [java] at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
  [java] ... 16 more

A search for this error turns up plenty of people who hit it. The fix is to add the self-signed certificate to the local TrustStore, either the JVM's default one or a store named on the command line. JSSE looks for the default TrustStore in this order, and the first one found wins:

  1. The TrustStore file named by the javax.net.ssl.trustStore system property (set with -Djavax.net.ssl.trustStore=/path/to/store, plus -Djavax.net.ssl.trustStorePassword=... if the store's integrity should be checked)
  2. $JAVA_HOME/lib/security/jssecacerts
  3. $JAVA_HOME/lib/security/cacerts

With a JDK the directory is $JAVA_HOME/jre/lib/security; with a stand-alone JRE it is $JAVA_HOME/lib/security (JDK 9 and later have no jre/ subdirectory, so it is $JAVA_HOME/lib/security in both cases). jssecacerts does not ship with the JDK: it is the place for site-specific additions, so that cacerts, which the next JDK update overwrites, is left alone. Whatever goes into either file is trusted by every TLS client in that JVM, which is why a per-application store passed via the system property is usually the safer choice. Details are in the [SUN JSSE Reference Guide].
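The lookup order above, mirrored in code, together with the two ways of pointing a client at a TrustStore of its own instead of editing the JDK's files. This is an added illustration, not code from OpenFire or the JDK; the path /etc/openfire-client/truststore.jks, the store password "changeit" and the host xmpp.example.org are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Resolves the default JSSE trust store the way the reference guide describes
 * (javax.net.ssl.trustStore, then jssecacerts, then cacerts) and shows two ways
 * to use a dedicated trust store. Illustration only; paths and password are assumed.
 */
public class TrustStoreLookup {

    /** The file JSSE would pick as its default trust store, following the documented order. */
    static File resolveDefaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);          // 1. explicit property wins, whether or not the file exists
        }
        // java.home is the JRE directory: $JAVA_HOME/jre on a JDK 8 install, $JAVA_HOME on JDK 9+
        File security = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(security, "jssecacerts");
        if (jssecacerts.isFile()) {
            return jssecacerts;             // 2. site-specific store, consulted before cacerts
        }
        File cacerts = new File(security, "cacerts");
        return cacerts.isFile() ? cacerts : null;   // 3. the bundled public-CA store
    }

    /** Option 1: make it the JVM-wide default. Must run before the first SSLContext is created. */
    static void useAsJvmDefault(File trustStore, String storePassword) {
        System.setProperty("javax.net.ssl.trustStore", trustStore.getPath());
        System.setProperty("javax.net.ssl.trustStorePassword", storePassword);
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
    }

    /** Option 2: an explicit SSLContext; the rest of the JVM keeps its default trust. */
    static SSLContext contextFor(File trustStore, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStore)) {
            ks.load(in, storePassword);     // the password only verifies the file's integrity
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                       // PKIX trust manager backed solely by this store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        File effective = resolveDefaultTrustStore();
        System.out.println("JSSE default trust store: " + (effective == null ? "<none found>" : effective));

        // Assumed location of the application's own trust store
        File dedicated = new File(args.length > 0 ? args[0] : "/etc/openfire-client/truststore.jks");
        SSLSocketFactory factory = contextFor(dedicated, "changeit".toCharArray()).getSocketFactory();
        // Sockets from this factory validate against the dedicated store only, e.g.
        // factory.createSocket("xmpp.example.org", 5223) for OpenFire's legacy SSL port.
        System.out.println("socket factory ready: " + factory.getClass().getName());
    }
}
```

Option 2 is the one to prefer in anything longer-lived than a script: the trustStore property is read once, when the default SSLContext is first built, so setting it late silently has no effect, and it changes trust for every TLS connection in the process.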

Next, export the certificates from OpenFire. Its keystore lives at $OPEN_FIRE_HOME/resources/security/keystore and can be read with the JDK's own keytool. OpenFire generated two certificates; they are also listed under "Admin Console / Server Certificates", and the fingerprints shown there are what to compare against before trusting anything. (DomainName stands for the server's XMPP domain; in the last listing below the real aliases, supermmx.org_rsa and supermmx.org_dsa, show through.)

  # List the entries in a KeyStore
  keytool -list -keystore $OPEN_FIRE_HOME/resources/security/keystore

  Result:

  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 2 entries

  DomainName_rsa, 2007-10-27, PrivateKeyEntry,
  Certificate fingerprint (MD5): 5D:15:91:68:42:BD:AD:82:C2:3A:0D:C0:3E:A8:FF:3B
  DomainName_dsa, 2007-10-27, PrivateKeyEntry,
  Certificate fingerprint (MD5): 1F:7D:A9:63:C7:16:8C:38:6E:D9:AA:A4:2A:B4:E5:FE

  # Export the two certificates (-rfc writes PEM; the private keys stay in the keystore)
  keytool -export -alias DomainName_dsa -keystore $OPEN_FIRE_HOME/resources/security/keystore -rfc -file DomainName_dsa
  keytool -export -alias DomainName_rsa -keystore $OPEN_FIRE_HOME/resources/security/keystore -rfc -file DomainName_rsa

  # Import into the system TrustStore. keytool creates jssecacerts if it does not exist yet
  # and asks for a store password; answer "yes" to "Trust this certificate?" only after the
  # printed fingerprint matches the one listed above.
  keytool -import -alias DomainName_rsa -file DomainName_rsa -keystore $JAVA_HOME/jre/lib/security/jssecacerts
  keytool -import -alias DomainName_dsa -file DomainName_dsa -keystore $JAVA_HOME/jre/lib/security/jssecacerts

  # Verify
  keytool -list -keystore $JAVA_HOME/jre/lib/security/jssecacerts

  Result:

  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 2 entries

  supermmx.org_rsa, 2007-10-27, trustedCertEntry,
  Certificate fingerprint (MD5): 5D:15:91:68:42:BD:AD:82:C2:3A:0D:C0:3E:A8:FF:3B
  supermmx.org_dsa, 2007-10-27, trustedCertEntry,
  Certificate fingerprint (MD5): 1F:7D:A9:63:C7:16:8C:38:6E:D9:AA:A4:2A:B4:E5:FE

That puts both certificates into the default TrustStore as trustedCertEntry items (the fingerprints match the PrivateKeyEntry listing, so the right certificates went in), and the connection then goes through without further changes. [Pidgin], on the other hand, connects straight away with no configuration at all, probably because of the TLS library it uses.
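The same procedure done from Java, as an added example that is not OpenFire's or the JDK's code: it copies the certificate of every PrivateKeyEntry in OpenFire's keystore into a TrustStore of its own, prints fingerprints to compare with the Admin Console, and then runs the exact check the stack trace above came from, X509TrustManager.checkServerTrusted, once against the JDK's cacerts (where the self-signed certificate has nothing to chain to, so the PKIX error is reproduced offline) and once against the new store (where it passes). The keystore path /opt/openfire/resources/security/keystore, the password "changeit" and the output name openfire-truststore.jks are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Builds a trust store from OpenFire's server certificates and validates them
 * the way JSSE does during the handshake. Added example; paths and the
 * password "changeit" are assumptions, not OpenFire defaults taken from the page.
 */
public class OpenfireTrustStore {

    /** Colon-separated hex digest in keytool's layout, using SHA-256 rather than MD5. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Copies each key entry's certificate into a fresh store as a trustedCertEntry; private keys stay behind. */
    static KeyStore buildTrustStore(KeyStore openfire) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);                                  // start from an empty store
        for (String alias : Collections.list(openfire.aliases())) {
            if (!openfire.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) openfire.getCertificate(alias);
            System.out.println(alias + "  SHA-256: " + fingerprint(cert));   // compare with the Admin Console
            trust.setCertificateEntry(alias, cert);
        }
        return trust;
    }

    /** The check JSSE performs on the server certificate; false means "PKIX path building failed". */
    static boolean serverTrusted(KeyStore trust, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // authType names the TLS authentication method, not the key algorithm:
        // "RSA" for an RSA server certificate, "DHE_DSS" for a DSA one.
        String authType = "RSA".equals(chain[0].getPublicKey().getAlgorithm()) ? "RSA" : "DHE_DSS";
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    static KeyStore loadJks(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);                               // null password: read without integrity check
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        File src = new File(args.length > 0 ? args[0] : "/opt/openfire/resources/security/keystore");
        File dst = new File(args.length > 1 ? args[1] : "openfire-truststore.jks");
        KeyStore openfire = loadJks(src, "changeit".toCharArray());   // assumed keystore password

        KeyStore trust = buildTrustStore(openfire);
        try (OutputStream out = new FileOutputStream(dst)) {
            trust.store(out, "changeit".toCharArray());
        }

        // cacerts holds public CAs only, so a self-signed certificate cannot chain to it.
        File cacertsFile = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore cacerts = loadJks(cacertsFile, null);

        for (String alias : Collections.list(trust.aliases())) {
            Certificate[] raw = openfire.getCertificateChain(alias);  // a single self-signed certificate
            X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
            System.out.println(alias + " against cacerts: " + serverTrusted(cacerts, chain));
            System.out.println(alias + " against " + dst + ": " + serverTrusted(trust, chain));
        }
    }
}
```

Run it with the keystore path, the output path and, if different, the keystore password as arguments, then hand the resulting file to the client with -Djavax.net.ssl.trustStore or through an explicit SSLContext. On a current JDK, certificates of this vintage (MD5 or SHA-1 signatures, short keys) may additionally be refused on algorithm grounds; that shows up as a different message than "unable to find valid certification path" and is not fixed by adding them to a trust store.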
