Java#PKIX path building failed

2013-09-24

场景

项目对账系统涉及到第三方支付平台交易记录采集，通讯协议为HTTPS单向认证（客户端需要认证支付平台网关是否可信，支付平台网关不在协议层验证客户端是否可任），通讯层主要集成了Apache HttpClient组件。

项目测试过程中在测试环境(Linux)采集过三个月左右交易记录，通讯层这块没有任何问题，项目上线后发现异常日志中抛出大量与此项目相关异常信息，异常信息表述的主要意思为服务器提供的证书不被我们客户端信任。

异常信息

Caused by: sun.security.validator.ValidatorException: PKIX path

building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.tvj.iphone.pay.unipay.AuthSSLX509TrustManager.checkServerTrusted(AuthSSLX509TrustManager.java:213)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1066)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:129)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:530)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1121)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:508)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at com.tvj.erp.payment.util.httpClient.HttpProtocolHandler.execute(HttpProtocolHandler.java:121)
        at com.tvj.erp.payment.util.httpClient.HttpProtocolHandler.execute(HttpProtocolHandler.java:65)
        at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.doRequest(AbstractPaymentImpl4Alipay.java:148)
        at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.innerCollectsPaymentData(AbstractPaymentImpl4Alipay.java:94)
        at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.collectsPaymentData(AbstractPaymentImpl4Alipay.java:82)
        at com.tvj.erp.payment.acquis.DefaultPaymentDataAcquisitionStratety.doDataAcquisition(DefaultPaymentDataAcquisitionStratety.java:48)
        at com.tvj.erp.payment.PaymentDataAcquisition.doCollectsData(PaymentDataAcquisition.java:60)
        ... 2 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 31 more

解决办法

两个文件

1、%JAVA_HOME%\jre\lib\security\cacerts

2、%JAVA_HOME%\jre\lib\security\jssecerts

两种办法：

一、添加信任证书

这块也有两种办法，

1.1、指定运行时系统变量设置trustStore

"-Djavax.net.ssl.trustStore=/path/to/jssecacerts"

"-Djavax.net.ssl.trustStorePassword=truststorepassword"

1.2、使用keytool手动导入证书

二、实现自定义证书信任管理逻辑（这样做有风险）

三、Java安全#为JRE环境导入信任证书

1、使用浏览器访问目标网站，下载证书存储成cer格式

2、使用keytool导入

2.1、确认信任服务器cer文件路径/tmp/Base64.alipay.cer

2.2、确认JAVA_HOME,

2.3、keytool -import -trustcacerts -alias alipay.com -file /tmp/Base64_Alipay.cer -keystore/opt/jrockit-jdk1.6.0_20/jre/lib/security/cacerts -storepass changeit

2.4、执行中需要确认导入(y)

2.5、验证查看证书信息

2.5.1、keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -alias alipay.com

2.5.2、输入密码changeit

2.5.3、检查输入结果

2013-10-07
整理java#keytool工具
这个工具的用途主要是管理java安全相关的认证证书、密钥，对证书或密钥条目的导入、导出、删除、变更。
1、创建证书
keytool -genkeypair -alias "org.ybygjy.ca" -keyalg "RSA" -keystore "d:\ca.keystore"
2、查看证书库
keytool -list -keystore d:\ca.keystore
3、导出到证书文件
keytool -export -alias org.ybygjy.ca -file d:\org.ybygjy.crt -keystore d:\ca.keystore
4、导入证书
keytool -import -keystore d:\ca.keystore -file d:\org.ybygjy.crt
5、查看证书
keytool -printcert -file d:\org.ybygjy.crt
6、删除条目
keytool -delete -keystore d:\ca.keystore -alias org.ybygjy.ca
7、修改条目口令
keytool -keypasswd -alias org.ybygjy.ca -keystore d:\ca.keystore
keytool -keypasswd -alias org.ybygjy.ca -keypass abcdefaaf -new abeedcedc -storepass changeit -keystore d:\ca.keystore

资料

http://www.rap.ucar.edu/staff/paddy/cacerts/index.html

http://www.cnblogs.com/devinzhang/archive/2012/02/28/2371631.html

http://www.ibm.com/developerworks/cn/java/j-lo-ssltls/index.html

http://blog.csdn.net/faye0412/article/details/6883879