我遇到了从SpringBoot RestTemplate连接到HTTPS服务器的问题。服务器团队为我提供了pem证书(.pem)和私钥(.key)。我需要配置我的spring服务,以使用我拥有的证书和密钥通过https连接。
我所做的是:
1-将.pem文件和.key文件组合到一个.pem文件中,并使用确认我具有----- BEGIN证书-----和----- BEGIN RSA私钥- ----在组合的pem中:
cat server-cert.pem server-private-key.key > combined-cert-and-key.pem
2-创建了JKS密钥库和信任库,并将证书添加到其中:
keytool -genkeypair -alias dev -keyalg RSA -keysize 2048 -dname "CN=Preview,OU=B,O=Company,L=City,S=ON,C=CA" -keypass PASSWROD -keystore dev.jks -storepass PASSWROD -validity 3650
keytool -importcert -keystore dev.jks -alias dev1-public-cert -file combined-cert-and-key.pem -storepass PASSWROD -noprompt
3-将我的JKS导出为base64(根据需要,这样我可以通过重建JKS从配置服务器加载文件)
openssl base64 -in dev.jks -out dev.txt
4-休息控制器:
@Autowired
private RestTemplate rest;
@RequestMapping(value = "/search", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<?> searchCreditCard(@RequestHeader(value = "Authorization", required = true) String authorization,
@RequestBody Object bod) {
String firstDataUrl = String.format("%s", "https://SERVER-DOMAIN/search");
HttpHeaders header = new HttpHeaders();
header.set("Content-Type", "application/json");
HttpEntity<Object> httpEntity = new HttpEntity<>(bod, header);
Object response = rest.postForEntity(firstDataUrl, httpEntity, Object.class);
return new ResponseEntity<>(response, HttpStatus.OK);
}
5- Aplication.java:
@Value("${tls.keystore.value}")
private String keyStoreValue; // the base64 of my keystore created from #3
@Value("${tls.keystore.password}")
private String keyStorePass;
@Value("${tls.truststore.value}")
private String trustStoreValue; // the base64 of my keystore created from #3
@Value("${tls.truststore.password}")
private String trustStorePass;
@Bean
public RestTemplate template() throws KeyManagementException, NoSuchAlgorithmException {
return new RestTemplate(new HttpComponentsClientHttpRequestFactory(getHttpClient()));
}
private HttpClient getHttpClient() throws NoSuchAlgorithmException, KeyManagementException {
SSLContext sslContext = buildSSLContext(keyStoreValue, keyStorePass, trustStoreValue, trustStorePass);
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext);
return HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();
}
@SuppressWarnings("unused")
private static SSLContext buildSSLContext(String keyStoreValue, String keyStorePass, String trustStoreValue,
String trustStorePass) {
KeyStore keyStore = loadJksKeyStore(keyStoreValue, keyStorePass);
KeyStore trustStore = loadJksKeyStore(trustStoreValue, trustStorePass);
return buildSSLContext(keyStore, trustStore, keyStorePass.toCharArray());
}
@SuppressWarnings("deprecation")
private static SSLContext buildSSLContext(KeyStore keyStore, KeyStore trustStore, char[] keyPassword) {
try {
return SSLContexts.custom().loadTrustMaterial(trustStore, TrustSelfSignedStrategy.INSTANCE)
.loadKeyMaterial(keyStore, keyPassword).build();
} catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException | UnrecoverableKeyException e) {
throw new RuntimeException("Cloud not setup SSLContext", e);
}
}
private static KeyStore loadJksKeyStore(String based64Value, String password) {
byte[] jksFile = Base64.getMimeDecoder().decode(based64Value);
return loadJksKeyStore(new ByteArrayInputStream(jksFile), password);
}
private static KeyStore loadJksKeyStore(InputStream inputStream, String password) {
try {
KeyStore keyStore = KeyStore.getInstance("JKS");
char[] passwordAsCharArray = password == null ? null : password.toCharArray();
keyStore.load(inputStream, passwordAsCharArray);
return keyStore;
} catch (NoSuchAlgorithmException | CertificateException | KeyStoreException | IOException e) {
throw new RuntimeException("Unable to load JKS KeyStore", e);
}
}
但是,我仍然遇到此错误:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",