异常:sun.security.validator.ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException

时间:2019-03-12 13:21:25

标签: java spring maven spring-boot soap

我正在尝试使用第三方提供的客户端证书发出SOAP请求。我按如下方式设置了JVM选项。

-Djavax.net.debug=all
-Djavax.net.ssl.keyStore=/keystore/path/keystore.jks
-Djavax.net.ssl.keyStorePassword=password

我在pom.xml中的插件配置。

<!-- Generates the JAXB classes for the SOAP request/response model from the schemas under
     src/main/resources/wsdl at build time. -->
<plugin>
        <groupId>org.jvnet.jaxb2.maven2</groupId>
        <artifactId>maven-jaxb2-plugin</artifactId>
        <version>0.13.0</version>

        <executions>
            <execution>
                <goals>
                    <goal>generate</goal>
                </goals>
            </execution>
        </executions>

        <configuration>
            <args>
                <!-- XJC option: resolve naming collisions in the generated classes automatically
                     instead of failing the build and requiring binding customisations. -->
                <arg>-XautoNameResolution</arg>
            </args>
            <!-- Root of the WSDL/XSD files the generated packages are derived from. -->
            <schemaDirectory>${project.basedir}/src/main/resources/wsdl</schemaDirectory>
        </configuration>
</plugin>

这是配置类。

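/**
 * Wires the JAXB marshaller and the SOAP gateway client.
 *
 * <p>With the default (proxied) {@code @Configuration} semantics, calling {@link #getMarshaller()}
 * from {@link #getTestClass()} returns the singleton marshaller bean rather than a second
 * instance; the result is still captured in a local so the intent is explicit.
 */
@Configuration
public class ConfigurationClass {

    /**
     * Default SOAP endpoint. It is an HTTPS URL: server trust is decided by the truststore of the
     * underlying message sender (the JVM default cacerts unless configured otherwise), not by this
     * class. A PKIX path-building failure is fixed by importing the issuing CA chain into that
     * truststore, never by disabling certificate verification.
     */
    private static final String DEFAULT_URI = "https://some.uri.com/";

    /**
     * Builds the JAXB marshaller used both for marshalling requests and unmarshalling responses.
     *
     * @return a marshaller scanning the packages of the classes generated from the WSDL/XSDs
     */
    @Bean
    public Jaxb2Marshaller getMarshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        // Package roots of the JAXB classes generated by maven-jaxb2-plugin.
        marshaller.setPackagesToScan("ca", "iso", "org", "swift");
        return marshaller;
    }

    /**
     * Builds the SOAP gateway client with the default endpoint and the shared marshaller.
     *
     * <p>Nothing in this body throws a checked exception, so the former {@code throws Exception}
     * clause was dropped; callers that caught {@code Exception} still compile.
     *
     * @return the configured gateway client
     */
    @Bean
    public TestClass getTestClass() {
        TestClass test = new TestClass();
        test.setDefaultUri(DEFAULT_URI);
        Jaxb2Marshaller marshaller = getMarshaller();
        test.setMarshaller(marshaller);
        test.setUnmarshaller(marshaller);
        return test;
    }
}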

接下来，创建包含要调用的方法的类。

public class TestClass extends WebServiceGatewaySupport {

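/**
 * Sends a GetStatement request for account {@code 8000} with statement date 13 June 1983.
 *
 * <p>The SOAP body is assembled from the generated JAXB object model and sent with the
 * {@code action/GetStatement} SOAP action. As before, the response object returned by
 * {@code marshalSendAndReceive} is not inspected and the fixed string {@code "RESPONSE"} is
 * returned. Transport failures (including a TLS trust failure in the message sender) propagate
 * as the runtime exceptions thrown by the web service template; they are not caught here.
 *
 * <p>The original parsed the literal {@code "13/06/1983"} through {@code SimpleDateFormat} inside
 * a {@code catch (Exception)} that only printed the stack trace, so any failure would have sent a
 * query without a statement date. The date is now built directly from its fields and the only
 * remaining failure mode (no JAXP implementation) is reported instead of swallowed.
 *
 * @return the literal {@code "RESPONSE"}
 * @throws IllegalStateException if no {@code DatatypeFactory} implementation is available
 */
public String getStatement() {
    // Fixed query parameters; the original hard-coded the same values inline.
    final String accountId = "8000";
    final String messageId = "ABC";
    // HTTPS endpoint: server trust comes from the message sender's truststore, not from this code.
    // A PKIX path error is fixed by trusting the issuing CA chain there, never by turning
    // certificate verification off.
    final String endpoint = "https://some.uri.com/";

    ObjectFactory factory1 = new ObjectFactory();
    cmrq_002_001.ObjectFactory factory2 = new cmrq_002_001.ObjectFactory();

    // Statement date: date-only value (no time zone component), month is 1-based.
    DatePeriodDetails dtSch = factory2.createDatePeriodDetails();
    dtSch.setDt(xmlDate(1983, 6, 13));
    StatementValueSearch stmtValDt = factory2.createStatementValueSearch();
    stmtValDt.setDtSch(dtSch);

    // Account selector.
    AccountIdentification3Choice id = factory2.createAccountIdentification3Choice();
    id.setOId(accountId);
    AccountIdentification accId = factory2.createAccountIdentification();
    accId.setId(id);

    // Search criteria wrap the account and date, then nest up to the query definition.
    SearchCriteria schCrit = factory2.createSearchCriteria();
    schCrit.setAcctId(accId);
    schCrit.setStmtValDt(stmtValDt);
    NewCriteria newCrit = factory2.createNewCriteria();
    newCrit.setSchCrit(schCrit);
    StatementCriteria stmtCrit = factory2.createStatementCriteria();
    stmtCrit.setNewCrit(newCrit);
    StatementQueryDefinition stmtQryDef = factory2.createStatementQueryDefinition();
    stmtQryDef.setStmtCrit(stmtCrit);

    MessageIdentyfication msgId = factory2.createMessageIdentyfication();
    msgId.setId(messageId);

    GetStatement getStmt = factory2.createGetStatement();
    getStmt.setMsgId(msgId);
    getStmt.setStmtQryDef(stmtQryDef);
    Document document = factory2.createDocument();
    document.setGetStmt(getStmt);

    GetStatementRequestType getStatement = factory1.createGetStatementRequestType();
    getStatement.setDocument(document);
    JAXBElement<GetStatementRequestType> request = factory1.createGetStatement(getStatement);

    // The response is deliberately not used (unchanged behaviour).
    getWebServiceTemplate().marshalSendAndReceive(endpoint, request, new SoapActionCallback("action/GetStatement"));

    return "RESPONSE";
}

/**
 * Builds a date-only {@link XMLGregorianCalendar} from its fields, without string parsing.
 *
 * @param year  full year, e.g. 1983
 * @param month 1-based month (1 = January)
 * @param day   day of month
 * @return the calendar with an undefined time zone
 * @throws IllegalStateException if no {@code DatatypeFactory} implementation is available
 */
private static XMLGregorianCalendar xmlDate(int year, int month, int day) {
    try {
        return DatatypeFactory.newInstance()
                .newXMLGregorianCalendarDate(year, month, day, DatatypeConstants.FIELD_UNDEFINED);
    } catch (javax.xml.datatype.DatatypeConfigurationException e) {
        // A missing JAXP implementation is a broken runtime, not something the caller can recover from.
        throw new IllegalStateException("no DatatypeFactory implementation available", e);
    }
}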

我向JVM文件夹中的cacerts添加了证书。

得到错误:

System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

trustStore is: /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore

---LIST OF CERTIFICATES---

keyStore is : /keystore/filepath/keystore.jks
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
***
found key for : 3126459
chain [0] = [
[
  Version: V3
  Subject: C=PL, CN=3126459
  Signature Algorithm: SHA1withRSA, OID = ---OID NUMBER---

  Key:  Sun RSA public key, 2048 bits
  modulus: 
---NUMBERS---
public exponent: 
Validity: [From: Fri Feb 15 08:58:44 CET 2019,
           To: Sun Feb 14 08:58:44 CET 2021]
Issuer: O=Default, CN=Default CA
SerialNumber: [    00]

Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
clientAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [                                      
]]]
Algorithm: [SHA1withRSA]
Signature:
]
chain [1] = [
[
Version: V3
Subject: O=Default, CN=Default CA
Signature Algorithm: SHA512withRSA, OID = ---OID NUMBER---
Key:  Sun RSA public key, 2048 bits
modulus: 
---NUMBERS---
public exponent: 
Validity: [From: Wed Jun 26 14:52:00 CEST 2013,
           To: Sun Jun 26 14:52:00 CEST 2033]
Issuer: O=Default, CN=Default CA
SerialNumber: [     ]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]]]
Algorithm: [SHA512withRSA]
Signature:
]
***
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-8080-exec-2, setSoTimeout(0) called
http-nio-8080-exec-2, the previous server name in SNI (type=host_name (0) value=uri.to.connect.com) was replaced with (type=host_name (0), value=uri.to.connect.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1535548090 bytes = { 41, 134, 212, 217, 12, 148, 12, 10, 189, 84, 89, 55, 44, 171, 215, 58, 247, 168, 74, 108, 74, 161, 147, 214, 135, 11, 16, 231 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=uri.to.connect.com]
***
[write] MD5 and SHA1 hashes:  len = 229

http-nio-8080-exec-2, WRITE: TLSv1.2 Handshake, length = 229
[Raw write]: length = 234
[Raw read]: length = 5
[
[Raw read]: length = 91
http-nio-8080-exec-2, READ: TLSv1.2 Handshake, length = 91
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -557873549 bytes = { 199, 238, 231, 2, 245, 226, 102, 41, 21, 24, 119, 57, 171, 8, 194, 31, 195, 0, 137, 186, 236, 83, 182, 8, 228, 131, 52, 151 }
Session ID:  {}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
[read] MD5 and SHA1 hashes:  len = 91
[Raw read]: length = 5                            
[Raw read]: length = 1754
http-nio-8080-exec-2, READ: TLSv1.2 Handshake, length = 1754
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=uri.to.connect.com, OU=Some OU, O=Some O., L=Some L, C=PL,     SERIALNUMBER=Serial, OID.1.3.6.1.4.1.311.60.2.1.3=PL, OID.2.5.4.15=PrivateOrganization
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key:  Sun RSA public key, 2048 bits
modulus: 
public exponent: 
Validity: [From: Tue Jun 26 02:00:00 CEST 2018,
           To: Sun Jun 30 14:00:00 CEST 2019]
Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [    ]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/
]]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier []]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.]
DistributionPoint:
[URIName: http://crl4.]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.2.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 
]]]
[CertificatePolicyId: [2.23.140.1.1]
[]]]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName:  uri.to.connect.com
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [                                 
]]]
Algorithm: [SHA256withRSA]
Signature:
***
]
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-2, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
http-nio-8080-exec-2, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
http-nio-8080-exec-2, called closeSocket()
http-nio-8080-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我该如何解决?问题出在哪里? 我可以使用密钥库通过SOAP UI连接到服务。
