PKIX 路径构建失败：SunCertPathBuilderException：无法找到请求的有效证书路径

Question

我正在使用 eclipse，在尝试执行此功能时遇到错误。

我想连同证书和密钥一起发送一个 GET 请求。我可以下载任何格式的证书，所以这不是问题。我知道我需要将此添加到 java keystone 但在尝试了各种建议后我仍然无法解决此问题。

   public String sendGET(String GET_URL, String authStringEnc) throws IOException {
            try {
                KeyStore ks = KeyStore.getInstance("JKS");
                FileInputStream fis = new FileInputStream("src/com/resources/ece-cyberark-cert.jks");
                ks.load(fis, "5<@7wBj[Ht()~GRf".toCharArray());
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ks, "5<@7wBj[Ht()~GRf".toCharArray());
                SSLContext sc = SSLContext.getInstance("TLS");
                sc.init(kmf.getKeyManagers(), null, null);
                URL obj = new URL(GET_URL);
                HttpURLConnection con = (HttpURLConnection) obj.openConnection();
                if (con instanceof HttpsURLConnection) {
                    ((HttpsURLConnection)con)
                         .setSSLSocketFactory(sc.getSocketFactory());
                }
                con.setRequestMethod("GET");
                con.setRequestProperty("User-Agent", USER_AGENT);
                con.setRequestProperty("Authorization", "Basic " + authStringEnc);      
                con.setRequestProperty("Content-Type", "application/json");
                
                int responseCode = con.getResponseCode();
                System.out.println("GET Response Code :: " + responseCode + " :: " + GET_URL);
                if (responseCode == HttpURLConnection.HTTP_OK) { // success
                    BufferedReader in = new BufferedReader(new InputStreamReader(
                            con.getInputStream()));
                    String inputLine;
                    StringBuffer response = new StringBuffer();
    
                    while ((inputLine = in.readLine()) != null) {
                        response.append(inputLine);
                    }
                    in.close();
                    con.disconnect();
                    // print result
                    return response.toString();
                } else {
                    // return failed requests response code
                    return "GET request not worked :: GET Response Code :: " + responseCode + " ::  + GET_URL";
                }
            } catch (Exception e) {
                e.printStackTrace();
                return "Exceptionn";
            }
            
            
    
        }

以下是错误-

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)

Answer 1

密钥管理器用于向 HTTP 服务器验证您（HTTP 客户端）的身份。但首先，信任管理器用于对服务器进行身份验证。如果服务器的证书在运行时的默认“信任锚”下不受信任，则需要明确提供正确的根证书。

KeyStore trusted = ...; /* Initialize a trust store containing the non-standard CA. */
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(trusted);
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
...

如果您不打算使用 TLS 客户端身份验证，则应删除所有与 KeyManager 相关的初始化。