java - CXF REST client call with 2-way auth failing with "unable to find valid certification path to requested target"
I've been iterating through implementing a REST call with the CXF ClientBuilder. I had an earlier problem, reported in a previous question (I have a cert file and a key file, and need to build a truststore and keystore for the CXF ClientBuilder), which I've worked through, but it's now morphed into something different.
Based on the response I got to that, I used "openssl" to convert the key file from PKCS#1 to PKCS#8. That gets me past the ClientBuilder setup, although the next problem I see makes me think I still have to fix something.
After creating the client, I executed code like this:
```java
WebTarget target = client.target(getServerHostPort()).path(getServerPath());
Builder request = target.request();
Response postResponse = request.post(Entity.text("tokenid=" + token));
```
This results in the following:
```
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://<hostport>/token/tokenval: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1377)
```
Note that I tried a "curl" call to do the same thing, which looks like this:
```
curl --data "tokenid=gz...8f" --pass changeit --key priv8.pem -E certfile:changeit https://<hostport>/token/nxsats/tokenval
```
This reports an error, but it's an expected error from the business logic in the downstream service, not an SSL handshake failure.
My setup code for the client looks like this:
```java
// Imports added for completeness; ClassLoaderUtils and IOUtils are taken to be the CXF
// helpers (org.apache.cxf.common.classloader / org.apache.cxf.helpers).
import java.io.IOException;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.annotation.PostConstruct;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.ClientBuilder;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.helpers.IOUtils;

private Certificate buildCertFromFile(String filename) throws CertificateException {
    return CertificateFactory.getInstance("X.509")
            .generateCertificate(ClassLoaderUtils.getResourceAsStream(filename, <thisclass>.class));
}

public static PrivateKey getPrivateKey(String filename)
        throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    String contents = IOUtils.toString(ClassLoaderUtils.getResourceAsStream(filename, TGuardService.class), "UTF-8");
    // Strip the PEM armour lines and all whitespace, leaving the Base64 body of the PKCS#8 key
    contents = contents.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s+", "");
    System.out.println("contents[" + contents + "]");
    byte[] bytes = Base64.getDecoder().decode(contents);
    System.out.println("decoded[" + new String(bytes) + "]");
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
    KeyFactory kf = KeyFactory.getInstance("RSA");
    return kf.generatePrivate(spec);
}

@PostConstruct
public void init() {
    try {
        // In-memory truststore holding the single certificate read from "certfile"
        KeyStore truststore = KeyStore.getInstance("JKS");
        truststore.load(null, null);
        Certificate cert = buildCertFromFile("certfile");
        truststore.setCertificateEntry("cert", cert);
        // In-memory keystore holding the private key, with that same certificate as its chain
        KeyStore keystore = KeyStore.getInstance("JKS");
        keystore.load(null, "abc".toCharArray());
        PrivateKey privateKey = getPrivateKey("priv8.pem");
        System.out.println("privateKey[" + privateKey + "]");
        keystore.setKeyEntry("key", privateKey, "abc".toCharArray(), new Certificate[]{cert});
        ClientBuilder builder = ClientBuilder.newBuilder();
        builder.trustStore(truststore);
        builder.keyStore(keystore, "abc");
        // This verifier accepts any peer that presents an X.509 certificate, regardless of host name
        builder.hostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String host, SSLSession session) {
                try {
                    Certificate[] certs = session.getPeerCertificates();
                    return certs != null && certs[0] instanceof X509Certificate;
                } catch (SSLException ex) {
                    return false;
                }
            }
        });
        client = builder.build();
    } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException
             | IOException | InvalidKeySpecException ex) {
        ex.printStackTrace();
    }
}
```
update:
I tried turning on "-Djavax.net.debug=all", which gave me lots of output, most of which I can't interpret well. There was one section that did seem odd to me. I saw the following output right before it makes the call:
```
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jdk1.8.0_102\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Sun Jun 20 21:00:00 PDT 1999 until Sun Jun 21 21:00:00 PDT 2020
```
Note the "keyStore is" and "trustStore is" lines. The value for "keyStore is" appears blank, but the truststore appears to show an existing path to a file on disk. The fact is, both the keystore and the truststore for this connection should be referring to objects entirely in memory, not files on disk. If the client thinks the truststore is at "C:\Program Files\Java\jdk1.8.0_102\jre\lib\security\cacerts", it seems like calling "builder.trustStore()" didn't do anything, assuming that line is reporting info about the truststore in use.
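The following is an added example, not code from the question or from CXF, showing the two things a practitioner would check before chasing this error further: that the in-memory stores hold the right material (server-issuing CA in the truststore; client key plus its own chain in the keystore), and that the stores actually reach the handshake by being wired into one SSLContext and handed to the client with ClientBuilder.sslContext(). The "trustStore is: ...cacerts" line in the debug trace is printed by JSSE's default trust-manager initialisation; a TrustManagerFactory initialised from a supplied KeyStore does not go through that code path, so its absence is a quick way to confirm the custom store is the one in use. The class name MutualTlsClientSetup, the file names server-ca.pem, client-cert.pem, priv8.pem and server-chain.pem, and the password "changeit" are assumptions for the example; everything else is standard JSSE and JAX-RS 2.0 API. The default hostname verifier is deliberately left in place.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

// Added example (not from the question): in-memory truststore/keystore built from PEM files,
// an explicit SSLContext, and an offline PKIX check that reports why a path fails to build.
public class MutualTlsClientSetup {

    // All "CERTIFICATE" blocks in a PEM file; a CA bundle or a saved server chain yields several.
    static List<X509Certificate> readPemCertificates(Path file) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        return certs;
    }

    // Unencrypted PKCS#8 ("BEGIN PRIVATE KEY") key. PKCS8EncodedKeySpec cannot parse a PKCS#1
    // "BEGIN RSA PRIVATE KEY" file, so refuse that early instead of getting an opaque InvalidKeySpecException.
    static PrivateKey readPkcs8PrivateKey(Path file) throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(file), StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY")) {
            throw new InvalidKeyException(file + " is PKCS#1; convert with: openssl pkcs8 -topk8 -nocrypt -in " + file);
        }
        byte[] der = Base64.getDecoder().decode(pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s+", ""));
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Truststore: the CA(s) that issued the *server's* certificate, and nothing else.
    static KeyStore buildTrustStore(List<X509Certificate> serverCas) throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        for (int i = 0; i < serverCas.size(); i++) ts.setCertificateEntry("server-ca-" + i, serverCas.get(i));
        return ts;
    }

    // Keystore: the client's private key plus its own certificate chain, sent when the server asks for it.
    static KeyStore buildKeyStore(PrivateKey key, List<X509Certificate> chain, char[] pw) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setKeyEntry("client", key, pw, chain.toArray(new X509Certificate[0]));
        return ks;
    }

    // Both stores wired into one SSLContext; passing this to the client leaves no default cacerts fallback.
    static SSLContext buildSslContext(KeyStore trustStore, KeyStore keyStore, char[] pw) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // The same PKIX path build the handshake performs, run offline on a chain saved from the server,
    // so "unable to find valid certification path" comes back with the failing index and reason.
    static String checkServerPath(List<X509Certificate> serverChain, KeyStore trustStore) throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(serverChain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // keep this check about path building only
        try {
            PKIXCertPathValidatorResult r =
                    (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            return "FAIL at chain index " + e.getIndex() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names; the question's files are "certfile" and "priv8.pem".
        List<X509Certificate> serverCas = readPemCertificates(Paths.get("server-ca.pem"));
        List<X509Certificate> clientChain = readPemCertificates(Paths.get("client-cert.pem"));
        PrivateKey clientKey = readPkcs8PrivateKey(Paths.get("priv8.pem"));
        char[] pw = "changeit".toCharArray();

        KeyStore trustStore = buildTrustStore(serverCas);
        KeyStore keyStore = buildKeyStore(clientKey, clientChain, pw);
        System.out.println("trust anchors: " + Collections.list(trustStore.aliases()));

        Path savedChain = Paths.get("server-chain.pem"); // e.g. saved from openssl s_client -showcerts
        if (Files.exists(savedChain)) System.out.println(checkServerPath(readPemCertificates(savedChain), trustStore));

        Client client = ClientBuilder.newBuilder().sslContext(buildSslContext(trustStore, keyStore, pw)).build();
        // client.target(...).request().post(...) then proceeds as in the question
    }
}
```

Running checkServerPath against the saved server chain with a truststore that holds only the client's own certificate reproduces the PKIX failure offline, which separates "wrong trust anchors" from "the builder ignored my store"; re-running it with the server's issuing CA loaded should print the OK line. Keeping the default hostname verifier means a certificate that chains correctly but is issued for a different host is still rejected.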