Obtaining the SSL/TLS certificate needed to access a target host (when the certificate cannot be obtained directly)

Nowadays many websites and services are built on SSL and require you to download and install a certificate before you can access them. If the site offers the certificate for download, there is of course no problem at all.

But suppose you have no way to download it, and it is not a CA certificate but merely a self-signed server certificate; all you know is the host's address and port. If you connect from a program anyway, you will probably get an error like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

As it turns out, Sun provides a utility program (InstallCert, the class named in the stack trace below) that can be invoked from code to obtain the server-side certificate.
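The mechanism that utility relies on is simple enough to show in full. The following is an added example, not the author's program and not Sun's InstallCert source: a trust manager that records the chain the server presents instead of validating it, a SHA-256 fingerprint per certificate (InstallCert prints SHA-1 and MD5; SHA-256 is what you would compare with a value the operator gives you out of band), and a dedicated keystore that holds only this host's chain so the one-off trust decision stays separate from the JDK's own cacerts file. The host name, port, keystore file name and password are placeholders.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example (not the page's InstallCert): capture the chain a TLS server
// presents and store it in a keystore dedicated to that host.
public class FetchServerChain {

    // Records the server chain instead of validating it. It is installed only
    // in the throw-away SSLContext used for this single capture handshake.
    static final class SavingTrustManager implements X509TrustManager {
        X509Certificate[] chain;

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] c, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not handled here");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] c, String authType) {
            this.chain = c; // keep the chain; a human decides afterwards whether to trust it
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b));
        }
        return sb.toString().trim();
    }

    // Fingerprint of the DER encoding, the same value keytool and openssl print.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return hex(md.digest(cert.getEncoded()));
    }

    public static X509Certificate[] fetch(String host, int port) throws Exception {
        SavingTrustManager tm = new SavingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            socket.startHandshake();
        } catch (SSLException e) {
            // The handshake can still fail after the chain was delivered
            // (protocol or cipher mismatch, for example); the chain is kept.
        }
        if (tm.chain == null) {
            throw new IllegalStateException("server did not present a certificate chain");
        }
        return tm.chain;
    }

    // Write the chain into a fresh keystore rather than into the JDK's cacerts.
    public static void saveChain(X509Certificate[] chain, String path, char[] password,
                                 String aliasPrefix) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty store
        for (int i = 0; i < chain.length; i++) {
            ks.setCertificateEntry(aliasPrefix + "-" + (i + 1), chain[i]);
        }
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the real host and port on the command line.
        String host = args.length > 0 ? args[0] : "server.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        X509Certificate[] chain = fetch(host, port);
        System.out.println("Server sent " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.println(" " + (i + 1) + " Subject " + c.getSubjectX500Principal());
            System.out.println("   Issuer  " + c.getIssuerX500Principal());
            System.out.println("   sha256  " + fingerprint(c, "SHA-256"));
            System.out.println("   expires " + c.getNotAfter());
        }
        // Compare the SHA-256 fingerprint with one obtained from the site's
        // operator before relying on the file this writes.
        saveChain(chain, "jssecacerts", "changeit".toCharArray(), host);
    }
}
```

Run it as `java FetchServerChain <host> [port]`. The capturing trust manager exists only inside fetch(); nothing else in the application should ever be configured with it, since it accepts any chain.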

Here the part of the 12306 ticket-purchasing site that requires a certificate is used as the example:

E:\learn\security>java TestFetchingCert dynamic.12306.cn
Loading KeyStore C:\shared\jdk1.6.0_18\jre\lib\security\cacerts...
Opening connection to dynamic.12306.cn:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at InstallCert.main(InstallCert.java:97)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:192)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
        ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 14 more

Server sent 2 certificate(s):

 1 Subject CN=dynamic.12306.cn, OU=铁路客户服务中心, O=Sinorail Certification Authority, C=CN
   Issuer  CN=SRCA, O=Sinorail Certification Authority, C=CN
   sha1    f6 2e c7 e4 12 d1 aa b3 f0 7f ac b7 f7 20 e6 77 da e5 b9 b7
   md5     cb 3b 65 19 fe b4 88 28 5b 0c 81 f8 bc ef ba 93

 2 Subject CN=SRCA, O=Sinorail Certification Authority, C=CN
   Issuer  CN=SRCA, O=Sinorail Certification Authority, C=CN
   sha1    ae 3f 2e 66 d4 8f c6 bd 1d f1 31 e8 9d 76 8d 50 5d f1 43 02
   md5     60 13 24 f0 9a e9 88 49 58 1b 37 c9 a1 90 57 24

Enter certificate to add to trusted keystore or 'q' to quit: [1]


[
[
  Version: V3
  Subject: CN=dynamic.12306.cn, OU=铁路客户服务中心, O=Sinorail Certification Authority, C=CN
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 131877243788581441455453893594344470200831819323761004983028382908123170744716274924195017274254124953756531355671448830163684168356232189427657515240155383489455640758012703375457674009273923267881490333363099952573578023750920902134321577573362887935276807781022292107338956095769504324054527406579242046053
  public exponent: 65537
  Validity: [From: Wed Jun 01 17:56:35 CST 2011,
               To: Sat May 31 17:56:35 CST 2014]
  Issuer: CN=SRCA, O=Sinorail Certification Authority, C=CN
  SerialNumber: [    205cfb9e 4a12b557]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C 0F FE C1 B2 9D 07 6D   9F 88 EC E1 77 3D DF 41  .......m....w=.A
0010: 1D 4E 8E 43                                        .N.C
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 5E B6 77 B7 E2 52 83   43 ED C7 51 88 4C 63 85  y^.w..R.C..Q.Lc.
0010: 2C 00 43 58                                        ,.CX
]

]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Non_repudiation
]

Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI name:ldap://210.75.98.102:390/cn=crl3,OU=CRL,O=Sinorail Certification Authority,C=CN?certificateRevocationList?base?objectclass=idaPerson

0000: 30 81 90 30 81 8D A0 81   8A A0 81 87 86 81 84 6C  0..0...........l
0010: 64 61 70 3A 2F 2F 32 31   30 2E 37 35 2E 39 38 2E  dap://210.75.98.
0020: 31 30 32 3A 33 39 30 2F   63 6E 3D 63 72 6C 33 2C  102:390/cn=crl3,
0030: 4F 55 3D 43 52 4C 2C 4F   3D 53 69 6E 6F 72 61 69  OU=CRL,O=Sinorai
0040: 6C 20 43 65 72 74 69 66   69 63 61 74 69 6F 6E 20  l Certification
0050: 41 75 74 68 6F 72 69 74   79 2C 43 3D 43 4E 3F 63  Authority,C=CN?c
0060: 65 72 74 69 66 69 63 61   74 65 52 65 76 6F 63 61  ertificateRevoca
0070: 74 69 6F 6E 4C 69 73 74   3F 62 61 73 65 3F 6F 62  tionList?base?ob
0080: 6A 65 63 74 63 6C 61 73   73 3D 69 64 61 50 65 72  jectclass=idaPer
0090: 73 6F 6E                                           son

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: AC 2F FA 07 7B 8F 92 8B   51 2D A4 8A E3 FE AA 56  ./......Q-.....V
0010: 16 AD 38 DC E0 87 4B ED   47 05 B4 4B D6 4E 73 5E  ..8...K.G..K.Ns^
0020: 19 66 8B 2C BB 1D 7B 6A   A5 23 E1 8E 79 25 DD 9D  .f.,...j.#..y%..
0030: DF 8F 6D F0 5C E6 79 36   41 0F 0A AF 90 72 D5 CD  ..m.\.y6A....r..
0040: B1 1D 20 DB 6E 27 8D 56   42 29 8D 18 E8 D3 6D EF  .. .n'.VB)....m.
0050: 99 EE 83 7B 68 16 49 00   A2 B9 FD 82 9E 76 07 A3  ....h.I......v..
0060: 45 60 C7 D6 04 68 14 39   1F 8D 89 EA 4C 5C 38 8C  E`...h.9....L\8.
0070: 9A BD 18 FC DD 9E BC EA   27 DC C7 05 5A 0D 41 F5  ........'...Z.A.

]

Added certificate to keystore 'jssecacerts' using alias 'dynamic.12306.cn-1'

E:\learn\security>

With that done, the certificate can be exported:

Export it as readable text (the password is the default, changeit):

E:\learn\security>keytool -export -alias dynamic.12306.cn-1 -keystore jssecacerts -rfc -file 12306.cer
输入keystore密码:
保存在文件中的认证 <12306.cer>
E:\learn\security>cat 12306.cer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

From now on you can use the certificate above to establish an SSL connection to the target host whenever you need to.
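One way to actually use the exported certificate from code, as an added example that is not the author's: build an SSLContext whose trust store contains only the certificate(s) read from the exported PEM file. Because the certificate is placed in a trust store rather than validation being switched off, the JDK's normal PKIX checks and HttpsURLConnection's hostname verification remain in force; a different certificate for the same host is rejected. The file name and URL are the ones from the post and are placeholders for any other host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: connect to a host using only the certificate exported
// with "keytool -export -rfc" as the trust anchor.
public class PinnedHttpsClient {

    // Build an SSLContext that trusts nothing but the certificate(s) in the PEM file.
    public static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // in-memory store, starts empty
        try (InputStream in = new FileInputStream(pemPath)) {
            int n = 0;
            // generateCertificates accepts PEM as well as DER input.
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("pinned-" + (++n), c);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // the default (PKIX) trust manager, just with our anchors
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Issue a HEAD request over the pinned context and return the status code.
    public static int head(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays at its default; do not replace it with
        // an always-true HostnameVerifier.
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "12306.cer";
        String url = args.length > 1 ? args[1] : "https://dynamic.12306.cn/";
        SSLContext ctx = contextTrustingOnly(pem);
        System.out.println("HTTP " + head(url, ctx));
    }
}
```

The file InstallCert writes is named jssecacerts because JSSE looks for lib/security/jssecacerts before cacerts; copying it there makes the trust global for that JDK. The approach above instead scopes the trust to the connections that use this SSLContext, which is the better fit when only one client component needs to talk to that host.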
