0

我有一个用于测试 api 的 java cucumber 测试自动化框架。

以前我使用的是一个名为 Karate 的工具,它有一个简单的标志 ( karate.configure('ssl', { trustAll: true });),它允许您信任所有证书。

我希望有一个类似的标志可用于 Apache HTTP 客户端......但我所有的谷歌搜索都会导致冗长而复杂的代码。

这是我到目前为止编写的将 .pfx 文件发送到 api 的代码

        String keyPassphrase = "";

        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new FileInputStream("src/main/resources/sslCertificates/certificate.pfx"), keyPassphrase.toCharArray());

        SSLContext sslContext = SSLContexts.custom()
                .loadKeyMaterial(keyStore, null)
                .build();


        //This is the httpClient that you will use to send your http request
        CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();

        //Send the request
        CloseableHttpResponse response = httpClient.execute(request);

但它在发送之前被拒绝说

 "javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

如何轻松接受所有证书以解决此问题?如前所述,我只是在测试,所以这样做没有问题。

但是,我确实有 .pfx 和 .crt 格式的证书文件以及可能使用的 client.key 文件 - 但我不知道如何使用。

4

3 回答 3

0

如果使用HttpClient 4.4或更高版本,您可以执行以下操作(示例取自以下参考):

TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
    SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, 
      NoopHostnameVerifier.INSTANCE);
    
    Registry<ConnectionSocketFactory> socketFactoryRegistry = 
      RegistryBuilder.<ConnectionSocketFactory> create()
      .register("https", sslsf)
      .register("http", new PlainConnectionSocketFactory())
      .build();

    BasicHttpClientConnectionManager connectionManager = 
      new BasicHttpClientConnectionManager(socketFactoryRegistry);
    CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf)
      .setConnectionManager(connectionManager).build();

更多细节在这里:https ://www.baeldung.com/httpclient-ssl

于 2022-03-04T14:02:19.330 回答
0

这段代码似乎已经成功了:

        String keyPassphrase = "";
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new FileInputStream("src/main/resources/sslCertificates/certificate.pfx"), keyPassphrase.toCharArray());
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, null);

        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return null;
                    }
                    public void checkClientTrusted(
                            java.security.cert.X509Certificate[] certs, String authType) {
                    }
                    public void checkServerTrusted(
                            java.security.cert.X509Certificate[] certs, String authType) {
                    }
                }
        };

        // Install the all-trusting trust manager
            SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());


        //This is the httpClient that you will use to send your http request
        CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();

        //Send the request
        CloseableHttpResponse response = httpClient.execute(request);
于 2022-03-04T16:12:27.053 回答
0

我使用了这篇文章中提到的解决方案:

让 Java 通过 HTTPS 接受所有证书

在那里,您构建了一个自定义 TrustManager 和 HostNameVerifier 来接受任何证书和域:

HostNameVerifier 的自定义实现:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

public class TrustAllHostNameVerifier implements HostnameVerifier {

    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}

Https连接创建:

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    }
};

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    HttpsURLConnection.setHostnameVerifier(new TrustAllHostNameVerifier())
} catch (Exception e) {
  :
  :
}

尽管您澄清说它是出于测试目的,但重要的是要记住这是一个极其不安全的解决方案,您将失去使用 SSL 提供的所有保护。

于 2022-03-04T13:59:35.553 回答