
Obtaining the SSL/TLS certificate of a target host when it cannot be downloaded directly

Nowadays many websites and services are built on SSL and require you to download and install a certificate before they can be accessed. If the site offers the certificate for download, there is no problem at all.

But if you have no way to download it, and it is not a CA certificate but only a self-signed server certificate, and all you know is the host's address and port, then forcing a connection from your own program will likely produce an error like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

It turns out that Sun provides a utility program which, when run, performs the handshake and retrieves the server's certificate.

Here we use the part of 12306's ticket-booking site that requires a certificate as the example:

E:\learn\security>java TestFetchingCert dynamic.12306.cn
Loading KeyStore C:\shared\jdk1.6.0_18\jre\lib\security\cacerts...
Opening connection to dynamic.12306.cn:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at InstallCert.main(InstallCert.java:97)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:192)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
        ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 14 more

Server sent 2 certificate(s):

 1 Subject CN=dynamic.12306.cn, OU=鐵路客戶服務中心, O=Sinorail Certification Authority, C=CN
   Issuer  CN=SRCA, O=Sinorail Certification Authority, C=CN
   sha1    f6 2e c7 e4 12 d1 aa b3 f0 7f ac b7 f7 20 e6 77 da e5 b9 b7
   md5     cb 3b 65 19 fe b4 88 28 5b 0c 81 f8 bc ef ba 93

 2 Subject CN=SRCA, O=Sinorail Certification Authority, C=CN
   Issuer  CN=SRCA, O=Sinorail Certification Authority, C=CN
   sha1    ae 3f 2e 66 d4 8f c6 bd 1d f1 31 e8 9d 76 8d 50 5d f1 43 02
   md5     60 13 24 f0 9a e9 88 49 58 1b 37 c9 a1 90 57 24

Enter certificate to add to trusted keystore or 'q' to quit: [1]


[
[
  Version: V3
  Subject: CN=dynamic.12306.cn, OU=鐵路客戶服務中心, O=Sinorail Certification Authority, C=CN
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 131877243788581441455453893594344470200831819323761004983028382908123170744716274924195017274254124953756531355671448830163684168356232189427657515240155383489455640758012703375457674009273923267881490333363099952573578023750920902134321577573362887935276807781022292107338956095769504324054527406579242046053
  public exponent: 65537
  Validity: [From: Wed Jun 01 17:56:35 CST 2011,
               To: Sat May 31 17:56:35 CST 2014]
  Issuer: CN=SRCA, O=Sinorail Certification Authority, C=CN
  SerialNumber: [    205cfb9e 4a12b557]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C 0F FE C1 B2 9D 07 6D   9F 88 EC E1 77 3D DF 41  .......m....w=.A
0010: 1D 4E 8E 43                                        .N.C
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 5E B6 77 B7 E2 52 83   43 ED C7 51 88 4C 63 85  y^.w..R.C..Q.Lc.
0010: 2C 00 43 58                                        ,.CX
]

]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Non_repudiation
]

Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI name:ldap://210.75.98.102:390/cn=crl3,OU=CRL,O=Sinorail Certification Authority,C=CN?certificateRevocationList?base?objectclass=idaPerson

0000: 30 81 90 30 81 8D A0 81   8A A0 81 87 86 81 84 6C  0..0...........l
0010: 64 61 70 3A 2F 2F 32 31   30 2E 37 35 2E 39 38 2E  dap://210.75.98.
0020: 31 30 32 3A 33 39 30 2F   63 6E 3D 63 72 6C 33 2C  102:390/cn=crl3,
0030: 4F 55 3D 43 52 4C 2C 4F   3D 53 69 6E 6F 72 61 69  OU=CRL,O=Sinorai
0040: 6C 20 43 65 72 74 69 66   69 63 61 74 69 6F 6E 20  l Certification
0050: 41 75 74 68 6F 72 69 74   79 2C 43 3D 43 4E 3F 63  Authority,C=CN?c
0060: 65 72 74 69 66 69 63 61   74 65 52 65 76 6F 63 61  ertificateRevoca
0070: 74 69 6F 6E 4C 69 73 74   3F 62 61 73 65 3F 6F 62  tionList?base?ob
0080: 6A 65 63 74 63 6C 61 73   73 3D 69 64 61 50 65 72  jectclass=idaPer
0090: 73 6F 6E                                           son

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: AC 2F FA 07 7B 8F 92 8B   51 2D A4 8A E3 FE AA 56  ./......Q-.....V
0010: 16 AD 38 DC E0 87 4B ED   47 05 B4 4B D6 4E 73 5E  ..8...K.G..K.Ns^
0020: 19 66 8B 2C BB 1D 7B 6A   A5 23 E1 8E 79 25 DD 9D  .f.,...j.#..y%..
0030: DF 8F 6D F0 5C E6 79 36   41 0F 0A AF 90 72 D5 CD  ..m.\.y6A....r..
0040: B1 1D 20 DB 6E 27 8D 56   42 29 8D 18 E8 D3 6D EF  .. .n'.VB)....m.
0050: 99 EE 83 7B 68 16 49 00   A2 B9 FD 82 9E 76 07 A3  ....h.I......v..
0060: 45 60 C7 D6 04 68 14 39   1F 8D 89 EA 4C 5C 38 8C  E`...h.9....L\8.
0070: 9A BD 18 FC DD 9E BC EA   27 DC C7 05 5A 0D 41 F5  ........'...Z.A.

]

Added certificate to keystore 'jssecacerts' using alias 'dynamic.12306.cn-1'

E:\learn\security>

With that done, the certificate can be exported from the keystore:

Export it as readable text (the keystore password is the default, changeit):

E:\learn\security>keytool -export -alias dynamic.12306.cn-1 -keystore jssecacerts -rfc -file 12306.cer
輸入keystore密碼:
儲存在檔案中的認證 <12306.cer>
E:\learn\security>cat 12306.cer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

From now on you can use the certificate above to establish an SSL connection to the target host whenever you need to.
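As an added example (not from the original post), the following Java program loads the exported 12306.cer, checks its SHA-1 fingerprint against the value InstallCert printed for certificate 1 above before trusting it, and then opens a TLS connection that trusts only that certificate, with hostname verification switched on; it assumes Java 7 or later, and the host name, port and file name are assumptions taken from the session above.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class PinnedConnect {
    // SHA-1 fingerprint InstallCert printed for certificate 1 above;
    // confirm it out of band (e.g. with the site owner) before trusting the file.
    static final String EXPECTED_SHA1 = "f62ec7e412d1aab3f07facb7f720e677dae5b9b7";

    static String sha1Hex(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // SSLContext whose only trust anchor is this one certificate (no system CAs at all).
    static SSLContext contextTrustingOnly(X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                  // empty in-memory keystore
        ks.setCertificateEntry("pinned", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "dynamic.12306.cn"; // assumed target host
        String pem  = args.length > 1 ? args[1] : "12306.cer";        // file exported with keytool above
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pem)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String actual = sha1Hex(cert);
        if (!actual.equals(EXPECTED_SHA1)) {
            throw new IllegalStateException("fingerprint mismatch, refusing to trust: " + actual);
        }
        cert.checkValidity(); // fails once the certificate has expired (validity shown above ends in 2014)
        try (SSLSocket s = (SSLSocket) contextTrustingOnly(cert).getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // verify the name in the cert matches host
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Because the truststore holds only the pinned certificate, a server presenting any other certificate, even one signed by a public CA, is rejected; that is the intended behaviour when trusting a single self-signed or private-CA server certificate.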