java - 无法使用 AWS 安全令牌找到到所请求目标的有效认证路径
问题描述
我正在尝试实施以下 AWS 文章中介绍的解决方案:
所以我做了接下来的步骤:
创建本地密钥库:
keystore winpty openssl pkcs12 -export -in eeb81a0eb6-certificate.pem.crt -inkey eeb81a0eb6-private.pem.key -name myname -out my.p12 -password pass:mypasskeytool -importkeystore -destkeystore mykeystore.jks -srckeystore my.p12 -srcstoretype PKCS12 -deststorepass mypass -srcstorepass mypass创建本地信任库:
keytool -keystore my_ca.jks -alias myalias -import -file AmazonRootCA1.pem我的代码:
public class AWSSessionCredentialsProviderImpl implements AWSSessionCredentialsProvider {
private static final Logger LOGGER = LogManager.getLogger(AWSSessionCredentialsProviderImpl.class.getName());
private final Gson gson = new Gson();
private SdkHttpClient client;
private HttpExecuteRequest request;
private String awsAccessKeyId;
private String awsSecretAccessKeyId;
private String awsSessionToken;
public void init(String clientId) throws IOException, URISyntaxException {
System.setProperty("javax.net.ssl.trustStore", Configuration.KEYSTOREPATH_CA.toAbsolutePath().toString());
System.setProperty("javax.net.ssl.trustStoreType", "jks");
try {
System.setProperty("javax.net.ssl.trustStorePassword", new String(Files.readAllBytes(Configuration.KEYSTOREPATH_CA_PASS)));
} catch (IOException e) {
throw new IOException("Read password of trust store is failed", e);
}
System.setProperty("javax.net.ssl.keyStore", Configuration.KEYSTOREPATH.toAbsolutePath().toString());
System.setProperty("javax.net.ssl.keyStoreType", "jks");
try {
System.setProperty("javax.net.ssl.keyStorePassword", new String(Files.readAllBytes(Configuration.KEYSTOREPATH_PASS)));
} catch (IOException e) {
throw new IOException("Read password of key store is failed", e);
}
client = ApacheHttpClient.builder().build();
SdkHttpRequest httpRequest;
try {
httpRequest = SdkHttpFullRequest.builder()
.method(SdkHttpMethod.GET)
.uri(new URI(Configuration.CLIENT_ENDPOINT))
.putHeader("x-amzn-iot-thingname", clientId)
.build();
} catch (URISyntaxException e) {
throw new URISyntaxException(Configuration.CLIENT_ENDPOINT, "Building URI from client endpoint is failed");
}
request = HttpExecuteRequest.builder()
.request(httpRequest)
.build();
try {
setCredentials();
} catch (IOException e) {
throw new IOException("Set temporary credentials is failed", e);
}
}
@Override
public void refresh() {
try {
setCredentials();
} catch (IOException e) {
LOGGER.error("Refresh session credentials is failed", e);
}
}
@Override
public AWSSessionCredentials getCredentials() {
return new BasicSessionCredentials(awsAccessKeyId, awsSecretAccessKeyId, awsSessionToken);
}
private void setCredentials() throws IOException {
HttpExecuteResponse response = client.prepareRequest(request).call();
String credStr = IoUtils.toUtf8String(response.responseBody().get());
CredentialsJson credJson = gson.fromJson(credStr, CredentialsJson.class);
awsAccessKeyId = credJson.credentials.accessKeyId;
awsSecretAccessKeyId = credJson.credentials.secretAccessKey;
awsSessionToken = credJson.credentials.sessionToken;
}
}
- 因此,我成功获得了临时凭据,但是当我使用它们时:
AWSSessionCredentialsProviderImpl credentialsProvider = new AWSSessionCredentialsProviderImpl();
credentialsProvider.init("someid");
s3Client = AmazonS3ClientBuilder.standard()
.withRegion(region)
.withCredentials(credentialsProvider)
.build();
s3Client.putObject(request);
我得到以下异常:
原因:
sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径
如果我能成功获得临时凭据,我不明白为什么会出现此异常。
解决方案
这个问题可能与很多事情有关。
很可能,您的 Java 程序将无法与远程对等方建立信任关系,这可能是因为 AWS CA 不是预配置的 JVM 受信任 CA 之一。
我认为您可以采取的解决问题的最佳方法是将SdkHttpClient您已经拥有的也传递给 S3 客户端。
请注意,在您的示例代码中,您使用AmazonS3ClientBuilder的是 AWS Java SDK 版本 1 类,同时其余代码使用的是 AWS SDK v2。
也许您可以将代码更新到最新版本的 S3Client并尝试以下操作:
System.setProperty("javax.net.ssl.trustStore", Configuration.KEYSTOREPATH_CA.toAbsolutePath().toString());
System.setProperty("javax.net.ssl.trustStoreType", "jks");
try {
System.setProperty("javax.net.ssl.trustStorePassword", new String(Files.readAllBytes(Configuration.KEYSTOREPATH_CA_PASS)));
} catch (IOException e) {
throw new IOException("Read password of trust store is failed", e);
}
System.setProperty("javax.net.ssl.keyStore", Configuration.KEYSTOREPATH.toAbsolutePath().toString());
System.setProperty("javax.net.ssl.keyStoreType", "jks");
try {
System.setProperty("javax.net.ssl.keyStorePassword", new String(Files.readAllBytes(Configuration.KEYSTOREPATH_PASS)));
} catch (IOException e) {
throw new IOException("Read password of key store is failed", e);
}
SdkHttpClient client = ApacheHttpClient.builder().build();
// The idea is reuse the configured HTTP client, modify it as per your needs
AWSSessionCredentialsProviderImpl credentialsProvider = new AWSSessionCredentialsProviderImpl(client);
credentialsProvider.init("someid");
S3Client s3 = S3Client.builder()
.httpClient(client)
.region(region)
.credentialsProvider(credentialsProvider)
.build();
请确保您的信任库包含实际的 SSL 证书。您拥有 AWS 的根 CA 证书,但可能与实际服务不对应。
如有必要,您可以通过以下方式获取服务 SSL 证书:
openssl s_client -connect s3.us-west-1.amazonaws.com:443
请根据您所在的地区更改命令。您需要从响应中提取 PEM 内容。
如答案的评论中所示,另一种选择可能是取消设置System在调用之前获取凭据时建立的属性S3Client:
System.clearProperty("javax.net.ssl.trustStore");
System.clearProperty("javax.net.ssl.trustStorePassword");
System.clearProperty("javax.net.ssl.trustStoreType");
它将为 AWS 开发工具包提供调用 S3 的全新环境。
推荐阅读
- html - 如何删除两个单词之间的大空间以证明移动设备中的对齐?
- ibeacon - 使用 Apple Wallet 当 iBeacon 触手可及时的自定义操作
- extjs - Extjs 5.0.1:当我们将边框半径赋予网格或其任何父级时,在滚动时获取网格中的空白
- c# - 如何从通用列表转换
- c# - mod_security (Apache) 来自 C# 中的 multipart/form-data 请求
- java - 如何在jway java json解析器中将所有json路径键转换为大写字母?
- python - “TypeError:'模块'对象不可调用”与 webdriver.chrome
- c# - MSB4020:元素中“项目”属性的值“”
是无效的 - javascript - 如何将数据添加到firestore数据库子集合中的特定文档?
- dotnetnuke-9 - 如何在 DotNetNuke 9 中使用 crud 功能创建和安装 mvc 模块