Tencent / TencentKonaSMSuite

Tencent Kona SM Suite contains a set of Java security providers, which support algorithms SM2, SM3 and SM4, and protocols TLCP/GMSSL, TLS 1.3 (with RFC 8998) and TLS 1.2.

I generated certificates with the gen_tlcp_certs.sh script, but the certificates still cannot be used; the ssl commands used the latest openssl rather than tongsuo; is Tongsuo required? #805

Open yangmen opened 4 days ago

yangmen commented 4 days ago
com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  com.tencent.kona.sun.security.validator.ValidatorException: PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:391)
    at com.tencent.kona.sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:245)
    at com.tencent.kona.sun.security.validator.Validator.validate(Validator.java:256)
    at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:286)
    at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:145)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.checkServerCerts(TLCPCertificate.java:729)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.onCertificate(TLCPCertificate.java:499)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.consume(TLCPCertificate.java:388)
    at com.tencent.kona.sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:424)
    at com.tencent.kona.sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:502)
    at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
    at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1263)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1208)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:750)
  Caused by: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
    at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:386)
    ... 36 more}

)
com.tencent.kona.ssl|ALL|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.753 CST|SSLSessionImpl.java:1268|Invalidated session:  Session(1719484669414|SSL_NULL_WITH_NULL_NULL)
com.tencent.kona.ssl|ALL|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.754 CST|SSLSessionImpl.java:1268|Invalidated session:  Session(1719484669703|TLCP_ECC_SM4_GCM_SM3)
com.tencent.kona.ssl|WARNING|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.754 CST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
com.tencent.kona.ssl|FINE|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.755 CST|SSLEngineOutputRecord.java:530|WRITE: TLCPv1.1 alert, length = 2
com.tencent.kona.ssl|FINE|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.755 CST|SSLEngineOutputRecord.java:551|Raw write (
  0000: 15 01 01 00 02 02 2E                               .......
)
[nioEventLoopGroup-2-1] WARN io.netty.channel.DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tencent.kona.sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at com.tencent.kona.sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
    at com.tencent.kona.sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
    at com.tencent.kona.sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.checkServerCerts(TLCPCertificate.java:751)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.onCertificate(TLCPCertificate.java:499)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.consume(TLCPCertificate.java:388)
    at com.tencent.kona.sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:424)
    at com.tencent.kona.sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:502)
    at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
    at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1263)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1208)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
    ... 17 more
Caused by: com.tencent.kona.sun.security.validator.ValidatorException: PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:391)
    at com.tencent.kona.sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:245)
    at com.tencent.kona.sun.security.validator.Validator.validate(Validator.java:256)
    at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:286)
    at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:145)
    at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.checkServerCerts(TLCPCertificate.java:729)
    ... 31 more
Caused by: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
    at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:386)
    ... 36 more

[Uploading tlcp-server-crt.zip…]()
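A stand-alone check for the error above, added here as an example and not code from the Kona project: it runs the same PKIX path building that the trust manager performs during the handshake, against the CA certificate you intend to trust, so a truststore or chain problem shows up without Netty in the way. It assumes the Kona providers are on the classpath (the KonaCryptoProvider/KonaPKIXProvider classes and the "KonaPKIX" provider name are taken from the project README and are assumptions here) and takes placeholder file paths as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import com.tencent.kona.crypto.KonaCryptoProvider;
import com.tencent.kona.pkix.KonaPKIXProvider;

public class TlcpChainCheck {

    static {
        // Assumed provider classes (see README); SM2/SM3 signature
        // verification is not available without them.
        Security.addProvider(new KonaCryptoProvider());
        Security.addProvider(new KonaPKIXProvider());
    }

    static X509Certificate loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "KonaPKIX");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Builds leaf -> CA; throws CertPathBuilderException with the same
     *  "unable to find valid certification path" reason on failure. */
    static int buildPath(X509Certificate ca, List<X509Certificate> chain) throws Exception {
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(ca, null));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));          // leaf: sign or enc cert
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);           // test certs carry no CRL/OCSP
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        CertPathBuilderResult r = CertPathBuilder.getInstance("PKIX", "KonaPKIX").build(params);
        return r.getCertPath().getCertificates().size();
    }

    public static void main(String[] args) throws Exception {
        // usage: TlcpChainCheck ca.crt leaf.crt [intermediate.crt ...]  (placeholder paths)
        X509Certificate ca = loadPem(args[0]);
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) chain.add(loadPem(args[i]));
        try {
            System.out.println("path built, length " + buildPath(ca, chain));
        } catch (CertPathBuilderException e) {
            System.out.println("no path: " + e.getMessage());
        }
    }
}
```

Run it once for the sign certificate and once for the enc certificate; if either fails here, the Netty handshake will fail with the trace above, and the fix is in the certificates or the truststore rather than in the TLS configuration.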

johnshajiang commented 4 days ago

Your certificate was not uploaded successfully.

johnshajiang commented 4 days ago

I suggest testing your certificates with Tongsuo's s_server and s_client first.

yangmen commented 3 days ago

Hello, these are all the certificates I generated: tlcp-crt.zip

johnshajiang commented 3 days ago

With so many certificates, how exactly are you using them?

Also, if this is only for testing, you don't need to regenerate certificates. You can simply use the test certificates in the repository.

yangmen commented 3 days ago

Hello, with the certificates generated by Tongsuo it works; is Tongsuo required? The certificates I uploaded were generated with openssl and should be usable. One more question: can kona keytool generate TLCP certificates? Could you give an example?

johnshajiang commented 3 days ago

> Hello, with the certificates generated by Tongsuo it works; is Tongsuo required? The certificates I uploaded were generated with openssl and should be usable.

I also usually use Tongsuo to generate test certificates.

> One more question: can kona keytool generate TLCP certificates? Could you give an example?

By kona keytool, do you mean com.tencent.kona.pkix.tool.KeyTool?

yangmen commented 3 days ago

> > Hello, with the certificates generated by Tongsuo it works; is Tongsuo required? The certificates I uploaded were generated with openssl and should be usable.
>
> I also usually use Tongsuo to generate test certificates.
>
> > One more question: can kona keytool generate TLCP certificates? Could you give an example?
>
> By kona keytool, do you mean com.tencent.kona.pkix.tool.KeyTool?

Yes.

yangmen commented 3 days ago

> With so many certificates, how exactly are you using them?
>
> Also, if this is only for testing, you don't need to regenerate certificates. You can simply use the test certificates in the repository.

They were generated with the gen_tlcp_certs.sh script from your project examples, and used on the netty client and server sides.

johnshajiang commented 3 days ago

> They were generated with the gen_tlcp_certs.sh script from your project examples, and used on the netty client and server sides.

My tests have no problem with that.

yangmen commented 3 days ago

> > Hello, with the certificates generated by Tongsuo it works; is Tongsuo required? The certificates I uploaded were generated with openssl and should be usable.
>
> I also usually use Tongsuo to generate test certificates.
>
> > One more question: can kona keytool generate TLCP certificates? Could you give an example?
>
> By kona keytool, do you mean com.tencent.kona.pkix.tool.KeyTool?

Yes.

Can the keytool in kona generate TLCP certificates? Is there a concrete example?

johnshajiang commented 3 days ago

You can refer to [KeyToolTest.java].

[KeyToolTest.java]: https://github.com/Tencent/TencentKonaSMSuite/blob/master/kona-pkix/src/test/java/com/tencent/kona/pkix/tool/KeyToolTest.java