Собственное изображение Graal, вызывающее https throws Причины: java.security.InvalidAlgorithmParameterException: параметр trustAnchors должен быть непустым
Я создаю собственное изображение Graal, которое выполняет вызов https. Проблема в том, что он выдает исключение при попытке сделать вызов:
@Controller("/")
public class ExampleController {
private static final Log LOG = LogFactory.getLog(ExampleController.class);
private ObjectMapper mapper = new ObjectMapper()
.disable(MapperFeature.CAN_OVERRIDE_ACCESS_MODIFIERS)
.disable(MapperFeature.ALLOW_FINAL_FIELDS_AS_MUTATORS)
.enable(JsonParser.Feature.ALLOW_COMMENTS)
.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
private static final HttpClientFactory<ConnectionManagerAwareHttpClient> httpClientFactory = new
ApacheHttpClientFactory();
private HttpClient httpClient;
public ExampleController() {
this.httpClient = httpClientFactory.create(HttpClientSettings.adapt(new ClientConfiguration()));
}
@Get("/http")
public String httpClient() throws IOException {
String url = "https://www.google.com/search?q=httpClient";
HttpGet request = new HttpGet(url);
// add request header
HttpResponse response = httpClient.execute(request);
System.out.println("Response Code : "
+ response.getStatusLine().getStatusCode());
return "ok";
}
}
Трассировка:
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:142)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
at com.amazonaws.http.conn.$Proxy225.connect(Unknown Source)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1297)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
... 49 more
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1290)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 73 more
Ранее мне приходилось вручную добавлять несколько классов в refle.json до тех пор, пока я не дошел до того момента, когда не знаю, как продолжить:
, {
"name" : "com.sun.crypto.provider.HmacCore",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "com.sun.crypto.provider.HmacCore$HmacSHA256",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.provider.X509Factory",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.AuthorityKeyIdentifierExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.SubjectKeyIdentifierExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.SubjectAlternativeNameExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.KeyUsageExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.CRLDistributionPointsExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.ExtendedKeyUsageExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.CertificatePoliciesExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.AuthorityInfoAccessExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.x509.BasicConstraintsExtension",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}, {
"name" : "sun.security.ssl.X509TrustManagerImpl",
"allPublicMethods" : true,
"allDeclaredConstructors" : true
}
Проект доступен на Github: https://github.com/codependent/graal-app
Чтобы проверить это, запустите:
export AWS_DEFAULT_REGION=eu-central-1
docker build . -t graap-app
./sam-local.sh
ОБНОВИТЬ:
Я нашел документацию по безопасности на https://github.com/oracle/graal/blob/master/substratevm/JCA-SECURITY-SERVICES.md
Я удалил все классы, которые я добавил для отражения. Json, и вместо этого поместил --enable-all-security-services
флаг в native-image
команда находится в build-native-image.sh
,
Теперь ошибка:
Вызывается: java.security.InvalidAlgorithmParameterException: параметр trustAnchors должен быть непустым