英文:
Java SSL handshake_failure if app built with jpackage
问题
我正在使用jpackage在Mac和PC上分发Java应用程序,但是当尝试从某些站点使用https加载图像时,出现了握手失败(handshake_failure)的问题。如果我从Eclipse或命令行上运行代码,无论是在Mac还是PC上,都能正常工作,但是打包成应用程序后就不行了。
如果我从某些站点加载图像(例如https://st4.depositphotos.com),问题就会消失。这使我认为“有问题的站点”不在信任链中。
但是为什么运行打包的应用程序时,信任链会有所不同呢?
使用Java 14.0.2和15时,看到了相同的行为。以下示例使用OpenJDK Runtime Environment(版本15+36-1562)。
请注意,jpackage将运行时集成到应用程序中。这是一个非模块化的应用程序(下面显示了使用的jpackage选项)。
在Mac上进行调试,并使用-Djavax.net.debug=all选项,我查找了打包的应用程序使用的trustStore。打印的路径无效,因为它以/Applications开头,而不是/Volumes,但除此之外还可以。也许这只是一个打印问题?无论如何,我使用了-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts来强制打包的应用程序使用与JDK相同的trustStore,但情况没有改善。
您认为我的代码有问题还是jpackage存在问题?非常感谢您的帮助!
以下是打包命令:
--verbose \--type pkg \--input HelloTest \--name HelloTest \--main-class HelloTest.HelloTest \--main-jar HelloTest.jar \--runtime-image target/java-runtime \--java-options -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts \--java-options -Djavax.net.debug=all \--vendor "ACME Inc." \--copyright "Copyright © 2019-20 ACME Inc." \--mac-package-identifier com.acme.app \--mac-package-name ACME
以下是代码:
public class HelloTest{public static void main(String... args) throws IOException {System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));JFrame f = new JFrame(); //creates jframe fDimension screenSize = Toolkit.getDefaultToolkit().getScreenSize(); //this is your screen sizeint halfWidth = screenSize.width/2;int halfHeight = screenSize.height/2;ImageIcon img = new ImageIcon();//OK: ... https://st4.depositphotos.com seems to be well trusted// String urlName = "https://st4.depositphotos.com/36188500/38581/i/1600/depositphotos_385811360-stock-photo-woman-lingerie-dog-rose.jpg";//KO: ... https://en.iconda.solutions is only trusted when code is run from Eclipse or the command lineString urlName = "https://en.iconda.solutions/wp-content/uploads/2020/07/getting_equipped.png";JLabel lbl = new JLabel();URL url;try {url = new URL(urlName);HttpsURLConnection httpsConnection = (HttpsURLConnection)url.openConnection();try {/* The following works from Eclipse and from the command line, but not from an app with an integrated runtime* that was produced using jpackage ... */try {img = new ImageIcon(ImageIO.read(httpsConnection.getInputStream()).getScaledInstance(screenSize.width, screenSize.height, Image.SCALE_SMOOTH));} catch(Exception e) {System.out.println("went wrong #1 for " + urlName);e.printStackTrace();}} catch(Exception e) {System.out.println("went wrong #2 for " + urlName);e.printStackTrace();}} catch (MalformedURLException e) {e.printStackTrace();} catch (IOException e) {e.printStackTrace();}lbl.setIcon(img);f.getContentPane().add(lbl); //puts label inside the jframef.setSize(halfWidth, halfHeight); // set frame size to half of screen ... but need to resize the imageint x = (screenSize.width - f.getSize().width)/2; //These two lines are the dimensionsint y = (screenSize.height - f.getSize().height)/2;//of the center of the screenf.setLocation(x, y); //sets the location of the jframef.setVisible(true); //makes the jframe visible}}
以下是调试输出的部分内容:
$ /Applications/HelloTest.app/Contents/MacOS/HelloTest ; exit;javax.net.ssl.trustStore = /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacertsjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:05.852 CEST|null:-1|System property jdk.tls.client.cipherSuites is set to 'null'…javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.130 CEST|null:-1|trustStore is: /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacertstrustStore type is: pkcs12trustStore provider is:the last modified time is: Wed Aug 12 02:19:32 CEST 2020javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.131 CEST|null:-1|Reload the trust storejavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.283 CEST|null:-1|Reload trust certsjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.286 CEST|null:-1|Reloaded 91 trust certsjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.430 CEST|null:-1|adding as trusted certificates ("certificate" : {"version" : "v3","serial number" : "00 A6 8B 79 29 00 00 00 00 50 D0 91 F9","signature algorithm": "SHA384withECDSA","issuer" : "CN=Entrust Root Certification Authority - EC1, OU=\"(c) 2012 Entrust<details><summary>英文:</summary>I am using jpackage to distribute a java app on Mac and PC and I have a handshake_failure when it tries to load an image using https from certain sites. The code works fine if I run it from Eclipse or from the command line, both on Mac and PC, but not if run it as a packaged app.The problem goes away if I load an image from certain sites: https://st4.depositphotos.com, for example. This makes me think that the “problem sites” are not in the chain of trust.But why should the chain of trust be different when running as a packaged app?The same behaviour is seen using java 14.0.2 and 15. The following example uses OpenJDK Runtime Environment (build 15+36-1562).Note that jpackage integrates a runtime into the app. This is a non-modular app (I show the jpackage options used below).Debugging on the Mac and using the -Djavax.net.debug=all option, I looked for the trustStore being used by the packaged app. The printed path was invalid as it started with /Applications, rather than /Volumes, but apart from that it was ok. Maybe this was just a printing problem? Either way, I used -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts to force the packaged app to use the same trustStore as the JDK and this didn’t improve matters.Do you think that my code is buggy or is there a problem in jpackage? Many thanks for any help!Here is the packaging command:```jpackage \--verbose \--type pkg \--input HelloTest \--name HelloTest \--main-class HelloTest.HelloTest \--main-jar HelloTest.jar \--runtime-image target/java-runtime \--java-options -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts \--java-options -Djavax.net.debug=all \--vendor "ACME Inc." \--copyright "Copyright © 2019-20 ACME Inc." \--mac-package-identifier com.acme.app \--mac-package-name ACME
Here is the code:
public class HelloTest{public static void main(String... args) throws IOException {System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));JFrame f = new JFrame(); //creates jframe fDimension screenSize = Toolkit.getDefaultToolkit().getScreenSize(); //this is your screen sizeint halfWidth = screenSize.width/2;int halfHeight = screenSize.height/2;ImageIcon img = new ImageIcon();//OK: ... https://st4.depositphotos.com seems to be well trusted// String urlName = "https://st4.depositphotos.com/36188500/38581/i/1600/depositphotos_385811360-stock-photo-woman-lingerie-dog-rose.jpg";//KO: ... https://en.iconda.solutions is only trusted when code is run from Eclipse or the command lineString urlName = "https://en.iconda.solutions/wp-content/uploads/2020/07/getting_equipped.png";JLabel lbl = new JLabel();URL url;try {url = new URL(urlName);HttpsURLConnection httpsConnection = (HttpsURLConnection)url.openConnection();try {/* The following works from Eclipse and from the command line, but not from an app with an integrated runtime* that was produced using jpackage ... */try {img = new ImageIcon(ImageIO.read(httpsConnection.getInputStream()).getScaledInstance(screenSize.width, screenSize.height, Image.SCALE_SMOOTH));} catch(Exception e) {System.out.println("went wrong #1 for " + urlName);e.printStackTrace();}} catch(Exception e) {System.out.println("went wrong #2 for " + urlName);e.printStackTrace();}} catch (MalformedURLException e) {e.printStackTrace();} catch (IOException e) {e.printStackTrace();}lbl.setIcon(img);f.getContentPane().add(lbl); //puts label inside the jframef.setSize(halfWidth, halfHeight); // set frame size to half of screen ... but need to resize the imageint x = (screenSize.width - f.getSize().width)/2; //These two lines are the dimensionsint y = (screenSize.height - f.getSize().height)/2;//of the center of the screenf.setLocation(x, y); //sets the location of the jframef.setVisible(true); //makes the jframe visible}}
And here are a few lines from the debug output:
$ /Applications/HelloTest.app/Contents/MacOS/HelloTest ; exit;javax.net.ssl.trustStore = /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacertsjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:05.852 CEST|null:-1|System property jdk.tls.client.cipherSuites is set to 'null'…javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.130 CEST|null:-1|trustStore is: /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacertstrustStore type is: pkcs12trustStore provider is:the last modified time is: Wed Aug 12 02:19:32 CEST 2020javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.131 CEST|null:-1|Reload the trust storejavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.283 CEST|null:-1|Reload trust certsjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.286 CEST|null:-1|Reloaded 91 trust certsjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.430 CEST|null:-1|adding as trusted certificates ("certificate" : {"version" : "v3","serial number" : "00 A6 8B 79 29 00 00 00 00 50 D0 91 F9","signature algorithm": "SHA384withECDSA","issuer" : "CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US",…javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.445 CEST|null:-1|keyStore is :javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.445 CEST|null:-1|keyStore type is : pkcs12javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.445 CEST|null:-1|keyStore provider is :javax.net.ssl|ALL|01|main|2020-09-17 07:27:06.445 CEST|null:-1|init keystorejavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.446 CEST|null:-1|init keymanager of type SunX509javax.net.ssl|ALL|01|main|2020-09-17 07:27:06.447 CEST|null:-1|trigger seeding of SecureRandomjavax.net.ssl|ALL|01|main|2020-09-17 07:27:06.449 CEST|null:-1|done seeding of SecureRandomjavax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.476 CEST|null:-1|System property jdk.tls.client.SignatureSchemes is set to 'null'javax.net.ssl|WARNING|01|main|2020-09-17 07:27:06.478 CEST|null:-1|Signature algorithm, ed25519, not supported by JSSEjavax.net.ssl|WARNING|01|main|2020-09-17 07:27:06.479 CEST|null:-1|Signature algorithm, ed448, not supported by JSSEjavax.net.ssl|WARNING|01|main|2020-09-17 07:27:06.480 CEST|null:-1|No AlgorithmParameters for x25519 ("throwable" : {java.security.NoSuchAlgorithmException: Algorithm x25519 not availableat java.base/javax.crypto.KeyAgreement.getInstance(Unknown Source)at java.base/sun.security.ssl.NamedGroup.<init>(Unknown Source)…javax.net.ssl|ERROR|01|main|2020-09-17 07:27:09.230 CEST|null:-1|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure ("throwable" : {javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureat java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
Following the helpful comments on my question, here is an example packaging script that solves the issue:
detected_modules=`jdeps \-q \--ignore-missing-deps \--print-module-deps \--class-path "MyApp.jar:../sandbox/jars/*" \-recursive MyApp.jar \MyApp/MyApp.class`echo "detected modules: ${detected_modules}"manual_modules=jdk.crypto.cryptokiecho "manual modules: ${manual_modules}"rm -rf ../runtimejlink \--no-header-files \--no-man-pages \--compress=2 \--strip-debug \--add-modules "${detected_modules},${manual_modules}" \--output ../runtimejpackage \--verbose \--type pkg \--input ../sandbox \--dest ../output \--name MyApp \--app-version $1 \--main-class MyApp.MyApp \--main-jar MyApp.jar \--runtime-image ../runtime \--mac-package-name MyApp
答案1
得分: 4
在互联网上找到了这个。从外观上看,出现了相同的“no such algorithm”错误。
链接:https://stackoverflow.com/questions/62238883/java-security-nosuchalgorithmexception-algorithm-x25519-not-available
链接中的解决方法:
需要将jdk.crypto.cryptoki添加到jlink的--add-modules列表中。
英文:
Found this on the Interwebs. Same no such algorithm error from the looks of it.
The solution from the link:
Need to add jdk.crypto.cryptoki to the --add-modules list in jlink.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论