1. Overview
In this tutorial, we’ll explain what a trust anchor is. Additionally, we’ll show the default location of a TrustStore and the expected file format. Finally, we’ll clarify the reasons for an error: “java.security.InvalidAlgorithmParameterException: trust anchors parameter must be non-empty”.
2. Trust Anchor Definition
Let’s first explain what the trust anchor is. In cryptographic systems, a trust anchor defines the root entity for which trust is assumed and derived. In architectures like X.509, a root certificate is a trust anchor. Additionally, the root certificate guarantees trust for all other certificates in the chain.
3. TrustStore Location and Format
Let’s now have a look at a TrustStore location and format in Java. First, Java looks for the TrustStore in two locations (in order):
- $JAVA_HOME/lib/security/jssecacerts
- $JAVA_HOME/lib/security/cacerts
We can override the default location with the -Djavax.net.ssl.trustStore parameter.
Additionally, the -Djavax.net.ssl.trustStorePassword parameter lets us supply the TrustStore password. Putting the two together, the command looks like this:
java -Djavax.net.ssl.trustStore=/some/loc/on/server/our_truststore.jks -Djavax.net.ssl.trustStorePassword=our_password -jar application.jar
Moreover, JKS is the default TrustStore format. The -Djavax.net.ssl.trustStoreType parameter overrides the default TrustStore type.
Let’s have a look at the output from the keytool utility in Java 16 executed for $JAVA_HOME/lib/security/cacerts:
$ keytool -list -cacerts
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 90 entries
....
As expected, the KeyStore type is JKS. Additionally, we got all 90 certificates stored in the file.
4. Reasons for the Exception
Let’s now have a look at the exception “java.security.InvalidAlgorithmParameterException: trustAnchors parameter must be non-empty”.
First, the Java runtime creates this InvalidAlgorithmParameterException only in the PKIXParameters class, which is used for reading certificates from a KeyStore. The PKIXParameters constructor collects the trust anchors from the KeyStore it receives as a parameter.
The exception is thrown when the provided KeyStore contains no trusted-certificate entries, and therefore no trust anchors:
...
if (trustAnchors.isEmpty()) {
throw new InvalidAlgorithmParameterException("the trustAnchors " +
"parameter must be non-empty");
}
...
Let’s try to reproduce the case. First, let’s create an empty KeyStore:
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

private KeyStore getKeyStore() throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, "changeIt".toCharArray()); // a null stream initializes an empty store with no entries
    return ks;
}
Let’s now test the instantiation of the PKIXParameters class:
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

@Test
public void whenOpeningTrustStore_thenExceptionIsThrown() throws Exception {
    KeyStore keyStore = getKeyStore(); // the empty KeyStore from above
    InvalidAlgorithmParameterException invalidAlgorithmParameterException =
        Assertions.assertThrows(InvalidAlgorithmParameterException.class, () -> new PKIXParameters(keyStore));
    Assertions.assertEquals("the trustAnchors parameter must be non-empty", invalidAlgorithmParameterException.getMessage());
}
That is to say, the constructor threw the exception as expected. In other words, it’s not possible to create an instance of the PKIXParameters class when there are no trusted certificates in the given KeyStore.
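As an added example that is not part of the original article, the following diagnostic resolves the TrustStore in the order described in section 3 (the -Djavax.net.ssl.trustStore override, then jssecacerts, then cacerts) and hands it to the PKIXParameters constructor, which is where the exception above originates. The class name, and the assumption that a missing -Djavax.net.ssl.trustStorePassword means loading with a null password, are mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;

public class TrustAnchorCheck {

    // Resolve the TrustStore in the order described above: the
    // -Djavax.net.ssl.trustStore override first, then jssecacerts, then cacerts.
    static Path resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null && !override.isEmpty()) {
            return Paths.get(override);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    // Load the store and hand it to PKIXParameters, whose constructor throws
    // InvalidAlgorithmParameterException if the store holds no trusted certificates.
    static int countTrustAnchors(Path path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password); // a null password skips the integrity check
        }
        return new PKIXParameters(ks).getTrustAnchors().size();
    }

    public static void main(String[] args) throws Exception {
        Path path = resolveTrustStore();
        // JKS is the default type; the password is null (assumed) unless supplied
        String type = System.getProperty("javax.net.ssl.trustStoreType", "JKS");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] password = pw == null ? null : pw.toCharArray();
        try {
            int n = countTrustAnchors(path, type, password);
            System.out.println(path + ": " + n + " trust anchors");
        } catch (InvalidAlgorithmParameterException e) {
            // Reached exactly when the file loads but contains no trust anchors
            System.out.println(path + ": " + e.getMessage());
        }
    }
}
```

Running it with the same -D parameters as the application reproduces the lookup the JVM performs, so a zero count or the exception message points directly at the misconfigured store.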
5. Conclusion
In this short article, we described what a trust anchor is. Then, we showed a default TrustStore location and file format. Finally, we showed the reasons for the “trust anchors parameter must be non-empty” error.
As always, the source code of the example is available over on GitHub.