JDK17从17.0.5开始,默认不再允许使用SHA1算法,如果引用的jar包或代码里使用了SHA1算法,会报以下错误。
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraintsat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1450)at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1421)at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220)at com.pingan.openbank.api.sdk.common.helper.WebUtils.doRequest(WebUtils.java:167)at com.pingan.openbank.api.sdk.common.helper.WebUtils.doPost(WebUtils.java:110)... 11 common frames omitted
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraintsat java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1571)at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1496)at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1440)at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)... 29 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSAat java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1567)... 32 common frames omitted
如果从JDK8升级到JDK17时,或其他原因,必须要使用SHA1算法,则需要修改JDK的配置
找到你的JDK安装目录,找到目录下conf/security/java.security文件,如"/java-17-openjdk/conf/security/java.security"
注释掉或者直接删除SHA1 usage SignedJAR & denyAfter 2019-01-01,注意前面的逗号和空格也要删除
如果是RedHat系的,如RHEL,AlmaLinux,Rocky Linux,/etc/crypto-policies/back-ends/java.config也需要修改,把里面的SHA1删除
之后,重启服务,即可使用SHA1加密算法
