openjdk1.7 : fail to list PKCS11 keystore aliases when BouncyCastleProvider is used
I want to look into an nssdb keystore to extract some info from the available aliases. In some other part of the same application, I use BouncyCastleProvider to handle some other security stuff. The small code below shows how I load it and run into the problem; it was working well with openjdk-1.6.0. Now, with openjdk-1.7.0, it only works if I don't use the BouncyCastleProvider, or if this provider is added AFTER the PKCS11 provider. If I add BC before PKCS11, all seems OK (no exception), but KeyStore.aliases() returns an empty list for my nss container, just as if load() had not worked.
import java.io.InputStream;
import java.io.ByteArrayInputStream;
import java.util.Enumeration;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class TestNSS {
    public static void main(String[] args) {
        try {
            // BouncyCastle is registered first here; the question reports that
            // registering it after the PKCS11 provider avoids the empty alias list.
            Provider prov = new BouncyCastleProvider();
            Security.addProvider(prov);

            // SunPKCS11 configuration for the NSS database, passed as an in-memory stream
            String config = "name = nssdb\n";
            config += "nssSecmodDirectory = /nssdbpath\n";
            InputStream stream = new ByteArrayInputStream(config.getBytes("UTF-8"));
            Provider nss = new sun.security.pkcs11.SunPKCS11(stream);
            stream.close();
            Security.addProvider(nss);

            // The provider name is "SunPKCS11-" followed by the configured name
            KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nssdb");
            ks.load((InputStream) null, "".toCharArray());
            System.out.println("load is ok: SunPKCS11-nssdb");

            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                Certificate cert = ks.getCertificate(alias);
                if (cert == null) { // key-only entries have no certificate attached
                    System.out.println(" . alias: " + alias + ", no certificate");
                    continue;
                }
                System.out.println(" . alias: " + alias + ", " + cert.getType() + ","
                        + ((X509Certificate) cert).getNotAfter());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Any idea is welcome...

Note: /nssdbpath contains an nssdb structure created using certutil.
I found that:
- SunPKCS11 instantiation in java.security is a change in openjdk7 compared to openJDK6.
- Loading my nssdb through nss.cfg instead of the default "nodb" mode looks OK for this matter, but this is no valid workaround, because it causes side effects like keytool errors...

Moreover:
- I still don't know why BouncyCastleProvider is interacting with SunPKCS11.
- It looks like the nssdb is not loaded by the load() method but rather at SunPKCS11 instantiation.
- Only one SunPKCS11 instance with a single nssdb may be loaded in a JVM.

=> SunPKCS11 is not the good way to go to read my nssdb data: I'll go through external (non-Java) code as a workaround.

Anyway, if someone has another solution, I'm still interested in reading it.
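The following is an added example, not the poster's code, illustrating the provider ordering the question reports as working (SunPKCS11 registered first, BouncyCastle after it) together with two checks a practitioner would want before concluding that load() "did not work": a dump of the provider table with positions, and a check of which provider the KeyStore object was actually bound to. It binds the keystore to the Provider instance rather than looking it up by the "SunPKCS11-nssdb" name. The class name NssAliasLister, the /nssdbpath directory (taken from the question) and the empty PIN are assumptions; the JDK 7 constructor sun.security.pkcs11.SunPKCS11(InputStream) matches the question's JDK and was replaced in JDK 9+.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example (not the original poster's code): register SunPKCS11 for an
 * NSS database FIRST and BouncyCastle AFTER it (the ordering the question
 * reports as working), print the resulting provider table so the ordering can
 * be verified, then list the keystore entries.
 */
public class NssAliasLister {

    // Assumption: same directory layout as the question (an nssdb created with certutil).
    static final String NSS_DB_DIR = "/nssdbpath";
    // Assumption: the NSS database has no password set. Use the real PIN otherwise.
    static final char[] NSS_PIN = new char[0];

    /** Builds the SunPKCS11 provider from an in-memory config, as the question does. */
    static Provider buildNssProvider() throws Exception {
        String config = "name = nssdb\n"
                      + "nssSecmodDirectory = " + NSS_DB_DIR + "\n";
        try (InputStream in = new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8))) {
            // JDK 7 API; JDK 9+ replaced this constructor with Provider.configure(String).
            return new sun.security.pkcs11.SunPKCS11(in);
        }
    }

    /** Dumps the provider table with 1-based positions so the ordering can be checked. */
    static void printProviderOrder() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("  provider #" + (i + 1) + ": " + providers[i].getName());
        }
    }

    /** Loads the PKCS11 keystore from the given provider instance and returns its aliases. */
    static List<String> listAliases(Provider nss) throws Exception {
        // Bind to the provider object itself rather than looking it up by name,
        // so the result cannot depend on another provider's position in the table.
        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        ks.load(null, NSS_PIN);
        System.out.println("keystore bound to provider: " + ks.getProvider().getName());

        List<String> aliases = Collections.list(ks.aliases());
        if (aliases.isEmpty()) {
            // The symptom the question describes: load() succeeds but nothing is visible.
            System.out.println("WARNING: no aliases visible; check provider order and nssSecmodDirectory");
        }
        for (String alias : aliases) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted certificate";
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                System.out.println("  . alias: " + alias + " (" + kind + "), subject="
                        + x509.getSubjectX500Principal() + ", notAfter=" + x509.getNotAfter());
            } else {
                System.out.println("  . alias: " + alias + " (" + kind + "), no certificate attached");
            }
        }
        return aliases;
    }

    public static void main(String[] args) throws Exception {
        Provider nss = buildNssProvider();
        Security.addProvider(nss);                        // PKCS11 first ...
        Security.addProvider(new BouncyCastleProvider()); // ... BC after it, the order reported to work
        System.out.println("provider order:");
        printProviderOrder();
        listAliases(nss);
    }
}
```

Compile and run with the BouncyCastle provider jar on the classpath and an NSS database at the configured directory. Whether the ordering alone is sufficient on a given build is exactly what the question leaves open; the provider dump and the getProvider() check exist to make the actual binding visible rather than assumed, and the null check on getCertificate() keeps key-only entries from throwing where the original code casts unconditionally.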