
openjdk1.7 : fail to list PKCS11 keystore aliases when BouncyCastleProvider is used

I want to look into an nssdb keystore to extract some info from the available aliases. In some other part of the same application, I use BouncyCastleProvider to handle some other security stuff. The small code below shows how I load it and run into the problem, and it was working well with openjdk-1.6.0. Now, with openjdk-1.7.0, it only works if I don't use the BouncyCastleProvider or if this provider is added AFTER the PKCS11 provider. In case I add BC before PKCS11, all seems ok (no exception), but KeyStore.aliases() returns an empty list for my nss container. Just as if load() did not work.

import java.io.InputStream;
import java.io.ByteArrayInputStream;
import java.util.Enumeration;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class TestNSS {
    public static void main(String[] args) {
        try {
            // BouncyCastle is registered first; this is the order that breaks on openjdk-1.7.0
            Provider prov = new BouncyCastleProvider();
            Security.addProvider(prov);

            // SunPKCS11 provider configured inline, pointing at an nssdb created with certutil
            String config = "name = nssdb\n";
            config += "nssSecmodDirectory = /nssdbpath\n";
            InputStream stream = new ByteArrayInputStream(config.getBytes("UTF-8"));
            Provider nss = new sun.security.pkcs11.SunPKCS11(stream);
            stream.close();
            Security.addProvider(nss);

            // Open the PKCS11 keystore through the provider named "SunPKCS11-" + config name
            KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nssdb");
            ks.load((InputStream) null, "".toCharArray());
            System.out.println("load is ok: SunPKCS11-nssdb");
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                Certificate cert = ks.getCertificate(alias);
                System.out.println(" . alias: " + alias + ", " + cert.getType() + ","
                        + ((X509Certificate) cert).getNotAfter());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Any idea is welcome...

Note: /nssdbpath contains an nssdb structure created using certutil.

I found that:
- SunPKCS11 instantiation in java.security is a change in openjdk7 compared to openJDK6.
- loading my nssdb through nss.cfg instead of the default "nodb" mode looks ok for this matter, but this is no valid workaround, because it causes side effects like keytool errors...

Moreover:
- I still don't know why BouncyCastleProvider is interacting with SunPKCS11.
- it looks like nssdb is not loaded by the load() method but rather at SunPKCS11 instantiation
- only one SunPKCS11 instance with a single nssdb may be loaded in a JVM

=> SunPKCS11 is not the good way to go to read my nssdb data: I'll go through external (non-java) code as a workaround.

Anyway, if someone has another solution, I'm still interested in reading.
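The ordering the question reports as working (SunPKCS11 registered before BouncyCastle), as an added example that is not part of the original post or answer: it registers the providers in that order, checks the resulting provider list so a wrong order fails loudly instead of silently yielding an empty alias list, and treats an empty enumeration as a diagnostic. The path /nssdbpath, the config name "nssdb" and the provider name "SunPKCS11-nssdb" are taken from the question; the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import java.util.List;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class NssProviderOrder {
    // Placeholder from the question: an nssdb directory created with certutil.
    static final String NSSDB_DIR = "/nssdbpath";

    public static void main(String[] args) throws Exception {
        // 1. Register SunPKCS11 first. Per the answer, the nssdb is opened here,
        //    at instantiation, not later in KeyStore.load().
        String config = "name = nssdb\nnssSecmodDirectory = " + NSSDB_DIR + "\n";
        InputStream cfg = new ByteArrayInputStream(config.getBytes("UTF-8"));
        Provider nss = new sun.security.pkcs11.SunPKCS11(cfg); // JDK 7 constructor
        cfg.close();
        Security.addProvider(nss);

        // 2. Only then register BouncyCastle, so it sits behind SunPKCS11-nssdb.
        Security.addProvider(new BouncyCastleProvider());

        checkProviderOrder();

        KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nssdb");
        ks.load(null, "".toCharArray());
        List<String> aliases = Collections.list(ks.aliases());
        if (aliases.isEmpty()) {
            System.err.println("WARNING: no aliases from " + NSSDB_DIR
                    + "; check the provider order and that the nssdb is not empty");
        }
        for (String alias : aliases) {
            System.out.println("alias: " + alias + ", key entry: " + ks.isKeyEntry(alias));
        }
    }

    // Fail fast if BC ended up ahead of the PKCS11 provider, the ordering the
    // question reports as producing an empty alias list on OpenJDK 7.
    static void checkProviderOrder() {
        int nssPos = -1, bcPos = -1;
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            if (all[i].getName().equals("SunPKCS11-nssdb")) nssPos = i;
            if (all[i].getName().equals("BC")) bcPos = i;
        }
        if (nssPos < 0 || (bcPos >= 0 && bcPos < nssPos)) {
            throw new IllegalStateException("BC is registered before SunPKCS11-nssdb");
        }
    }
}
```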
