
Private key algorithm does not match algorithm of public key in end entity certificate (at index 0)

I'm trying to store a private key and its certificate chain in a keystore and I'm getting the following error: private key algorithm does not match algorithm of public key in end entity certificate (at index 0)

This is how I generate the keypair:

import java.security.*;
import java.security.spec.InvalidAlgorithmParameterException;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.spec.ECParameterSpec;

public class GenerateKeyPair {

    private KeyPair keygen;

    public GenerateKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {

        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

        // Generating an ECDSA KeyPair on the prime239v3 curve via the BC provider
        ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime239v3");
        KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC");

        g.initialize(ecSpec, new SecureRandom());

        KeyPair keygen = g.generateKeyPair();

        // Setting the ECDSA KeyGen
        this.keygen = keygen;
    }
}

This is the method I use to generate the X509Certificate:

import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.x509.X509V3CertificateGenerator;

public static X509Certificate GetCertificate_v3(KeyPair keygen, Date startDate, Date expiryDate,
        String serial, String Certification_Aut_Id) throws InvalidKeyException, SecurityException, SignatureException {

    // Self-signed certificate: issuer and subject are the same DN and it is signed with the key pair's own private key.
    // Note: the serial parameter is not used; the serial number is taken from the clock.
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
    v3CertGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    v3CertGen.setIssuerDN(new X509Principal("CN=" + Certification_Aut_Id + ", O=o, L=L, ST=il, C= c"));
    v3CertGen.setNotBefore(startDate);
    v3CertGen.setNotAfter(expiryDate);
    v3CertGen.setSubjectDN(new X509Principal("CN=" + Certification_Aut_Id + ", O=o, L=L, ST=il, C= c"));
    v3CertGen.setPublicKey(keygen.getPublic());
    v3CertGen.setSignatureAlgorithm("SHA256withECDSA");
    X509Certificate cert = v3CertGen.generateX509Certificate(keygen.getPrivate());

    return cert;
}

And the code used to store the keypair is:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public static void storeKeypair(String KSpwd, String PKpwd, String KSname, X509Certificate certificate,
        KeyPair keygen, String alias, String temp_local) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {

    // Before a keystore can be accessed, it must be loaded.
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    // get user password and file input stream
    char[] KSpassword = KSpwd.toCharArray();
    FileInputStream fis = new FileInputStream(KSname);
    ks.load(fis, KSpassword);
    fis.close();

    // writing the X509Certificate in a .cer file
    FileOutputStream fos1 = new FileOutputStream(temp_local + alias + ".cer");
    fos1.write(certificate.getEncoded());
    fos1.flush();
    fos1.close();

    // Load the certificate chain (in X.509 DER encoding).
    // Re-parsing the .cer file through the default CertificateFactory yields a plain JCA "EC" public key.
    FileInputStream certificateStream = new FileInputStream(temp_local + alias + ".cer");
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    Certificate[] chain = {};
    chain = certificateFactory.generateCertificates(certificateStream).toArray(chain);
    certificateStream.close();

    // save my private key & certificate chain
    // The PrivateKeyEntry constructor compares the private key's algorithm name with that of chain[0]'s public key;
    // this is the line where the IllegalArgumentException in the stack trace below is thrown.
    char[] PKpassword = PKpwd.toCharArray();
    ks.setEntry(alias, new KeyStore.PrivateKeyEntry(keygen.getPrivate(), chain),
                new KeyStore.PasswordProtection(PKpassword));

    // Store the KeyStore: write out the keystore
    FileOutputStream fos = new FileOutputStream(KSname);
    ks.store(fos, KSpassword);
    fos.close();
}

The error generated is:

Exception in thread "main" java.lang.IllegalArgumentException: private key algorithm does not match algorithm of public key in end entity certificate (at index 0)
at java.security.KeyStore$PrivateKeyEntry.<init>(KeyStore.java:408)
at SDSGeneration.keyStore.storeKeypair(keyStore.java:65)
at FinalTest.main(FinalTest.java:70)

I faced the same problem when using the Web Crypto API. My problem was that I was using the key pair instead of the derived secret key to encrypt the messages.

You can find a complete example here

I ran into this problem while generating VAPID keys to enable Web Push. I wanted to store the generated keys into a Java keystore, which requires you to have a certificate for a private key.

Changing the algorithm from ECDSA to EC made things work. Afaik EC is the algorithm to generate the key while ECDSA is a signature algorithm for EC keys.

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.spec.InvalidAlgorithmParameterException;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.spec.ECParameterSpec;

// CryptoException is the author's own checked exception type (not shown here)
public static KeyPair generateVapidKeyPair() throws CryptoException {
    try {
        // "EC" (not "ECDSA") so the private key's algorithm name matches the certificate's public key
        ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime256v1");
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC", "BC");
        g.initialize(ecSpec, new SecureRandom());
        return g.generateKeyPair();
    } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException ex) {
        throw new CryptoException("Could not generate VAPID keypair", ex);
    }
}

After that I sign the key with the SHA256withECDSA algorithm and generate a certificate with BC. This is largely the same as with RSA so I will omit that part of the code. After that I'm able to store and retrieve the keys from the keystore (programmatically with BC as provider) without any problems.
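To see what the KeyStore.PrivateKeyEntry constructor actually compares, here is an added example (not code from the question or either answer) that generates a key pair first with "ECDSA" and then with "EC" through BC, wraps each in a self-signed certificate with the current bcpkix builder API, and runs two pre-store checks: the algorithm-name comparison the constructor performs, and a sign/verify round trip that proves the private key really belongs to the certificate. It assumes bcprov and bcpkix on the classpath; the class name KeyChainCheck, the CN=demo subject and the prime256v1 curve are my choices.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyChainCheck {
    // Self-signed certificate for kp. Without setProvider() the converter parses the DER with the
    // default X.509 CertificateFactory, the same path storeKeypair() takes after writing the .cer file.
    static X509Certificate selfSigned(KeyPair kp) throws Exception {
        X500Name name = new X500Name("CN=demo");   // constructed subject; issuer == subject
        Date now = new Date();
        return new JcaX509CertificateConverter().getCertificate(new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, now, new Date(now.getTime() + 86_400_000L), name, kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withECDSA").setProvider("BC").build(kp.getPrivate())));
    }
    // What KeyStore.PrivateKeyEntry enforces: equal algorithm *names*, and "ECDSA" is not "EC".
    static boolean algorithmNamesMatch(PrivateKey key, X509Certificate cert) {
        return key.getAlgorithm().equals(cert.getPublicKey().getAlgorithm());
    }
    // Stronger pre-store check: sign a random nonce, verify with the cert's public key (BC accepts both key types).
    static boolean keyBelongsToCert(PrivateKey key, X509Certificate cert) throws Exception {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Signature s = Signature.getInstance("SHA256withECDSA", "BC");
        s.initSign(key); s.update(nonce);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey()); s.update(nonce);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        for (String alg : new String[] {"ECDSA", "EC"}) {   // the question's choice, then the fix
            KeyPairGenerator g = KeyPairGenerator.getInstance(alg, "BC");
            g.initialize(ECNamedCurveTable.getParameterSpec("prime256v1"), new SecureRandom());
            KeyPair kp = g.generateKeyPair();
            X509Certificate cert = selfSigned(kp);
            System.out.printf("%-5s private=%s certPublic=%s namesMatch=%b keyBelongsToCert=%b%n", alg,
                    kp.getPrivate().getAlgorithm(), cert.getPublicKey().getAlgorithm(),
                    algorithmNamesMatch(kp.getPrivate(), cert), keyBelongsToCert(kp.getPrivate(), cert));
        }
    }
}
```

The first iteration reproduces the mismatch: the private key reports ECDSA while the re-parsed certificate's public key reports EC, so the entry is rejected on the name alone even though the sign/verify check passes.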
