私鑰算法與最終實體證書中的公鑰算法不匹配(索引 0)
[英]Private key algorithm does not match algorithm of public key in end entity certificate (at index 0)
問題描述
我正在嘗試將私鑰及其證書鏈存儲在密鑰庫中,但出現以下錯誤:私鑰算法與最終實體證書中的公鑰算法不匹配(索引為 0)
這就是我生成密鑰對的方式:
public GenerateKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
//Generating and ECDSA KeyPair
ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime239v3");
KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC");
g.initialize(ecSpec, new SecureRandom());
KeyPair keygen = g.generateKeyPair();
//Setting the ECDSA KeyGen
this.keygen = keygen;
}
這是我用來生成 X509Certificate 的方法:
public static X509Certificate GetCertificate_v3(KeyPair keygen, Date startDate, Date expiryDate,
String serial, String Certification_Aut_Id) throws InvalidKeyException, SecurityException, SignatureException{
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
v3CertGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
v3CertGen.setIssuerDN(new X509Principal("CN=" + Certification_Aut_Id + ", O=o, L=L, ST=il, C= c"));
v3CertGen.setNotBefore(startDate);
v3CertGen.setNotAfter(expiryDate);
v3CertGen.setSubjectDN(new X509Principal("CN=" + Certification_Aut_Id + ", O=o, L=L, ST=il, C= c"));
v3CertGen.setPublicKey(keygen.getPublic());
v3CertGen.setSignatureAlgorithm("SHA256withECDSA");
X509Certificate cert = v3CertGen.generateX509Certificate(keygen.getPrivate());
return cert;
}
用於存儲密鑰對的代碼是:
public static void storeKeypair(String KSpwd, String PKpwd, String KSname, X509Certificate certificate,
KeyPair keygen, String alias, String temp_local) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException{
//Before a keystore can be accessed, it must be loaded.
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// get user password and file input stream
char[] KSpassword = KSpwd.toCharArray();
FileInputStream fis = new java.io.FileInputStream(KSname);
ks.load(fis, KSpassword);
fis.close();
//writing the X509Certificate in a .cer file
FileOutputStream fos1 = new FileOutputStream(temp_local + alias + ".cer");
fos1.write( certificate.getEncoded() );
fos1.flush();
fos1.close();
// Load the certificate chain (in X.509 DER encoding).
FileInputStream certificateStream = new FileInputStream(temp_local + alias + ".cer");
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Certificate[] chain = {};
chain = certificateFactory.generateCertificates(certificateStream).toArray(chain);
// save my private key & certificate chain
char[] PKpassword = PKpwd.toCharArray();
ks.setEntry(alias, new KeyStore.PrivateKeyEntry(keygen.getPrivate(), chain),
new KeyStore.PasswordProtection(PKpassword)
);
//Store the KeyStore
// Write out the keystore
FileOutputStream fos = new FileOutputStream(KSname);
ks.store(fos, KSpassword);
fos.close();
}
產生的錯誤是:
Exception in thread "main" java.lang.IllegalArgumentException: private key algorithm does not match algorithm of public key in end entity certificate (at index 0)
at java.security.KeyStore$PrivateKeyEntry.<init>(KeyStore.java:408)
at SDSGeneration.keyStore.storeKeypair(keyStore.java:65)
at FinalTest.main(FinalTest.java:70)
2 個解決方案
解決方案1
0 2020-05-27 05:18:56
我在使用Web Crypto API時遇到了同樣的問題。 我的問題是我使用密鑰對而不是派生的秘密密鑰來加密消息。
你可以在這里找到一個完整的例子
解決方案2
0 2021-03-28 13:22:28
我在生成 VAPID 密鑰以啟用 Web Push 時遇到了這個問題。 我想將生成的密鑰存儲到一個 java 密鑰庫中,這需要您擁有私鑰的證書。
將算法從 ECDSA 更改為 EC 使事情奏效。 Afaik EC 是生成密鑰的算法,而 ECDSA 是 EC 密鑰的簽名算法。
public static KeyPair generateVapidKeyPair() throws CryptoException {
try {
ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime256v1");
KeyPairGenerator g = KeyPairGenerator.getInstance("EC", "BC");
g.initialize(ecSpec, new SecureRandom());
return g.generateKeyPair();
} catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException ex) {
throw new CryptoException("Could not generate VAPID keypair", ex);
}
}
之后,我使用 SHA256withECDSA 算法對密鑰進行簽名,並使用 BC 生成證書。 這與 RSA 大致相同,因此我將省略該部分代碼。 之后,我可以毫無問題地從密鑰庫中存儲和檢索密鑰(以 BC 作為提供者的編程方式)。
使用給定私鑰在橢圓曲線算法中生成公鑰的代碼
[英]Codes to generate a public key in an elliptic curve algorithm using a given private key
RSA算法PKCS#1.5填充(非OEAP)密碼加密,帶有Java中的客戶端證書公共密鑰
[英]RSA algorithm PKCS #1.5 padding (not OEAP) password encryption with client certificate public key in Java
JAVA:如何使用公共證書和私鑰建立 SSL 連接
[英]JAVA : How to make SSL connection with public certificate and private key
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.