[英]Unable to Load an X509Certificate into an XML Digital Signature
我使用的是 JDK 1.8.0_74。
我有基於標准做事方式創建 XML 數字簽名的代碼(例如http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html )。
但是,我不想為簽名塊的 X509Data 元素加載密鑰存儲和密鑰,而是只想加載 X509Certificate 作為簽名塊的一部分,這將產生如下結果:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#body">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>d6xssQEvw9mMXEbQ1+/jpYTFbqY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HwQ5o5RzCauJSIcyGyzPlIJHMYtaA2spBmnRvTmcL0S+bfb/UovUwBAn7WAKckUH
Qv0TuRMMZG3xaV5h4tdrW3hgSw1wZFfEG9cxViz6cr7FOTOEfOAjtU3M8v2/f21i
4o7w5ZORwAlUONamQ0C9x5CNccvNZln5vrpdcL+vqSc=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIC9TCCAl6gAwIBAgICFNAwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAlpB
MSIwIAYDVQQIExlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQKExRU
aGF3dGUgQ2VydGlmaWNhdGlvbjEXMBUGA1UECxMOVEVTVCBURVNUIFRFU1QxHDAa
BgNVBAMTE1RoYXd0ZSBUZXN0IENBIFJvb3QwHhcNMDUwNTI2MTkxNzE2WhcNMDUw
NjE2MTkxNzE2WjCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNBTElGT1JOSUEx
EjAQBgNVBAcTCVNBTiBQRURSTzEPMA0GA1UEChMGQURWRU5UMR8wHQYDVQQLFBZS
RVNFQVJDSCAmIERFVkVMT1BNRU5UMScwJQYDVQQDEx5hZHZjZW50cmFsLmFkdmVu
dHJlc291cmNlcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANQQh/K9
GBezwbZuES/zX1exs+9/RDGH2Gv5b5mzSsytg4AY/gYN65tbL5PT/ZsfMs0QYpl0
KGxJFnZ5HHlR/90Ut86PhQPsVsr3S0iWJCrPHaPE8yWt4MKWP/5ERIf1C11cvRvh
bYmrIab5+bxOhYzci3t7aRBf2Er6m89Fd5SjAgMBAAGjZDBiMAwGA1UdEwEB/wQC
MAAwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL3d3dy50aGF3dGUuY29tL3Rlc3Rj
ZXJ0LmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcN
AQEEBQADgYEAJz3h8DT7kTvCPVhxOpRV1pE31QQaf4kD5/qI0D9yRYck2RkLH+ow
U1OQODhRyAkJUhbjfkWJPnjJUoYTmtlJioWq0r6lYJPv9QKgg4LwMo/RGvhdfHMc
83/Q5HSKWdat3US79R8K6FALTq3Ij7m4nJZZ6Zi+Ev8JBsSGsedSt+o=</X509Certificate>
<X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA</X509IssuerName>
<X509SerialNumber>5328</X509SerialNumber>
</X509IssuerSerial>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
(順便說一句,這是我之前驗證過的有效簽名。)
現在,我的代碼如下所示:
javax.xml.crypto.dsig.keyinfo.KeyInfoFactory kif = fac.getKeyInfoFactory();
List x509Content = new ArrayList();
X509Certificate certObj1 = null;
try {
InputStream fis = this.getClass().getClassLoader().getResourceAsStream("test.cert");
certObj1 = (X509Certificate)(X509Certificate.getInstance(fis));
fis.close();
fis = null;
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (javax.security.cert.CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
x509Content.add(certObj1);
x509Content.add(certObj1.getSubjectDN().getName());
javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
javax.xml.crypto.dsig.keyinfo.KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
但是,當執行此行時:
javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
我得到一個例外:
java.lang.ClassCastException: content[0] is not a valid X509Data type
at org.jcp.xml.dsig.internal.dom.DOMX509Data.<init>(DOMX509Data.java:90)
at org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory.newX509Data(DOMKeyInfoFactory.java:106)
at com.abc.service.TestService.generateSignature(TestService.java:33...
查看了適當的代碼(在線和反編譯的實際 .class 文件中),它在 DOMX509Data 構造函數的這一部分失敗:
if (x509Type instanceof String) {
new X500Principal((String)x509Type);
} else if (!(x509Type instanceof byte[]) &&
!(x509Type instanceof X509Certificate) &&
!(x509Type instanceof X509CRL) &&
!(x509Type instanceof XMLStructure)) {
throw new ClassCastException
("content["+i+"] is not a valid X509Data type");
}
但是,如果我在自己的代碼中復制/粘貼並重新創建相同的代碼,則永遠不會發生該異常!
對於我的生活,我無法弄清楚為什么會這樣。 我已經檢查過content[0]
的類型是com.sun.security.cert.internal.x509.X509V1CertImpl
,它絕對擴展了X509Certificate
。
我做錯了什么? 我希望我忽略了一些東西,或者我正在做一些完全非法的事情。
任何幫助將不勝感激。
提前致謝。
更新
雖然我仍然想知道為什么會這樣,但為了節省時間,我已經按照這里的示例( http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772 .html )並加載到證書正文中,但您首先必須將證書轉換為密鑰庫(這可能有幫助: 在 Java 密鑰庫中導入現有的 x509 證書和私鑰以在 ssl 中使用)。
此外,如果您只想加載序列信息而不是證書正文本身,請嘗試以下操作:
String dn = cert.getIssuerDN().toString();
BigInteger sn = cert.getSerialNumber();
X509IssuerSerial xd = kif.newX509IssuerSerial(dn, sn);
// next commented line was the original, replaced with the above line
//javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
javax.xml.crypto.dsig.keyinfo.KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(xd))));
我知道這有點晚了,但有一天可能會幫助某人。
我遇到了同樣的錯誤,就我而言,我傳遞了錯誤的別名。 要查找別名,請在終端 (Windows) 上執行以下命令:
keytool -v -list -keystore <jks file>
別名就在開頭:
keytool -v -list -keystore keystore.jks
輸入密鑰庫密碼:
密鑰庫類型:JKS
密鑰庫類型:JKS 密鑰庫提供者:SUN
您的密鑰庫包含 1 個條目
別名: (*一堆數字*)*別名*
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.