1. 首頁
  2. 問答
  3. KeyUsage不允許數字簽名

KeyUsage不允許數字簽名

2013-03-12 130 views
5

我試圖從我的Java EE程序向需要證書身份驗證的主機發送HTTPS請求。我有一個適當的密鑰庫文件,帶導入CA的信任庫,兩者的列表顯示了證書在裏面。KeyUsage不允許數字簽名

但我收到以下錯誤:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures 
    at ... 

... 

Caused by: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures 
    at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:270) 
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:141) 
    at sun.security.validator.Validator.validate(Validator.java:264) 
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) 
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) 
    at  sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) 
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319) 
... 29 more

在擴展的一部分,我看到下面的查看證書內容:

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 33 87 72 1D 09 2F DF FF 1A A7 D1 C0 E1 CF C5 FA 3.r../.......... 
0010: A4 19 54 2E          ..T. 
] 
] 

#2: ObjectId: 2.16.840.1.113730.1.1 Criticality=false 
NetscapeCertType [ 
    SSL client 
] 

#3: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 74 9F 43 07 CC 75 FA D3 D0 13 0F 65 36 CC 4A 9A t.C..u.....e6.J. 
0010: E0 8E 9C 52          ...R 
] 
] 

#4: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://test.az:7447/Test%20CA.crl] 
]] 

#5: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    DigitalSignature 
]

所以我的證書確實含有密鑰使用[的DigitalSignature]

引發異常的地方的代碼片段如下所示:

private final static int KU_SIGNATURE = 0; 

... 

private void checkTLSServer(X509Certificate cert, String parameter) 
     throws CertificateException { 
    Set<String> exts = getCriticalExtensions(cert); 

    ... 

    } else if (KU_SERVER_SIGNATURE.contains(parameter)) { 
     if (checkKeyUsage(cert, KU_SIGNATURE) == false) { 
      throw new ValidatorException 
        ("KeyUsage does not allow digital signatures", 
        ValidatorException.T_EE_EXTENSIONS, cert); 
     } 
    } 

    ... 
}

checkKeyUsage功能:

private boolean checkKeyUsage(X509Certificate cert, int bit) 
     throws CertificateException { 
    boolean[] keyUsage = cert.getKeyUsage(); 
    if (keyUsage == null) { 
     return true; 
    } 
    return (keyUsage.length > bit) && keyUsage[bit]; 
}

它在回報(keyUsage.length>位)失敗& &的keyUsage [比特];

問題是爲什麼上述表達式的結果= false?當bit = 0且cert.getKeyUsage()必須返回布爾型[true,false,false,false,false,false,false,false]的數組時

來源

2013-03-12 chaplean

+0

您是否檢查過鏈中的所有證書(特別是CA證書)? – Bruno 2013-03-12 12:09:49

+0

是的,實際上我使用運行JRE6的舊服務器中的密鑰庫和信任庫,並且沒有問題,但帶有JRE7的新服務器會拋出異常。 – chaplean 2013-03-12 12:39:42

+0

使用'-Djavax.net.debug = all'時,你會得到更精確的結果嗎? – Bruno 2013-03-12 12:41:12

回答

6

該錯誤實際上來自驗證服務器的證書。該證書的密鑰用法部分不包含digitalSignature位。

某些密碼套件需要數字簽名位,特別是Diffie-Hellman密鑰交換(DHE_RSA和ECDHE_RSA)。您可以通過避免使用這些密碼類型來避免此錯誤。否則,服務器證書需要支持它。

來源

2013-12-18 22:04:12

+2

如何避免在java中使用這些密碼? – 2017-01-17 04:54:20

相關問題

 相關問題