2015-02-11 306 views
0

I have a .cer that was signed by someone else. From it I created a .jks private key file with the tool below, in order to get the private key out of the keystore:

keytool -importcert -file aaa.cer -keystore aaa.jks -alias abcd

Output:

Owner: CN=Sample, [email protected], C=IN, OU=Director, O=ABCDEF 
Issuer: C=IN, O=ABCDEF, CN=Owner 
Serial number: 1 
Valid from: Fri Feb 20 17:11:48 IST 2015 until: Mon Feb 19 17:11:48 IST 2018 
Certificate fingerprints: 
     MD5: 59:9A:1C:FA:F7:F3:45:CA:06:1D:FA:AA:13:B7:68:1C 
     SHA1: 3B:4E:4B:5A:57:9E:DC:D6:3E:3C:EB:18:91:60:B6:EA:9D:FB:6E:DA 
     SHA256: 37:04:49:08:0A:2E:1D:5D:58:51:0E:69:C3:85:5C:45:55:F0:D9:6B:27:EE:99:6B:E7:08:B7:4A:EA:E0:83:EC 
     Signature algorithm name: SHA1withRSA 
     Version: 3 
Trust this certificate? [no]: yes 
Certificate was added to keystore 

I need to sign XML with the same certificate, so I wrote the following code:

// Parse the XML to be signed (namespace awareness is required for XML-DSig)
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document inputDocument = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xmlDoc)));
// Open the keystore and fetch the private key entry under the alias
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("../cer/aaa.jks"), "xxxxxxx".toCharArray());
KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("abcd", new KeyStore.PasswordProtection("xxxxxxx".toCharArray()));
X509Certificate x509Cert = (X509Certificate) keyEntry.getCertificate();
// Build the enveloped signature over the whole document
XMLSignatureFactory fac = XMLSignatureFactory.getInstance(MEC_TYPE);
Reference ref = fac.newReference(WHOLE_DOC_URI, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
SignedInfo sInfo = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
KeyInfo kInfo = getKeyInfo(x509Cert, fac);
DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), inputDocument.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(sInfo, kInfo);
signature.sign(dsc);
// Serialise the signed document back to a string
Node node = dsc.getParent();
Document signedDocument = node.getOwnerDocument();
StringWriter stringWriter = new StringWriter();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.transform(new DOMSource(signedDocument), new StreamResult(stringWriter));
return stringWriter.getBuffer().toString();

But I keep getting an exception at line 6.

Stack trace:

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected 
    at java.security.KeyStoreSpi.engineGetEntry(Unknown Source) 
    at java.security.KeyStore.getEntry(Unknown Source) 

Please help me work out how to fix this. Thanks.

+0

Please don't post images of output here. Copy and paste the *text*. It's simple. Otherwise you waste other people's bandwidth, reduce legibility, rule out further copy/paste, and generally reduce your chances of getting an answer. – EJP 2015-02-11 07:53:18

Answer

1

A .cer file contains only the public key and some signature information from the CA, so there is no private key in your keystore to retrieve. What you did by importing the .cer file was add it to the set of certificates the JVM will trust.

To make this work you need the private key file that was used to generate the certificate signing request for this certificate. If it was not created in a Java keystore with keytool, a few extra steps may be needed, because you cannot import a private key and certificate directly into a .jks file and have to, for example, create an intermediate PKCS12 keystore. With openssl that might work like this:

# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in certificate.cer -inkey server.key -out keystore.p12
# Convert PKCS12 keystore into a JKS keystore; the source alias is the -name
# given above, the destination alias is the one the Java code looks up.
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -srcalias myservercert -destalias abcd
+0

What is this 'server.key' file? Sorry, I'm new to this. – 2015-02-11 07:25:45

+0

That is the pem file containing the private key - but you may also already have it in a jks file. Your main challenge right now is to somehow find out where your private key is kept. – 2015-02-11 07:31:09
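As an added example (not code from the question or the answer), the Java utility below does the check the question's code skips: before casting whatever `getEntry` returns to a `PrivateKeyEntry`, it asks the keystore what kind of entry the alias holds. A `trustedCertEntry`, which is what `keytool -importcert` creates, carries only the certificate and no key password, so `getEntry(alias, PasswordProtection)` rejects it with exactly the `UnsupportedOperationException` in the stack trace. The class name `KeystoreEntryCheck`, the command-line arguments and the error messages are all assumptions of this example; the keystore file, password and alias are supplied by the user.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example: classify keystore entries before trying to sign with them.
 * Usage: java KeystoreEntryCheck <keystore-file> <store-password> <alias>
 * (hypothetical class and argument names; nothing here is a real credential)
 */
public class KeystoreEntryCheck {

    /** Rough equivalent of the "Entry type" shown by "keytool -list". */
    enum EntryKind { PRIVATE_KEY, TRUSTED_CERT, SECRET_KEY, MISSING }

    static KeyStore load(String path, char[] storePassword) throws Exception {
        // "JKS" as in the question; on Java 9+ this also opens PKCS12 files.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    static EntryKind classify(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return EntryKind.MISSING;
        }
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            return EntryKind.PRIVATE_KEY;
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            return EntryKind.TRUSTED_CERT;
        }
        // The only remaining standard kind is a symmetric SecretKeyEntry.
        return EntryKind.SECRET_KEY;
    }

    /**
     * Returns the entry the XML signing code needs, or fails with a message that
     * says why the alias cannot sign, instead of the opaque exception from getEntry.
     */
    static KeyStore.PrivateKeyEntry signingEntry(KeyStore ks, String alias, char[] keyPassword)
            throws Exception {
        switch (classify(ks, alias)) {
            case PRIVATE_KEY: {
                KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry)
                        ks.getEntry(alias, new KeyStore.PasswordProtection(keyPassword));
                X509Certificate cert = (X509Certificate) entry.getCertificate();
                // Sanity check: the certificate must wrap the public half of this key.
                if (!cert.getPublicKey().getAlgorithm().equals(entry.getPrivateKey().getAlgorithm())) {
                    throw new IllegalStateException("certificate and private key algorithms differ for alias " + alias);
                }
                return entry;
            }
            case TRUSTED_CERT:
                throw new IllegalStateException("alias '" + alias + "' is a trustedCertEntry (what keytool -importcert creates): "
                        + "it holds only the certificate, so there is no private key to sign with");
            case SECRET_KEY:
                throw new IllegalStateException("alias '" + alias + "' is a symmetric SecretKeyEntry, not an RSA signing key");
            default:
                throw new IllegalStateException("alias '" + alias + "' does not exist in this keystore");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreEntryCheck <keystore-file> <store-password> <alias>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = load(args[0], password);

        // List every alias with its kind, like "keytool -list", so the user can
        // see whether a private key exists anywhere in the file at all.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            System.out.printf("%-20s %s%n", alias, classify(ks, alias));
        }

        // Same password for store and key, as in the question's code.
        KeyStore.PrivateKeyEntry entry = signingEntry(ks, args[2], password);
        X509Certificate cert = (X509Certificate) entry.getCertificate();
        System.out.println("Signing as: " + cert.getSubjectX500Principal());
    }
}
```

Run against the `aaa.jks` from the question, the listing shows `abcd TRUSTED_CERT` and `signingEntry` fails with the explanatory message; run against a store produced by the `-importkeystore` step in the answer, it shows `abcd PRIVATE_KEY` and returns the entry that `DOMSignContext` needs. The `entryInstanceOf` check is the same test `keytool -list` performs, so it is a cheap guard to put in front of any keystore-backed signing code rather than relying on a cast that only fails at run time.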