Get private key from keystore
I have a .cer that was signed by someone else. From it I created the private key file .jks using the tool below:
keytool -importcert -file aaa.cer -keystore aaa.jks -alias abcd
Output:
Owner: CN=Sample, [email protected], C=IN, OU=Director, O=ABCDEF
Issuer: C=IN, O=ABCDEF, CN=Owner
Serial number: 1
Valid from: Fri Feb 20 17:11:48 IST 2015 until: Mon Feb 19 17:11:48 IST 2018
Certificate fingerprints:
MD5: 59:9A:1C:FA:F7:F3:45:CA:06:1D:FA:AA:13:B7:68:1C
SHA1: 3B:4E:4B:5A:57:9E:DC:D6:3E:3C:EB:18:91:60:B6:EA:9D:FB:6E:DA
SHA256: 37:04:49:08:0A:2E:1D:5D:58:51:0E:69:C3:85:5C:45:55:F0:D9:6B:27:EE:99:6B:E7:08:B7:4A:EA:E0:83:EC
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
With the same certificate I need to sign XML, and I wrote the code below:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document inputDocument = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xmlDoc)));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("../cer/aaa.jks"), "xxxxxxx".toCharArray());
KeyStore.PrivateKeyEntry keyEntry =(KeyStore.PrivateKeyEntry) ks.getEntry("abcd", new KeyStore.PasswordProtection("xxxxxxx".toCharArray()));
X509Certificate x509Cert = (X509Certificate) keyEntry.getCertificate();
XMLSignatureFactory fac = XMLSignatureFactory.getInstance(MEC_TYPE);
Reference ref = fac.newReference(WHOLE_DOC_URI, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac.newTransform(Transform.ENVELOPED,(TransformParameterSpec) null)), null, null);
SignedInfo sInfo = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,(C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),Collections.singletonList(ref));
KeyInfo kInfo = getKeyInfo(x509Cert, fac);
DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),inputDocument.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(sInfo,kInfo);
signature.sign(dsc);
Node node = dsc.getParent();
Document signedDocument = node.getOwnerDocument();
StringWriter stringWriter = new StringWriter();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.transform(new DOMSource(signedDocument), new StreamResult(stringWriter));
return stringWriter.getBuffer().toString();
But I keep getting an exception at line 6.
Stack trace:
java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
Please help me solve this problem. Thanks.
A .cer file only contains the public key and some signature information from the CA, so there is no private key in your keystore to retrieve. What you did by importing the .cer file was add it to the set of certificates the JVM will trust.
You need to make this work with the private key file that was used to generate the certificate signing request for this certificate. If that was not created with keytool in a Java keystore, some extra steps may be necessary, since you cannot import a private key and certificate directly into a .jks file but have to create an intermediate PKCS12 keystore, for example. With openssl this might work like this:
# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in certificate.cer -inkey server.key -out keystore.p12
# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -srcalias myservercert -destalias abcd
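As an added example (not part of the question or the answer), a small Java check that reports whether an alias holds a private key entry or only a trusted certificate entry before anything is cast to PrivateKeyEntry; the class name, command-line arguments and messages are my own, and the store type "JKS" follows the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example: inspect a keystore and say, per alias, whether it can sign.
// Assumes path, store password and an optional alias are given on the command line.
public class KeystoreEntryCheck {

    /** Describes what kind of entry the alias holds. */
    public static String describe(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return alias + ": no such alias";
        }
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            // Only this entry type carries a private key and can be cast to PrivateKeyEntry.
            return alias + ": PrivateKeyEntry (private key + certificate chain, usable for signing)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            // What 'keytool -importcert' creates: certificate only, no private key;
            // getEntry() with a PasswordProtection on it throws UnsupportedOperationException.
            return alias + ": TrustedCertificateEntry (certificate only, no private key)";
        }
        return alias + ": SecretKeyEntry or other entry type";
    }

    /** Fetches the signing entry, failing with a clear message if there is no private key. */
    public static KeyStore.PrivateKeyEntry signingEntry(KeyStore ks, String alias, char[] keyPass)
            throws Exception {
        if (!ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            throw new IllegalStateException(alias + " holds no private key; import key and"
                    + " certificate together, e.g. through a PKCS12 keystore");
        }
        return (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(keyPass));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreEntryCheck <keystore.jks> <storepass> [alias]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Iterable<String> aliases = args.length > 2
                ? Collections.singletonList(args[2])
                : Collections.list(ks.aliases());
        for (String alias : aliases) {
            System.out.println(describe(ks, alias));
        }
    }
}
```

The same distinction is visible without code in `keytool -list -v -keystore aaa.jks`, where each alias is printed with its "Entry type" (trustedCertEntry vs. PrivateKeyEntry).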
What is this 'server.key' file? Sorry, I'm a newbie. – 2015-02-11 07:25:45
That is the pem file containing the private key - but you might also already have it in a jks file. Your main challenge right now is to somehow find out where your private key is stored. – 2015-02-11 07:31:09
Please don't post pictures of output here. Copy and paste the *text.* It's simple. Otherwise you're wasting other people's bandwidth; reducing legibility; precluding further copy/paste; and generally reducing your chances of getting an answer. – EJP 2015-02-11 07:53:18