logo标签列表

无法将X509证书加载到XML数字签名中

javaxmldigital-signature
3
我正在使用JDK 1.8.0_74。
我有创建XML数字签名的代码,基于一种标准的实现方式(例如http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html)。
然而,与其加载密钥库和X509Data元素的密钥作为签名块的一部分,我只想加载X509证书作为签名块的一部分,这将产生类似于以下内容:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#body">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>d6xssQEvw9mMXEbQ1+/jpYTFbqY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HwQ5o5RzCauJSIcyGyzPlIJHMYtaA2spBmnRvTmcL0S+bfb/UovUwBAn7WAKckUH
Qv0TuRMMZG3xaV5h4tdrW3hgSw1wZFfEG9cxViz6cr7FOTOEfOAjtU3M8v2/f21i
4o7w5ZORwAlUONamQ0C9x5CNccvNZln5vrpdcL+vqSc=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIC9TCCAl6gAwIBAgICFNAwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAlpB
MSIwIAYDVQQIExlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQKExRU
aGF3dGUgQ2VydGlmaWNhdGlvbjEXMBUGA1UECxMOVEVTVCBURVNUIFRFU1QxHDAa
BgNVBAMTE1RoYXd0ZSBUZXN0IENBIFJvb3QwHhcNMDUwNTI2MTkxNzE2WhcNMDUw
NjE2MTkxNzE2WjCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNBTElGT1JOSUEx
EjAQBgNVBAcTCVNBTiBQRURSTzEPMA0GA1UEChMGQURWRU5UMR8wHQYDVQQLFBZS
RVNFQVJDSCAmIERFVkVMT1BNRU5UMScwJQYDVQQDEx5hZHZjZW50cmFsLmFkdmVu
dHJlc291cmNlcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANQQh/K9
GBezwbZuES/zX1exs+9/RDGH2Gv5b5mzSsytg4AY/gYN65tbL5PT/ZsfMs0QYpl0
KGxJFnZ5HHlR/90Ut86PhQPsVsr3S0iWJCrPHaPE8yWt4MKWP/5ERIf1C11cvRvh
bYmrIab5+bxOhYzci3t7aRBf2Er6m89Fd5SjAgMBAAGjZDBiMAwGA1UdEwEB/wQC
MAAwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL3d3dy50aGF3dGUuY29tL3Rlc3Rj
ZXJ0LmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcN
AQEEBQADgYEAJz3h8DT7kTvCPVhxOpRV1pE31QQaf4kD5/qI0D9yRYck2RkLH+ow
U1OQODhRyAkJUhbjfkWJPnjJUoYTmtlJioWq0r6lYJPv9QKgg4LwMo/RGvhdfHMc
83/Q5HSKWdat3US79R8K6FALTq3Ij7m4nJZZ6Zi+Ev8JBsSGsedSt+o=</X509Certificate>
<X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA</X509IssuerName>
<X509SerialNumber>5328</X509SerialNumber>
</X509IssuerSerial>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>

(顺便说一句,这是我之前验证过的有效签名。)
现在,我的代码看起来像这样:
javax.xml.crypto.dsig.keyinfo.KeyInfoFactory kif = fac.getKeyInfoFactory();
        List x509Content = new ArrayList();

        X509Certificate certObj1 = null;

        try {
            InputStream fis = this.getClass().getClassLoader().getResourceAsStream("test.cert");
            certObj1 = (X509Certificate)(X509Certificate.getInstance(fis));
            fis.close();
            fis = null;                       
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (javax.security.cert.CertificateException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }        

        x509Content.add(certObj1);
        x509Content.add(certObj1.getSubjectDN().getName());

        javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
        javax.xml.crypto.dsig.keyinfo.KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));

但是,当执行这行代码时:

javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);

我收到了一个异常:

java.lang.ClassCastException: content[0] is not a valid X509Data type
    at org.jcp.xml.dsig.internal.dom.DOMX509Data.<init>(DOMX509Data.java:90)
    at org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory.newX509Data(DOMKeyInfoFactory.java:106)
    at com.abc.service.TestService.generateSignature(TestService.java:33...

我已经查看了相关代码(在线和实际的反编译.class文件),在DOMX509Data构造函数的这个部分出现了错误:

if (x509Type instanceof String) {
                new X500Principal((String)x509Type);
            } else if (!(x509Type instanceof byte[]) &&
                !(x509Type instanceof X509Certificate) &&
                !(x509Type instanceof X509CRL) &&
                !(x509Type instanceof XMLStructure)) {
                throw new ClassCastException
                    ("content["+i+"] is not a valid X509Data type");
            }

但是,如果我复制/粘贴并在自己的代码中重新创建相同的代码,则该异常永远不会发生!

我真的无法弄清楚为什么会这样。 我已经检查了content [0]的类型是com.sun.security.cert.internal.x509.X509V1CertImpl,它绝对扩展了X509Certificate

我做错了什么? 我希望我忽略了某些东西或者我正在做一些完全非法的事情。

任何帮助都将不胜感激。

提前致谢。

更新

虽然我仍然想知道这是为什么,但考虑到时间,我已经按照这里的例子进行了操作(http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html),它会加载证书正文本身,但您首先必须将证书转换为密钥库(这可能有所帮助:在Java密钥库中导入现有的x509证书和私钥以用于ssl)。

此外,如果您只想加载序列号信息而不是证书正文本身,请尝试类似于以下内容:

String dn = cert.getIssuerDN().toString();
BigInteger sn = cert.getSerialNumber();
X509IssuerSerial xd = kif.newX509IssuerSerial(dn, sn);

// next commented line was the original, replaced with the above line    
//javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
javax.xml.crypto.dsig.keyinfo.KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(xd))));
1个回答
1
我知道现在有点晚了,但是也许有一天会对某个人有所帮助。
我遇到了同样的错误,在我的情况下,我传递了错误的别名。要查找别名,请在终端(Windows)上执行以下命令:
keytool -v -list -keystore <jks file>

别名在开头:

keytool -v -list -keystore keystore.jks

输入密钥库密码:

密钥库类型: JKS

密钥库提供者: SUN

您的密钥库包含1个条目

别名: (*一堆数字*) *别名*

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接