我正在使用JDK 1.8.0_74。
我有创建XML数字签名的代码,基于一种标准的实现方式(例如http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html)。
然而,与其加载密钥库和X509Data元素的密钥作为签名块的一部分,我只想加载X509证书作为签名块的一部分,这将产生类似于以下内容:
(顺便说一句,这是我之前验证过的有效签名。)
现在,我的代码看起来像这样:
我有创建XML数字签名的代码,基于一种标准的实现方式(例如http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html)。
然而,与其加载密钥库和X509Data元素的密钥作为签名块的一部分,我只想加载X509证书作为签名块的一部分,这将产生类似于以下内容:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#body">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>d6xssQEvw9mMXEbQ1+/jpYTFbqY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HwQ5o5RzCauJSIcyGyzPlIJHMYtaA2spBmnRvTmcL0S+bfb/UovUwBAn7WAKckUH
Qv0TuRMMZG3xaV5h4tdrW3hgSw1wZFfEG9cxViz6cr7FOTOEfOAjtU3M8v2/f21i
4o7w5ZORwAlUONamQ0C9x5CNccvNZln5vrpdcL+vqSc=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIC9TCCAl6gAwIBAgICFNAwDQYJKoZIhvcNAQEEBQAwgYcxCzAJBgNVBAYTAlpB
MSIwIAYDVQQIExlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQKExRU
aGF3dGUgQ2VydGlmaWNhdGlvbjEXMBUGA1UECxMOVEVTVCBURVNUIFRFU1QxHDAa
BgNVBAMTE1RoYXd0ZSBUZXN0IENBIFJvb3QwHhcNMDUwNTI2MTkxNzE2WhcNMDUw
NjE2MTkxNzE2WjCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNBTElGT1JOSUEx
EjAQBgNVBAcTCVNBTiBQRURSTzEPMA0GA1UEChMGQURWRU5UMR8wHQYDVQQLFBZS
RVNFQVJDSCAmIERFVkVMT1BNRU5UMScwJQYDVQQDEx5hZHZjZW50cmFsLmFkdmVu
dHJlc291cmNlcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANQQh/K9
GBezwbZuES/zX1exs+9/RDGH2Gv5b5mzSsytg4AY/gYN65tbL5PT/ZsfMs0QYpl0
KGxJFnZ5HHlR/90Ut86PhQPsVsr3S0iWJCrPHaPE8yWt4MKWP/5ERIf1C11cvRvh
bYmrIab5+bxOhYzci3t7aRBf2Er6m89Fd5SjAgMBAAGjZDBiMAwGA1UdEwEB/wQC
MAAwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL3d3dy50aGF3dGUuY29tL3Rlc3Rj
ZXJ0LmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcN
AQEEBQADgYEAJz3h8DT7kTvCPVhxOpRV1pE31QQaf4kD5/qI0D9yRYck2RkLH+ow
U1OQODhRyAkJUhbjfkWJPnjJUoYTmtlJioWq0r6lYJPv9QKgg4LwMo/RGvhdfHMc
83/Q5HSKWdat3US79R8K6FALTq3Ij7m4nJZZ6Zi+Ev8JBsSGsedSt+o=</X509Certificate>
<X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA</X509IssuerName>
<X509SerialNumber>5328</X509SerialNumber>
</X509IssuerSerial>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
(顺便说一句,这是我之前验证过的有效签名。)
现在,我的代码看起来像这样:
javax.xml.crypto.dsig.keyinfo.KeyInfoFactory kif = fac.getKeyInfoFactory();
List x509Content = new ArrayList();
X509Certificate certObj1 = null;
try {
InputStream fis = this.getClass().getClassLoader().getResourceAsStream("test.cert");
certObj1 = (X509Certificate)(X509Certificate.getInstance(fis));
fis.close();
fis = null;
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (javax.security.cert.CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
x509Content.add(certObj1);
x509Content.add(certObj1.getSubjectDN().getName());
javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
javax.xml.crypto.dsig.keyinfo.KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
但是,当执行这行代码时:
javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
我收到了一个异常:
java.lang.ClassCastException: content[0] is not a valid X509Data type
at org.jcp.xml.dsig.internal.dom.DOMX509Data.<init>(DOMX509Data.java:90)
at org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory.newX509Data(DOMKeyInfoFactory.java:106)
at com.abc.service.TestService.generateSignature(TestService.java:33...
我已经查看了相关代码(在线和实际的反编译.class文件),在DOMX509Data构造函数的这个部分出现了错误:
if (x509Type instanceof String) {
new X500Principal((String)x509Type);
} else if (!(x509Type instanceof byte[]) &&
!(x509Type instanceof X509Certificate) &&
!(x509Type instanceof X509CRL) &&
!(x509Type instanceof XMLStructure)) {
throw new ClassCastException
("content["+i+"] is not a valid X509Data type");
}
但是,如果我复制/粘贴并在自己的代码中重新创建相同的代码,则该异常永远不会发生!
我真的无法弄清楚为什么会这样。 我已经检查了content [0]
的类型是com.sun.security.cert.internal.x509.X509V1CertImpl
,它绝对扩展了X509Certificate
。
我做错了什么? 我希望我忽略了某些东西或者我正在做一些完全非法的事情。
任何帮助都将不胜感激。
提前致谢。
更新
虽然我仍然想知道这是为什么,但考虑到时间,我已经按照这里的例子进行了操作(http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html),它会加载证书正文本身,但您首先必须将证书转换为密钥库(这可能有所帮助:在Java密钥库中导入现有的x509证书和私钥以用于ssl)。
此外,如果您只想加载序列号信息而不是证书正文本身,请尝试类似于以下内容:
String dn = cert.getIssuerDN().toString();
BigInteger sn = cert.getSerialNumber();
X509IssuerSerial xd = kif.newX509IssuerSerial(dn, sn);
// next commented line was the original, replaced with the above line
//javax.xml.crypto.dsig.keyinfo.X509Data xd = kif.newX509Data(x509Content);
javax.xml.crypto.dsig.keyinfo.KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(xd))));