由于密码原因无法打开PKCS12存储
薛焱
问题内容:
问题答案:
在充气城堡的示例中,我找到了以下代码:
package crypto;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.operator.bc.BcDefaultDigestProvider;
import org.bouncycastle.pkcs.PKCS12PfxPdu;
import org.bouncycastle.pkcs.PKCS12PfxPduBuilder;
import org.bouncycastle.pkcs.PKCS12SafeBag;
import org.bouncycastle.pkcs.PKCS12SafeBagBuilder;
import org.bouncycastle.pkcs.PKCS12SafeBagFactory;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.bc.BcPKCS12MacCalculatorBuilderProvider;
import org.bouncycastle.pkcs.jcajce.JcaPKCS12SafeBagBuilder;
import org.bouncycastle.pkcs.jcajce.JcePKCS12MacCalculatorBuilder;
import org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder;
import org.bouncycastle.pkcs.jcajce.JcePKCSPBEOutputEncryptorBuilder;
import org.bouncycastle.util.io.Streams;
public class PKCS12 {
public static void main(String[] args)
throws Exception
{
Security.addProvider(new BouncyCastleProvider());
KeyStore credentials = JcaUtils.createCredentials();
PrivateKey key = (PrivateKey)credentials.getKey(JcaUtils.END_ENTITY_ALIAS, JcaUtils.KEY_PASSWD);
Certificate[] chain = credentials.getCertificateChain(JcaUtils.END_ENTITY_ALIAS);
createPKCS12File(new FileOutputStream("id.p12"), key, chain);
//
// first do a "blow by blow" read of the PKCS#12 file.
//
PKCS12PfxPdu pfx = readPKCS12File(new FileInputStream("id.p12"));
//
// or alternately just load it up using a KeyStore
//
KeyStore pkcs12Store = KeyStore.getInstance("PKCS12", "BC");
pkcs12Store.load(new FileInputStream("id.p12"), JcaUtils.KEY_PASSWD);
System.out.println("########## KeyStore Dump");
for (Enumeration en = pkcs12Store.aliases(); en.hasMoreElements();)
{
String alias = (String)en.nextElement();
if (pkcs12Store.isCertificateEntry(alias))
{
System.out.println("Certificate Entry: " + alias + ", Subject: " + (((X509Certificate)pkcs12Store.getCertificate(alias)).getSubjectDN()));
}
else if (pkcs12Store.isKeyEntry(alias))
{
System.out.println("Key Entry: " + alias + ", Subject: " + (((X509Certificate)pkcs12Store.getCertificate(alias)).getSubjectDN()));
}
}
System.out.println();
}
private static void createPKCS12File(OutputStream pfxOut, PrivateKey key, Certificate[] chain)
throws Exception
{
OutputEncryptor encOut = new JcePKCSPBEOutputEncryptorBuilder(NISTObjectIdentifiers.id_aes256_CBC).setProvider("BC").build(JcaUtils.KEY_PASSWD);
PKCS12SafeBagBuilder taCertBagBuilder = new JcaPKCS12SafeBagBuilder((X509Certificate)chain[2]);
taCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Bouncy Primary Certificate"));
PKCS12SafeBagBuilder caCertBagBuilder = new JcaPKCS12SafeBagBuilder((X509Certificate)chain[1]);
caCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Bouncy Intermediate Certificate"));
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
PKCS12SafeBagBuilder eeCertBagBuilder = new JcaPKCS12SafeBagBuilder((X509Certificate)chain[0]);
eeCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Eric's Key"));
SubjectKeyIdentifier pubKeyId = extUtils.createSubjectKeyIdentifier(chain[0].getPublicKey());
eeCertBagBuilder.addBagAttribute(PKCS12SafeBag.localKeyIdAttribute, pubKeyId);
PKCS12SafeBagBuilder keyBagBuilder = new JcaPKCS12SafeBagBuilder(key, encOut);
keyBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Eric's Key"));
keyBagBuilder.addBagAttribute(PKCS12SafeBag.localKeyIdAttribute, pubKeyId);
PKCS12PfxPduBuilder builder = new PKCS12PfxPduBuilder();
builder.addData(keyBagBuilder.build());
builder.addEncryptedData(new JcePKCSPBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC).setProvider("BC").build(JcaUtils.KEY_PASSWD), new PKCS12SafeBag[]{eeCertBagBuilder.build(), caCertBagBuilder.build(), taCertBagBuilder.build()});
PKCS12PfxPdu pfx = builder.build(new JcePKCS12MacCalculatorBuilder(NISTObjectIdentifiers.id_sha256), JcaUtils.KEY_PASSWD);
// make sure we don't include indefinite length encoding
pfxOut.write(pfx.getEncoded(ASN1Encoding.DL));
pfxOut.close();
}
private static PKCS12PfxPdu readPKCS12File(InputStream pfxIn)
throws Exception
{
PKCS12PfxPdu pfx = new PKCS12PfxPdu(Streams.readAll(pfxIn));
if (!pfx.isMacValid(new BcPKCS12MacCalculatorBuilderProvider(BcDefaultDigestProvider.INSTANCE), JcaUtils.KEY_PASSWD))
{
System.err.println("PKCS#12 MAC test failed!");
}
ContentInfo[] infos = pfx.getContentInfos();
Map certMap = new HashMap();
Map certKeyIds = new HashMap();
Map privKeyMap = new HashMap();
Map privKeyIds = new HashMap();
InputDecryptorProvider inputDecryptorProvider = new JcePKCSPBEInputDecryptorProviderBuilder()
.setProvider("BC").build(JcaUtils.KEY_PASSWD);
JcaX509CertificateConverter jcaConverter = new JcaX509CertificateConverter().setProvider("BC");
for (int i = 0; i != infos.length; i++)
{
if (infos[i].getContentType().equals(PKCSObjectIdentifiers.encryptedData))
{
PKCS12SafeBagFactory dataFact = new PKCS12SafeBagFactory(infos[i], inputDecryptorProvider);
PKCS12SafeBag[] bags = dataFact.getSafeBags();
for (int b = 0; b != bags.length; b++)
{
PKCS12SafeBag bag = bags[b];
X509CertificateHolder certHldr = (X509CertificateHolder)bag.getBagValue();
X509Certificate cert = jcaConverter.getCertificate(certHldr);
Attribute[] attributes = bag.getAttributes();
for (int a = 0; a != attributes.length; a++)
{
Attribute attr = attributes[a];
if (attr.getAttrType().equals(PKCS12SafeBag.friendlyNameAttribute))
{
certMap.put(((DERBMPString)attr.getAttributeValues()[0]).getString(), cert);
}
else if (attr.getAttrType().equals(PKCS12SafeBag.localKeyIdAttribute))
{
certKeyIds.put(attr.getAttributeValues()[0], cert);
}
}
}
}
else
{
PKCS12SafeBagFactory dataFact = new PKCS12SafeBagFactory(infos[i]);
PKCS12SafeBag[] bags = dataFact.getSafeBags();
PKCS8EncryptedPrivateKeyInfo encInfo = (PKCS8EncryptedPrivateKeyInfo)bags[0].getBagValue();
PrivateKeyInfo info = encInfo.decryptPrivateKeyInfo(inputDecryptorProvider);
KeyFactory keyFact = KeyFactory .getInstance(info.getPrivateKeyAlgorithm().getAlgorithm().getId(), "BC");
PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(info.getEncoded()));
Attribute[] attributes = bags[0].getAttributes();
for (int a = 0; a != attributes.length; a++)
{
Attribute attr = attributes[a];
if (attr.getAttrType().equals(PKCS12SafeBag.friendlyNameAttribute))
{
privKeyMap.put(((DERBMPString)attr.getAttributeValues()[0]).getString(), privKey);
}
else if (attr.getAttrType().equals(PKCS12SafeBag.localKeyIdAttribute))
{
privKeyIds.put(privKey, attr.getAttributeValues()[0]);
}
}
}
}
System.out.println("########## PFX Dump");
for (Iterator it = privKeyMap.keySet().iterator(); it.hasNext();)
{
String alias = (String)it.next();
System.out.println("Key Entry: " + alias + ", Subject: " + (((X509Certificate)certKeyIds.get(privKeyIds.get(privKeyMap.get(alias)))).getSubjectDN()));
}
for (Iterator it = certMap.keySet().iterator(); it.hasNext();)
{
String alias = (String)it.next();
System.out.println("Certificate Entry: " + alias + ", Subject: " + (((X509Certificate)certMap.get(alias)).getSubjectDN()));
}
System.out.println();
return pfx;
}
}
当我使用此代码编写p12时,我尝试使用openssl或钥匙串将其打开,并提示我输入密码。我用他们的密码
public static char[] KEY_PASSWD = "keyPassword".toCharArray();
尝试打开P12,但是它不起作用。此外,当我按原样运行此主要功能时,将执行此行
System.err.println("PKCS#12 MAC test failed!");
为了正确地在p12上输入密码,他们的示例有问题吗?我基本上是想做相当于
openssl pkcs12 -export -des3
如果有其他想法,也可以使用Bouncy Castle在Java中使用。
编辑
看NISTObjectIdentifiers可供选择,我看不到p12pbmac / sha1。这是我看到的:
public interface NISTObjectIdentifiers {
ASN1ObjectIdentifier nistAlgorithm = new ASN1ObjectIdentifier("2.16.840.1.101.3.4");
ASN1ObjectIdentifier hashAlgs = nistAlgorithm.branch("2");
ASN1ObjectIdentifier id_sha256 = hashAlgs.branch("1");
ASN1ObjectIdentifier id_sha384 = hashAlgs.branch("2");
ASN1ObjectIdentifier id_sha512 = hashAlgs.branch("3");
ASN1ObjectIdentifier id_sha224 = hashAlgs.branch("4");
ASN1ObjectIdentifier id_sha512_224 = hashAlgs.branch("5");
ASN1ObjectIdentifier id_sha512_256 = hashAlgs.branch("6");
ASN1ObjectIdentifier id_sha3_224 = hashAlgs.branch("7");
ASN1ObjectIdentifier id_sha3_256 = hashAlgs.branch("8");
ASN1ObjectIdentifier id_sha3_384 = hashAlgs.branch("9");
ASN1ObjectIdentifier id_sha3_512 = hashAlgs.branch("10");
ASN1ObjectIdentifier id_shake128 = hashAlgs.branch("11");
ASN1ObjectIdentifier id_shake256 = hashAlgs.branch("12");
ASN1ObjectIdentifier id_hmacWithSHA3_224 = hashAlgs.branch("13");
ASN1ObjectIdentifier id_hmacWithSHA3_256 = hashAlgs.branch("14");
ASN1ObjectIdentifier id_hmacWithSHA3_384 = hashAlgs.branch("15");
ASN1ObjectIdentifier id_hmacWithSHA3_512 = hashAlgs.branch("16");
ASN1ObjectIdentifier aes = nistAlgorithm.branch("1");
ASN1ObjectIdentifier id_aes128_ECB = aes.branch("1");
ASN1ObjectIdentifier id_aes128_CBC = aes.branch("2");
ASN1ObjectIdentifier id_aes128_OFB = aes.branch("3");
ASN1ObjectIdentifier id_aes128_CFB = aes.branch("4");
ASN1ObjectIdentifier id_aes128_wrap = aes.branch("5");
ASN1ObjectIdentifier id_aes128_GCM = aes.branch("6");
ASN1ObjectIdentifier id_aes128_CCM = aes.branch("7");
ASN1ObjectIdentifier id_aes128_wrap_pad = aes.branch("8");
ASN1ObjectIdentifier id_aes192_ECB = aes.branch("21");
ASN1ObjectIdentifier id_aes192_CBC = aes.branch("22");
ASN1ObjectIdentifier id_aes192_OFB = aes.branch("23");
ASN1ObjectIdentifier id_aes192_CFB = aes.branch("24");
ASN1ObjectIdentifier id_aes192_wrap = aes.branch("25");
ASN1ObjectIdentifier id_aes192_GCM = aes.branch("26");
ASN1ObjectIdentifier id_aes192_CCM = aes.branch("27");
ASN1ObjectIdentifier id_aes192_wrap_pad = aes.branch("28");
ASN1ObjectIdentifier id_aes256_ECB = aes.branch("41");
ASN1ObjectIdentifier id_aes256_CBC = aes.branch("42");
ASN1ObjectIdentifier id_aes256_OFB = aes.branch("43");
ASN1ObjectIdentifier id_aes256_CFB = aes.branch("44");
ASN1ObjectIdentifier id_aes256_wrap = aes.branch("45");
ASN1ObjectIdentifier id_aes256_GCM = aes.branch("46");
ASN1ObjectIdentifier id_aes256_CCM = aes.branch("47");
ASN1ObjectIdentifier id_aes256_wrap_pad = aes.branch("48");
ASN1ObjectIdentifier sigAlgs = nistAlgorithm.branch("3");
ASN1ObjectIdentifier id_dsa_with_sha2 = sigAlgs;
ASN1ObjectIdentifier dsa_with_sha224 = sigAlgs.branch("1");
ASN1ObjectIdentifier dsa_with_sha256 = sigAlgs.branch("2");
ASN1ObjectIdentifier dsa_with_sha384 = sigAlgs.branch("3");
ASN1ObjectIdentifier dsa_with_sha512 = sigAlgs.branch("4");
ASN1ObjectIdentifier id_dsa_with_sha3_224 = sigAlgs.branch("5");
ASN1ObjectIdentifier id_dsa_with_sha3_256 = sigAlgs.branch("6");
ASN1ObjectIdentifier id_dsa_with_sha3_384 = sigAlgs.branch("7");
ASN1ObjectIdentifier id_dsa_with_sha3_512 = sigAlgs.branch("8");
ASN1ObjectIdentifier id_ecdsa_with_sha3_224 = sigAlgs.branch("9");
ASN1ObjectIdentifier id_ecdsa_with_sha3_256 = sigAlgs.branch("10");
ASN1ObjectIdentifier id_ecdsa_with_sha3_384 = sigAlgs.branch("11");
ASN1ObjectIdentifier id_ecdsa_with_sha3_512 = sigAlgs.branch("12");
ASN1ObjectIdentifier id_rsassa_pkcs1_v1_5_with_sha3_224 = sigAlgs.branch("13");
ASN1ObjectIdentifier id_rsassa_pkcs1_v1_5_with_sha3_256 = sigAlgs.branch("14");
ASN1ObjectIdentifier id_rsassa_pkcs1_v1_5_with_sha3_384 = sigAlgs.branch("15");
ASN1ObjectIdentifier id_rsassa_pkcs1_v1_5_with_sha3_512 = sigAlgs.branch("16");
}
问题答案:
元:这是一种解决方法,不能解决所提出的Q问题,但需要格式化。
要创建PKCS12的简单方法, 只需KeyStore按照其javadoc中的说明 使用即可 ,它应该在您的IDE
或Oracle网站上提供。这是一个最小的示例,结合了javadoc中的代码。由于您的Q不会显示您
从 何处获取createCredentials数据,对于本示例,我只是从现有的JKS中读取;根据需要更改此设置。并使用更好的密码! __
我将使用默认提供程序(SunJSSE)和BC提供程序进行演示。我在最终测试中发现了一个警告:BC需要在Oracle
Java上安装“无限强度策略”-至少到j8。据说这个“功能”终于在j9中被删除了,但是我还没有测试。即使TDES 强度
只有112,应该允许,它也可能将168的TDES密钥大小视为超过128 。
char[] pw = "password".toCharArray(); // dummy for test
boolean useBC = System.getProperty("useBC")!=null;
KeyStore jks = KeyStore.getInstance("JKS");
InputStream f1 = new FileInputStream ("old.jks"); jks.load(f1, pw); f1.close();
PrivateKey pkey = (PrivateKey)jks.getKey("mykey", pw);
Certificate[] chain = jks.getCertificateChain("mykey");
// only needed once, and not at all if pre-configured in java.security
if(useBC) Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
// then do something like this
KeyStore p12 = useBC? KeyStore.getInstance("PKCS12","BC"): KeyStore.getInstance("PKCS12");
p12.load(null); p12.setKeyEntry("mykey", pkey, pw, chain);
OutputStream f2 = new FileOutputStream ("new.p12"); p12.store(f2,pw); f2.close();
类似资料:
-
问题内容: 在XCode 6.3和XCode 7中使用快速代码运行项目时,出现以下错误: 由于您无权查看文件“ ***。app”,因此无法打开 我的应用程序不再启动。我检查了编译器设置是否正确。可执行名称和捆绑包名称也正确。 几次清理了项目,也删除了XCtest目标。 问题答案: 有时可能是由于文件中的错误损坏所致。尝试创建一个具有相同名称的新项目,然后用新的项目替换当前的项目。
-
问题内容: 我试图通过使用spring hibernatetemplate将我的hibernate示例移植到spring,但出现此错误,原因是:java.io.FileNotFoundException:无法打开ServletContext资源[/applicationContext.xml]。请建议我运行我的项目。我在公司里更新鲜 我的web.xml文件 我的applicationContext
-
我正在尝试用PHP上传一个文件!我试过上传PNG、JPG、PDF、TXT文件,这些上传只在文件大小为20kb左右时有效。当我尝试上载大小约为150KB的文件时,它会打印,文件名为“1234.png”,其中tmp\u名称为空,图像本身也是空的!这是我的密码 我尝试了多种解决方案,例如更改和的值,而不是32M 以下是尝试上载4KB txt文件的结果: 上传PNG文件127KB的结果: 警告:file_
-
在Websphere Application Sever8.5和RAD 8.5.1上尝试配置JMS队列连接工厂/激活规范时,我得到以下错误:
-
然后我会得到这样的错误消息:“一个错误已经发生。请参阅日志文件{日志文件的路径}” 当我检查日志文件时,我发现根本原因是找不到WToolkitHookQTJA类: 原因:java.lang.ClassNotFoundException:org.eclipse.swt_3.103.1.v20140903-1938在org.eclipse.osgi.internal.loader.bundleLoad
-
问题内容: 我只是重新启动了计算机,没有进行任何更改。突然我无法打开Eclipse。相反,我收到此错误消息: 而且我看到我所有的环境变量都被删除了。,,,等不工作。我现在该怎么办,该如何解决? 问题答案: 这是答案,对不起..但是您的解决方案不正确 paxdiablo 是否重写了该错误,或者您获得了某种从图像读取文本的软件(如果有)?