2015-02-11 143 views
0

I have a .cer file that was signed by someone else. From it I created a .jks private key file using the tool below, so that I could get the private key from the keystore:

keytool -importcert -file aaa.cer -keystore aaa.jks -alias abcd

Output:

Owner: CN=Sample, [email protected], C=IN, OU=Director, O=ABCDEF 
Issuer: C=IN, O=ABCDEF, CN=Owner 
Serial number: 1 
Valid from: Fri Feb 20 17:11:48 IST 2015 until: Mon Feb 19 17:11:48 IST 2018 
Certificate fingerprints: 
     MD5: 59:9A:1C:FA:F7:F3:45:CA:06:1D:FA:AA:13:B7:68:1C 
     SHA1: 3B:4E:4B:5A:57:9E:DC:D6:3E:3C:EB:18:91:60:B6:EA:9D:FB:6E:DA 
     SHA256: 37:04:49:08:0A:2E:1D:5D:58:51:0E:69:C3:85:5C:45:55:F0:D9:6B:27:EE:99:6B:E7:08:B7:4A:EA:E0:83:EC 
     Signature algorithm name: SHA1withRSA 
     Version: 3 
Trust this certificate? [no]: yes 
Certificate was added to keystore 

I need to sign an XML document with the same certificate, so I wrote the following code:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document inputDocument = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xmlDoc)));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("../cer/aaa.jks"), "xxxxxxx".toCharArray());
KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("abcd", new KeyStore.PasswordProtection("xxxxxxx".toCharArray())); // line 6: the exception is thrown here
X509Certificate x509Cert = (X509Certificate) keyEntry.getCertificate();
XMLSignatureFactory fac = XMLSignatureFactory.getInstance(MEC_TYPE);
// Enveloped signature over the whole document (WHOLE_DOC_URI is the "" reference)
Reference ref = fac.newReference(WHOLE_DOC_URI, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
SignedInfo sInfo = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
KeyInfo kInfo = getKeyInfo(x509Cert, fac);
DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), inputDocument.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(sInfo, kInfo);
signature.sign(dsc);
Node node = dsc.getParent();
Document signedDocument = node.getOwnerDocument();
// Serialize the signed DOM back to a string
StringWriter stringWriter = new StringWriter();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.transform(new DOMSource(signedDocument), new StreamResult(stringWriter));
return stringWriter.getBuffer().toString();

But I keep getting an exception at line 6.

Stack trace:

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected 
    at java.security.KeyStoreSpi.engineGetEntry(Unknown Source) 
    at java.security.KeyStore.getEntry(Unknown Source) 

Please help me with how to solve this problem. Thanks.

+0

Please don't post pictures of output here. Copy and paste the *text*. It's easy. Otherwise you waste other people's bandwidth, reduce legibility, prevent further copy/paste, and generally reduce your chances of getting an answer. – EJP 2015-02-11 07:53:18

Answer

1

A .cer file contains only the public key and some signature information from the CA, so there is no private key in your keystore to retrieve. What you did by importing the .cer file was add it to the set of certificates the JVM will trust.

What you need to make this work is the private key file that was used to generate the certificate signing request for this certificate. If it was not created in a Java keystore with keytool, some extra steps may be necessary, since you can't import a private key and a certificate directly into a .jks file but have to create an intermediate PKCS12 keystore, for example. With openssl this could work like this:

# Create PKCS12 keystore from private key and public certificate. 
openssl pkcs12 -export -name myservercert -in certificate.cer -inkey server.key -out keystore.p12 
# Convert PKCS12 keystore into a JKS keystore 
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias abcd 
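An added example (not code from the question or the answer) showing how to tell a trusted-certificate entry apart from a private-key entry before calling getEntry(), which avoids the UnsupportedOperationException in the question. The keystore path, password and alias are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStore.PrivateKeyEntry;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

// Added example (not from the question or answer): inspect a JKS keystore and
// only call getEntry() with a PasswordProtection when the alias really holds a
// private key. Path, password and alias are placeholders.
public class KeyStoreEntryCheck {

    /** Returns the private-key entry for alias, or fails with a message saying what the alias actually is. */
    public static PrivateKeyEntry loadSigningEntry(KeyStore ks, String alias, char[] password) throws Exception {
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias '" + alias + "' not found; aliases: " + Collections.list(ks.aliases()));
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            // This is what 'keytool -importcert' creates: a public certificate only.
            // getEntry(alias, PasswordProtection) on such an entry throws
            // UnsupportedOperationException: trusted certificate entries are not password-protected.
            throw new IllegalStateException("alias '" + alias + "' is a trusted-certificate entry (no private key); "
                + "import the key pair through a PKCS12 keystore instead");
        }
        if (!ks.entryInstanceOf(alias, PrivateKeyEntry.class)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private-key entry");
        }
        return (PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(password));
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();            // placeholder
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("aaa.jks")) { // placeholder path
            ks.load(in, password);
        }
        // List every alias with its entry type so the problem is visible before signing.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            String kind = ks.isKeyEntry(a) ? "key entry"
                        : ks.isCertificateEntry(a) ? "trusted certificate entry" : "other";
            System.out.println(a + ": " + kind);
        }
        PrivateKeyEntry entry = loadSigningEntry(ks, "abcd", password);
        X509Certificate cert = (X509Certificate) entry.getCertificate();
        System.out.println("Signing as " + cert.getSubjectX500Principal()
            + " with a " + entry.getPrivateKey().getAlgorithm() + " key");
    }
}
```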
+0

What is this 'server.key' file? Sorry, I am new to this. – 2015-02-11 07:25:45

+0

That is the PEM file containing the private key - but you may also already have it in a jks file. Your main challenge right now is to find out somehow where your private key is stored. – 2015-02-11 07:31:09