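Trying to do something that seems very simple but isn't working. I exported the Java keystore certificate and private key to a .pem file so that I can load them into a C++ SSL client. I used these commands.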
C:\temp> keytool -importkeystore -srckeystore client.jks \
-destkeystore client.p12 -srcstoretype jks \
-deststoretype pkcs12
C:\temp> openssl pkcs12 -in client.p12 -out client.pem
Then I split the certificate and private key into separate .pem files. I put the private key into client-privkey.pem. Here is its content.
Bag Attributes
friendlyName: clientkeys
localKeyID: 54 69 6D 65 20 31 34 30 32 35 39 35 37 37 32 39 32 34
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
In my C++ client, I loaded the certificate and key like this
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
X509 *server_cert;
SSL_library_init();
/* Load the error strings for SSL & CRYPTO APIs */
SSL_load_error_strings();
/* Create an SSL_METHOD structure (choose an SSL/TLS protocol version) */
meth = SSLv3_method();
/* Create an SSL_CTX structure */
ctx = SSL_CTX_new(meth);
RETURN_NULL(ctx);
char pkpassphrase[] = "password";
int pkpplen = strlen (pkpassphrase);
if( pkpplen > 0 )
{
    SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) pkpassphrase);
}
/* Load the client certificate into the SSL_CTX structure */
if (SSL_CTX_use_certificate_file(ctx, "certs\\client-cert.pem", SSL_FILETYPE_PEM) <= 0)
{
    ERR_print_errors_fp(stderr);
    exit(1);
}
/* Load the private-key corresponding to the client certificate */
if (SSL_CTX_use_PrivateKey_file(ctx, "certs\\client-privkey.pem", SSL_FILETYPE_PEM) <= 0)
{
    ERR_print_errors_fp(stderr);
    exit(1);
}
The certificate loads without error. But the SSL_CTX_use_certificate_file() call returns these errors.
4640:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.\crypto\evp\evp_pbe.c:89:TYPE=PBES2
4640:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:.\crypto\pkcs12\p12_decr.c:83:
4640:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:123:
4640:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:.\crypto\pem\pem_pkey.c:125:
4640:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:.\ssl\ssl_rsa.c:669:
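I have no problem using these certificates and keys from the Java keystore in a Java client. What am I missing? How do you do this? Any help would be highly appreciated. Thanks.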