我正在尝试配置使用除cacerts之外的密钥库,但是我得到以下错误:
javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966) ~[sunjce_provider.jar:1.8.0_60]
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824) ~[sunjce_provider.jar:1.8.0_60]
at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:399) ~[sunjce_provider.jar:1.8.0_60]
at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:431) ~[sunjce_provider.jar:1.8.0_60]
at javax.crypto.Cipher.doFinal(Cipher.java:2165) ~[na:1.8.0_60]
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:348) ~[na:1.8.0_60]
... 18 common frames omitted
Wrapped by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:410) ~[na:1.8.0_60]
at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_60]
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_60]
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_60]
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_60]
at org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory.getKeyManagers(UndertowEmbeddedServletContainerFactory.java:304) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
... 13 common frames omitted
Wrapped by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
at org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory.getKeyManagers(UndertowEmbeddedServletContainerFactory.java:308) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory.configureSsl(UndertowEmbeddedServletContainerFactory.java:258) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory.createBuilder(UndertowEmbeddedServletContainerFactory.java:244) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory.getEmbeddedServletContainer(UndertowEmbeddedServletContainerFactory.java:221) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.createEmbeddedServletContainer(EmbeddedWebApplicationContext.java:158) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.onRefresh(EmbeddedWebApplicationContext.java:130) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
... 8 common frames omitted
Wrapped by: org.springframework.context.ApplicationContextException: Unable to start embedded container; nested exception is java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.onRefresh(EmbeddedWebApplicationContext.java:133) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:531) ~[spring-context-4.2.1.RELEASE.jar:4.2.1.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:118) ~[spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:667) [spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.SpringApplication.doRun(SpringApplication.java:342) [spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:273) [spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:980) [spring-boot-1.3.0.M5.jar:1.3.0.M5]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:969) [spring-boot-1.3.0.M5.jar:1.3.0.M5]
正确设置了所有javax.net.ssl.*属性。
我为生成密钥库而采取的步骤是:
首先生成私钥:
openssl genrsa -out KEY_FILE.key -aes128 -passout pass:KEY_PASS 2048
CSR:
openssl req -new -sha256 -key KEY_FILE.key -out CSR_FILE.csr
在我的内部CA签名后,我使用生成的CERT_FILE.crt创建密钥库:
openssl pkcs12 -export -in CERT_FILE.crt -inkey KEY_FILE.key -name NAME -certfile ROOT_CERT.crt -caname ROOT_NAME -passin pass:KEY_PASS -passout pass:STORE_PASS -out keystore.pfx
从我到目前为止所读到的,该错误通常是由密码问题引起的,但我的代码使用密钥和密钥库的正确密码。此外,还有:
openssl pkcs12 -info -in keystore.pfx
使用STORE_PASS和KEY_PASS我可以正确查看密钥库中的所有内容。
有关我应该在哪里进一步调查的任何提示?
答案 0 :(得分:3)
仅使用STORE_PASS。
Java并不像在JKS中那样支持PKCS#12中的单独storepass和keypass。实际上keytool试图阻止你指定不同的密码,虽然直到最近它至少错过了一个我知道的案例。在这里它甚至没有涉及。
更重要的是,openssl pkcs12 -export 仅使用一个密码创建 PKCS#12。 -passin仅用于解密输入密钥文件;它不用于输出PKCS#12,仅使用-passout。 pkcs12 -export -twopass确实使用了两个密码(必须提示),一个用于MAC,一个用于两个blob,但是如果你这样做,那么Java无法读取结果。
或者,如果您确实需要不同的密码,请转换为JKS:
keytool -importkeystore -srckeystore ks.p12 -srcstoretype PKCS12 \
-srcstorepass STORE_PASS -destkeystore ks.jks -deststorepass STORE_PASS
keytool -keypasswd -alias 1 -keystore ks.jks -storepass STORE_PASS -new KEY_PASS