Trying to parse a WS2016-generated PKCS12 with Java Keystore: PKCS12 integrity check failed

Time: 2018-04-20 20:13:04

Tags: java cryptography keystore pfx pkcs#12

I am trying to parse a PKCS12 certificate into an X.509 certificate and a private key using Java KeyStore:

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// pkcs12Certificate is the InputStream of the PFX file, password its import password
final KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
keystore.load(pkcs12Certificate, password.toCharArray());
final Enumeration<String> aliases = keystore.aliases();
final String alias = aliases.nextElement();
final PrivateKey key = (PrivateKey) keystore.getKey(alias, password.toCharArray());
final X509Certificate publicCertificate = (X509Certificate) keystore.getCertificate(alias);
return create(clientId, key, publicCertificate);

This works for certificates built by windows-server-2012. We have updated the VM to windows-server-2016, and this broke the code with the following error:

Exception in thread "main" java.io.IOException: Integrity check failed: 
java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2146)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at com.company.AsymmetricKeyCredential.create(AsymmetricKeyCredential.java:164)
at com.company.Main.main(Main.java:29)
Caused by: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2142)
... 3 more

After some digging, it seems windows-server-2016 changed the way it formats PKCS12 and PFX certificates. Specifically:

Pre-RS1, PKCS7 EncryptedData was used for the CertBag; in RS1 this was switched to PKCS7 Data. There are several AuthSafe content options for the CertBag:

AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    -- Data if unencrypted
    -- EncryptedData if password-encrypted
    -- EnvelopedData if public key-encrypted

It looks like this switch may be what causes the Java KeyStore to fail, but I am not sure how to fix it. I can parse the certificate with OpenSSL, so I know the certificate itself is not the problem. We have to support certificates from WS2016, so any insight is much appreciated.
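A small check, added here and not part of the question or of the JDK, that reads the outer PKCS#12 layers (PFX, authSafe ContentInfo, AuthenticatedSafe) and lists which ContentInfo types the AuthenticatedSafe holds, so a file can be classified as pre-RS1 style (EncryptedData) or RS1 style (Data) before it is handed to KeyStore.load. It assumes definite-length DER input and ignores the MacData; the sample PFX at the bottom is constructed inline for offline use.

```python
# Added diagnostic, not code from the question: walk the outer layers of a
# DER-encoded PKCS#12 file and report which ContentInfo types its AuthenticatedSafe
# carries (Data vs EncryptedData). Assumes definite-length DER, not indefinite BER.
OID_NAMES = {"1.2.840.113549.1.7.1": "data",
             "1.2.840.113549.1.7.6": "encryptedData",
             "1.2.840.113549.1.7.3": "envelopedData"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0      # first byte packs two arcs
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def auth_safe_content_types(pfx):
    """List the ContentInfo type names inside the PFX's AuthenticatedSafe."""
    _, pfx_body, _ = _read_tlv(pfx, 0)              # PFX ::= SEQUENCE
    _, _, pos = _read_tlv(pfx_body, 0)              # version INTEGER (3)
    _, authsafe_ci, _ = _read_tlv(pfx_body, pos)    # authSafe ContentInfo
    _, _, pos = _read_tlv(authsafe_ci, 0)           # contentType (id-data)
    _, explicit, _ = _read_tlv(authsafe_ci, pos)    # [0] EXPLICIT content
    _, octets, _ = _read_tlv(explicit, 0)           # OCTET STRING
    _, seq, _ = _read_tlv(octets, 0)                # AuthenticatedSafe
    types, pos = [], 0
    while pos < len(seq):                           # SEQUENCE OF ContentInfo
        _, ci_body, pos = _read_tlv(seq, pos)
        _, oid, _ = _read_tlv(ci_body, 0)
        types.append(OID_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
    return types

# Constructed sample PFX (version 3, no MacData): one Data and one EncryptedData
# ContentInfo, both with empty content; short-form DER lengths only.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def _content_info(oid_hex, content):
    return _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0xA0, content))
SAMPLE_AUTH_SAFE = _tlv(0x30, _content_info("2a864886f70d010701", _tlv(0x04, b""))
                        + _content_info("2a864886f70d010706", _tlv(0x30, b"")))
SAMPLE_PFX = _tlv(0x30, _tlv(0x02, b"\x03")
                  + _content_info("2a864886f70d010701", _tlv(0x04, SAMPLE_AUTH_SAFE)))
```

Run auth_safe_content_types on the bytes of a real .pfx to see whether the certificate container is carried as plain Data, which is the RS1 change the question describes.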

1 answer:

Answer 0: (score: 0)

This is a JDK 8 bug, and it has been resolved. https://bugs.openjdk.java.net/browse/JDK-8202299