Xades4j:密钥库无法初始化

时间:2019-01-28 15:08:40

标签: java certificate keystore xades4j

我正在尝试将Windows中最近安装的证书导入到Java中,以便与xades4j一起使用。不幸的是,关于证书和密钥之类的东西,我还很陌生。

但是,每次运行程序时,都会出现以下错误:

>xades4j.verification.UnexpectedJCAException: The keystore couldn't be initialized
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:179)
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.getSigningCertificateChain(KeyStoreKeyingDataProvider.java:189)
    at xades4j.production.SignerBES.sign(SignerBES.java:159)
    at xades4j.production.SignerBES.sign(SignerBES.java:130)
    at com.logic.test.signBes(test.java:138)
    at com.logic.test.<init>(test.java:80)
    at com.view.FrmMenu.<init>(FrmMenu.java:41)
    at com.view.FrmMenu$9.run(FrmMenu.java:289)
    at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
    at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
    at java.awt.EventQueue.access$500(EventQueue.java:97)
    at java.awt.EventQueue$3.run(EventQueue.java:709)
    at java.awt.EventQueue$3.run(EventQueue.java:703)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
    at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: java.security.KeyStoreException: KeyStore instantiation failed
    at java.security.KeyStore$Builder$FileBuilder.getKeyStore(KeyStore.java:1862)
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:175)
    ... 21 more
Caused by: java.io.IOException: DER input, Integer tag error
    at sun.security.util.DerInputStream.getInteger(DerInputStream.java:192)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1940)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at java.security.KeyStore$Builder$FileBuilder$1.run0(KeyStore.java:1848)
    at java.security.KeyStore$Builder$FileBuilder$1.run(KeyStore.java:1807)
    at java.security.KeyStore$Builder$FileBuilder$1.run(KeyStore.java:1796)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.KeyStore$Builder$FileBuilder.getKeyStore(KeyStore.java:1858)
    ... 22 more
>

我需要使用XaDeS-BES格式签署XML文档。我已经从光盘中导入了密钥(或证书?),并且它在Windows可信根证书颁发机构证书中。我从Windows证书管理器(certmgr.msc)将其导出到C驱动器的根目录上。

我发现one post on this website提到尝试通过以下方法初始化KeyStore:

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);

不幸的是,没有变化。

我基于the example wiki使用的代码:

private static final String CERT_FOLDER = "C:/";
private static final String CERT        = "testkey.cer";

private static final String PASS        = "test1234"; //the same in cert and keystorage
private static final String SIGNED      = "persistent/xml/001-001-000000000new1.xml";
private static final String DOCUMENT    = "persistent/xml/001-001-000000000.xml";

private static void signBes() throws Exception {
    Document doc = DocumentBuilderFactory
            .newInstance()
            .newDocumentBuilder()
            .parse(new File(DOCUMENT));
    Element elem = doc.getDocumentElement();
    DOMHelper.useIdAsXmlId(elem);

    KeyingDataProvider kdp = new FileSystemKeyStoreKeyingDataProvider(
            "pkcs12",
            CERT_FOLDER + CERT,
            new FirstCertificateSelector(),
            new DirectPasswordProvider(PASS),
            new DirectPasswordProvider(PASS),
            true);
    DataObjectDesc obj = new DataObjectReference("#" + elem.getAttribute("Id"))
            .withTransform(new EnvelopedSignatureTransform());
    SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj);

//        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
//        ks.load(null, null);

    XadesSigner signer = new XadesBesSigningProfile(kdp).newSigner();
    signer.sign(dataObjs, elem);

    TransformerFactory tFactory = TransformerFactory.newInstance();
    Transformer transformer = tFactory.newTransformer();
    DOMSource source = new DOMSource(doc);        
    StreamResult result = new StreamResult(new File(SIGNED));
    transformer.transform(source, result);
}

谢谢您的帮助。

2 个答案:

答案 0 :(得分:0)

要执行签名操作,您需要密钥/证书配对,即PKCS12容器。在Windows上,该对通常是.pfx.p12文件。我不确定是什么问题,但是以下一些注意事项可能会对您有所帮助:

  • 用于签名的证书通常是“个人”证书,而不是受信任的机构根证书。
  • 根证书是属于通常向其他主体发出证书的实体的证书。
  • 验证证书过程的一部分是建立从主题证书到根证书的信任链。在Windows上,可信根证书位于您提到的商店中:“ Windows可信根证书颁发机构”。您的签名证书可能不应该在那里。
  • 由于您正在执行签名操作(用于BES签名)并使用FileSystemKeyStoreKeyingDataProvider,因此信任链实际上不那么相关。当您验证签名时,它将变得很重要。
  • 从您的代码看来,您似乎只有证书文件(.cer)。我不知道您最初是如何获得证书的,但是应该与密钥一起提供的,可能是捆绑在受密码保护的.pfx文件中。
  • 创建FileSystemKeyStoreKeyingDataProvider时,您应该 传递PKCS12文件(例如.pfx
  • 如果您已在其他Windows商店中安装了证书,请尝试使用密钥将其导出(如果可能的话,取决于首先导入的方式)。

希望这会有所帮助。

答案 1 :(得分:0)

在我的情况下,密码错误

相关问题
最新问题