我有一个由openssl生成的带有“ trustout”的CA证书,所以它以“ ----- BEGIN TRUSTED CERTIFICATE -----”开头,当我尝试使用Java读取它时,抛出异常。 Java是否支持这种格式的证书?如果是这样,如何阅读?
public class TestReadCerts {
public static void main(String[] args) {
// TODO Auto-generated method stub
String sslrootcertfile = "F:\\javaworkspace\\opensource\\certs\\ca.pem";
FileInputStream fis=null;
try {
fis = new FileInputStream(sslrootcertfile); // NOSONAR
} catch (FileNotFoundException ex) {
ex.printStackTrace();
}
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Object[] certs = cf.generateCertificates(fis).toArray(new Certificate[]{});
} catch (Exception e) {
e.printStackTrace();
}
}
}
例外: java.security.cert.CertificateException:无法初始化,
java.io.IOException: extra data given to DerValue constructor
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:191)
at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
at TestReadCerts.main(TestReadCerts.java:21)
Caused by: java.io.IOException: extra data given to DerValue constructor
at java.base/sun.security.util.DerValue.init(DerValue.java:409)
at java.base/sun.security.util.DerValue.<init>(DerValue.java:294)
at java.base/sun.security.util.DerValue.<init>(DerValue.java:305)
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
... 4 more
证书如下:
-----BEGIN TRUSTED CERTIFICATE-----
MIICATCCAWoCCQDjKSwZBsrQwTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTE5MDQwMzE0NDcwMVoXDTIwMDQwMjE0NDcwMVowRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyRCB
rbB/FqN6e9IAJ86WUUGxM+8vEyfQ7cn2HWca220NB/Ns3Q+QtvztSe48PUzn9w6s
MNOwsDW4+8lenPLd78J32lG59x1P1R1jpjL3GcjNTwuewW1jIsex8jALzfU9hJzO
prraO/6X+UbKbazXt6GiB7mOlUvneKsWuoGpF5MCAwEAATANBgkqhkiG9w0BAQsF
AAOBgQCN1UJF/FdT84bzEn1kmg77b+LCCrU11DsFg/s/ABvo5TKV+OmilBPj1vML
dbZ4GDQSaXKZAOyJiAp0S5BzHXlXz5YfX9sM4mfhaqZt736WAnKVSnzd55CjMlEk
GxW3TkRFL5cVm5my1UQs3Mfg4MC5QPaoer5kc+0UhMHmTlgyvTAMMAoGCCsGAQUF
BwMB
-----END TRUSTED CERTIFICATE-----
答案 0 :(得分:3)
PEM类型“ TRUSTED CERTIFICATE”是Java无法开箱即用的特定于OpenSSL的非标准格式。它实际上包含标准的X.509证书,作为一个DER块 plus 另一个OpenSSL定义的DER信任信息块。
如果您具有OpenSSL,最简单的方法是使用openssl x509 <in >out转换为标准的'CERTIFICATE'格式。您可以像Misantorp一样 添加-outform DER,但这不是必需的; CertificateFactory可以读取DER或PEM中的标准格式,因为OpenSSL不精确地调用它们。
如果您从https://www.BouncyCastle.org获得或可以使用bcpkix和bcprov,则它们包括处理此OpenSSL PEM格式(以及许多其他格式)的例程:
// assumes filename in args[0], adjust as needed
Object both = new PEMParser(new FileReader(args[0])).readObject();
// should close the FileReader, maybe using try-resources
byte[] cert = ((X509TrustedCertificateBlock)both).getCertificateHolder().getEncoded();
X509Certificate good = (X509Certificate) CertificateFactory.getInstance("X.509")
.generateCertificate(new ByteArrayInputStream(cert));
System.out.println (good.getSubjectX500Principal().getName());
否则,可以手工分解DER,但笨拙且不稳固:
String in1 = new String(Files.readAllBytes(new File(args[0]).toPath()));
byte[] both = Base64.getMimeDecoder().decode(in1.replaceAll("-----[A-Z ]*-----\\r?\\n",""));
if( both[0]!=0x30 || both[1]!=(byte)0x82 ) throw new Exception("wrong!"); // or other handling
byte[] cert = Arrays.copyOf(both, (both[2]<<8 | both[3]&0xFF) + 4);
X509Certificate good = (X509Certificate) CertificateFactory.getInstance("X.509")
.generateCertificate(new ByteArrayInputStream(cert));
System.out.println (good.getSubjectX500Principal().getName());
答案 1 :(得分:2)
也请查看dave_thompson_085的答案,因为它指出了我的理解上的一些错误,因此,此答案也如此
您的问题是尝试使用PEM读取CertificateFactory编码的证书,该证书期望the documentation中所述的DER编码
对于X.509证书的证书工厂, inStream中提供的证书必须经过DER编码,并且可能是 以二进制或可打印(Base64)编码提供。
我认为读取证书的最快方法是将证书转换为适当的编码。由于您已经提到使用openssl生成证书,因此可以将当前证书编码为DER
$ openssl x509 -in /F/javaworkspace/opensource/certs/ca.pem -outform DER -out /F/javaworkspace/opensource/certs/ca.der
(根据需要调整到ca.pem和ca.der的路径)
最后,不要忘记更新sslrootcertfile变量
String sslrootcertfile = "F:\\javaworkspace\\opensource\\certs\\ca.der";