Using IBM JDK with a JCE provider signed by the Oracle JCE Code Signing CA

Date: 2019-06-12 09:23:22

Tags: jce ibm-jdk

I am trying to use a custom JCE provider with IBM JDK 1.8. The JCE provider has been signed with the Oracle JCE Code Signing CA, but the JDK has trouble verifying the jar's signature.

My guess is that somewhere in the JDK package there is a keystore holding an old Oracle JCE Code Signing CA, and since the provider was recently signed with a newer certificate, I may have to replace that CA certificate with the newer one. It is not in the cacerts store. Note that the same code and provider work fine with Oracle JDK 7, 8 and 11.

Sample code that triggers the error (the real code is different but shows the same symptom):

import javax.crypto.KeyGenerator;

public class Main {

    public static void main(String[] args) {
        try {
            // Requesting the provider by name forces the JCE framework to
            // authenticate the provider jar (verify its signature and chain).
            KeyGenerator kg = KeyGenerator.getInstance("AES", "nCipherKM");
            System.out.println("Provider: " + kg.getProvider().toString());
        } catch (Exception e) {
            // NoSuchProviderException is thrown if the jar is not trusted.
            e.printStackTrace();
        }
    }
}

Output:

java.security.NoSuchProviderException: JCE cannot authenticate the provider nCipherKM
    at javax.crypto.b.a(Unknown Source)
    at javax.crypto.KeyGenerator.getInstance(Unknown Source)
    at Main.main(Main.java:7)
Caused by: java.util.jar.JarException: file:/opt/ibm/java-x86_64-80/jre/lib/ext/nCipherKM.jar is not signed by a trusted signer.
    at javax.crypto.a.a(Unknown Source)
    at javax.crypto.a.a(Unknown Source)
    at javax.crypto.a.a(Unknown Source)
    at javax.crypto.b.b(Unknown Source)
    at javax.crypto.b.a(Unknown Source)
    ... 3 more

Process finished with exit code 0

jarsigner output when I try to verify the provider signature:

$ /opt/ibm/java-x86_64-80/bin/java -version
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 8.0.5.35 - pxa6480sr5fp35-20190418_01(SR5 FP35))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20190417_414854 (JIT enabled, AOT enabled)
OpenJ9   - 777635f
OMR      - 16b77d7
IBM      - 72459d3)
JCL - 20190409_01 based on Oracle jdk8u211-b25

$ /opt/ibm/java-x86_64-80/bin/jarsigner -verify -certs /opt/ibm/java-x86_64-80/jre/lib/ext/nCipherKM.jar 

jar verified.

Warning: 
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error

Re-run with the -verbose and -certs options for more details.
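The jarsigner warning above says the chain ends at the "JCE Code Signing CA" issuer and that jarsigner (which checks against cacerts) cannot build a path to it. The following is an added example, not code from the question or from the provider vendor: it does by hand what the framework does when authenticating a provider jar, reading every entry so the signatures are checked, printing each signer's certificate chain (subject, issuer, validity), and reporting whether the top of the chain is anchored in a keystore you name. The keystore path, its password (assumed to default to "changeit") and the class name JarSignerCheck are all assumptions of this example. Note that in Oracle's JDK the JCE framework holds its own set of provider-signing trust anchors rather than reading them from cacerts, so "not anchored in cacerts" on its own does not decide the question; the example is a way to see exactly which CA signed the jar and to compare it against any keystore you suspect, including one you extract from the JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {

    /**
     * Collect the distinct signer certificate chains of a jar. JarFile is
     * opened with verify=true, so each entry must be read to the end before
     * its signers are available; a tampered entry throws SecurityException.
     */
    static Set<List<? extends Certificate>> signerChains(String jarPath) throws Exception {
        Set<List<? extends Certificate>> chains = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Signature files under META-INF/ are not themselves signed.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume so the digest is verified */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue; // unsigned entry
                for (CodeSigner s : signers) {
                    chains.add(s.getSignerCertPath().getCertificates());
                }
            }
        }
        return chains;
    }

    /**
     * True if some certificate in the keystore both names the issuer of the
     * chain's last certificate and actually verifies its signature. Matching
     * the DN alone is not enough: a CA re-issued under the same name but a
     * new key (the asker's hypothesis) would match by name and fail here.
     */
    static boolean anchoredIn(List<? extends Certificate> chain, KeyStore ks) throws Exception {
        X509Certificate top = (X509Certificate) chain.get(chain.size() - 1);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (!ca.getSubjectX500Principal().equals(top.getIssuerX500Principal())) continue;
            try {
                top.verify(ca.getPublicKey());
                return true;
            } catch (Exception sameNameDifferentKey) {
                // keep looking; another entry may carry the right key
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // usage: java JarSignerCheck <provider.jar> <keystore> [password]
        String jarPath = args[0];
        String ksPath = args[1];
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray(); // assumed default
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, pw);
        }
        for (List<? extends Certificate> chain : signerChains(jarPath)) {
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject: " + x.getSubjectX500Principal());
                System.out.println("issuer:  " + x.getIssuerX500Principal());
                System.out.println("valid:   " + x.getNotBefore() + " .. " + x.getNotAfter());
            }
            System.out.println("anchored in " + ksPath + ": " + anchoredIn(chain, ks));
        }
    }
}
```

Run it once against the JDK's cacerts to reproduce the jarsigner warning, and once against any other keystore you find in the JDK tree; if the signer chain's issuer matches a stored CA by name but anchoredIn() is false, the stored CA has the same DN but a different key, which is the symptom the question describes.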

0 answers:

No answers