我有一个CA证书,由openssl生成,带有“trustout”,因此它以“----- BEGIN TRUSTED CERTIFICATE -----”开头,当我尝试用Java读取它时,异常抛出。 Java是否支持这种格式的证书?如果是这样,如何阅读?
public class TestReadCerts {
public static void main(String[] args) {
// TODO Auto-generated method stub
String sslrootcertfile = "F:\\javaworkspace\\opensource\\certs\\ca.pem";
FileInputStream fis=null;
try {
fis = new FileInputStream(sslrootcertfile); // NOSONAR
} catch (FileNotFoundException ex) {
ex.printStackTrace();
}
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Object[] certs = cf.generateCertificates(fis).toArray(new Certificate[]{});
} catch (Exception e) {
e.printStackTrace();
}
}
}
例外:java.security.cert.CertificateException:无法初始化,
java.io.IOException: extra data given to DerValue constructor
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:191)
at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
at TestReadCerts.main(TestReadCerts.java:21)
Caused by: java.io.IOException: extra data given to DerValue constructor
at java.base/sun.security.util.DerValue.init(DerValue.java:409)
at java.base/sun.security.util.DerValue.<init>(DerValue.java:294)
at java.base/sun.security.util.DerValue.<init>(DerValue.java:305)
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
... 4 more
证书如下:
-----BEGIN TRUSTED CERTIFICATE-----
MIICATCCAWoCCQDjKSwZBsrQwTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTE5MDQwMzE0NDcwMVoXDTIwMDQwMjE0NDcwMVowRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyRCB
rbB/FqN6e9IAJ86WUUGxM+8vEyfQ7cn2HWca220NB/Ns3Q+QtvztSe48PUzn9w6s
MNOwsDW4+8lenPLd78J32lG59x1P1R1jpjL3GcjNTwuewW1jIsex8jALzfU9hJzO
prraO/6X+UbKbazXt6GiB7mOlUvneKsWuoGpF5MCAwEAATANBgkqhkiG9w0BAQsF
AAOBgQCN1UJF/FdT84bzEn1kmg77b+LCCrU11DsFg/s/ABvo5TKV+OmilBPj1vML
dbZ4GDQSaXKZAOyJiAp0S5BzHXlXz5YfX9sM4mfhaqZt736WAnKVSnzd55CjMlEk
GxW3TkRFL5cVm5my1UQs3Mfg4MC5QPaoer5kc+0UhMHmTlgyvTAMMAoGCCsGAQUF
BwMB
-----END TRUSTED CERTIFICATE-----
PEM类型'TRUSTED CERTIFICATE'是一种特定于OpenSSL的非标准格式,Java无法开箱即用。它实际上包含标准X.509证书作为一个DER块和另一个OpenSSL定义的DER信任信息块。
如果您有OpenSSL,最简单的方法是使用openssl x509 <in >out转换为标准的'CERTIFICATE'格式。你可以像Misantorp那样添加-outform DER,但不需要它; CertificateFactory可以读取DER或PEM中的标准格式,因为OpenSSL不恰当地调用它们。
如果你有或者可以从https://www.BouncyCastle.org获得并使用bcpkix和bcprov,它们包含处理这个OpenSSL PEM格式的例程(以及许多其他格式):
// assumes filename in args[0], adjust as needed
Object both = new PEMParser(new FileReader(args[0])).readObject();
// should close the FileReader, maybe using try-resources
byte[] cert = ((X509TrustedCertificateBlock)both).getCertificateHolder().getEncoded();
X509Certificate good = (X509Certificate) CertificateFactory.getInstance("X.509")
.generateCertificate(new ByteArrayInputStream(cert));
System.out.println (good.getSubjectX500Principal().getName());
否则,可以用手分解DER,但是笨拙且不可靠:
String in1 = new String(Files.readAllBytes(new File(args[0]).toPath()));
byte[] both = Base64.getMimeDecoder().decode(in1.replaceAll("-----[A-Z ]*-----\\r?\\n",""));
if( both[0]!=0x30 || both[1]!=(byte)0x82 ) throw new Exception("wrong!"); // or other handling
byte[] cert = Arrays.copyOf(both, (both[2]<<8 | both[3]&0xFF) + 4);
X509Certificate good = (X509Certificate) CertificateFactory.getInstance("X.509")
.generateCertificate(new ByteArrayInputStream(cert));
System.out.println (good.getSubjectX500Principal().getName());
请查看dave_thompson_085的答案,因为它指出了我的理解中的一些不准确之处,因此这个答案
您的问题是尝试使用PEM读取CertificateFactory编码的证书,该证书需要DER中所述的the documentation编码
对于X.509证书的证书工厂,inStream中提供的证书必须是DER编码的,并且可以以二进制或可打印(Base64)编码提供。
我认为读取证书的最快方法是将证书转换为适当的编码。由于您已经提到使用openssl生成证书,您可以将当前证书编码为DER
$ openssl x509 -in /F/javaworkspace/opensource/certs/ca.pem -outform DER -out /F/javaworkspace/opensource/certs/ca.der
(根据需要调整ca.pem和ca.der的路径)
最后,不要忘记更新sslrootcertfile变量
String sslrootcertfile = "F:\\javaworkspace\\opensource\\certs\\ca.der";