Why can't Java read my PKCS#12 (generated by openssl)?


OpenSSL 1.0.2k-fips

openjdk-17.0.1

I use OpenSSL to generate a PKCS12 file. My Java keystore cannot read it.

My openssl commands (rootca.key is the private key; rootca.crt is the self-signed certificate):

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout out.key -out out.csr -subj /C=CN/CN=-1040310296

openssl x509 -req -CA rootca.crt -CAkey rootca.key -days 365 -in out.csr -out out.crt -CAcreateserial -extensions v3_ca -extfile ./openssl.cnf

openssl pkcs12 -export -in out.crt -inkey out.key -chain -CAfile rootca.crt -name server -out out.p12 -password pass:Ff5evzT0tr

When I use my Java program to read this PKCS12 file, an exception is caught:

Java code:

KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(p12keyI, "Ff5evzT0tr".toCharArray());

Exception:

java.io.IOException: Tag number over 30 is not supported
        at java.base/sun.security.util.DerValue.<init>(DerValue.java:414)
        at java.base/sun.security.util.DerValue.<init>(DerValue.java:459)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2012)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)

I can read it with the openssl command:

openssl pkcs12 -in out.p12 -password pass:Ff5evzT0tr -info -nodes 

I cannot read it with the Java program or with the keytool command:

keytool -list -v -storetype PKCS12 -keystore output.p12 -storepass Ff5evzT0tr

keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:946)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: java.io.IOException: Only named ECParameters supported
        ... 6 more

I would like to know what causes this problem and how to solve it. Thank you all.

java openssl keytool pkcs#12