The same p12 and intermediate PEM certificate are used in both the test and in production. The test fails on validator.validate(certPath, params)
with
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
AdaptableX509CertSelector.match: subject key IDs don't match.
I checked again: both certificates are there, the same ones that are added in the signer, but the subjectKeyId is always slightly different from the original.
Have been fighting this for 2 days and need a fresh pair of eyes. Thanks
Properties:
import org.springframework.core.io.Resource // assumed to be Spring's Resource, which provides inputStream

data class Properties(
    val intermediate: Resource, // Intermediate certificate to be in signature
    val keystore: Resource, // p12 extracted from main certificate
    val keystorePassword: String // password
)
Signer:
import org.bouncycastle.cert.jcajce.JcaCertStore
import org.bouncycastle.cms.CMSProcessableByteArray
import org.bouncycastle.cms.CMSSignedData
import org.bouncycastle.cms.CMSSignedDataGenerator
import org.bouncycastle.cms.CMSTypedData
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder
import org.bouncycastle.operator.ContentSigner
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder
import java.security.KeyStore
import java.security.PrivateKey
import java.security.cert.Certificate
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

data class PKCS7Signer(private val properties: Properties) {
    private val keystore: KeyStore = KeyStore.getInstance("PKCS12")
    private lateinit var alias: String
    private lateinit var privateKey: PrivateKey
    // Intermediate certificate loaded from the PEM resource
    private val intermediate = CertificateFactory.getInstance("X.509")
        .generateCertificate(properties.intermediate.inputStream) as X509Certificate
    private lateinit var certificates: MutableList<Certificate>
    private lateinit var certificate: X509Certificate

    init {
        keystore.load(properties.keystore.inputStream, properties.keystorePassword.toCharArray())
        // Pick the first key entry in the p12
        val aliases = keystore.aliases()
        while (aliases.hasMoreElements()) {
            alias = aliases.nextElement()
            if (keystore.isKeyEntry(alias)) {
                break
            }
        }
        certificate = keystore.getCertificate(alias) as X509Certificate
        privateKey = keystore.getKey(alias, properties.keystorePassword.toCharArray()) as PrivateKey
        certificates = keystore.getCertificateChain(alias)
            .toMutableList()
        certificates.add(intermediate)
    }

    fun sign(content: ByteArray): ByteArray {
        val contentToSign: CMSTypedData = CMSProcessableByteArray(content)
        val gen = CMSSignedDataGenerator()
        gen.addCertificates(JcaCertStore(listOf(certificate)))
        val sha1Signer: ContentSigner = JcaContentSignerBuilder("SHA1withRSA")
            .setProvider("BC")
            .build(privateKey)
        gen.addSignerInfoGenerator(
            JcaSignerInfoGeneratorBuilder(
                JcaDigestCalculatorProviderBuilder()
                    .setProvider("BC")
                    .build()
            ).build(sha1Signer, certificate)
        )
        gen.addSignerInfoGenerator(
            JcaSignerInfoGeneratorBuilder(
                JcaDigestCalculatorProviderBuilder()
                    .setProvider("BC")
                    .build()
            ).build(sha1Signer, intermediate)
        )
        val signature: CMSSignedData = gen.generate(contentToSign)
        return signature.encoded
    }
}
Test:
import org.bouncycastle.asn1.ASN1InputStream
import org.bouncycastle.asn1.BERSequence
import org.bouncycastle.asn1.DLSequence
import org.bouncycastle.asn1.cms.ContentInfo
import org.bouncycastle.asn1.cms.SignedData
import java.io.ByteArrayInputStream
import java.security.KeyStore
import java.security.cert.CertPath
import java.security.cert.CertPathValidator
import java.security.cert.Certificate
import java.security.cert.CertificateFactory
import java.security.cert.PKIXParameters
import java.security.cert.TrustAnchor
import java.security.cert.X509Certificate

val signature = pkcS7Signer.sign(classLoader.getResourceAsStream("manifest.json").readAllBytes())
// Parse the CMS structure and pull the embedded certificates out of SignedData
val obj: BERSequence = ASN1InputStream(signature).readObject() as BERSequence
val contentInfo: ContentInfo = ContentInfo.getInstance(obj)
val signedData: SignedData = SignedData.getInstance(contentInfo.content)
val certificates = signedData.certificates.objects
val certificateFactory = CertificateFactory.getInstance("X.509")
val certList = mutableListOf<Certificate>()
while (certificates.hasMoreElements()) {
    val certObj = certificates.nextElement() as DLSequence
    certList.add(certificateFactory.generateCertificate(ByteArrayInputStream(certObj.encoded)))
}
val certPath: CertPath = certificateFactory.generateCertPath(certList)
// Trust anchors: the key entry's certificate from the p12 plus the intermediate PEM
val keyStore = KeyStore.getInstance("PKCS12")
keyStore.load(
    classLoader.getResourceAsStream("certificate/main_certificate.p12"),
    "secret".toCharArray()
)
val aliases = keyStore.aliases()
var alias = ""
while (aliases.hasMoreElements()) {
    alias = aliases.nextElement()
    if (keyStore.isKeyEntry(alias)) {
        break
    }
}
val params = PKIXParameters(
    setOf(
        TrustAnchor(keyStore.getCertificate(alias) as X509Certificate, null),
        TrustAnchor(certificateFactory.generateCertificate(classLoader.getResourceAsStream("certificate/intermediate.pem")) as X509Certificate, null)
    )
)
val validator = CertPathValidator.getInstance("PKIX")
val result = validator.validate(certPath, params)
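Added example, not from the question's author: a stand-alone Kotlin program using Bouncy Castle (bcprov and bcpkix) that builds a throwaway root, intermediate and leaf chain in memory (constructed test data, not a real CA), signs with a single SignerInfo bound to the leaf certificate that owns the signing key, embeds the leaf and the intermediate in the SignedData, and verifies by PKIX-validating the path leaf, intermediate against the root as the only trust anchor. It also compares the leaf's AuthorityKeyIdentifier with the intermediate's SubjectKeyIdentifier, which is the comparison the JDK's trust-anchor selector (sun.security.provider.certpath.AdaptableX509CertSelector) makes before it logs "subject key IDs don't match". The function names (issue, keyIdsChain, sign, verify) and the subject names are this example's own.

```kotlin
import org.bouncycastle.asn1.x500.X500Name
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier
import org.bouncycastle.asn1.x509.BasicConstraints
import org.bouncycastle.asn1.x509.Extension
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier
import org.bouncycastle.cert.jcajce.*
import org.bouncycastle.cms.*
import org.bouncycastle.cms.jcajce.*
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.operator.jcajce.*
import java.math.BigInteger
import java.security.*
import java.security.cert.*
import java.util.Date

private val converter = JcaX509CertificateConverter().setProvider("BC")

// Issues one certificate of this example's throwaway chain (constructed data, not a real CA).
// issuer == null yields a self-signed root; otherwise the cert gets an AKI that points at the issuer's SKI.
fun issue(subject: String, pub: PublicKey, issuer: X509Certificate?, issuerKey: PrivateKey, ca: Boolean, serial: Long): X509Certificate {
    val utils = JcaX509ExtensionUtils()
    val now = Date()
    val issuerName = if (issuer == null) X500Name(subject) else JcaX509CertificateHolder(issuer).subject
    val builder = JcaX509v3CertificateBuilder(issuerName, BigInteger.valueOf(serial),
            Date(now.time - 60_000L), Date(now.time + 86_400_000L), X500Name(subject), pub)
        .addExtension(Extension.basicConstraints, true, BasicConstraints(ca))
        .addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(pub))
    if (issuer != null) builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(issuer))
    val signer = JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey)
    return converter.getCertificate(builder.build(signer))
}

// The comparison behind "subject key IDs don't match": the child's AKI key identifier must equal the issuer's SKI.
fun keyIdsChain(child: X509Certificate, issuer: X509Certificate): Boolean {
    val akiBytes = child.getExtensionValue(Extension.authorityKeyIdentifier.id) ?: return false
    val skiBytes = issuer.getExtensionValue(Extension.subjectKeyIdentifier.id) ?: return false
    val aki = AuthorityKeyIdentifier.getInstance(JcaX509ExtensionUtils.parseExtensionValue(akiBytes))
    val ski = SubjectKeyIdentifier.getInstance(JcaX509ExtensionUtils.parseExtensionValue(skiBytes))
    return aki.keyIdentifier?.contentEquals(ski.keyIdentifier) ?: false
}

// One SignerInfo, whose certificate is the leaf that owns leafKey. Leaf and intermediate both go into the
// certificates set so a verifier can build the path without an out-of-band copy of the intermediate.
fun sign(content: ByteArray, leaf: X509Certificate, leafKey: PrivateKey, intermediate: X509Certificate): ByteArray {
    val gen = CMSSignedDataGenerator()
    gen.addCertificates(JcaCertStore(listOf(leaf, intermediate)))
    val contentSigner = JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(leafKey)
    val digestProvider = JcaDigestCalculatorProviderBuilder().setProvider("BC").build()
    gen.addSignerInfoGenerator(JcaSignerInfoGeneratorBuilder(digestProvider).build(contentSigner, leaf))
    return gen.generate(CMSProcessableByteArray(content), true).encoded // true = encapsulate the content
}

// Checks the CMS signature, then PKIX-validates leaf -> intermediate with the root as the only trust anchor.
fun verify(cms: ByteArray, root: X509Certificate): PKIXCertPathValidatorResult {
    val signed = CMSSignedData(cms)
    val pool = signed.certificates.getMatches(null).map { converter.getCertificate(it) }
    val signerInfo = signed.signerInfos.signers.single()
    val leafHolder = signed.certificates.getMatches(signerInfo.sid).single()
    check(signerInfo.verify(JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(leafHolder))) { "CMS signature does not verify" }
    // Order the path from the signer's certificate upwards, stopping just below the trust anchor.
    val path = mutableListOf(converter.getCertificate(leafHolder))
    while (path.last().issuerX500Principal != root.subjectX500Principal) {
        val issuer = pool.firstOrNull { it != path.last() && it.subjectX500Principal == path.last().issuerX500Principal }
            ?: error("issuer of ${path.last().subjectX500Principal} is not in the SignedData")
        path.add(issuer)
    }
    val params = PKIXParameters(setOf(TrustAnchor(root, null)))
    params.isRevocationEnabled = false // the constructed chain publishes no CRL/OCSP; keep revocation on in production
    val certPath = CertificateFactory.getInstance("X.509").generateCertPath(path)
    return CertPathValidator.getInstance("PKIX").validate(certPath, params) as PKIXCertPathValidatorResult
}

fun main() {
    Security.addProvider(BouncyCastleProvider())
    val kpg = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }
    val rootKp = kpg.generateKeyPair()
    val intKp = kpg.generateKeyPair()
    val leafKp = kpg.generateKeyPair()
    val root = issue("CN=Example Root", rootKp.public, null, rootKp.private, true, 1)
    val intermediate = issue("CN=Example Intermediate", intKp.public, root, rootKp.private, true, 2)
    val leaf = issue("CN=Example Signer", leafKp.public, intermediate, intKp.private, false, 3)
    println("leaf AKI matches intermediate SKI: ${keyIdsChain(leaf, intermediate)}")
    // The root did not issue the leaf, so this comparison is the mismatch the validator complains about.
    println("leaf AKI matches root SKI: ${keyIdsChain(leaf, root)}")
    val cms = sign("manifest".toByteArray(), leaf, leafKp.private, intermediate)
    val result = verify(cms, root)
    println("path validated up to anchor ${result.trustAnchor.trustedCert.subjectX500Principal}")
}
```

Two design points worth carrying over to real code: a SignerInfo must name the certificate whose private key produced the signature (a second SignerInfo that names the intermediate but is signed with the leaf key cannot verify), and the trust anchor should be the certificate above the path being validated, not a certificate in the path itself. The keyIdsChain check run against the PEM you load and the leaf from the p12 tells you directly whether that PEM is the certificate that actually issued the leaf.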