PKCS7 signature can never be verified: Path does not chain with any of the trust anchors

57hvy0tb  posted on 2021-06-30  in  Java
Follow (0) | Answers (0) | Views (311)

Both the test and the signer use the same p12 and the same intermediate pem certificate. The test fails at validator.validate(certPath, params) with

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

AdaptableX509CertSelector.match: subject key IDs don't match.

I re-checked: both certificates are there and are the same ones added in the signer, but the subjectKeyId is always slightly different from the original one.
Have been fighting this for 2 days and need a fresh pair of eyes. Thanks.
Properties:

// Resource is assumed to be org.springframework.core.io.Resource (the question does not show the import)
import org.springframework.core.io.Resource

data class Properties(
    val intermediate: Resource,    // Intermediate certificate to be included in the signature
    val keystore: Resource,        // p12 extracted from the main certificate
    val keystorePassword: String   // password
)

Signer:

import org.bouncycastle.cert.jcajce.JcaCertStore
import org.bouncycastle.cms.CMSProcessableByteArray
import org.bouncycastle.cms.CMSSignedData
import org.bouncycastle.cms.CMSSignedDataGenerator
import org.bouncycastle.cms.CMSTypedData
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder
import org.bouncycastle.operator.ContentSigner
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder
import java.security.KeyStore
import java.security.PrivateKey
import java.security.cert.Certificate
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

data class PKCS7Signer(private val properties: Properties) {

    private val keystore: KeyStore = KeyStore.getInstance("PKCS12")

    private lateinit var alias: String

    private lateinit var privateKey: PrivateKey

    // Intermediate certificate loaded from the PEM resource
    private val intermediate = CertificateFactory.getInstance("X.509")
        .generateCertificate(properties.intermediate.inputStream) as X509Certificate

    private lateinit var certificates: MutableList<Certificate>

    private lateinit var certificate: X509Certificate

    init {
        keystore.load(properties.keystore.inputStream, properties.keystorePassword.toCharArray())
        // Take the first alias that holds a private key entry
        val aliases = keystore.aliases()
        while (aliases.hasMoreElements()) {
            alias = aliases.nextElement()
            if (keystore.isKeyEntry(alias)) {
                break
            }
        }

        certificate = keystore.getCertificate(alias) as X509Certificate
        privateKey = keystore.getKey(alias, properties.keystorePassword.toCharArray()) as PrivateKey
        // Chain stored in the p12, with the PEM intermediate appended
        certificates = keystore.getCertificateChain(alias)
            .toMutableList()
        certificates.add(intermediate)
    }

    fun sign(content: ByteArray): ByteArray {
        val contentToSign: CMSTypedData = CMSProcessableByteArray(content)
        val gen = CMSSignedDataGenerator()
        // Only the leaf certificate is placed in the SignedData certificate set here;
        // the `certificates` list built in init is not used
        gen.addCertificates(JcaCertStore(listOf(certificate)))
        val sha1Signer: ContentSigner = JcaContentSignerBuilder("SHA1withRSA")
            .setProvider("BC")
            .build(privateKey)

        // SignerInfo for the leaf certificate
        gen.addSignerInfoGenerator(
            JcaSignerInfoGeneratorBuilder(
                JcaDigestCalculatorProviderBuilder()
                    .setProvider("BC")
                    .build()
            ).build(sha1Signer, certificate)
        )
        // Second SignerInfo names the intermediate certificate but is built with the leaf's private key
        gen.addSignerInfoGenerator(
            JcaSignerInfoGeneratorBuilder(
                JcaDigestCalculatorProviderBuilder()
                    .setProvider("BC")
                    .build()
            ).build(sha1Signer, intermediate)
        )
        val signature: CMSSignedData = gen.generate(contentToSign)

        return signature.encoded
    }
}

Test:

import org.bouncycastle.asn1.ASN1InputStream
import org.bouncycastle.asn1.BERSequence
import org.bouncycastle.asn1.DLSequence
import org.bouncycastle.asn1.cms.ContentInfo
import org.bouncycastle.asn1.cms.SignedData
import java.io.ByteArrayInputStream
import java.security.KeyStore
import java.security.cert.CertPath
import java.security.cert.CertPathValidator
import java.security.cert.Certificate
import java.security.cert.CertificateFactory
import java.security.cert.PKIXParameters
import java.security.cert.TrustAnchor
import java.security.cert.X509Certificate

// pkcS7Signer and classLoader are set up elsewhere in the test
val signature = pkcS7Signer.sign(classLoader.getResourceAsStream("manifest.json").readAllBytes())

// Unwrap ContentInfo -> SignedData and pull out the embedded certificate set
val obj: BERSequence = ASN1InputStream(signature).readObject() as BERSequence
val contentInfo: ContentInfo = ContentInfo.getInstance(obj)
val signedData: SignedData = SignedData.getInstance(contentInfo.content)
val certificates = signedData.certificates.objects

// Re-parse each embedded certificate as a JCA X509Certificate and build the path from them
val certificateFactory = CertificateFactory.getInstance("X.509")
val certList = mutableListOf<Certificate>()
while (certificates.hasMoreElements()) {
    val certObj = certificates.nextElement() as DLSequence
    certList.add(certificateFactory.generateCertificate(ByteArrayInputStream(certObj.encoded)))
}
val certPath: CertPath = certificateFactory.generateCertPath(certList)

// Load the same p12 used by the signer and find its private key alias
val keyStore = KeyStore.getInstance("PKCS12")
keyStore.load(
    classLoader.getResourceAsStream("certificate/main_certificate.p12"),
    "secret".toCharArray()
)
val aliases = keyStore.aliases()
var alias = ""
while (aliases.hasMoreElements()) {
    alias = aliases.nextElement()
    if (keyStore.isKeyEntry(alias)) {
        break
    }
}

// Trust anchors: the p12 certificate itself and the PEM intermediate
val params = PKIXParameters(
    setOf(
        TrustAnchor(keyStore.getCertificate(alias) as X509Certificate, null),
        TrustAnchor(certificateFactory.generateCertificate(classLoader.getResourceAsStream("certificate/intermediate.pem")) as X509Certificate, null)
    )
)

val validator = CertPathValidator.getInstance("PKIX")
val result = validator.validate(certPath, params)
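For comparison, here is how a verifier would normally check a CMS SignedData like the one above: each SignerInfo's signature is verified with the certificate the SignedData names for it, and a PKIX path is then built from that leaf up to a CA trust anchor, with intermediates taken from the SignedData's certificate set plus any supplied separately. This is an added example, not code from the question; it assumes the BC provider is registered and that the caller passes the issuing CA as `caRoot` and any intermediates the signer did not embed as `extraIntermediates` (both names are hypothetical).

```kotlin
import org.bouncycastle.cert.X509CertificateHolder
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
import org.bouncycastle.cms.CMSSignedData
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder
import java.security.cert.*

/** Verifies every SignerInfo in `encoded` and builds a PKIX path from its signer
 *  certificate up to `caRoot`. The signer leaf is the path target, never a trust anchor. */
fun verifyCms(
    encoded: ByteArray,
    caRoot: X509Certificate,                  // assumed: the CA that issued the chain
    extraIntermediates: List<X509Certificate>  // assumed: intermediates not embedded by the signer
): PKIXCertPathBuilderResult {
    val signed = CMSSignedData(encoded)
    val converter = JcaX509CertificateConverter().setProvider("BC")

    // Every certificate carried inside the SignedData (leaf plus any intermediates the signer embedded)
    val carried: List<X509Certificate> = signed.certificates.getMatches(null)
        .map { converter.getCertificate(it as X509CertificateHolder) }
    val store = CertStore.getInstance(
        "Collection", CollectionCertStoreParameters(carried + extraIntermediates)
    )

    var result: PKIXCertPathBuilderResult? = null
    for (signer in signed.signerInfos.signers) {
        // Locate the certificate the SignerInfo refers to by issuer+serial (or SKID)
        val matches = signed.certificates.getMatches(signer.sid)
        require(matches.isNotEmpty()) { "no certificate in SignedData for signer ${signer.sid.serialNumber}" }
        val leaf = converter.getCertificate(matches.first() as X509CertificateHolder)

        // 1. Cryptographic check: the signature over the content verifies with the leaf's public key
        val verifier = JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(leaf)
        require(signer.verify(verifier)) { "signature of ${leaf.subjectX500Principal} does not verify" }

        // 2. Path check: leaf -> intermediates -> caRoot, which is where issuer/subject and
        //    AKID/SKID linkage are enforced (the failure mode in the question)
        val target = X509CertSelector().apply { certificate = leaf }
        val params = PKIXBuilderParameters(setOf(TrustAnchor(caRoot, null)), target).apply {
            addCertStore(store)
            isRevocationEnabled = false   // turn on and supply CRLs/OCSP in a real deployment
        }
        result = CertPathBuilder.getInstance("PKIX").build(params) as PKIXCertPathBuilderResult
    }
    return result ?: error("SignedData contains no SignerInfo")
}
```

A SignerInfo only passes step 1 if its named certificate holds the public key matching the private key that signed, so a SignerInfo built for one certificate with another certificate's key fails there before any path building happens.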
