ssl javax.crypto.BadPaddingException:填充长度无效:239

dxpyg8gm  于 2023-10-19  发布在  Java
关注(0)|答案(1)|浏览(140)

在SSL通信期间,在客户端和服务器之间的握手过程中,会报告错误:

Server write IV:
0000: 85 80 28 A4 CA 34 3A 5B   A5 C5 7E 71 5A A9 02 1F  ..(..4:[...qZ...
HTTP-Dispatcher, READ: GMSSLv1.1 Change Cipher Spec, length = 1
HTTP-Dispatcher, READ: GMSSLv1.1 Handshake, length = 80
HTTP-Dispatcher, fatal error: 80: problem unwrapping net record
java.lang.ArrayIndexOutOfBoundsException: javax.crypto.BadPaddingException: Padding length invalid: 239
%% Invalidated:  [Session-1, ECC_SM4_CBC_SM3]
HTTP-Dispatcher, SEND GMSSLv1.1 ALERT:  fatal, description = internal_error
HTTP-Dispatcher, WRITE: GMSSLv1.1 Alert, length = 2
HTTP-Dispatcher, called closeInbound()
HTTP-Dispatcher, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
HTTP-Dispatcher, called closeOutbound()
HTTP-Dispatcher, closeOutboundInternal()
javax.crypto.BadPaddingException: Padding length invalid: 239

有人遇到过这个问题吗?我最初怀疑这是keyStore构造的问题,但我找不到具体的问题。

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType(), BouncyCastleProvider.PROVIDER_NAME);
keyStore.load(null, null);
keyStore.setKeyEntry("signPrivateKey", signPrivateKey, "".toCharArray(),
                        new Certificate[]{signX509Certificate});
keyStore.setKeyEntry("encPrivateKey", encPrivateKey, "".toCharArray(),
                        new Certificate[]{encX509Certificate});
kmpatx3s

kmpatx3s1#

主要是因为KeyStore加载问题

String password = "";
// 此处不能指定为 BC 的 Provider,否则在通信过程中会握手失败
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType(), GMJSSE.NAME);
keyStore.load(null, null);
keyStore.setKeyEntry("signCert", signPrivateKey, password.toCharArray(),
                    new Certificate[]{signX509Certificate});
keyStore.setKeyEntry("encCert", encPrivateKey, password.toCharArray(),
                    new Certificate[]{encX509Certificate});

// GMSSL 在启用 SSL 通信时,需要先 store 再重新 load,否则通信时会有 Padding 的异常
ByteArrayOutputStream byteArrayOutputStream = new     ByteArrayOutputStream();
keyStore.store(byteArrayOutputStream, password.toCharArray());

// 重新加载 KeyStore
ByteArrayInputStream byteArrayInputStream = new     ByteArrayInputStream(byteArrayOutputStream.toByteArray());
// 此处不能指定为 BC 的 Provider,否则在通信过程中会握手失败
keyStore = KeyStore.getInstance(KeyStore.getDefaultType(), GMJSSE.NAME);
keyStore.load(byteArrayInputStream, password.toCharArray());

相关问题