Java: private key algorithm does not match algorithm of public key in end entity certificate (at index 0)
I am trying to store a private key and its certificate chain in a keystore, but I get the following error: private key algorithm does not match algorithm of public key in end entity certificate (at index 0). This is how I generate the key pair:
```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.spec.ECParameterSpec;

public GenerateKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    // Generating an ECDSA KeyPair (algorithm name "ECDSA" from the BC provider)
    ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime239v3");
    KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC");
    g.initialize(ecSpec, new SecureRandom());
    KeyPair keygen = g.generateKeyPair();
    // Keep the generated key pair in this object
    this.keygen = keygen;
}
```
This is the method I use to generate the X.509 certificate:
```java
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.x509.X509V3CertificateGenerator;

public static X509Certificate GetCertificate_v3(KeyPair keygen, Date startDate, Date expiryDate,
        String serial, String Certification_Aut_Id) throws InvalidKeyException, SecurityException, SignatureException {
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
    // Note: the serial parameter is not used; the serial number is taken from the clock
    v3CertGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    v3CertGen.setIssuerDN(new X509Principal("CN=" + Certification_Aut_Id + ", O=o, L=L, ST=il, C= c"));
    v3CertGen.setNotBefore(startDate);
    v3CertGen.setNotAfter(expiryDate);
    // Self-signed: subject and issuer are the same DN
    v3CertGen.setSubjectDN(new X509Principal("CN=" + Certification_Aut_Id + ", O=o, L=L, ST=il, C= c"));
    v3CertGen.setPublicKey(keygen.getPublic());
    v3CertGen.setSignatureAlgorithm("SHA256withECDSA");
    X509Certificate cert = v3CertGen.generateX509Certificate(keygen.getPrivate());
    return cert;
}
```
The code used to store the key pair is:
```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public static void storeKeypair(String KSpwd, String PKpwd, String KSname, X509Certificate certificate,
        KeyPair keygen, String alias, String temp_local) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    // Before a keystore can be accessed, it must be loaded (the file KSname must already exist).
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    // get user password and file input stream
    char[] KSpassword = KSpwd.toCharArray();
    FileInputStream fis = new FileInputStream(KSname);
    ks.load(fis, KSpassword);
    fis.close();
    // writing the X509Certificate in a .cer file
    FileOutputStream fos1 = new FileOutputStream(temp_local + alias + ".cer");
    fos1.write(certificate.getEncoded());
    fos1.flush();
    fos1.close();
    // Load the certificate chain (in X.509 DER encoding).
    FileInputStream certificateStream = new FileInputStream(temp_local + alias + ".cer");
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    Certificate[] chain = {};
    chain = certificateFactory.generateCertificates(certificateStream).toArray(chain);
    certificateStream.close();
    // save my private key & certificate chain
    // (PrivateKeyEntry compares the private key algorithm with chain[0]'s public key algorithm here)
    char[] PKpassword = PKpwd.toCharArray();
    ks.setEntry(alias, new KeyStore.PrivateKeyEntry(keygen.getPrivate(), chain),
            new KeyStore.PasswordProtection(PKpassword));
    // Write out the keystore
    FileOutputStream fos = new FileOutputStream(KSname);
    ks.store(fos, KSpassword);
    fos.close();
}
```
The resulting error is:
```text
Exception in thread "main" java.lang.IllegalArgumentException: private key algorithm does not match algorithm of public key in end entity certificate (at index 0)
    at java.security.KeyStore$PrivateKeyEntry.<init>(KeyStore.java:408)
    at SDSGeneration.keyStore.storeKeypair(keyStore.java:65)
    at FinalTest.main(FinalTest.java:70)
```
I had the same problem when using …. My problem was that I was using the key pair to encrypt a message rather than to derive a key. You can find a complete example ….

I ran into this problem while generating VAPID keys to enable Web Push. I wanted to store the generated keys in a Java keystore, which requires you to have a certificate for the private key. Changing the algorithm from ECDSA to EC made it work. AFAIK EC is the algorithm for generating the key, and ECDSA is the signature algorithm for EC keys.
```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.spec.ECParameterSpec;

// CryptoException is the answerer's own checked exception type (not part of the JDK or BC)
public static KeyPair generateVapidKeyPair() throws CryptoException {
    try {
        ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime256v1");
        // "EC" (the key algorithm), not "ECDSA" (the signature algorithm)
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC", "BC");
        g.initialize(ecSpec, new SecureRandom());
        return g.generateKeyPair();
    } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException ex) {
        throw new CryptoException("Could not generate VAPID keypair", ex);
    }
}
```
After that I sign the key with the SHA256withECDSA algorithm and generate the certificate with BC. That part is largely the same as for RSA, so I'll leave out that code. After this I can store and retrieve the keys from the keystore (programmatically, with BC as the provider) without any problems.

Hi all, I really need help with this; without fixing it I can't move forward in my project. I tried debugging and got the following: private key algorithm: ECDSA - entity certificate public key algorithm: SHA256WITHECDSA. I think the problem is that the two don't match. How can I make them match, or could someone give me certificate generation code where the algorithm name can be changed to match the private key's name?

I also ran into this problem. When the private key algorithm is "ECDSA", the Bouncy Castle implementation maps the id-ecPublicKey OID in the public key to "EC", which causes the error. I hacked Bouncy Castle and changed the hard-coded value to "ECDSA", but I still have some problems. Also, openssl doesn't read the private key correctly and I don't know why.

What error does openssl give?
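The following is an added example, not code from the question or from either answer, showing the fix the second answer describes end to end: the key pair is generated under the JCA key algorithm name "EC", the certificate is self-signed with SHA256withECDSA using the current Bouncy Castle PKIX builder API (instead of the deprecated X509V3CertificateGenerator in the question), the same algorithm comparison that KeyStore.PrivateKeyEntry makes on the leaf certificate is run up front so a failure names both algorithms, and the entry is stored in and reloaded from an in-memory PKCS12 keystore. For contrast, the same pipeline is run with "ECDSA" to reproduce the mismatch. The class name EcKeyStoreExample, the method names, the DN, the password and the alias are this example's own assumptions; it assumes the bcprov and bcpkix jars are on the classpath.

```java
// Added example (not from the original question or answers). Assumes Bouncy Castle
// (bcprov + bcpkix) on the classpath; class, method, alias, DN and password are assumed values.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class EcKeyStoreExample {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    // "EC" is the JCA key algorithm name; "ECDSA" names a signature scheme. A key pair
    // generated under "ECDSA" reports getAlgorithm() == "ECDSA", which the keystore rejects
    // against a certificate whose public key is identified by the id-ecPublicKey OID.
    public static KeyPair generateEcKeyPair(String keyAlgorithm) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance(keyAlgorithm, "BC");
        g.initialize(new ECGenParameterSpec("prime256v1"), new SecureRandom());
        return g.generateKeyPair();
    }

    // Self-signed certificate through the current BC PKIX API.
    public static X509Certificate selfSign(KeyPair kp, String dn, long validityMillis) throws Exception {
        X500Name name = new X500Name(dn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validityMillis);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // random serial, not a timestamp
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA")
                .setProvider("BC").build(kp.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    // Mirrors the comparison KeyStore.PrivateKeyEntry makes on chain[0] ("at index 0").
    public static boolean algorithmsMatch(PrivateKey key, Certificate[] chain) {
        return key.getAlgorithm().equalsIgnoreCase(chain[0].getPublicKey().getAlgorithm());
    }

    // Builds a new in-memory PKCS12 keystore holding the entry and returns its serialized bytes.
    public static byte[] storeAsPkcs12(String alias, PrivateKey key, Certificate[] chain,
                                       char[] password) throws Exception {
        if (!algorithmsMatch(key, chain)) {
            throw new IllegalStateException("key algorithm " + key.getAlgorithm()
                    + " != certificate public key algorithm " + chain[0].getPublicKey().getAlgorithm());
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty keystore; no file on disk needed
        ks.setEntry(alias, new KeyStore.PrivateKeyEntry(key, chain),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pwd = "changeit".toCharArray(); // constructed sample password
        long oneYear = 365L * 24 * 3600 * 1000;

        // Working path: key algorithm "EC".
        KeyPair ok = generateEcKeyPair("EC");
        X509Certificate okCert = selfSign(ok, "CN=example-ca, O=example", oneYear);
        byte[] p12 = storeAsPkcs12("ec-key", ok.getPrivate(), new Certificate[]{okCert}, pwd);

        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(p12), pwd);
        System.out.println("reloaded key algorithm: " + reloaded.getKey("ec-key", pwd).getAlgorithm());

        // Failing path from the question: key algorithm "ECDSA" against an EC certificate.
        KeyPair bad = generateEcKeyPair("ECDSA");
        X509Certificate badCert = selfSign(bad, "CN=example-ca, O=example", oneYear);
        System.out.println("ECDSA key vs certificate: " + bad.getPrivate().getAlgorithm() + " / "
                + badCert.getPublicKey().getAlgorithm()
                + " -> match=" + algorithmsMatch(bad.getPrivate(), new Certificate[]{badCert}));
    }
}
```

The up-front `algorithmsMatch` check is the practical takeaway: the JDK only tells you that index 0 mismatched, while printing both `getAlgorithm()` strings shows immediately whether the key was generated as "ECDSA" instead of "EC". Generating the key under "EC" is the fix; patching the provider's hard-coded algorithm name, as one comment tried, leaves you with a private key that other tools (such as openssl) will not interpret the same way.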