KeyStoreException: No private keys found in keystore with not-yet-commons-ssl-0.3.11.jar

Posted on 2024-12-23 09:27:56

In the course of using Client certificates for authentication, I decided to use not-yet-commons-ssl-0.3.11.jar. That has resulted in another issue - the simple act of invoking the constructor on EasySSLProtocolSocketFactory or StrictSSLProtocolSocketFactory will produce an exception.

The code, as isolated in a simple cmd line app:

    public class CertTest {

        public static void main(String[] args) {

            System.setProperty("javax.net.debug", "ssl,handshake"); // SSL DEBUG INFO
            String keystore = "/usr/java/jdk1.6.0_11/jre/lib/security/cacerts";
            String keystorePassword = "changeit";

            System.setProperty("javax.net.ssl.keyStore", keystore);
            System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
            // System.setProperty("javax.net.ssl.trustStore", keystore);
            // System.setProperty("javax.net.ssl.trustStorePassword", keystorePassword);

            try {
                org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory factory =
                    new org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory();
            }
            catch (Exception e) {
                System.out.println(e);
            }

        }
    }

To isolate issues with older libs, I put the above code in a directory with these jars (these are the ONLY jars in the classpath):

  1. httpclient-4.0.1.jar
  2. not-yet-commons-ssl-0.3.11.jar
  3. commons-httpclient-3.1.jar
  4. httpcore-4.0.1.jar

So, with some client certificates in the cacerts keystore, I get:
org.apache.commons.ssl.ProbablyBadPasswordException: Probably bad JKS-Key password: java.security.UnrecoverableKeyException: Password must not be null

If I use keytool to delete all the client certificates that I have loaded, then the exception changes to

**Caused by: java.security.KeyStoreException: No private keys found in keystore!**
    at org.apache.commons.ssl.KeyStoreBuilder.validate(KeyStoreBuilder.java:269)
    at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:129)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:179)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:170)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:160)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:64)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:114)
    at org.apache.commons.ssl.KeyMaterial.<init>(KeyMaterial.java:89)
    at org.apache.commons.ssl.SSL.<init>(SSL.java:142)
    at org.apache.commons.ssl.SSLClient.<init>(SSLClient.java:59)
    at org.apache.commons.ssl.HttpSecureProtocol.<init>(HttpSecureProtocol.java:55)
    at org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory.<init>(EasySSLProtocolSocketFactory.java:94)

Snippets in the output:

keyStore is : /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f

whole bunch of default trusted certs snipped here...

trigger seeding of SecureRandom
done seeding SecureRandom
@@@@@@@@@@ EXCEPTION
java.security.KeyStoreException: No private keys found in keystore!

Any ideas?


塔塔猫 2024-12-30 09:27:56

java.security.KeyStoreException: No private keys found in keystore!

This exception specifically complains that there are no private keys in the keystore you are trying to load.
In the case of cacerts, which is Java's default truststore, this is true!

But with the code you have posted (meaning you have not posted any code really) or the fact that you don't say anything about the keystore you are trying to load, it is not possible to help you on this.
