java.security CertificateFactory.getInstance fails randomly

Posted on 2025-01-28 00:29:33 | 1369 characters | 8 views | 0 comments

I encountered a weird issue that results in my tests failing randomly. Please see the following example:

val certificateFactory = CertificateFactory.getInstance("X509")

I am trying to get an instance of the certificate factory in order to generate an X509Certificate from a file in my test resources folder. After running the tests a few times, I found out that this randomly fails, with the following exception:

X509 not found
java.security.cert.CertificateException: X509 not found
    at java.base@17/java.security.cert.CertificateFactory.getInstance

After some research on the internet, I found out that some people tend to use X.509 instead of X509.
Changing CertificateFactory.getInstance("X509") to CertificateFactory.getInstance("X.509") resulted in the exact same behaviour: About 75% of the time the tests passed, in the other cases it did not.

My final attempt was to fall back on X.509 when attempting to get an instance of X509 failed, like so:

val certificateFactory = try {
    CertificateFactory.getInstance("X509")
} catch (ex: CertificateException) {
    println("CertificateFactory instance for X509 not found, attempting with X.509")
    CertificateFactory.getInstance("X.509")
}

This did not change the result of the tests.

Concluding from this little experiment, it appears that the CertificateFactory sometimes does contain an instance of both "X509" and "X.509", and sometimes it contains neither of those.
Is there a possibility that CertificateFactory sometimes doesn't get initialised properly, or something of the sort?

The code is written in Kotlin, running on the following Java versions:

openjdk version "17" 2021-09-14
OpenJDK Runtime Environment Temurin-17+35 (build 17+35)
OpenJDK 64-Bit Server VM Temurin-17+35 (build 17+35, mixed mode, sharing)

I could not find much about this use case on the internet, so I'm trying my luck here. Thanks in advance.

Comments (1)

如若梦似彩虹 2025-02-04 00:29:33

Meta: not really an answer, at least not yet, but too much for comments. I will delete if necessary.

I'm ignoring Kotlin because I don't think it does anything relevant here, though I could be wrong. In any case you should be able to test this specific feature in plain Java easily enough.

The JCA-standard type (aka algorithm) name for CertificateFactory is "X.509" with the dot and always has been (back to Java 5 at least). I'm not sure if the PKCS11 provider can support this API, but if so it would vary depending on the underlying P11 device or library. (Traditional P11 devices, i.e. real HSMs, weren't involved in cert management and only limited processing, but over time P11 has been used, or perhaps abused, for such a wide range of things I hesitate to make any general claim about it.)

If you have the BouncyCastle provider installed, it does provide "X509" as an alias/synonym in addition to "X.509" (but never as a substitute).

I suggest you check at the point of attempt/failure what providers are configured -- something like

import java.security.*;
...
for( Provider p : Security.getProviders() ) System.out.println (p.getName());

If either SUN or BC is present, getInstance("X.509") should work, and if neither, I don't see how almost anything else you want to do in that JVM will work.
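
An expanded form of the provider check suggested in the answer above, as an added example (not code from the question or the answer). It lists each registered provider in preference order, marks which ones serve a CertificateFactory under "X.509" or "X509", and reports which provider answers each lookup; the class and method names are illustrative.

```java
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

// Added diagnostic, not code from the post. Class and method names are illustrative.
public class CertFactoryProviderCheck {

    // Names from the thread: the JCA-standard "X.509" and the alias "X509".
    static final String[] NAMES = {"X.509", "X509"};

    /** One line per registered provider, in preference order, noting which names it serves. */
    static String describeProviders() {
        StringBuilder sb = new StringBuilder();
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            sb.append(i + 1).append(". ").append(p.getName());
            for (String name : NAMES) {
                // getService resolves aliases as well as primary names.
                if (p.getService("CertificateFactory", name) != null) {
                    sb.append("  [CertificateFactory ").append(name).append(']');
                }
            }
            sb.append(System.lineSeparator());
        }
        return sb.toString();
    }

    /** Tries the lookup and reports the provider that answered, or the failure message. */
    static String tryLookup(String name) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance(name);
            return name + " -> " + cf.getProvider().getName();
        } catch (CertificateException e) {
            return name + " -> FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.print(describeProviders());
        for (String name : NAMES) {
            System.out.println(tryLookup(name));
        }
    }
}
```

The provider list is JVM-wide and can change at run time through `Security.addProvider`, `Security.insertProviderAt` and `Security.removeProvider`, so call `describeProviders()` from the failing test's catch block rather than only at startup.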
