1

我目前正在努力让 Java 应用程序 (JRE 1.5+) 与 Windows 2008 OCSP 响应程序通信,并且在尝试读取响应程序的签名证书时遇到一个奇怪的错误。

我在尝试执行 OCSP 验证时遇到以下异常。

Caused by: java.security.cert.CertificateParsingException: java.io.IOException: short read on DerValue buffer
    at sun.security.x509.X509CertInfo.<init>(Unknown Source)
    at sun.security.x509.X509CertImpl.parse(Unknown Source)
    at sun.security.x509.X509CertImpl.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
    ... 6 more
Caused by: java.io.IOException: short read on DerValue buffer
    at sun.security.util.DerValue.getOctetString(Unknown Source)
    at sun.security.x509.Extension.<init>(Unknown Source)
    at sun.security.x509.CertificateExtensions.init(Unknown Source)
    at sun.security.x509.CertificateExtensions.<init>(Unknown Source)
    at sun.security.x509.X509CertInfo.parse(Unknown Source)
    ... 11 more

这表明读取签名证书时出现问题,因此我尝试使用类似于以下的方法单独导入:

    public static List<Certificate> readCerts(String certFile,
        CertificateFactory cf, boolean withCRL) throws Exception {
    FileInputStream fis = new FileInputStream(certFile);
    BufferedInputStream bis = new BufferedInputStream(fis);

    List<Certificate> certs = new LinkedList<Certificate>();

    while (bis.available() > 0) {
        Certificate cert = cf
                .generateCertificate(bis);
        X509Certificate cx509 = (X509Certificate) cert;
        certs.add(cert);
    }

    return certs;
}

这给了我同样的错误。这似乎只发生在从 OCSP 签名模板生成的证书上,用户证书可以很好地读取。

有没有其他人在 Java 中遇到过类似的 X509 支持问题?

问候,汤姆

更新:我遇到问题的证书如下:

-----BEGIN CERTIFICATE-----
MIIDzDCCArSgAwIBAgIKYQWrDAAAAAAABjANBgkqhkiG9w0BAQUFADBFMRMwEQYK
CZImiZPyLGQBGRYDaW50MRUwEwYKCZImiZPyLGQBGRYFbG9ucWExFzAVBgNVBAMT
DmxvbnFhLVRFLUNBLUNBMB4XDTA5MDkyMTE2NDIxNloXDTA5MTAwNTE2NDIxNlow
GjEYMBYGA1UEAxMPdGUtY2EubG9ucWEuaW50MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA6rYO7X/PztBE2Do9u95ws3Ob86cySJ1iLrHLSF+VjvTQkZ3J
e0uKxoK4doSikqCZH9zXZ6qFFVMZlzq/FnIP9TLhv3uFom0y+Z0HmPAW7RtrZ8R6
1EAmcQDGpyRhzCWJqrEzgbW1v1QtF854kium97GwUWnVijGv3jQqT3hbmD7++9lh
9ILaLXMAKdTFpL1ao2eHWYf2mChRpuAox2juO1g4xjot9GXsEMhTwAg9F/pZnbKE
hhpeo1c0kgP3uus7ULlwdRnZ4O+tp79GeVKsdJbphmnC6Fc/PdT0KuHSk9Q0v192
Ger5nTQaZk/dmsyGBd8g4Q+0g0Ri+wgpUUsykQIDAQABo4HoMIHlMDYGCSsGAQQB
gjcVBwQpMCcGHysGAQQBgjcVCIHPgWyXxQ2ChYcyg8LhMoWky3ppASACAWUCAQAw
EwYDVR0lBAwwCgYIKwYBBQUHAwkwDgYDVR0PAQH/BAQDAgeAMBsGCSsGAQQBgjcV
CgQOMAwwCgYIKwYBBQUHAwkwDQYJKwYBBQUHMAEFBAAwHQYDVR0OBBYEFNblspp7
Hu07mraeMSyuBUTUnbl3MB8GA1UdIwQYMBaAFK/r521FB+GNls/fe8hrNE8UpQhv
MBoGA1UdEQQTMBGCD3RlLWNhLmxvbnFhLmludDANBgkqhkiG9w0BAQUFAAOCAQEA
FASEVcUJQlrmCD/ysycOxAIAoc2BVLhteOMoZ7V65a5/+Q5JM7Od+gKqoxLVrjb2
BDLlDFp5U8CirQ4lyWV5i1gQpLFTDcjgonp9Ky50KA0Ginn5CmTELB2THwFSQwfm
OFenSaV1mAcEzdyp/hi2xSuMqhveSanQFD0r6y45oZsd9ubdFEWI6nBRrj4hhfw0
Wo2GKUgslXqAqEezdin5JNgsPdj3qsi4+U4llyrd3gG20eoWzGHF4h7wfFiQV+fs
yEPY06Rg9G9m3GlIv+7Gp3sixb+cvZe+e0gO32mVRydTXMaAZu7ZiFk3M6AqxfDw
dO//eCu2dZCLTw6xTbUc9A==
-----END CERTIFICATE-----
4

1 回答 1

3

我假设你的工厂是这样的,

  cf = CertificateFactory.getInstance("X509");

默认的 X509 工厂有很多限制。看起来您的证书包含工厂不知道如何解析的扩展。如果您发布证书,我可以帮助您识别有问题的扩展名。

编辑:有问题的扩展是

1.3.6.1.5.5.7.48.1.5-id-pkix-ocsp-nocheck

唯一的选择是使用 Java 内置 JCE 从证书中删除它。您还可以尝试其他 JCE,例如 BouncyCastle。

于 2009-09-30T12:08:43.460 回答