1

我已按照 Oracle 指南尝试在 Ubuntu 16.04 中将智能卡中的 PKCS#11 密钥库导入文件系统中的 JKS 密钥库。我安装了 Oracle JDK 7,以及我的 Izenpe 卡的驱动程序文件。

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

我在 Open JDK 7 中遇到了这个错误:

带有 opensc pkcs#11 提供程序的 java keytool 仅适用于启用调试选项

声明使用 Open JDK 的实现有一个错误,你应该绕过它。这篇文章没有解决我的问题,我切换到 Oracle JDK 7,我可以在我的卡中列出私钥条目:

keytool -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 \
            -providerArg $JAVA_HOME/config.ini \
        -v -list

在哪里config.ini

name=Izenpe-static
library=/usr/lib/libbit4ipki.so
showInfo=true

所以,我得到:

easternfox@easternfox-Ubuntu:~/下载/electronic-wechat-production$ keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/easternfox/文档/config.ini -v -list 

Information for provider SunPKCS11-Izenpe-static
Library info:
  cryptokiVersion: 2.20
  manufacturerID: bit4id srl                      
  flags: 0
  libraryDescription: bit4id PKCS#11                  
  libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
  slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00       
  manufacturerID: unknown                         
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 0:
  label: IZENPE                          
  manufacturerID: Oberthur Technologies           
  model: Cosmo ID ONE (L)
  serialNumber: 1550001000002654
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
  ......

Enter keystore password:  

Keystore type: PKCS11
Keystore provider: SunPKCS11-Izenpe-static

Your keystore contains 1 entry

Alias name: CIUDADANO FICTICIO ACTIVO
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: SERIALNUMBER=92920000T, SURNAME=FICTICIO, GIVENNAME=CIUDADANO, CN=CIUDADANO FICTICIO ACTIVO, DNQ=-dni 92920000T, OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, OU=Herritar ziurtagiria - Certificado de ciudadano, OU=Ziurtagiri onartua - Certificado reconocido, C=ES
Issuer: CN=Herritar eta Erakundeen CA - CA de Ciudadanos y Entidades (4), OU=NZZ Ziurtagiri publikoa - Certificado publico SCI, O=IZENPE S.A., C=ES
......

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 00 DE A8 79 08 14 F9 FA   05 2C BF 8B 65 99 69 91  ...y.....,..e.i.
0010: EA 5D 70 45                                        .]pE
]
]

*******************************************
*******************************************

而且,当我尝试时keytool -importkeystore,我有几个错误:

跑步keytool -importkeystore --help给了我很多有用的信息:

keytool -importkeystore [OPTION]...

Imports one or all entries from another keystore

Options:

 -srckeystore <srckeystore>            source keystore name
 -destkeystore <destkeystore>          destination keystore name
 -srcstoretype <srcstoretype>          source keystore type
 -deststoretype <deststoretype>        destination keystore type
 -srcstorepass <arg>                   source keystore password
 -deststorepass <arg>                  destination keystore password
 -srcprotected                         source keystore password protected
 -srcprovidername <srcprovidername>    source keystore provider name
 -destprovidername <destprovidername>  destination keystore provider name
 -srcalias <srcalias>                  source alias
 -destalias <destalias>                destination alias
 -srckeypass <arg>                     source key password
 -destkeypass <arg>                    destination key password
 -noprompt                             do not prompt
 -providerclass <providerclass>        provider class name
 -providerarg <arg>                    provider argument
 -providerpath <pathlist>              provider classpath
 -v                                    verbose output

Use "keytool -help" for all available commands

如果我省略srckeypass/ destkeypass,我有:

easternfox@easternfox-Ubuntu:$ keytool -srckeystore NONE -srcstoretype PKCS11 \
    -destkeystore /home/easternfox/my.new.jks -deststoretype jks -deststorepass qwerqwer \
    -providerClass sun.security.pkcs11.SunPKCS11 \
         -providerArg $JAVA_HOME/config.ini 
    -v -importkeystore


Information for provider SunPKCS11-Izenpe-static
Library info:
  cryptokiVersion: 2.20
  manufacturerID: bit4id srl                      
  flags: 0
  libraryDescription: bit4id PKCS#11                  
  libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
  slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00       
  manufacturerID: unknown                         
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 0:
  label: IZENPE                          
  manufacturerID: Oberthur Technologies           
  model: Cosmo ID ONE (L)
  serialNumber: 1550001000002654
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
  ulMaxPinLen: 8
  ulMinPinLen: 4
  ulTotalPublicMemory: 65535
  ....
Enter source keystore password:  
Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: non-null password required to create PrivateKeyEntry.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
Do you want to quit the import process? [no]:  n
Import command completed:  0 entries successfully imported, 1 entries failed or cancelled
[Storing /home/easternfox/my.new.jks]

所以,我看到了non-null password required错误,我尝试指定srckeypassand destkeypass,并得到另一个错误:

keytool error: java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
    at sun.security.tools.KeyTool.doImportKeyStore(KeyTool.java:1864)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:1024)
    at sun.security.tools.KeyTool.run(KeyTool.java:340)
    at sun.security.tools.KeyTool.main(KeyTool.java:333)

所以,我必须添加srcalias. 所以我这样做了,并且:

Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
[Storing /home/easternfox/my.new.jks]

发生了另一个错误,表明卡中的私钥不是 PKCS#8 编码的。

如何解决这个问题?这是一个错误吗?还是只是制造商相关的问题?


我试过的:

  • 我试图指定-providerpath要更改为sunpkcs11.jarOracle JDK 8 的另一个参数,但无济于事。
  • 我将卡附带的驱动程序更改为另一个版本。不工作。

编辑:</p>

我尝试编写一些代码并得到相同的错误,并带有一些堆栈跟踪:

java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
    at sun.security.provider.KeyProtector.protect(KeyProtector.java:174)
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:259)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
    at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.constructJKSKeyStore(PKCS11KeyStoreConstuctor.java:66)
    at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.main(PKCS11KeyStoreConstuctor.java:22)
4

0 回答 0