Following the Oracle guide, I have tried to import the PKCS#11 keystore on a smart card into a JKS keystore on the file system under Ubuntu 16.04. I installed Oracle JDK 7 and the driver files for my Izenpe card.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html
With OpenJDK 7 I ran into this error:
java keytool with opensc pkcs#11 provider only works with debug option enabled
which states that the OpenJDK implementation has a bug that you should work around. That post did not solve my problem, so I switched to Oracle JDK 7, and I can list the private key entry on my card:
keytool -keystore NONE -storetype PKCS11 \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg $JAVA_HOME/config.ini \
-v -list
where config.ini is:
name=Izenpe-static
library=/usr/lib/libbit4ipki.so
showInfo=true
So, I get:
easternfox@easternfox-Ubuntu:~/下载/electronic-wechat-production$ keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/easternfox/文档/config.ini -v -list
Information for provider SunPKCS11-Izenpe-static
Library info:
cryptokiVersion: 2.20
manufacturerID: bit4id srl
flags: 0
libraryDescription: bit4id PKCS#11
libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00
manufacturerID: unknown
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Token info for token in slot 0:
label: IZENPE
manufacturerID: Oberthur Technologies
model: Cosmo ID ONE (L)
serialNumber: 1550001000002654
flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
ulSessionCount: 0
ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
......
Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-Izenpe-static
Your keystore contains 1 entry
Alias name: CIUDADANO FICTICIO ACTIVO
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: SERIALNUMBER=92920000T, SURNAME=FICTICIO, GIVENNAME=CIUDADANO, CN=CIUDADANO FICTICIO ACTIVO, DNQ=-dni 92920000T, OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, OU=Herritar ziurtagiria - Certificado de ciudadano, OU=Ziurtagiri onartua - Certificado reconocido, C=ES
Issuer: CN=Herritar eta Erakundeen CA - CA de Ciudadanos y Entidades (4), OU=NZZ Ziurtagiri publikoa - Certificado publico SCI, O=IZENPE S.A., C=ES
......
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 00 DE A8 79 08 14 F9 FA 05 2C BF 8B 65 99 69 91 ...y.....,..e.i.
0010: EA 5D 70 45 .]pE
]
]
*******************************************
*******************************************
And when I try keytool -importkeystore, I get several errors.
Running keytool -importkeystore --help gave me a lot of useful information:
keytool -importkeystore [OPTION]...
Imports one or all entries from another keystore
Options:
-srckeystore <srckeystore> source keystore name
-destkeystore <destkeystore> destination keystore name
-srcstoretype <srcstoretype> source keystore type
-deststoretype <deststoretype> destination keystore type
-srcstorepass <arg> source keystore password
-deststorepass <arg> destination keystore password
-srcprotected source keystore password protected
-srcprovidername <srcprovidername> source keystore provider name
-destprovidername <destprovidername> destination keystore provider name
-srcalias <srcalias> source alias
-destalias <destalias> destination alias
-srckeypass <arg> source key password
-destkeypass <arg> destination key password
-noprompt do not prompt
-providerclass <providerclass> provider class name
-providerarg <arg> provider argument
-providerpath <pathlist> provider classpath
-v verbose output
Use "keytool -help" for all available commands
If I omit srckeypass / destkeypass, I get:
easternfox@easternfox-Ubuntu:$ keytool -srckeystore NONE -srcstoretype PKCS11 \
-destkeystore /home/easternfox/my.new.jks -deststoretype jks -deststorepass qwerqwer \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg $JAVA_HOME/config.ini \
-v -importkeystore
Information for provider SunPKCS11-Izenpe-static
Library info:
cryptokiVersion: 2.20
manufacturerID: bit4id srl
flags: 0
libraryDescription: bit4id PKCS#11
libraryVersion: 1.02
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
slotDescription: Cherry GmbH SmartBoard XX44 [Smart Card Reader USB] 00 00
manufacturerID: unknown
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Token info for token in slot 0:
label: IZENPE
manufacturerID: Oberthur Technologies
model: Cosmo ID ONE (L)
serialNumber: 1550001000002654
flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
ulSessionCount: 0
ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
ulRwSessionCount: CK_UNAVAILABLE_INFORMATION
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: 65535
....
Enter source keystore password:
Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: non-null password required to create PrivateKeyEntry.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
Do you want to quit the import process? [no]: n
Import command completed: 0 entries successfully imported, 1 entries failed or cancelled
[Storing /home/easternfox/my.new.jks]
So, seeing the non-null password required error, I tried specifying srckeypass and destkeypass, and got another error:
keytool error: java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
java.lang.Exception: if alias not specified, destalias, srckeypass, and destkeypass must not be specified
at sun.security.tools.KeyTool.doImportKeyStore(KeyTool.java:1864)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:1024)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
So, I have to add srcalias. I did that, and:
Problem importing entry for alias CIUDADANO FICTICIO ACTIVO: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded.
Entry for alias CIUDADANO FICTICIO ACTIVO not imported.
[Storing /home/easternfox/my.new.jks]
Another error occurs, saying that the private key on the card is not PKCS#8 encoded.
How can I solve this? Is it a bug? Or is it just a manufacturer-related problem?
What I have tried:
- I tried to specify -providerpath to change to the sunpkcs11.jar of Oracle JDK 8, another parameter, but to no avail.
- I changed the driver that came with the card to another version. Does not work.
Edit:
I tried writing some code and got the same error, with a stack trace:
java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
at sun.security.provider.KeyProtector.protect(KeyProtector.java:174)
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:259)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.constructJKSKeyStore(PKCS11KeyStoreConstuctor.java:66)
at com.JSILTRA.logic.PKCS11KeyStoreConstuctor.main(PKCS11KeyStoreConstuctor.java:22)
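Added example, not part of the question or of the author's PKCS11KeyStoreConstuctor code. The stack trace above points at the cause: JavaKeyStore.engineSetKeyEntry hands the key to KeyProtector.protect, which needs key.getEncoded() to return PKCS#8 bytes. The PrivateKey object SunPKCS11 returns for a key that lives on the card is only a handle; its getEncoded() returns null because the token will not release sensitive, non-extractable key material, so no keytool option can copy that key into a JKS (or any file keystore). What can be done is to use the key in place and copy out only the certificate chain, which is what the program below does: it reports whether each key is extractable, signs and verifies a message with the card, and writes the certificates into a JKS as trusted-certificate entries. The class name, the four command-line arguments, the RSA signature algorithm and the "-cert-N" alias suffix are all assumptions for illustration; the SunPKCS11(String) constructor is the JDK 7/8 API used on this page (JDK 9+ replaces it with Security.getProvider("SunPKCS11").configure(path)).

```java
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/**
 * Added example: keep the private key on the card and use it there instead of
 * trying to copy it into a JKS.
 *
 * Assumed (hypothetical) command line, adjust to your setup:
 *   java UseCardKeyInPlace /path/to/config.ini <PIN> certs-only.jks <jks-password>
 */
public class UseCardKeyInPlace {

    public static void main(String[] args) throws Exception {
        String configPath = args[0];           // SunPKCS11 config, e.g. the config.ini above
        char[] pin = args[1].toCharArray();    // the card PIN keytool asked for as "keystore password"
        String jksPath = args[2];              // destination JKS that receives certificates only
        char[] jksPass = args[3].toCharArray();

        // JDK 7/8 way of creating the provider from a config file (hypothetical path)
        Provider p11 = new sun.security.pkcs11.SunPKCS11(configPath);
        Security.addProvider(p11);

        KeyStore card = KeyStore.getInstance("PKCS11", p11);
        card.load(null, pin);

        KeyStore certsOnly = KeyStore.getInstance("JKS");
        certsOnly.load(null, null); // start from an empty store

        // Constructed test message, used only to exercise the card key
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);

        for (String alias : Collections.list(card.aliases())) {
            if (!card.isKeyEntry(alias)) {
                continue;
            }
            PrivateKey key = (PrivateKey) card.getKey(alias, pin);
            Certificate[] chain = card.getCertificateChain(alias);

            // For a token-resident key getEncoded() is null; that null is what makes
            // JavaKeyStore.setKeyEntry throw "Cannot get key bytes, not PKCS#8 encoded".
            boolean extractable = key.getEncoded() != null;
            System.out.printf("%s: extractable=%b format=%s%n", alias, extractable, key.getFormat());

            // Sign on the card: ask the SunPKCS11 provider explicitly so the opaque
            // key handle is accepted (assumes an RSA key on the card).
            Signature signer = Signature.getInstance("SHA256withRSA", p11);
            signer.initSign(key);
            signer.update(msg);
            byte[] sig = signer.sign();

            // Verify with the public key from the certificate; any provider can do this.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(chain[0].getPublicKey());
            verifier.update(msg);
            System.out.printf("%s: signature verifies=%b%n", alias, verifier.verify(sig));

            // Only the certificate chain can leave the card; store it as trusted entries.
            for (int i = 0; i < chain.length; i++) {
                certsOnly.setCertificateEntry(alias + "-cert-" + i, chain[i]);
            }
        }

        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            certsOnly.store(out, jksPass);
        }
    }
}
```

The same certificate-only copy can be done with keytool alone, using the flags already shown on this page: keytool -exportcert -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg config.ini -alias "CIUDADANO FICTICIO ACTIVO" -file cert.cer, followed by keytool -importcert into the JKS. Anything that needs the private key (TLS client authentication, signing) should be pointed at the PKCS11 keystore itself rather than at a JKS copy.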