Reading PKCS8 in PEM format: Cannot find provider


Question

Trying to read a PKCS8 private key in PEM format with the following:

private static PrivateKey loadPrivateKey()
        throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
    FileReader fileReader = new FileReader(certsRoot + "/pep-client-key.pem");
    PEMParser keyReader = new PEMParser(fileReader);

    JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
    InputDecryptorProvider decryptionProv = new JceOpenSSLPKCS8DecryptorProviderBuilder().build("mypassword".toCharArray());

    Object keyPair = keyReader.readObject();
    PrivateKeyInfo keyInfo;

    if (keyPair instanceof PKCS8EncryptedPrivateKeyInfo) {
        keyInfo = ((PKCS8EncryptedPrivateKeyInfo) keyPair).decryptPrivateKeyInfo(decryptionProv); // Exception thrown from here
        keyReader.close();
        return converter.getPrivateKey(keyInfo);
    }
    return null;
}

This produces the following error:

org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: 1.2.840.113549.1.5.13 not available: Cannot find any provider supporting 1.2.840.113549.3.7
    at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)

I've checked with OpenSSL that the file can be processed as PKCS8 PEM, with the password provided.

Any idea? I don't mind if there is a solution not involving BouncyCastle's libraries.

Recommended answer

1.2.840.113549.3.7 is the OID for DES-EDE3-CBC-Pad (in PBES2) in PKCS5 = rfc2898 sec B.2.2. (1.2.840.113549.1.5.13 is the 'outer' OID for all PBES2 variants.)

The Sun-now-Oracle (default) providers do support the DES-EDE3 algorithm (aka TripleDES or TDEA keying option 1) with CBC and PKCS5/7 padding but do not have this OID mapping for it. The BouncyCastle provider does have the mapping, so if you use the BC provider for this operation it should work. This can be done
* for all JVMs by configuring security.provider.<i> in JRE/lib/security/java.security (update: in j9+ JRE/conf/security/java.security) or
* for a JVM by java.lang.security.Provider.addProvider (new BouncyCastleProvider()) or
* for this operation by adding .setProvider() with the name of or object for the BC provider to your JceOpenSSLPKCS8DecryptorProviderBuilder invocation

Note BC for TripleDES seems to require the 'unlimited strength policy' on Oracle Java below j8u151; see cannot open PKCS12 store because of password and InvalidKeyException Illegal key size and many other dupes.
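
The third option from the answer (setting the provider for this operation only), written out as an added example; it is not code from the original question or answer. The class name `Pkcs8PemLoader` and the `pemPath`/`password` parameters are hypothetical, and it assumes the BouncyCastle `bcprov` and `bcpkix` jars are on the classpath.

```java
import java.io.FileReader;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.Provider;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;

public class Pkcs8PemLoader {
    // One provider instance, passed explicitly; the JVM-wide provider list is left untouched.
    private static final Provider BC = new BouncyCastleProvider();

    static PrivateKey loadPrivateKey(String pemPath, char[] password)
            throws IOException, OperatorCreationException, PKCSException {
        try (PEMParser parser = new PEMParser(new FileReader(pemPath))) {
            Object obj = parser.readObject();
            PrivateKeyInfo keyInfo;
            if (obj instanceof PKCS8EncryptedPrivateKeyInfo) {
                // BC maps OID 1.2.840.113549.3.7 to DES-EDE3-CBC, so the PBES2 cipher resolves here.
                InputDecryptorProvider decryptor = new JceOpenSSLPKCS8DecryptorProviderBuilder()
                        .setProvider(BC)
                        .build(password);
                keyInfo = ((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(decryptor);
            } else if (obj instanceof PrivateKeyInfo) {
                keyInfo = (PrivateKeyInfo) obj; // unencrypted "BEGIN PRIVATE KEY" block
            } else {
                // Fail loudly instead of returning null as the question's code does.
                throw new IOException("Not a PKCS#8 private key: "
                        + (obj == null ? "no PEM object found" : obj.getClass().getName()));
            }
            return new JcaPEMKeyConverter().setProvider(BC).getPrivateKey(keyInfo);
        }
    }

    public static void main(String[] args) throws Exception {
        // Demo entry point: args[0] is the PEM path, args[1] the password (both caller-supplied).
        PrivateKey key = loadPrivateKey(args[0], args[1].toCharArray());
        System.out.println(key.getAlgorithm() + " / " + key.getFormat());
    }
}
```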
