Some certificates private keys in Windows-MY not detected

Problem description

Using Windows 7, JDK 6 (and 7).

I'm trying to get personal certificates stored in the Windows MSCAPI key store and its basic properties (in order to use the private key for signing). However, some aliases are identified as not having a private key (isKeyEntry == false) although it actually has one.

Any suggestions how to deal with this "feature"?

The P12 file with certificate (already revoked) & private key having this weird "property" can be downloaded from http://download.upce.cz/terena-public.pfx. Password is "password".

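import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class ListWindowsMy {
    public static void main(String[] args) throws Exception {
        // Open the current user's "Personal" store through the SunMSCAPI provider.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Public X509Certificate type instead of the internal sun.security.x509.X509CertImpl.
            X509Certificate certificate = (X509Certificate) ks.getCertificate(alias);
            System.out.println("Alias: " + alias);
            System.out.println("  Subject: " + certificate.getSubjectDN());
            System.out.println("  Issued By: " + certificate.getIssuerDN());
            // Reported as false for the affected entries even though a private key exists.
            if (ks.isKeyEntry(alias)) {
                System.out.println("  Has private key");
            }
        }
    }
}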


Recommended answer

I imported your pfx file into Mozilla Thunderbird and exported it as a p12 file. Now I can see it through MSCAPI. There must be something in the original certificate that prevents MSCAPI from seeing the private key.

I compared the files and I noticed that in the original file the Key Usage section is used.

Original pfx:

Bag Attributes
   localKeyID: 01 00 00 00
   friendlyName: le-b6311e84-87e7-4e02-9cf6-4012518e0541
   Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
   X509v3 Key Usage: 90

Converted p12:

Bag Attributes
   friendlyName: le-b6311e84-87e7-4e02-9cf6-4012518e0541
   localKeyID: 47 E4 D3 F0 75 48 9D 77 07 E9 51 A4 F1 B6 DF E9 40 80 26 7A
Key Attributes: <No Attributes>

There are more differences in the two files, but I'm not sure which one causes the unwanted behaviour.
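
The comparison described in the answer above, as an added example that is not part of the original question or answer: this Python code parses the two attribute dumps quoted there, lists every attribute that differs between them, and names the bits set in the `90` Key Usage value. It assumes the dumps keep the text layout shown in the answer and that `90` is the first octet of the KeyUsage bit string; the function names are hypothetical.

```python
# Attribute dumps copied from the answer above.
ORIGINAL_PFX = """\
Bag Attributes
   localKeyID: 01 00 00 00
   friendlyName: le-b6311e84-87e7-4e02-9cf6-4012518e0541
   Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
   X509v3 Key Usage: 90
"""
CONVERTED_P12 = """\
Bag Attributes
   friendlyName: le-b6311e84-87e7-4e02-9cf6-4012518e0541
   localKeyID: 47 E4 D3 F0 75 48 9D 77 07 E9 51 A4 F1 B6 DF E9 40 80 26 7A
Key Attributes: <No Attributes>
"""

# RFC 5280 KeyUsage names; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly"]

def parse_attributes(dump):
    """Return {(section, name): value} for every attribute in a dump."""
    attrs, section = {}, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # section header, e.g. "Bag Attributes"
            section = line.split(":", 1)[0].strip()
        else:                          # indented "name: value" entry
            name, _, value = line.strip().partition(":")
            attrs[(section, name.strip())] = value.strip()
    return attrs

def decode_key_usage(hex_octet):
    """Name the KeyUsage bits set in one hex octet (assumed to be the first octet)."""
    byte = int(hex_octet, 16)
    return [n for i, n in enumerate(KEY_USAGE_BITS) if byte & (0x80 >> i)]

def diff_attributes(a, b):
    """List (section, name, value_in_a, value_in_b) for each differing attribute."""
    pa, pb = parse_attributes(a), parse_attributes(b)
    return [(s, n, pa.get((s, n)), pb.get((s, n)))
            for s, n in sorted(set(pa) | set(pb))
            if pa.get((s, n)) != pb.get((s, n))]

if __name__ == "__main__":
    for section, name, old, new in diff_attributes(ORIGINAL_PFX, CONVERTED_P12):
        print(f"{section} / {name}: {old!r} -> {new!r}")
    print("Key Usage 90 =", decode_key_usage("90"))
```

Besides the Key Usage key attribute, the diff shows that the `Microsoft CSP Name` bag attribute is present only in the original file and that the `localKeyID` values differ.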
