1. 首页
  2. 问答
  3. KeyUsage不允许数字签名

KeyUsage不允许数字签名

2013-03-12 128 views
5

我试图从我的Java EE程序向需要证书身份验证的主机发送HTTPS请求。我有一个适当的密钥库文件,带导入CA的信任库,两者的列表显示了证书在里面。KeyUsage不允许数字签名

但我收到以下错误:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures 
    at ... 

... 

Caused by: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures 
    at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:270) 
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:141) 
    at sun.security.validator.Validator.validate(Validator.java:264) 
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) 
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) 
    at  sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) 
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319) 
... 29 more

在扩展的一部分,我看到下面的查看证书内容:

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 33 87 72 1D 09 2F DF FF 1A A7 D1 C0 E1 CF C5 FA 3.r../.......... 
0010: A4 19 54 2E          ..T. 
] 
] 

#2: ObjectId: 2.16.840.1.113730.1.1 Criticality=false 
NetscapeCertType [ 
    SSL client 
] 

#3: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 74 9F 43 07 CC 75 FA D3 D0 13 0F 65 36 CC 4A 9A t.C..u.....e6.J. 
0010: E0 8E 9C 52          ...R 
] 
] 

#4: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://test.az:7447/Test%20CA.crl] 
]] 

#5: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    DigitalSignature 
]

所以我的证书确实含有密钥使用[的DigitalSignature]

引发异常的地方的代码片段如下所示:

private final static int KU_SIGNATURE = 0; 

... 

private void checkTLSServer(X509Certificate cert, String parameter) 
     throws CertificateException { 
    Set<String> exts = getCriticalExtensions(cert); 

    ... 

    } else if (KU_SERVER_SIGNATURE.contains(parameter)) { 
     if (checkKeyUsage(cert, KU_SIGNATURE) == false) { 
      throw new ValidatorException 
        ("KeyUsage does not allow digital signatures", 
        ValidatorException.T_EE_EXTENSIONS, cert); 
     } 
    } 

    ... 
}

checkKeyUsage功能:

private boolean checkKeyUsage(X509Certificate cert, int bit) 
     throws CertificateException { 
    boolean[] keyUsage = cert.getKeyUsage(); 
    if (keyUsage == null) { 
     return true; 
    } 
    return (keyUsage.length > bit) && keyUsage[bit]; 
}

它在回报(keyUsage.length>位)失败& &的keyUsage [比特];

问题是为什么上述表达式的结果= false?当bit = 0且cert.getKeyUsage()必须返回布尔型[true,false,false,false,false,false,false,false]的数组时

来源

2013-03-12 chaplean

+0

您是否检查过链中的所有证书(特别是CA证书)? – Bruno 2013-03-12 12:09:49

+0

是的,实际上我使用运行JRE6的旧服务器中的密钥库和信任库,并且没有问题,但带有JRE7的新服务器会抛出异常。 – chaplean 2013-03-12 12:39:42

+0

使用'-Djavax.net.debug = all'时,你会得到更精确的结果吗? – Bruno 2013-03-12 12:41:12

回答

6

该错误实际上来自验证服务器的证书。该证书的密钥用法部分不包含digitalSignature位。

某些密码套件需要数字签名位,特别是Diffie-Hellman密钥交换(DHE_RSA和ECDHE_RSA)。您可以通过避免使用这些密码类型来避免此错误。否则,服务器证书需要支持它。

来源

2013-12-18 22:04:12

+2

如何避免在java中使用这些密码? – 2017-01-17 04:54:20

相关问题

 相关问题