Java public key verification always returns "Signature does not match"

Note: this page is a translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original Stack Overflow URL: http://stackoverflow.com/questions/12156734/

Time: 2020-10-31 07:49:24  Source: igfitidea

Public key verification always returns "Signature does not match"

Tags: java, security, x509certificate, keystore

Asked by Java_bear

I am trying to verify the public key of a certificate. The certificate has been imported into a keystore using this command:

keytool -importcert -file cert.cer -keystore kstore.jks -alias mycert -storepass changeit

This is the java code I use to verify the public key:

File keyStore = new File("kstore.jks");
String keyStorePassword = "changeit";
KeyStore ks = null;
try {
   ks = KeyStore.getInstance("jks");
   ks.load(keyStore.toURI().toURL().openStream(), keyStorePassword.toCharArray());
} catch (Exception e) {
   e.printStackTrace();
} 

try {
   Certificate cert = ks.getCertificate("mycert");
   PublicKey pk = cert.getPublicKey();
   cert.verify(pk);
   //cert.verify(pk, "SunRsaSign");
   System.out.println("Keys verified");
} catch (Exception e) {
   e.printStackTrace();
}

The exception I get is:

java.security.SignatureException: Signature does not match.
   at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)
   at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:389)
   at VerifyEBXMLSignature.runIt3(VerifyEBXMLSignature.java:62)
   at VerifyEBXMLSignature.main(VerifyEBXMLSignature.java:41)

The certificate contains a public key and I do not have access to the private key. Is it at all possible to verify the public key against this certificate that I import into a keystore? The public key comes from the certificate itself, so it should be correct.

What more should I look for with the certificate?

I just got some more information about the certificate: It is exported from the private key. Is there anything in that process that may have been done wrong?

Accepted answer by Marcus Adams

You shouldn't be passing in the public key that you extracted from the certificate. You should be passing in the public key of the issuer's certificate to verify the signature.

So, as Robert pointed out in comments, your above code only works if it's a self-signed certificate (the certificate is signed with itself).
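
The check described in the accepted answer, as an added example (not code from the original question or answers): it searches the keystore for the certificate whose public key actually verifies the signature on mycert. It assumes the issuer's certificate has also been imported into kstore.jks; the class name VerifyAgainstIssuer and the method findSigner are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: class and method names are hypothetical, not from the original post.
public class VerifyAgainstIssuer {
    // Returns the alias whose public key verifies cert's signature, or null if none does.
    static String findSigner(KeyStore ks, X509Certificate cert) throws GeneralSecurityException {
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate candidate = (X509Certificate) ks.getCertificate(alias);
            // Only a certificate whose subject equals cert's issuer can be the signer.
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(candidate.getPublicKey()); // throws if the signature does not match
                return alias;
            } catch (GeneralSecurityException e) {
                // Same name but a different key: keep looking.
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: file, password and alias from the question, overridable via arguments.
        String path = args.length > 0 ? args[0] : "kstore.jks";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "mycert";
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        if (!(ks.getCertificate(alias) instanceof X509Certificate))
            throw new IllegalArgumentException("No X.509 certificate under alias " + alias);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        String signer = findSigner(ks, cert);
        if (signer == null)
            System.out.println("No certificate in this keystore verifies the signature.");
        else if (cert.equals(ks.getCertificate(signer)))
            System.out.println("Self-signed: verified with its own public key.");
        else
            System.out.println("Signed by the certificate under alias '" + signer + "'.");
    }
}
```

A matching signature only identifies the signer. For a trust decision, validate the whole chain (validity dates, constraints, trust anchor) with java.security.cert.CertPathValidator.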

Answer by Harbeer Kadian

The public key verify method internally uses X509Certificate implementation.

So it can only verify those certificates which are generated as per X509 standards.

For more info, visit http://en.wikipedia.org/wiki/X.509
