HSM error | Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
Problem description:
When decrypting data with a private key retrieved from the HSM, I get the error: HSM error | Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
I have added the sunpkcs11 provider in java.security, so the provider is not added through code. The text is encrypted successfully. However, when decrypting the encrypted text with the line below, I get the following error:
cipher.init(Cipher.DECRYPT_MODE, privateKey);
What am I missing here?
Error:
Caused by: java.security.InvalidKeyException: Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:101) [sunpkcs11.jar:1.7.0_85]
at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:132) [sunpkcs11.jar:1.7.0_85]
at sun.security.pkcs11.P11KeyFactory.convertKey(P11KeyFactory.java:65) [sunpkcs11.jar:1.7.0_85]
at sun.security.pkcs11.P11RSACipher.implInit(P11RSACipher.java:199) [sunpkcs11.jar:1.7.0_85]
at sun.security.pkcs11.P11RSACipher.engineInit(P11RSACipher.java:168) [sunpkcs11.jar:1.7.0_85]
at javax.crypto.Cipher.init(Cipher.java:1068) [jce.jar:1.7.0_85]
at javax.crypto.Cipher.init(Cipher.java:1012) [jce.jar:1.7.0_85]
Below is the code:
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import javax.crypto.Cipher;
import javax.xml.bind.DatatypeConverter;
import sun.security.pkcs11.SunPKCS11;

public class App {
    // 2048-bit RSA: every PKCS#1 v1.5 ciphertext block is exactly 256 bytes
    private static final int BLOCK_SIZE = 256;

    public static void main(String[] args) throws Exception {
        try {
            String passphrase = "mysecretkey"; // HSM token PIN
            // This creates a second SunPKCS11 instance for the same cfg file,
            // in addition to the one already registered statically in java.security.
            SunPKCS11 provider = new SunPKCS11("/home/user/pkcs11.cfg");
            KeyStore keystore = KeyStore.getInstance("PKCS11", provider);
            keystore.load(null, passphrase.toCharArray());

            String textToEncrypt = "this is my text";
            Certificate cert = keystore.getCertificate("my-SHA1WITHRSA-2048-bits-key");
            PublicKey publicKey = cert.getPublicKey();
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            String encryptedData = DatatypeConverter.printBase64Binary(
                    cipher.doFinal(textToEncrypt.getBytes(StandardCharsets.UTF_8)));

            // The private key never leaves the HSM; this is only a handle to it.
            PrivateKey privateKey = (PrivateKey) keystore.getKey("my-SHA1WITHRSA-2048-bits-key",
                    passphrase.toCharArray());
            cipher.init(Cipher.DECRYPT_MODE, privateKey); // <-- fails here

            byte[] decodedEncryptedData = DatatypeConverter.parseBase64Binary(encryptedData);
            ByteArrayOutputStream stream = new ByteArrayOutputStream();
            int blocks = decodedEncryptedData.length / BLOCK_SIZE;
            int offset = 0;
            for (int blockIndex = 0; blockIndex < blocks; blockIndex++) {
                byte[] nextBlock = getNextBlock(decodedEncryptedData, offset);
                stream.write(cipher.doFinal(nextBlock));
                offset += BLOCK_SIZE;
            }
            System.out.println(new String(stream.toByteArray(), StandardCharsets.UTF_8));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Copy one BLOCK_SIZE-byte ciphertext block starting at offset
    private static byte[] getNextBlock(byte[] cipherText, int offset) {
        byte[] block = new byte[BLOCK_SIZE];
        System.arraycopy(cipherText, offset, block, 0, BLOCK_SIZE);
        return block;
    }
}
Answer
How to solve:
The root cause of this issue is that the sunpkcs11 provider gets loaded both statically and dynamically.
That is, in java.security the provider entry has already been added along with the cfg path.
In addition, in the code the provider is initialized again with the cfg file.
This is what causes the problem.
After changing:
SunPKCS11 provider = new SunPKCS11("/home/user/pkcs11.cfg");
to:
SunPKCS11 sunPKCS11Provider = (SunPKCS11) Security.getProvider("SunPKCS11");
the issue got resolved.
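The following is an added example, not the original poster's code or the answer's code, showing the corrected flow end to end: the program looks up the SunPKCS11 instance that java.security already registered and uses that single instance for both the KeyStore and the Cipher. The reason this matters is visible in the stack trace above: P11KeyFactory.convertKey only accepts a P11Key handle that belongs to the same provider instance, and otherwise falls back to translating the key, which needs an RSAPrivate(Crt)Key or a PKCS#8 encoding that a non-extractable HSM key does not have. Assumptions: the cfg path and key alias are the ones from the question, the PIN is read from an environment variable named HSM_PIN rather than hardcoded, and the JDK is 8 or earlier (on Java 9+ the sun.security.pkcs11.SunPKCS11 constructor is gone and the provider is instead obtained with Security.getProvider("SunPKCS11").configure(cfgPath)). Note that a provider registered in java.security is named "SunPKCS11-<name>", where <name> comes from the cfg file, so the lookup matches on that prefix instead of relying on the exact name.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import javax.crypto.Cipher;

public class HsmRsaRoundTrip {
    // Assumed values taken from the question; adjust for your deployment.
    private static final String CFG_PATH = "/home/user/pkcs11.cfg";
    private static final String ALIAS = "my-SHA1WITHRSA-2048-bits-key";

    /**
     * Return the SunPKCS11 provider registered in java.security ("SunPKCS11-<name>").
     * Only if none is registered, load it from the cfg once and register it, so every
     * later lookup (KeyStore, Cipher, Signature) resolves to the same instance.
     */
    static Provider resolveProvider() throws Exception {
        for (Provider p : Security.getProviders()) {
            if (p.getName().startsWith("SunPKCS11")) {
                return p; // static registration wins; never create a second instance
            }
        }
        // Java 8 and earlier only; label: assumption that the cfg exists at CFG_PATH.
        Provider dynamic = new sun.security.pkcs11.SunPKCS11(CFG_PATH);
        Security.addProvider(dynamic);
        return dynamic;
    }

    public static void main(String[] args) throws Exception {
        Provider provider = resolveProvider();
        // Sanity check: the instance we hold must be the registered one.
        if (Security.getProvider(provider.getName()) != provider) {
            throw new IllegalStateException("duplicate SunPKCS11 instance for " + provider.getName());
        }

        // PIN from the environment (assumption: HSM_PIN); avoid hardcoding it in source.
        String pinEnv = System.getenv("HSM_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("HSM_PIN not set");
        }
        char[] pin = pinEnv.toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);

        Certificate cert = ks.getCertificate(ALIAS);
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, pin);
        // A non-extractable HSM key normally has no encoding. That is expected: it is why
        // a different provider instance cannot "translate" the key and throws
        // "Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding".
        System.out.println("private key class: " + priv.getClass().getName()
                + ", encoded: " + (priv.getEncoded() == null ? "null (in HSM)" : "present"));

        // Same provider instance for the cipher as for the keystore that produced the key handle.
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
        cipher.init(Cipher.ENCRYPT_MODE, cert.getPublicKey());
        byte[] ciphertext = cipher.doFinal("this is my text".getBytes(StandardCharsets.UTF_8));

        cipher.init(Cipher.DECRYPT_MODE, priv); // now succeeds: handle and provider match
        byte[] plaintext = cipher.doFinal(ciphertext);
        System.out.println(new String(plaintext, StandardCharsets.UTF_8));

        java.util.Arrays.fill(pin, '\0'); // clear the PIN from memory when done
    }
}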