Keystore Alias Null Error

橙三吉。 Posted on 2019-12-24 01:53:45

Question


I am trying to configure a product called Hermes for a digital signature.

I have a file MyCert.pfx which I specified in its configuration as follows:

<component id="keystore-manager-for-signature" name="Key Store Manager for Digital Signature">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="/opt/mycompany/certs/MyCert.pfx"/>
    <parameter name="keystore-password" value="12345678"/>
    <!-- parameter name="key-alias" value="joeblank"/-->
    <!-- parameter name="key-password" value="12345678"/-->
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>

Hermes throws an exception like this:

hk.hku.cecid.ebms.spa.task.MessageValidationException: Cannot sign the ebxml message
    by hk.hku.cecid.ebms.pkg.SignatureException: [10204] Cannot sign message Exception: java.lang.NullPointerException Message: null
    Try to retreive key alias[null] from keystore[/opt/mycompany/certs/MyCert.pfx]
    by java.lang.NullPointerException

I don't have the alias for the pfx file. I didn't need to specify one when I used it in Tomcat's server.xml.

It was also suggested that I should use a command like this to import the certificate into a JKS store:

keytool -importkeystore -deststorepass [password] -destkeystore [JKS keystore file] -deststoretype JKS -destalias [alias] -srckeystore [p12 keystore file] -srcstoretype PKCS12 -srcstorepass [password] -srcalias [alias]

I had to remove the -srcalias portion since I didn't have that, which required me to remove the -destalias as well. So in this case, I don't have a known alias to reference in mycompany.jks.

Either way I don't have an alias. I tried importing the pfx file using keytool -import, but that throws an "Input not an X.509 certificate".

What do you guys suggest I should try next?


Answer 1:


It sounds like your application doesn't use a default alias when none is specified. It's quite common for applications/libraries (including Apache Tomcat) to pick the first alias they find when none is specified. However, yours seems to need one.

You can find it using keytool -list -storetype PKCS12 -keystore (if needed, use -v too to see the alias more clearly). The alias name should be the first part of the line that says something like 2, Jan 12, 2012, PrivateKeyEntry (here "2"), just before the fingerprint.

keystore -import is indeed just for certificates.

keytool -importkeystore could be used for converting the PKCS#12 store into a JKS store, but you shouldn't need it, since you're able to specify the PKCS12 type.
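
An added example (not part of the original answer, and not Hermes code): a small Java program that loads the PKCS#12 file the way a Java application would, lists every alias, and checks that the store password also unlocks each private key. The class name ListAliases is an assumption, and it uses the JDK's default PKCS12 provider rather than the BouncyCastle provider named in the question's configuration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example. Usage: java ListAliases /path/to/store.pfx
public class ListAliases {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ListAliases <pkcs12-file>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("no console available to prompt for the password");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument,
        // so it stays out of shell history and the process list.
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // throws IOException on a wrong password
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.printf("alias=\"%s\" (certificate only, no key)%n", alias);
                continue;
            }
            // Assumption: the key is protected with the store password, which is
            // the usual case for PKCS#12. A different key password fails here.
            Key key = ks.getKey(alias, password);
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            System.out.printf("alias=\"%s\" key=%s subject=%s%n",
                    alias, key.getAlgorithm(), subject);
        }
        Arrays.fill(password, '\0'); // wipe the password from memory
    }
}
```

The alias printed for the key entry is the value the commented-out key-alias parameter in the question's configuration is asking for.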



Source: https://stackoverflow.com/questions/8831332/keystore-alias-null-error
