我正在尝试从 Azure Key Vault 获取证书及其私钥,然后调用远程服务器并进行客户端证书身份验证。
第一部分效果很好(从 Key Vault 获取),但是我完全坚持将公共(public)和私有(private) Material 导入 KeyStore。
我试过了
keyStore.load(publicKey, null);
keyStore.load(new ByteArrayInputStream(privateKey.getBytes()),
"thePassphrase".toCharArray());
java.io.IOException: DER input, Integer tag error
at java.base/sun.security.util.DerInputStream.getInteger(DerInputStream.java:192)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1995)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl("https://<myvault>.vault.azure.net")
.credential(credential)
.buildClient();
CertificateClient certClient = new CertificateClientBuilder()
.vaultUrl("https://<myvault>.vault.azure.net")
.credential(credential)
.buildClient();
// Get the public part of the cert
KeyVaultCertificateWithPolicy certificate = certClient.getCertificate("Joes-Crab-Shack");
byte[] publicKey = certificate.getCer();
// Get the private key
KeyVaultSecret secret = secretClient.getSecret(
certificate.getName(),
certificate.getProperties().getVersion());
String privateKey = secret.getValue();
// ***************
// How do i get the cert and its private key into KeyStore?
KeyStore keyStore = KeyStore.getInstance("PKCS12");
// I've also tried "JKS" but that leads to
// java.io.IOException: Invalid keystore format
keyStore.load(...)
// ***************
// Do client certificate authentication
SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();
CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
response = httpClient.execute(new HttpGet("https://remote.that.asks.for.client.cert/"));
InputStream inputStream = response.getEntity().getContent();
body = IOUtils.readInputStreamToString(inputStream, Charsets.UTF_8);
最佳答案
有点晚了,但我想提出一个我在从 Azure Keyvault 检索证书然后将其放入 java Keystore 时实践过的解决方案。
我使用的依赖项如下。
com.azure:azure-security-keyvault-certificates:jar:4.1.3
com.azure:azure-identity:jar:1.0.4
com.azure:azure-security-keyvault-secrets:jar:4.1.1
public class RestTemplateProvider {
@Value("${azure.keyvault.service.cert-alias}")
private String alias;
@Value("${azure.keyvault.tenant-id}")
private String tenantId;
@Value("${azure.keyvault.client-key}")
private String clientSecret;
@Value("${azure.keyvault.client-id}")
private String clientId;
@Value("${azure.keyvault.uri}")
private String vaultUri;
public RestTemplate provideRestTemplate() {
char[] emptyPass = {};
CloseIoStream closeableIoStream = CloseIoStream.newInstance();
try {
// Azure KeyVault Credentials
ClientSecretCredential credential = new ClientSecretCredentialBuilder()
.tenantId(tenantId)
.clientId(clientId)
.clientSecret(clientSecret)
.build();
CertificateClient certificateClient = new CertificateClientBuilder()
.vaultUrl(vaultUri)
.credential(credential)
.buildClient();
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl(vaultUri)
.credential(credential)
.buildClient();
// Azure KeyVault Credentials
// Retrieving certificate
KeyVaultCertificateWithPolicy certificateWithPolicy = certificateClient.getCertificate(alias);
KeyVaultSecret secret = secretClient.getSecret(alias, certificateWithPolicy.getProperties().getVersion());
byte[] rawCertificate = certificateWithPolicy.getCer();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream certificateStream = new ByteArrayInputStream(rawCertificate);
Certificate certificate = cf.generateCertificate(certificateStream);
close(certificateStream);
// Retrieving certificate
// Retrieving private key
String base64PrivateKey = secret.getValue();
byte[] rawPrivateKey = Base64.getDecoder().decode(base64PrivateKey);
KeyStore rsaKeyGenerator = KeyStore.getInstance(KeyStore.getDefaultType());
ByteArrayInputStream keyStream = new ByteArrayInputStream(rawPrivateKey);
rsaKeyGenerator.load(keyStream, null);
close(keyStream);
Key rsaPrivateKey = rsaKeyGenerator.getKey(rsaKeyGenerator.aliases().nextElement(), emptyPass);
// Retrieving private key
// Importing certificate and private key into the KeyStore
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setKeyEntry(alias, rsaPrivateKey, emptyPass, new Certificate[] {certificate});
// Importing certificate and private key into the KeyStore
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
new SSLContextBuilder()
.loadTrustMaterial(null, new TrustAllStrategy())
.loadKeyMaterial(keyStore, emptyPass)
.build(),
NoopHostnameVerifier.INSTANCE);
// It is just a sample, except for the sslsocketfactory please use the configuration which is right for you.
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(socketFactory)
.setConnectionTimeToLive(1000, TimeUnit.MILLISECONDS)
.setKeepAliveStrategy((httpResponse, httpContext) -> 10 * 1000)
.build();
ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
RestTemplate restTemplate = new RestTemplate(requestFactory);
return restTemplate;
} catch (IOException | CertificateException
| NoSuchAlgorithmException | UnrecoverableKeyException
| KeyStoreException | KeyManagementException e) {
log.error("Error!!!")
}
return null;
}
private void close(Closeable c) {
if (c != null) {
try {
c.close();
} catch (IOException e) {
// log
}
}
}
}
关于java - 将证书和私钥加载到 Java KeyStore 中,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62701407/