java - 在 Windows 中使用 java 8u121 签署 XML 时出现问题

Question

我用java 8签署XML文档没有问题，直到我升级到Java 8u121版本，代码是:

    String xml_entrada = "D:\\CeslySoft\\Ivap_facturador\\CPE\\FirmaXML\\Schema-20480510144-RC-20170327-0001.xml";
    String xml_salida  = "D:\\CeslySoft\\Ivap_facturador\\CPE\\FirmaXML\\20480510144-RC-20170327-0001.xml";
    String certi_digital = "D:\\CeslySoft\\Ivap_facturador\\Certificados\\molchiclayo1.jks";        
    String clave = "9ghi0nmbR0ft";
    String alias = "1"; 
    String tipodoc = "09";      

    int indice = (tipodoc.equals("09")? 0: 1);      
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
    Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1,null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null,null);     
    SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, 
            (C14NMethodParameterSpec) null), 
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
            Collections.singletonList(ref));

    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(certi_digital), clave.toCharArray());
    KeyStore.PrivateKeyEntry keyEntry 
        = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(clave.toCharArray()));

    X509Certificate cert = (X509Certificate) keyEntry.getCertificate();

    KeyInfoFactory kif = fac.getKeyInfoFactory();
    List<Object> x509content = new ArrayList<>();
    x509content.add(cert.getSubjectX500Principal().getName());
    x509content.add(cert);      
    X509Data xd = kif.newX509Data(x509content);
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);        
    //Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(xml_entrada));
    InputSource is = new InputSource(new InputStreamReader(new FileInputStream(xml_entrada), "ISO-8859-1"));
    Document doc = dbf.newDocumentBuilder().parse(is);

    Node nodePadre = doc.getElementsByTagName("ext:ExtensionContent").item(indice);     
    nodePadre.getNodeValue();
    DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), nodePadre);

    XMLSignature signature = fac.newXMLSignature(si, ki, null, "SignatureSP", null);
    signature.sign(dsc);

    OutputStream os = new FileOutputStream(xml_salida);
    TransformerFactory tf = TransformerFactory.newInstance();
    Transformer trans = tf.newTransformer();
    trans.setOutputProperty(OutputKeys.ENCODING, "ISO-8859-1");

    trans.transform(new DOMSource(doc), new StreamResult(os));      

错误出现在代码行中:

   signature.sign(dsc)

错误是:

javax.xml.crypto.XMLSignatureException: java.security.InvalidKeyException: Invalid RSA private key

……

对于 Java 8u121 之前的版本，不会出现任何错误。

Answer 1

这是由于 JDK 8u121 ( http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html ) 中的修复而导致的错误“在 DER 编码解析代码中添加了更多检查 在 DER 编码解析代码中添加了更多检查以捕获各种编码错误。此外，包含构造不定长编码的签名现在将在解析期间导致 IOException。请注意，使用 JDK 默认提供程序生成的签名不受此更改的影响。JDK-8168714(非公开)“

这个问题已经通过 JDK-8175251( https://bugs.openjdk.java.net/browse/JDK-8175251 ) 修复，将在下一个 JDK 更新中提供。 JDK 8u152 中已存在该修复程序，可以从 https://jdk8.java.net/download.html 下载其早期访问版本。