InvalidKeyException: 无效的密钥格式 java

InvalidKeyException: Invalid key format java

我正在尝试从 Vault 中检索 public 密钥。它被秘密存储。

我正在尝试将检索到的字符串转换为 PUBLIC KEY 以验证签名。

示例 public 密钥字符串如下所示

-----BEGIN PUBLIC KEY----- MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBWeqVZ8Ub/o4VQ8nnm888B /Ydqv2IN5bObxupZ7njMKuT/WPgwlK8+Wc0Xjhy82E51XW6E4/0um8sIQ1cxvoSO QsrfkRagD+O9OrjQbb2TqrilDDhFx9EGjXuZpR3brDUufCG6SkypqiKSaMuoVoax c82TZ1uAIp5OSroWt1IdUkvam24X/7zDIf1l8XWCmbfCDrBb73hBYA4MgTjsSckC 5nz+GLcWTfz0wze4lwHCi1KYFv+1+WcYHWPLbqLtc8nzVqkuP5Ne/9HAFkaEAIw5 fKLccksaT/TLyIcrALcfuABlgX1yeBulVcbTAp+WiYRvo9+FKK23pbwkh+uy0tq1 AgMBAAE= -----END PUBLIC KEY-----

我在我的秘密值中添加了相同的内容,但没有格式化。

但是使用下面的代码我在行中遇到错误 InvalidKeyException: INVALID KEY FORMAT

 PublicKey publicKey = fact.generatePublic(pubKeySpec);

代码如下:

            String publicKeyAsString = secretClient.getSecret("key-name").getValue();
    
            byte[] keyContentAsBytes = publicKeyAsString.getBytes();
    
            KeyFactory fact = KeyFactory.getInstance("RSA");
            X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(keyContentAsBytes);
            PublicKey publicKey = fact.generatePublic(pubKeySpec);

使用堆栈跟踪编辑:

Caused by: java.security.InvalidKeyException: invalid key format
    at sun.security.x509.X509Key.decode(X509Key.java:386) ~[?:?]
    at sun.security.x509.X509Key.decode(X509Key.java:401) ~[?:?]
    at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:122) ~[?:?]
    at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:330) ~[?:?]
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:235) ~[?:?]

编辑:PUBLIC 测试密钥:

-----BEGIN PUBLIC KEY----- MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBWeqVZ8Ub/o4VQ8nnm888B /Ydqv2IN5bObxupZ7njMKuT/WPgwlK8+Wc0Xjhy82E51XW6E4/0um8sIQ1cxvoSO QsrfkRagD+O9OrjQbb2TqrilDDhFx9EGjXuZpR3brDUufCG6SkypqiKSaMuoVoax c82TZ1uAIp5OSroWt1IdUkvam24X/7zDIf1l8XWCmbfCDrBb73hBYA4MgTjsSckC 5nz+GLcWTfz0wze4lwHCi1KYFv+1+WcYHWPLbqLtc8nzVqkuP5Ne/9HAFkaEAIw5 fKLccksaT/TLyIcrALcfuABlgX1yeBulVcbTAp+WiYRvo9+FKK23pbwkh+uy0tq1 AgMBAAE= -----END PUBLIC KEY-----

PublicKeyAsString 的值如下所示:

-----BEGIN PUBLIC KEY----- MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBWeqVZ8Ub/o4VQ8nnm888B /Ydqv2IN5bObxupZ7njMKuT/WPgwlK8+Wc0Xjhy82E51XW6E4/0um8sIQ1cxvoSO QsrfkRagD+O9OrjQbb2TqrilDDhFx9EGjXuZpR3brDUufCG6SkypqiKSaMuoVoax c82TZ1uAIp5OSroWt1IdUkvam24X/7zDIf1l8XWCmbfCDrBb73hBYA4MgTjsSckC 5nz+GLcWTfz0wze4lwHCi1KYFv+1+WcYHWPLbqLtc8nzVqkuP5Ne/9HAFkaEAIw5 fKLccksaT/TLyIcrALcfuABlgX1yeBulVcbTAp+WiYRvo9+FKK23pbwkh+uy0tq1 AgMBAAE= -----END PUBLIC KEY-----

最初我认为您的问题与 Azure KeyVault Secret API 返回的信息类型有关,通常编码为 base 64。

在那种情况下,您需要在尝试执行实际密钥 material 处理之前执行适当的 base 64 解码:

String publicKeyAsString = secretClient.getSecret("key-name").getValue();
    
byte[] keyContentAsBytes = Base64.getDecoder().decode(publicKeyAsString);

但 Azure 客户端似乎以纯文本形式向您提供信息。

在这种情况下,秘密是一个 pem 编码的 public 密钥。

标准 KeyFactory 不允许您开箱即用地处理返回的信息,但可以稍作修改。例如,尝试以下操作:

// Actually
// String publicKeyAsString = secretClient.getSecret("key-name").getValue();

String publicKeyAsString =
    "-----BEGIN PUBLIC KEY-----\n" +
    "MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBWeqVZ8Ub/o4VQ8nnm888B\n" +
    "/Ydqv2IN5bObxupZ7njMKuT/WPgwlK8+Wc0Xjhy82E51XW6E4/0um8sIQ1cxvoSO\n" +
    "QsrfkRagD+O9OrjQbb2TqrilDDhFx9EGjXuZpR3brDUufCG6SkypqiKSaMuoVoax\n" +
    "c82TZ1uAIp5OSroWt1IdUkvam24X/7zDIf1l8XWCmbfCDrBb73hBYA4MgTjsSckC\n" +
    "5nz+GLcWTfz0wze4lwHCi1KYFv+1+WcYHWPLbqLtc8nzVqkuP5Ne/9HAFkaEAIw5\n" +
    "fKLccksaT/TLyIcrALcfuABlgX1yeBulVcbTAp+WiYRvo9+FKK23pbwkh+uy0tq1\n" +
    "AgMBAAE=\n" +
    "-----END PUBLIC KEY-----";

String publicKeyPem = publicKeyAsString
    .replace("-----BEGIN PUBLIC KEY-----", "")
    .replaceAll("\n", "")
    .replace("-----END PUBLIC KEY-----", "");

byte[] keyContentAsBytes =  Base64.getDecoder().decode(publicKeyPem);

try {
  KeyFactory fact = KeyFactory.getInstance("RSA");
  X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(keyContentAsBytes);
  PublicKey publicKey = fact.generatePublic(pubKeySpec);
  System.out.println(publicKey);
}catch (Throwable t) {
  t.printStackTrace();
}

或者更好,使用 BouncyCastle PemReader 完成此任务:

try (
    Reader reader = new StringReader(publicKeyAsString);
    PemReader pemReader = new PemReader(reader)
) {
  KeyFactory fact = KeyFactory.getInstance("RSA");
  PemObject pemObject = pemReader.readPemObject();
  byte[] keyContentAsBytesFromBC = pemObject.getContent();
  X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(keyContentAsBytesFromBC);
  PublicKey publicKey = fact.generatePublic(pubKeySpec);
  System.out.println(publicKey);
} catch (Throwable t) {
  t.printStackTrace();
}

请注意,我在变量 publicKeyAsString 的定义中包含了几个回车符 returns,它们是程序处理信息所必需的。

请验证 Azure 是否以类似的方式返回 pem 编码密钥:如果不是这样,很可能是问题的原因。

此外,请注意 Azure KeyVault 会在您上传时返回秘密:也许问题就在那里。请改为尝试以下操作:

PublicKey publicKey = ...
StringWriter writer = new StringWriter();
PemWriter pemWriter = new PemWriter(writer);
pemWriter.writeObject(
  new PemObject("PUBLIC KEY", publicKey.getEncoded())
);
pemWriter.flush();
pemWriter.close();
String publicKeyAsString = writer.toString();
// Upload to Azure KeyVault