
Certificate loading error when using an openssl-generated RSA certificate in the console #817

Open
liuxinfeng96 opened this issue Aug 23, 2023 · 6 comments
Labels
resolved (The issue has been resolved), v2.x

Comments

@liuxinfeng96

I generated an RSA certificate with openssl myself. A program built with the Go SDK, configured with this key and certificate, has no connection or loading problem: it reads on-chain data and subscribes to the blockchain normally. However, when I wanted to send transactions with the console, configured the RSA key and certificate in the console and ran the console start script, it failed with a key-reading error, as shown:
[screenshot of the console start error]
My key and certificate:
conf.zip

@kyonRay
Member

kyonRay commented Sep 7, 2023

Hi @liuxinfeng96
Please provide the chain version, the SDK CA certificate under the chain directory (to confirm that the manually generated certificate was issued by the same CA), and the exact openssl commands used to generate the certificate.

@liuxinfeng96
Author

liuxinfeng96 commented Sep 7, 2023

Chain version: 2.9.1
The SDK CA certificate is in conf.zip at the bottom of the issue.
openssl commands:

```shell
# The post shows these as "+"-concatenated strings in a Go program; they are
# written here as shell with the same variable names (paths and values that the
# program fills in at runtime). The CSR (csrPath) step was not included in the post.
openssl genrsa -out "$skPath" 2048
openssl rsa -in "$skPath" -inform pem -pubout -out "$pkPath"

openssl x509 -req -days "$dayStr" -sha256 -CA "$caCertPath" -CAkey "$caKeyPath" \
  -in "$csrPath" -out "$certPath" -set_serial "$snStr" \
  -extfile "$opensslConfigPath" -extensions "$v3Str"
```

@liuxinfeng96
Author

liuxinfeng96 commented Sep 7, 2023

First, the error says my private key is invalid; it has not even got to the certificate. Second, I have parsed my private key with openssl and it is fine. Also, a key and certificate generated with the Go standard library give the same error. But loading this key and certificate with the Go SDK to connect to and subscribe to a node works fine, so I suspect the Java SDK rejects the key when parsing it because the encoding format does not match what it expects.

@kyonRay
Member

kyonRay commented Sep 7, 2023

The private key format should be PKCS#8, so a final step is needed to convert the private key to PKCS#8. Full steps:

```shell
# 1. RSA key pair. With OpenSSL 1.x this is a PKCS#1 key ("BEGIN RSA PRIVATE KEY"),
#    which Netty rejects; OpenSSL 3.x genrsa already writes PKCS#8 ("BEGIN PRIVATE KEY"),
#    in which case step 4 changes nothing.
openssl genrsa -out ./sdk1/sdk.key 2048

# 2. CSR for the SDK identity
openssl req -new -sha256 -subj /CN=FISCO-BCOS/O=fisco-bcos/OU=agency -key ./sdk1/sdk.key -out ./sdk1/sdk.csr

# 3. Sign with the agency's channel CA (the same CA the nodes trust).
#    v4_req must be a section in the OpenSSL config in use; pass -extfile <cnf>
#    if it is not defined in the default openssl.cnf.
openssl x509 -req -days 36500 -sha256 -CA /temp/nodes/cert/agency/channel/ca.crt -CAkey /temp/nodes/cert/agency/channel/ca.key -CAcreateserial -in ./sdk1/sdk.csr -out ./sdk1/sdk.crt -extensions v4_req

# 4. Convert PKCS#1 to unencrypted PKCS#8 and replace the key the SDK loads
openssl pkcs8 -topk8 -in ./sdk1/sdk.key -out ./sdk1/pkcs8_node.key -nocrypt
mv ./sdk1/pkcs8_node.key ./sdk1/sdk.key
```

@liuxinfeng96
Author

OK, understood, thanks for the answer!

@kyonRay
Member

kyonRay commented Sep 7, 2023

The reason the Java SDK currently only supports PKCS#8 is that the Java SDK relies on Netty to set up its network connections, and Netty currently only accepts PKCS#8 private keys when loading a private key; see: https://netty.io/wiki/sslcontextbuilder-and-private-key.html

In principle any RSA private key could be supported; the Java SDK is just constrained by its use of Netty. Future versions will consider supporting PKCS#1 as well.
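Added example, not code from this thread, FISCO-BCOS or Netty: a standard-library Python script that classifies a PEM private key as PKCS#1 or PKCS#8 (the distinction behind the conversion step and the Netty limitation above) and wraps a PKCS#1 RSAPrivateKey into the unencrypted PKCS#8 PrivateKeyInfo that `openssl pkcs8 -topk8 -nocrypt` produces, with a small DER parser to verify the result. The RSA key embedded in it is constructed from textbook primes and is not a usable key; all function names are the example's own.

```python
# Added example (not FISCO-BCOS, Netty or the issue author's code): detect the
# PEM private-key format and wrap PKCS#1 into unencrypted PKCS#8 by hand.
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value, long-form length when content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value: int) -> bytes:
    """DER INTEGER: minimal big-endian, leading 0x00 if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n


def pem_decode(pem: str):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def pem_encode(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def key_format(pem: str) -> str:
    """pkcs1 = 'RSA PRIVATE KEY' (rejected by Netty), pkcs8 = 'PRIVATE KEY',
    pkcs8-encrypted needs a password, pkcs1-encrypted is the legacy
    Proc-Type/DEK-Info form, other = e.g. SEC1 'EC PRIVATE KEY'."""
    if "Proc-Type: 4,ENCRYPTED" in pem:
        return "pkcs1-encrypted"
    label, _ = pem_decode(pem)
    return {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8",
            "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}.get(label, "other")


def pkcs1_to_pkcs8(rsa_private_key_der: bytes) -> bytes:
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER 0, AlgorithmIdentifier
    {rsaEncryption, NULL}, privateKey OCTET STRING (the untouched RSAPrivateKey) }"""
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")
    return der_tlv(0x30, der_int(0) + alg_id + der_tlv(0x04, rsa_private_key_der))


def unwrap_pkcs8(pkcs8_der: bytes) -> bytes:
    """Minimal PrivateKeyInfo check: version 0, rsaEncryption, returns inner DER."""
    tag, body, end = der_read(pkcs8_der)
    if tag != 0x30 or end != len(pkcs8_der):
        raise ValueError("not a single SEQUENCE")
    tag, ver, pos = der_read(body)
    if tag != 0x02 or ver != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, alg, pos = der_read(body, pos)
    oid_tag, oid, _ = der_read(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, inner, _ = der_read(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey is not an OCTET STRING")
    return inner


def ensure_pkcs8(pem: str) -> str:
    """Return PKCS#8 PEM: pass PKCS#8 through, wrap PKCS#1, refuse the rest."""
    fmt = key_format(pem)
    if fmt == "pkcs8":
        return pem
    if fmt == "pkcs1":
        return pem_encode("PRIVATE KEY", pkcs1_to_pkcs8(pem_decode(pem)[1]))
    raise ValueError(f"cannot convert a {fmt} key without more information")


# Constructed toy RSAPrivateKey (p=61, q=53, textbook numbers; NOT a usable key):
# SEQUENCE { version 0, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p }
TOY_PKCS1_DER = der_tlv(0x30, b"".join(der_int(v) for v in
                                       (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS1_PEM = pem_encode("RSA PRIVATE KEY", TOY_PKCS1_DER)

if __name__ == "__main__":
    print(key_format(TOY_PKCS1_PEM))          # pkcs1: what the console choked on
    converted = ensure_pkcs8(TOY_PKCS1_PEM)
    print(key_format(converted))              # pkcs8: what Netty loads
    print(converted)
```

Running `key_format` over a key before handing it to the console tells you in advance whether the Java SDK will accept it; the wrapping shows that the PKCS#8 form carries the original RSAPrivateKey bytes unchanged, which is why the Go SDK (which reads PKCS#1 directly) and openssl both parsed the key while Netty refused it.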

@kyonRay kyonRay added resolved The issue has been resolved v2.x labels Sep 7, 2023