I am trying to load certificate file into certificate object, but I am getting the below exception.
java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1701)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:303)
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:532)
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:417)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:427)
Below is the code I am using to read the certificate file,
final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
final Collection<? extends Certificate> certs =
(Collection<? extends Certificate>) certFactory.generateCertificates(new ByteArrayInputStream(FileUtils.readFileToByteArray(serverCertFile)));
Below is the contents of certificate file,
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c1:cb:80:07:27:ce:4b:62
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=qw, ST=ewe, L=rew, O=rwerwe, OU=rwer, CN=rew/emailAddress=rewrew
Validity
Not Before: Jan 28 06:17:34 2013 GMT
Not After : Feb 27 06:17:34 2013 GMT
Subject: C=qw, ST=ewe, L=rew, O=rwerwe, OU=rwer, CN=rew/emailAddress=rewrew
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:d5:fd:01:2b:6d:ab:e2:da:a9:b4:a9:67:48:
ce:72:d9:15:de:66:22:8e:68:a8:7b:7e:55:06:97:
56:d2:bd:6a:2e:04:89:df:6a:36:9e:3d:ba:fc:32:
b2:8b:f0:69:5d:54:54:b6:3e:b5:55:38:89:1f:1c:
d0:4b:21:de:76:b3:be:fc:41:b5:62:b8:b8:3b:dc:
ad:6d:e1:fc:1c:56:6d:90:1a:b3:6c:57:7e:66:a0:
07:b9:16:99:cc:d4:c9:ee:05:7c:9d:1c:fb:6b:8f:
a3:4b:d6:1c:a9:aa:51:e1:41:0d:10:a9:fe:b6:1b:
f0:33:0c:ea:52:b9:9b:8e:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FF:24:75:B1:32:C2:74:6D:B4:CB:22:A9:92:CF:F4:B6:4A:5F:0B:56
X509v3 Authority Key Identifier:
keyid:FF:24:75:B1:32:C2:74:6D:B4:CB:22:A9:92:CF:F4:B6:4A:5F:0B:56
DirName:/C=qw/ST=ewe/L=rew/O=rwerwe/OU=rwer/CN=rew/emailAddress=rewrew
serial:C1:CB:80:07:27:CE:4B:62
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
46:14:65:27:c2:cd:55:ba:b4:0f:92:ac:8c:e4:bd:e5:e5:8d:
e3:3b:59:52:9b:40:6a:dc:e3:cf:2c:03:49:e4:56:33:88:f6:
94:10:de:64:00:2e:c6:2a:13:98:d0:16:71:25:8a:ea:04:3f:
14:af:bf:8d:e1:7f:aa:54:78:68:32:86:67:9d:1d:42:fc:cb:
1d:f2:7c:0b:1d:24:2f:e5:3f:bd:01:bd:d7:2d:74:4a:e9:7b:
2f:25:97:64:7e:10:ba:bf:dd:49:6d:8a:91:e4:50:d8:a3:04:
cc:37:8c:45:bd:13:b7:88:72:ef:24:20:b1:aa:05:6c:37:36:
05:c6
-----BEGIN CERTIFICATE-----
MIIDLjCCApegAwIBAgIJAMHLgAcnzktiMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
BAYTAnF3MQwwCgYDVQQIEwNld2UxDDAKBgNVBAcTA3JldzEPMA0GA1UEChMGcndl
cndlMQ0wCwYDVQQLEwRyd2VyMQwwCgYDVQQDEwNyZXcxFTATBgkqhkiG9w0BCQEW
BnJld3JldzAeFw0xMzAxMjgwNjE3MzRaFw0xMzAyMjcwNjE3MzRaMG4xCzAJBgNV
BAYTAnF3MQwwCgYDVQQIEwNld2UxDDAKBgNVBAcTA3JldzEPMA0GA1UEChMGcndl
cndlMQ0wCwYDVQQLEwRyd2VyMQwwCgYDVQQDEwNyZXcxFTATBgkqhkiG9w0BCQEW
BnJld3JldzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAttX9ASttq+LaqbSp
Z0jOctkV3mYijmioe35VBpdW0r1qLgSJ32o2nj26/DKyi/BpXVRUtj61VTiJHxzQ
SyHedrO+/EG1Yri4O9ytbeH8HFZtkBqzbFd+ZqAHuRaZzNTJ7gV8nRz7a4+jS9Yc
qapR4UENEKn+thvwMwzqUrmbjl0CAwEAAaOB0zCB0DAdBgNVHQ4EFgQU/yR1sTLC
dG20yyKpks/0tkpfC1YwgaAGA1UdIwSBmDCBlYAU/yR1sTLCdG20yyKpks/0tkpf
C1ahcqRwMG4xCzAJBgNVBAYTAnF3MQwwCgYDVQQIEwNld2UxDDAKBgNVBAcTA3Jl
dzEPMA0GA1UEChMGcndlcndlMQ0wCwYDVQQLEwRyd2VyMQwwCgYDVQQDEwNyZXcx
FTATBgkqhkiG9w0BCQEWBnJld3Jld4IJAMHLgAcnzktiMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQEFBQADgYEARhRlJ8LNVbq0D5KsjOS95eWN4ztZUptAatzjzywD
SeRWM4j2lBDeZAAuxioTmNAWcSWK6gQ/FK+/jeF/qlR4aDKGZ50dQvzLHfJ8Cx0k
L+U/vQG91y10Sul7LyWXZH4Qur/dSW2KkeRQ2KMEzDeMRb0Tt4hy7yQgsaoFbDc2
BcY=
-----END CERTIFICATE-----
If I use the same code with removing the contents in certificate file from top till BEGIN CERTIFICATE, its working fine. But my requirement is certificate file will have those contents. Have anyone faced this error ? Any help will be really appreciated.
The problem is that the CertificateFactory only reads a certificate in PEM format if it starts with -----BEGIN CERTIFICATE----- straight away. Some tools add extra information (here, the result of openssl x509 -text) first, but the certificate factory doesn't ignore it and treat it as a badly formed certificate.
Instead, use a BuffedReader and readLine() to read your file, ignoring any line until you get to -----BEGIN CERTIFICATE-----. Then, add all the lines until -----END CERTIFICATE----- to a temporary string variable (or similar, e.g. StringBuilder). Pass this to the CertificateFactory.
It looks to me like your certificate file may not be in the correct format.
The documentation for CertificateFactory.generateCertificates says,
In the case of a certificate factory for X.509 certificates, the certificate provided in inStream must be DER-encoded and may be supplied in binary or printable (Base64) encoding. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
I don't believe that the problem is as simple as adding the boundary markers to your existing certificate.
I've only ever used PEM format, which is base-64 encoded DER, so I don't know for sure that yours is the wrong format, but I'm guessing that a binary DER-encoded certificate is not human-readable text.
So, I'd suggest that you go back to the source certificate, and make sure that you get a copy with the correct format. If you have a different format for the original cert, you can convert it to pem format with openssl.
来源:https://stackoverflow.com/questions/14560489/load-certificate-file-into-certificate-object