从 Java 6 升级到 Java 7/8 后,Apple 无法推送
Apple pushes not working after upgrading from Java 6 to Java 7/8
我正在将通过 APNS 向 Apple 设备发送推送通知的应用程序从 Java 6 升级到 Java 8。
当 运行 在 Java 6 和 Java 8 下工作的同一个 JAR 使用相同的 PKCS12 证书文件时,如果我尝试发送推送,我会返回状态代码 8 (令牌无效)。
可能是什么原因造成的?
此问题是由 PKCS12 文件的内容和 Java 将 PKCS12 文件读取到 Java 6 和 7 之间的 KeyStore 对象的方式发生变化引起的.
运行 openssl pkcs12 -in filename 在有问题的 pkcs12 文件上产生以下内容:
Enter Import Password:
MAC verified OK
Bag Attributes
friendlyName: Apple Development IOS Push Services: app.id.1
localKeyID: .... snip ....
subject=/UID=app.id.1/CN=Apple Development IOS Push Services: app.id.1/OU=PRXXXXXXXX/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
... snip ...
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Apple Development IOS Push Services: app.id.2
localKeyID: .... snip ....
subject=/UID=app.id.2/CN=Apple Development IOS Push Services: app.id.2/OU=PRXXXXXXXX/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
... snip ...
-----END CERTIFICATE-----
Bag Attributes
friendlyName: User Name
localKeyID: ... snip ...
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
... snip ...
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: User Name
localKeyID: ... snip ...
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
... snip ...
-----END ENCRYPTED PRIVATE KEY-----
你可以在这里看到PKCS12文件包含2个证书和2个私钥(实际上是同一个密钥的2个副本),每个对应一个不同的App ID。列出的第一个是预期的应用程序 ID,而第二个是我们使用的不同应用程序。
此文件被读入 KeyStore,随后传递给 SSLSocket 以连接到 Apple。这是按如下方式完成的:
String password = "my_password";
KeyStore.ProtectionParameter pwParam = new KeyStore.PasswordProtection(password.toCharArray());
KeyStore keystore = KeyStore.getInstance("PKCS12");
System.out.println("keystore classname: " + keystore.getClass().getName());
FileInputStream fileStream = new FileInputStream("certificate_file.p12");
keystore.load(fileStream, password.toCharArray());
for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements(); ) {
String alias = e.nextElement();
System.out.println("*** entry name: " + alias);
KeyStore.Entry entry = keystore.getEntry(alias, pwParam);
System.out.println("entry as string: " + entry.toString());
for (Certificate cert: keystore.getCertificateChain(alias)) {
System.out.println("*** cert: " + cert);
}
}
在 Java 6 下,运行 以上为我们提供了以下内容:
keystore classname: java.security.KeyStore
*** entry name: User Name
entry as string: Private key entry and certificate chain with 1 elements:
[
[
Version: V3
Subject: C=US, OU=PRXXXXXXXX, CN=Apple Development IOS Push Services: app.id.1, UID=app.id.1
....
在 Java 7 或 8 下,我们得到:
keystore classname: java.security.KeyStore
*** entry name: User Name
entry as string: Private key entry and certificate chain with 1 elements:
[
[
Version: V3
Subject: C=US, OU=PRXXXXXXXX, CN=Apple Development IOS Push Services: app.id.2, UID=app.id.2
因此,因为两个证书都引用相同的私钥,一个会覆盖另一个,因此 KeyStore 仅包含两个证书之一。 Java6下保留第一个证书,而Java7和8下保留第二个证书。因此,当连接到 Apple 时,它会发送错误的证书,并且发送的任何推送都被视为无效,因为发送的推送令牌的 App ID 与用于连接的证书的 App ID 不匹配。
要解决此问题,生成的 PKCS12 文件应仅包含预期的 App ID。这可确保读取并随后使用正确的证书连接到 Apple。
我正在将通过 APNS 向 Apple 设备发送推送通知的应用程序从 Java 6 升级到 Java 8。
当 运行 在 Java 6 和 Java 8 下工作的同一个 JAR 使用相同的 PKCS12 证书文件时,如果我尝试发送推送,我会返回状态代码 8 (令牌无效)。
可能是什么原因造成的?
此问题是由 PKCS12 文件的内容和 Java 将 PKCS12 文件读取到 Java 6 和 7 之间的 KeyStore 对象的方式发生变化引起的.
运行 openssl pkcs12 -in filename 在有问题的 pkcs12 文件上产生以下内容:
Enter Import Password:
MAC verified OK
Bag Attributes
friendlyName: Apple Development IOS Push Services: app.id.1
localKeyID: .... snip ....
subject=/UID=app.id.1/CN=Apple Development IOS Push Services: app.id.1/OU=PRXXXXXXXX/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
... snip ...
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Apple Development IOS Push Services: app.id.2
localKeyID: .... snip ....
subject=/UID=app.id.2/CN=Apple Development IOS Push Services: app.id.2/OU=PRXXXXXXXX/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
... snip ...
-----END CERTIFICATE-----
Bag Attributes
friendlyName: User Name
localKeyID: ... snip ...
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
... snip ...
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: User Name
localKeyID: ... snip ...
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
... snip ...
-----END ENCRYPTED PRIVATE KEY-----
你可以在这里看到PKCS12文件包含2个证书和2个私钥(实际上是同一个密钥的2个副本),每个对应一个不同的App ID。列出的第一个是预期的应用程序 ID,而第二个是我们使用的不同应用程序。
此文件被读入 KeyStore,随后传递给 SSLSocket 以连接到 Apple。这是按如下方式完成的:
String password = "my_password";
KeyStore.ProtectionParameter pwParam = new KeyStore.PasswordProtection(password.toCharArray());
KeyStore keystore = KeyStore.getInstance("PKCS12");
System.out.println("keystore classname: " + keystore.getClass().getName());
FileInputStream fileStream = new FileInputStream("certificate_file.p12");
keystore.load(fileStream, password.toCharArray());
for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements(); ) {
String alias = e.nextElement();
System.out.println("*** entry name: " + alias);
KeyStore.Entry entry = keystore.getEntry(alias, pwParam);
System.out.println("entry as string: " + entry.toString());
for (Certificate cert: keystore.getCertificateChain(alias)) {
System.out.println("*** cert: " + cert);
}
}
在 Java 6 下,运行 以上为我们提供了以下内容:
keystore classname: java.security.KeyStore
*** entry name: User Name
entry as string: Private key entry and certificate chain with 1 elements:
[
[
Version: V3
Subject: C=US, OU=PRXXXXXXXX, CN=Apple Development IOS Push Services: app.id.1, UID=app.id.1
....
在 Java 7 或 8 下,我们得到:
keystore classname: java.security.KeyStore
*** entry name: User Name
entry as string: Private key entry and certificate chain with 1 elements:
[
[
Version: V3
Subject: C=US, OU=PRXXXXXXXX, CN=Apple Development IOS Push Services: app.id.2, UID=app.id.2
因此,因为两个证书都引用相同的私钥,一个会覆盖另一个,因此 KeyStore 仅包含两个证书之一。 Java6下保留第一个证书,而Java7和8下保留第二个证书。因此,当连接到 Apple 时,它会发送错误的证书,并且发送的任何推送都被视为无效,因为发送的推送令牌的 App ID 与用于连接的证书的 App ID 不匹配。
要解决此问题,生成的 PKCS12 文件应仅包含预期的 App ID。这可确保读取并随后使用正确的证书连接到 Apple。