创建x.509证书时出错 [英] Error while creating x.509 certificate
问题描述
我想创建x.509证书,
,因此我从Wrox复制以下代码,使用Java的Beggining Cryptography第6章。
I would like to create x.509 certificate, so I copy the following codes from Wrox, Beggining Cryptography with Java, chapter 6.
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import chapter6.PKCS10ExtensionExample;
import chapter6.X509V1CreateExample;
//example of a basic CA
public class PKCS10CertCreateExample
{
public static X509Certificate[] buildChain() throws Exception
{
//create the certification request
KeyPair pair = chapter7.Utils.generateRSAKeyPair();
PKCS10CertificationRequest request = PKCS10ExtensionExample.generateRequest(pair);
//create a root certificate
KeyPair rootPair=chapter7.Utils.generateRSAKeyPair();
X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair);
//validate the certification request
if(!request.verify("BC"))
{
System.out.println("request failed to verify!");
System.exit(1);
}
//create the certificate using the information in the request
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(rootCert.getSubjectX500Principal());
certGen.setNotBefore(new Date(System.currentTimeMillis()));
certGen.setNotAfter(new Date(System.currentTimeMillis()+50000));
certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
certGen.setPublicKey(request.getPublicKey("BC"));
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert));
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC")));
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
//extract the extension request attribute
ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();
for(int i=0;i!=attributes.size();i++)
{
Attribute attr = Attribute.getInstance(attributes.getObjectAt(i));
//process extension request
if(attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest))
{
X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
Enumeration<?> e = extensions.oids();
while(e.hasMoreElements())
{
DERObjectIdentifier oid = (DERObjectIdentifier)e.nextElement();
X509Extension ext = extensions.getExtension(oid);
certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
}
}
}
X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate());
return new X509Certificate[]{issuedCert, rootCert};
}
public static void main(String[] args) throws Exception
{
X509Certificate[] chain = buildChain();
PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
pemWrt.writeObject(chain[0]);
pemWrt.writeObject(chain[1]);
pemWrt.close();
}
}
线程main中的异常java.lang.IllegalArgumentException:extension 2.5.29.15已在org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension中添加
(未知源)
at org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(未知源)
at org.bouncycastle.x509.X509V3CertificateGenerator.addExtension(未知源)
at PKCS10CertCreateExample.buildChain (PKCS10CertCreateExample.java:68)
at PKCS10CertCreateExample.main(PKCS10CertCreateExample.java:100)
Exception in thread "main" java.lang.IllegalArgumentException: extension 2.5.29.15 already added at org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(Unknown Source) at org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(Unknown Source) at org.bouncycastle.x509.X509V3CertificateGenerator.addExtension(Unknown Source) at PKCS10CertCreateExample.buildChain(PKCS10CertCreateExample.java:68) at PKCS10CertCreateExample.main(PKCS10CertCreateExample.java:100)
请帮助我..
推荐答案
Googling 扩展2.5.29.15 会告诉你, KeyUsage
Googling extension 2.5.29.15 will tell you that refers to KeyUsage
搜索 X509V3CertificateGenerator 的源代码显示 addExtension )调用 X509ExtensionsGenerator.addExtension()如果已提供的扩展已添加,则会抛出异常。
Googling the source code for X509V3CertificateGenerator shows that addExtension() calls X509ExtensionsGenerator.addExtension() which throws an exception if the extension provided has already been added.
您在上面提供的源代码只是这样,并抛出异常:
The source code you provide above does just that, and the exception is thrown:
certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
这是代码中的错误。您需要删除其中的一个。我猜是第一个。
This is a bug in the code. You need to remove one of them. I would guess the first.
这篇关于创建x.509证书时出错的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
