使用Bouncy Castle在Java中创建自定义X509 v3扩展 [英] Creating Custom X509 v3 Extensions in Java with Bouncy Castle

问题描述

我已成功使用Bouncy Castle的X509v3CertificateBuilder Java类创建标准V3扩展的X509证书。我现在正在尝试使用自定义扩展创建证书。

I have successfully used the X509v3CertificateBuilder Java class from Bouncy Castle to create X509 certificates with standard V3 extensions. I am now trying to create certificates with custom extensions.

我可以使用addExtension（...）方法创建自定义扩展，但是，证书中的结果值不是我想要的。例如，我希望在自定义OID 1.2.3.4下的证书中列出这些确切的八位字节：00 00 00 00 FF FF FF FF。我尝试的所有内容都包含ASN1编码的八位字符串，结果为04 08 00 00 00 00 FF FF FF FF。

I can create a custom extension using the addExtension(...) method, however, the resulting value in the certificate is not what I want. For example, I would like these exact octets listed in the certificate under a custom OID 1.2.3.4: "00 00 00 00 FF FF FF FF". Everything I try wraps that octet string in ASN1 encoding and it ends up as "04 08 00 00 00 00 FF FF FF FF".

基本上，我想创建Java中的证书，其自定义扩展名与使用具有此配置的扩展文件使用OpenSSL创建时证书的外观相同：

Basically, I would like to create a certificate in Java with a custom extension that looks identical to how a certificate would look when created with OpenSSL using an extensions file that had this configuration:

1.2.3.4=DER:00:00:00:00:FF:FF:FF:FF

这是否可以使用X509v3CertificateBuilder类以干净的方式进行？

Is this possible to do in a clean way with the X509v3CertificateBuilder class?

下面是一段创建不正确值的代码。

Below is a snippet of code that creates the "incorrect" value.

  // Raw value to place in cert for OID 1.2.3.4.
  byte[] bytearray = {0, 0, 0, 0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};

  ASN1ObjectIdentifier asn1oid = new ASN1ObjectIdentifier("1.2.3.4");

  Extension ext = new Extension(asn1oid, false, bytearray);

  X509v3CertificateBuilder certBldr = 
     new JcaX509v3CertificateBuilder(
        caCert, 
        serial,
        startDate, 
        endDate, 
        dn, 
        pubKey)
     .addExtension(
        new ASN1ObjectIdentifier("2.5.29.19"), 
        false,
        new BasicConstraints(false))
     .addExtension(
        new ASN1ObjectIdentifier("2.5.29.15"),
        true,
        new X509KeyUsage(
           X509KeyUsage.digitalSignature |
           X509KeyUsage.nonRepudiation   |
           X509KeyUsage.keyEncipherment  |
           X509KeyUsage.dataEncipherment))
     .addExtension(
        new ASN1ObjectIdentifier("1.2.3.4"),
        false,
        ext.getExtnValue());

  // Create and sign the certificate.
  X509CertificateHolder certHolder = certBldr.build(sigGen);

  X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)
     .getCertificate(certHolder);

推荐答案

尝试了很多不同的选择后，我不知道t认为可以使用X509v3CertificateBuilder创建具有原始（非ASN.1编码）值的扩展。 addExtension（）方法期望或更改输入值为ASN.1编码。

After trying a lot of different options, I don't think it's possible to use X509v3CertificateBuilder to create an extension with a raw (non-ASN.1 encoded) value. The addExtension() method expects or changes an input value to be ASN.1 encoded.

然而，在查看了X509v3CertificateBuilder使用的方法的Bouncy Castle源代码之后在场景中，我找到了一种方法来与其他课程一起完成。涉及更多的代码行，但它非常简单并且提供了所需的结果。

However, after looking at the Bouncy Castle source code for the methods that X509v3CertificateBuilder uses behind the scenes, I found a way to do it with other classes. There are more lines of code involved, but it is fairly straightforward and gives the results needed.

这是允许带有原始值的自定义扩展的代码。 / p>

Here is the code that will allow a custom extension with a raw value.

  // Raw value to place in cert for OID 1.2.3.4.
  byte[] bytearray = {0, 0, 0, 0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};

  // Start creating the certificate beginning with the TBS certificate.      
  V3TBSCertificateGenerator tbsGen = new V3TBSCertificateGenerator();
  tbsGen.setSerialNumber(new ASN1Integer(serialNum));
  tbsGen.setIssuer(issuer);
  tbsGen.setStartDate(new Time(new Date(startDate)));
  tbsGen.setEndDate(new Time(new Date(endDate)));
  tbsGen.setSubject(new X500Name(dn));
  tbsGen.setSubjectPublicKeyInfo(SubjectPublicKeyInfo.getInstance(certPubKey.getEncoded()));
  tbsGen.setSignature(sigGen.getAlgorithmIdentifier());

  // The Key Usage extension:
  X509KeyUsage keyuse = new X509KeyUsage(
     X509KeyUsage.digitalSignature |
     X509KeyUsage.nonRepudiation   |
     X509KeyUsage.keyEncipherment  |
     X509KeyUsage.dataEncipherment);    
  Extension keyUsageExt =
     new Extension(
        Extension.keyUsage,
        true,
        keyuse.getEncoded());

  // The Basic Constraints extension:
  BasicConstraints basic = new BasicConstraints(false);
  Extension basicExt =
     new Extension(
        Extension.basicConstraints,
        false,
        basic.getEncoded());

  // The Custom extension:    
  ASN1ObjectIdentifier asn1iod =
     new ASN1ObjectIdentifier("1.2.3.4");      
  Extension customExt =
     new Extension(
        asn1iod,
        false, 
        bytearray);

  Extension[] extArray = {keyUsageExt, basicExt, customExt};
  tbsGen.setExtensions(new Extensions(extArray));

  // Create the TBS certificate.
  TBSCertificate tbsCert = tbsGen.generateTBSCertificate();

  // Sign the certificate.
  OutputStream ostream       = sigGen.getOutputStream();
  DEROutputStream derOstream = new DEROutputStream(ostream);
  derOstream.writeObject(tbsCert);
  ostream.close();      
  byte[] tbsSig = sigGen.getSignature();

  // Assemble the full X509 certificate. (TBS + Sig Alg + Sig)
  ASN1EncodableVector asnVector = new ASN1EncodableVector();
  asnVector.add(tbsCert);
  asnVector.add(sigGen.getAlgorithmIdentifier());
  asnVector.add(new DERBitString(tbsSig));
  X509CertificateHolder certHolder =
     new X509CertificateHolder(
        org.bouncycastle.asn1.x509.Certificate.getInstance(new DERSequence(asnVector)));

  X509Certificate cert =
     new JcaX509CertificateConverter()
        .setProvider(BC).getCertificate(certHolder);

这篇关于使用Bouncy Castle在Java中创建自定义X509 v3扩展的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！