使用Bouncy Castle在Java中创建自定义X509 v3扩展 [英] Creating Custom X509 v3 Extensions in Java with Bouncy Castle
问题描述
我已成功使用Bouncy Castle的X509v3CertificateBuilder Java类创建标准V3扩展的X509证书。我现在正在尝试使用自定义扩展创建证书。
I have successfully used the X509v3CertificateBuilder Java class from Bouncy Castle to create X509 certificates with standard V3 extensions. I am now trying to create certificates with custom extensions.
我可以使用addExtension(...)方法创建自定义扩展,但是,证书中的结果值不是我想要的。例如,我希望在自定义OID 1.2.3.4下的证书中列出这些确切的八位字节:00 00 00 00 FF FF FF FF。我尝试的所有内容都包含ASN1编码的八位字符串,结果为04 08 00 00 00 00 FF FF FF FF。
I can create a custom extension using the addExtension(...) method, however, the resulting value in the certificate is not what I want. For example, I would like these exact octets listed in the certificate under a custom OID 1.2.3.4: "00 00 00 00 FF FF FF FF". Everything I try wraps that octet string in ASN1 encoding and it ends up as "04 08 00 00 00 00 FF FF FF FF".
基本上,我想创建Java中的证书,其自定义扩展名与使用具有此配置的扩展文件使用OpenSSL创建时证书的外观相同:
Basically, I would like to create a certificate in Java with a custom extension that looks identical to how a certificate would look when created with OpenSSL using an extensions file that had this configuration:
1.2.3.4=DER:00:00:00:00:FF:FF:FF:FF
这是否可以使用X509v3CertificateBuilder类以干净的方式进行?
Is this possible to do in a clean way with the X509v3CertificateBuilder class?
下面是一段创建不正确值的代码。
Below is a snippet of code that creates the "incorrect" value.
// Raw value to place in cert for OID 1.2.3.4.
byte[] bytearray = {0, 0, 0, 0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
ASN1ObjectIdentifier asn1oid = new ASN1ObjectIdentifier("1.2.3.4");
Extension ext = new Extension(asn1oid, false, bytearray);
X509v3CertificateBuilder certBldr =
new JcaX509v3CertificateBuilder(
caCert,
serial,
startDate,
endDate,
dn,
pubKey)
.addExtension(
new ASN1ObjectIdentifier("2.5.29.19"),
false,
new BasicConstraints(false))
.addExtension(
new ASN1ObjectIdentifier("2.5.29.15"),
true,
new X509KeyUsage(
X509KeyUsage.digitalSignature |
X509KeyUsage.nonRepudiation |
X509KeyUsage.keyEncipherment |
X509KeyUsage.dataEncipherment))
.addExtension(
new ASN1ObjectIdentifier("1.2.3.4"),
false,
ext.getExtnValue());
// Create and sign the certificate.
X509CertificateHolder certHolder = certBldr.build(sigGen);
X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)
.getCertificate(certHolder);
推荐答案
尝试了很多不同的选择后,我不知道t认为可以使用X509v3CertificateBuilder创建具有原始(非ASN.1编码)值的扩展。 addExtension()方法期望或更改输入值为ASN.1编码。
After trying a lot of different options, I don't think it's possible to use X509v3CertificateBuilder to create an extension with a raw (non-ASN.1 encoded) value. The addExtension() method expects or changes an input value to be ASN.1 encoded.
然而,在查看了X509v3CertificateBuilder使用的方法的Bouncy Castle源代码之后在场景中,我找到了一种方法来与其他课程一起完成。涉及更多的代码行,但它非常简单并且提供了所需的结果。
However, after looking at the Bouncy Castle source code for the methods that X509v3CertificateBuilder uses behind the scenes, I found a way to do it with other classes. There are more lines of code involved, but it is fairly straightforward and gives the results needed.
这是允许带有原始值的自定义扩展的代码。 / p>
Here is the code that will allow a custom extension with a raw value.
// Raw value to place in cert for OID 1.2.3.4.
byte[] bytearray = {0, 0, 0, 0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
// Start creating the certificate beginning with the TBS certificate.
V3TBSCertificateGenerator tbsGen = new V3TBSCertificateGenerator();
tbsGen.setSerialNumber(new ASN1Integer(serialNum));
tbsGen.setIssuer(issuer);
tbsGen.setStartDate(new Time(new Date(startDate)));
tbsGen.setEndDate(new Time(new Date(endDate)));
tbsGen.setSubject(new X500Name(dn));
tbsGen.setSubjectPublicKeyInfo(SubjectPublicKeyInfo.getInstance(certPubKey.getEncoded()));
tbsGen.setSignature(sigGen.getAlgorithmIdentifier());
// The Key Usage extension:
X509KeyUsage keyuse = new X509KeyUsage(
X509KeyUsage.digitalSignature |
X509KeyUsage.nonRepudiation |
X509KeyUsage.keyEncipherment |
X509KeyUsage.dataEncipherment);
Extension keyUsageExt =
new Extension(
Extension.keyUsage,
true,
keyuse.getEncoded());
// The Basic Constraints extension:
BasicConstraints basic = new BasicConstraints(false);
Extension basicExt =
new Extension(
Extension.basicConstraints,
false,
basic.getEncoded());
// The Custom extension:
ASN1ObjectIdentifier asn1iod =
new ASN1ObjectIdentifier("1.2.3.4");
Extension customExt =
new Extension(
asn1iod,
false,
bytearray);
Extension[] extArray = {keyUsageExt, basicExt, customExt};
tbsGen.setExtensions(new Extensions(extArray));
// Create the TBS certificate.
TBSCertificate tbsCert = tbsGen.generateTBSCertificate();
// Sign the certificate.
OutputStream ostream = sigGen.getOutputStream();
DEROutputStream derOstream = new DEROutputStream(ostream);
derOstream.writeObject(tbsCert);
ostream.close();
byte[] tbsSig = sigGen.getSignature();
// Assemble the full X509 certificate. (TBS + Sig Alg + Sig)
ASN1EncodableVector asnVector = new ASN1EncodableVector();
asnVector.add(tbsCert);
asnVector.add(sigGen.getAlgorithmIdentifier());
asnVector.add(new DERBitString(tbsSig));
X509CertificateHolder certHolder =
new X509CertificateHolder(
org.bouncycastle.asn1.x509.Certificate.getInstance(new DERSequence(asnVector)));
X509Certificate cert =
new JcaX509CertificateConverter()
.setProvider(BC).getCertificate(certHolder);
这篇关于使用Bouncy Castle在Java中创建自定义X509 v3扩展的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!