为什么Symantec CSR检查器认为我的CSR在AlgorithmIdentifier中缺少NULL值？ RFC3279 [英] Why does the Symantec CSR checker think my CSR is missing a NULL value in AlgorithmIdentifier? RFC3279

查看：119 发布时间：2020/9/23 1:19:31 java certificate bouncycastle asn.1

本文介绍了为什么Symantec CSR检查器认为我的CSR在AlgorithmIdentifier中缺少NULL值？ RFC3279的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

由于许多不愉快的原因，我一直试图使用bouncycastle API手动建立自己的证书签名请求。

For a number of unpleasant reasons, I have been attempting to build my own Certificate Signing Request manually using the bouncycastle API.

表面上，我选择这样做是因为我需要使用CSR的预签名版本，以便使用存储在HSM中的密钥生成sha256withRSA签名，该密钥在LMK下加密，因此在CSR创建时无法立即使用。

Ostensibly I chose to do this because I needed the pre-signed version of the CSR in order to generate the sha256withRSA signature using a key that is stored in an HSM, encrypted under an LMK, and therefore not immediately available at the point of CSR creation.

无论如何，这有点偶然。

Anyway, that's sort of incidental at this point.

我已经设法通过与使用openSSL生成的其他CSR进行比较来创建CSR结构，添加所需的信息，将其发送给HSM以使用私钥生成签名，取回该签名，然后将其附加到CSR。

I have managed to create a CSR structure by comparing with other CSRs generated using openSSL, add the required information to it, send it off to the HSM to generate a signature using the private key, get that signature back and then append it to the CSR.

I然后将我生成的证书粘贴到一些CSR检查器中，特别是Symantec（赛门铁克）检查器，因为我相信这是我们的CA，必须对此进行签名。

I've then stuck my generated certificate into a few CSR checkers, notably the Symantec one as this is, I believe, our CA who will have to sign this.

symantec企业社会责任检查员自信地告诉我t：

The symantec CSR checker confidently informs me that:

CSR在其AlgorithmIdentifier参数中缺少NULL值

The CSR is missing a NULL value in its AlgorithmIdentifier parameter

嗯。好的。

然后给出一个好的例子：

It then gives an example of what a good one would look like:

以下是我将此特定的NULL值添加到AlgorithmIdentifier对象的代码段：

Here's the bit of code where I added this particular NULL value to the AlgorithmIdentifier object:

    ASN1EncodableVector topLevelPublicKeySequenceVector = new ASN1EncodableVector();
    ASN1EncodableVector publicKeySequenceVector = new ASN1EncodableVector();
    AlgorithmIdentifier rsaEncryptionOid = new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE);      

    ASN1Integer pkModulus = new ASN1Integer(publicKey.getModulus());
    ASN1Integer pkExponent = new ASN1Integer(publicKey.getPublicExponent());
    publicKeySequenceVector.add(pkModulus);
    publicKeySequenceVector.add(pkExponent);
    DERSequence publicKeySequence = new DERSequence(publicKeySequenceVector);
    DERBitString publicKeyBitString = null;
    try {
        publicKeyBitString = new DERBitString(publicKeySequence);
    } catch (IOException e1) {
        e1.printStackTrace();
    }

    topLevelPublicKeySequenceVector.add(rsaEncryptionOid);
    topLevelPublicKeySequenceVector.add(publicKeyBitString);

    DERSequence topLevelPublicKeySequence = new DERSequence(topLevelPublicKeySequenceVector);

因此，如果我将我的CSR并放入ASN.1解码器中，在这个AlgorithmIdentifier参数处，并验证它确实缺少此NULL值，我得到以下输出（为了使StackOverflow受益，使用了虚假值完成），这表明我的NULL值似乎就在那里，在我期望的位置会是：

So, if I take my CSR and pop it into an ASN.1 decoder, to take a look at this AlgorithmIdentifier parameter and verify that it is indeed missing this NULL value, I get the following output (complete with spurious values for the benefit of StackOverflow), which shows that my NULL value appears to be right there, where I'd expect it to be:

SEQUENCE(3 elem)
   SEQUENCE(3 elem)
   INTEGER 0
   SEQUENCE(7 elem)
      SET(1 elem)
         SEQUENCE(2 elem)
            OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
            PrintableString GB
      SET(1 elem)
         SEQUENCE(2 elem)
            OBJECT IDENTIFIER 2.5.4.8 stateOrProvinceName (X.520 DN component)
            UTF8String Sol
      SET(1 elem)
         SEQUENCE(2 elem)
            OBJECT IDENTIFIER 2.5.4.7 localityName (X.520 DN component)
            UTF8String Earth
      SET(1 elem)
         SEQUENCE(2 elem)
            OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
            UTF8String Stackoverflow
      SET(1 elem)
         SEQUENCE(2 elem)
            OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
            UTF8String Stackoverflow
      SET(1 elem)
         SEQUENCE(2 elem)
            OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
            UTF8String common.name.for.stackoverflow
      SET(1 elem)
         SEQUENCE(2 elem)
         OBJECT IDENTIFIER 1.2.840.113549.1.9.1 emailAddress (PKCS #9)
         IA5String duff.value@forstackoverflow.com
   SEQUENCE(2 elem)
      SEQUENCE(2 elem)
         OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1)
         NULL
      BIT STRING(1 elem)
         SEQUENCE(2 elem)
            INTEGER(2048 bit) 231457529965blahblahetc
            INTEGER65537
   SEQUENCE(2 elem)
      OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
      NULL
   BIT STRING(2048 bit) 1011010etc etc...

因此，对于我所描述的略带circuit回的方式表示歉意，没有人有最雾的想法为什么我的CSR无法通过缺少字段的验证，即会出现，但实际上并未丢失？

So, with apologies for the slightly circuitous way I've described this, does anyone have even the foggiest idea why my CSR would fail validation for a missing field that is, it would appear, not actually missing?

编辑：
这是实际请求（或位于至少，出于这个问题的目的，我生成了一个带有相同症状的废话值）

Here is the actual request (or at least, one I've generated with nonsense values that shares the same symptom, for the purposes of this question)

为什么Symantec CSR检查器认为我的CSR在AlgorithmIdentifier中缺少NULL值？ RFC3279 [英] Why does the Symantec CSR checker think my CSR is missing a NULL value in AlgorithmIdentifier? RFC3279

问题描述

推荐答案

相关文章

Java开发最新文章

热门教程

热门工具

登录关闭

为什么Symantec CSR检查器认为我的CSR在AlgorithmIdentifier中缺少NULL值？ RFC3279 [英] Why does the Symantec CSR checker think my CSR is missing a NULL value in AlgorithmIdentifier? RFC3279

问题描述

推荐答案

相关文章

Java开发最新文章

热门教程

热门工具

登录 关闭

登录关闭