使用DEROctetString与纯扩展 [英] Using DEROctetString vs pure Extension
问题描述
我正在使用充气城堡librarires向我的X509V3Certificate证书添加扩展名。假设我想向我的证书添加 ExtendedKeyUsage 扩展名。我正在使用X509V3CertificateBuilder类和addExtension()方法,因此
I am using bouncy castle librarires to add extensions to my X509V3Certificate certificate.Let's say that I want to add ExtendedKeyUsage extension to my certificate.I am using X509V3CertificateBuilder class and addExtension() method so I do this.
X509V3CertificateBuilder cf=...;
ExtendedKeyUsage eku = new ExtendedKeyUsage(KeyPurposeId.anyExtendedKeyUsage);
cf.addExtension(Extension.ExtendedKeyUsage, false , eku);
但是我在网络上的某些示例中看到的是人们在做下一件事
But what I am seeing in some examples all over the web , people are doing next thing
cf.addExtension(Extension.ExtendedKeyUsage, false, new DEROctetString(eku));
当我使用第一个方法(没有DEROctetString)时,没有从编译器收到任何警告,但是我没有不知道有什么区别,哪种方法更好,它们都正确吗?
I don't get any warnings from compiler when I use first method(without DEROctetString) but I don't know what is the difference, which way is better, and are they both correct?
推荐答案
TLDR:您的(第一种)方法是正确的
TLDR: your (first) method is correct
背景,X.509证书(正文中的 TBSCertificate
)中的实际扩展名
字段表示/编码该值每个扩展名作为OCTET STRING包装实际值的DER编码。
For background, the actual extensions
field in (the body=TBSCertificate
of) an X.509 certificate represents/encodes the value of each extension as an OCTET STRING 'wrapping' the DER encoding of the actual value.
但是在Bouncy中,调用较旧的 X509v3CertificateBuilder.addExtension
的重载时,其第三个参数为 ASN1Encodable
(值对象)或 byte []
(其编码),您无需自己进行OCTET STRING;构建器内部使用的 ExtensionsGenerator
会为您完成此操作。实际上,在这里自己创建 DEROctetString
实际上会创建(包含证书的)扩展名,其值是双重包装的-一个OCTET STRING包含另一个OCTET STRING的DER,该扩展名包含
But in Bouncy when calling the older overloads of X509v3CertificateBuilder.addExtension
whose third paramater is either ASN1Encodable
(the value object) or byte[]
(its encoding) you don't need to do the OCTET STRING yourself; the ExtensionsGenerator
used internally by the builder does it for you. In fact, creating DEROctetString
yourself here actually creates (a cert containing) an extension whose value is 'double wrapped' -- an OCTET STRING containing the DER of another OCTET STRING containing the DER of the actual value, which is wrong.
但是,最新版本(1.53以上)包含另一个重载,而不是单独的OID(布尔值),值只需要一个 org.bouncycastle.asn1.x509.Extension
对象,其中包含这三个对象-创建该对象是不同的:其构造函数采用编码(并包装)或<$ c您创建自己的$ c> DEROctetString 对象,该对象的构造函数又采用编码或可编码。 (它实际上被声明为超类 ASN1OctetString
,但您想使用 DER
子类,因为证书正文必须完全为DER 。)因此,以下任何一项也都是正确的:
However, recent versions (1.53 up) contain another overload which instead of separate OID, boolean, value takes a single org.bouncycastle.asn1.x509.Extension
object which contains those three -- and creating that object is different: its constructors take either the encoding (and wrap it) or a DEROctetString
object you create yourself, and whose constructors in turn take either the encoding or the encodable. (It's actually declared as the superclass ASN1OctetString
but you want to use the DER
subclass because cert bodies need to be entirely DER.) Thus (any of) the following are also correct:
certbuilder.addExtension(new Extension(Extension.extendedKeyUsage, false, eku.getEncoded()))
certbuilder.addExtension(new Extension(Extension.extendedKeyUsage, false, new DEROctetString(eku)))
certbuilder.addExtension(new Extension(Extension.extendedKeyUsage, false, new DEROctetString(eku.getEncoded())))
您确定它不是后两者之一你在其他地方看到过?
Are you sure it is not one of the latter two that you saw elsewhere?
这篇关于使用DEROctetString与纯扩展的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!