如何使用给定的私钥通过ca证书签署最终实体证书 [英] how to sign an end entity certeficate by a ca cert using a given private key

问题描述

我已经用java（使用充气城堡库）编码了我的CA证书。现在我想用给定的私钥签署最终实体证书。
这是我的代码：

I have coded in java (using bouncy castle library)my CA certificate. and now I want to sign an end entity certificate with a given private key. here is my code :

           X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");
           X500Principal dnNameSubject = dnName;
           serialNumber = new BigInteger("123127956789") ;
           keyus = new KeyUsage(KeyUsage.digitalSignature); 

           ContentSigner  signer =   new JcaContentSignerBuilder("SHA512withECDSA").build(myprivateKey);



           Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
           Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
           AuthorityKeyIdentifier AKI = new AuthorityKeyIdentifier(keyBytesPublic); 

           X509v3CertificateBuilder certBldr =  new JcaX509v3CertificateBuilder(certroot,serialNumber, D1, D2, dnName, mypublicKey);
           certBldr.addExtension(X509Extension.authorityKeyIdentifier, true, AKI); 
           certBldr.addExtension(X509Extension.subjectAlternativeName, false,new GeneralNames(new GeneralName(GeneralName.rfc822Name,"PNeODZ3wV5m2UXmJiovxdwPKZdCkB87ESsk7H8vTZKU=")));
           certBldr.addExtension(X509Extensions.KeyUsage, true, keyus);
           certBldr.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false));


                  // Build/sign the certificate.
                  X509CertificateHolder certHolder = certBldr.build(signer);

                  X509Certificate Endcert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
                 `

我遇到了错误在此处输入图片描述

能帮帮我吗。或者，当有人通过CA证书用另一种方式签署最终实体证书时，这对我来说很高兴。

Can you help me. Or when someone have another way to sign an end entity certificate by a CA certificate that will be a pleasure for me.

谢谢

推荐答案

该错误是由于无法解决的依赖性引起的。您需要与此类似的东西

The error is due to an unresolved dependency. You need something similar to this

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.49</version>
</dependency>

您的代码中有一些错误

X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");

避免创建字符串。使用从X509中提取的ca证书颁发者名称

Avoid creating strings. Use the ca certificate issuer name extracted from X509

 X509Certificate cacert =...
 X500Name issuer = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded());

此日期为过去

Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);

创建与此类似的内容（+1天）

Create something similar to this (+ 1 day)

Date D1 = new Date();
Date D2 = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);

在keyUsage中添加keyEncipherment也很常见

It's also common to add keyEncipherment to keyUsage

keyus = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);

并使用cacert创建AuthorityKeyIdentifier

And also create authorityKeyIdentifier with cacert

 X509ExtensionUtils extUtils = new X509ExtensionUtils( 
 new SHA1DigestCalculator()); 
 certBldr.addExtension(Extension.authorityKeyIdentifier, false,  
  extUtils.createAuthorityKeyIdentifier(caCert))  

您在项目ejbca中有一个完整的CA示例。 此是您需要的类。

You have a full example of CA in project ejbca. This is the class you need.

这也是创建最终实体证书的完整示例（摘录自此处）

Also here is a full example to create e final entity cert (extracted from here)

public static X509CertificateHolder buildEndEntityCert(X500Name subject,
        AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey, 
        X509CertificateHolder caCert, String ufn) throws Exception
{
    SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.
            createSubjectPublicKeyInfo(entityKey);

    if(subject==null)
        subject = new X500Name("CN = BETaaS Gateway Certificate");

    X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(
            caCert.getSubject(),
       BigInteger.valueOf(1),
       new Date(System.currentTimeMillis()),
       new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
       subject,
       entityKeyInfo);

    X509ExtensionUtils extUtils = new X509ExtensionUtils(
            new SHA1DigestCalculator());

   certBldr.addExtension(Extension.authorityKeyIdentifier, false, 
        extUtils.createAuthorityKeyIdentifier(caCert))
    .addExtension(Extension.subjectKeyIdentifier, false, 
            extUtils.createSubjectKeyIdentifier(entityKeyInfo))
     .addExtension(Extension.basicConstraints, true, 
            new BasicConstraints(false))
     .addExtension(Extension.keyUsage, true, new KeyUsage(
            KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
     .addExtension(Extension.subjectAlternativeName, false, new GeneralNames(
            new GeneralName(GeneralName.rfc822Name, ufn)));

   AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME);
   AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);

   ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey);

   return certBldr.build(signer);
}

这篇关于如何使用给定的私钥通过ca证书签署最终实体证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！