Issue in consuming the certificate chain in corda
Problem description
I want to create a custom CA and have created a root certificate as mentioned in this link, using the following commands:
set RANDFILE=rand
set OPENSSL_CONF=c:\Binaries\openssl-X64\openssl.cnf
openssl req -new -keyout cakey.pem -out careq.pem
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
I then use this certificate as the root to sign and create other certificates using a Java program:
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

// Signs a CSR with keyPair's private key and names serverCert (the CA certificate) as the issuer.
public static X509Certificate signCertificateSigningRequest(
        PKCS10CertificationRequest jcaPKCS10CertificationRequest, KeyPair keyPair, String requestId,
        X509Certificate serverCert) throws Exception
{
    // Subject public key is taken from the CSR
    SubjectPublicKeyInfo pkInfo = jcaPKCS10CertificationRequest.getSubjectPublicKeyInfo();
    JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
    PublicKey pubKey = converter.getPublicKey(pkInfo);
    X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            serverCert,           // issuer name is copied from the CA certificate
            new BigInteger("1"),  // serial: fixed at 1 for every issued certificate (RFC 5280 requires a unique serial per issuer)
            new Date(System.currentTimeMillis()),
            new Date(System.currentTimeMillis() + 30L * 365L * 24L * 60L * 60L * 1000L), // 30-year validity
            jcaPKCS10CertificationRequest.getSubject(), pubKey)
        // 2.5.29.19 = basicConstraints, CA:false: the issued certificate may not sign other certificates
        .addExtension(new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false))
        // 2.5.29.15 = keyUsage (critical); end-entity usages only, no keyCertSign
        .addExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, new X509KeyUsage(X509KeyUsage.digitalSignature
                | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.dataEncipherment));
    // The signature is made with keyPair's private key; PKIX validation later checks it against serverCert's public key.
    // SHA1withRSA is kept as posted; SHA-1 signatures are deprecated.
    ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").build(keyPair.getPrivate());
    X509CertificateHolder x509CertificateHolder = certificateBuilder.build(sigGen);
    Certificate eeX509CertificateStructure = x509CertificateHolder.toASN1Structure();
    // Re-read the DER encoding through the BC CertificateFactory to get a JCA X509Certificate
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate signedCertificate = (X509Certificate) certificateFactory.generateCertificate(is1);
    // FileSystemUtility is the poster's own helper: it writes the signed certificate and the CA certificate to disk
    FileSystemUtility.saveCertificate(signedCertificate.getEncoded(), serverCert.getEncoded(), requestId);
    return signedCertificate;
}
Where the root certificate is picked using:
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Loads the self-signed CA certificate produced by the OpenSSL commands above
public static X509Certificate getServerCertificate() throws Exception
{
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
    try (InputStream in = new FileInputStream(new File("C:/Users/varun/Desktop/cert/CA/caroot.cer"))) {
        return (X509Certificate) certificateFactory.generateCertificate(in);
    }
}
But when I send both certificates to the receiver and it tries to validate them, I get the following error:
Issue 1
Caused by: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
at sun.security.provider.certpath.KeyChecker.verifyCAKeyUsage(KeyChecker.java:159) ~[?:1.8.0_131]
at sun.security.provider.certpath.KeyChecker.check(KeyChecker.java:122) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:1.8.0_131]
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_131]
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) ~[?:1.8.0_131]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249) ~[?:1.8.0_131]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1268) ~[netty-all-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1176) ~[netty-all-4.1.9.Final.jar:4.1.9.Final]
Issue 1 has been resolved.
Issue 2
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449) ~[?:1.8.0_131]
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166) ~[?:1.8.0_131]
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_131]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:1.8.0_131]
Accepted answer
You need to add the "Certificate signing" key usage to the CA certificate. Ensure that the [v3_ca] section of the OpenSSL conf file includes keyUsage = keyCertSign:
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
See a full example here: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
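The following is an added example, not code from the question, the answer or Corda. It reproduces both errors from the question with Bouncy Castle (bcprov and bcpkix on the classpath) and the JDK's PKIX CertPathValidator, which is the validator the X509TrustManagerImpl in the stack traces ends up calling. The class name, the DNs and the RSA-2048/SHA256withRSA choices are assumptions made for the demo. It builds a trust root, a subordinate "custom CA" and a leaf, then validates the path [leaf, CA] against the root. A CA certificate in the path whose keyUsage lacks keyCertSign is rejected by KeyChecker with "CA key usage check failed: keyCertSign bit is not set" (Issue 1), and a leaf whose signature was produced with a key other than its issuer's private key is rejected by BasicChecker with a wrapped SignatureException "Signature does not match." (Issue 2). Note that the keyCertSign check is applied to every CA certificate that appears in the path, so the extension from the [v3_ca] section above must be on the certificate that actually signs the leaf.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added demo (not Corda code): reproduces the two PKIX failures from the question.
public class ChainCheckDemo {

    private static final long ONE_YEAR_MS = 365L * 24 * 60 * 60 * 1000;

    // Signs the builder's TBS structure with signingKey and converts the result to a JCA certificate.
    private static X509Certificate sign(X509v3CertificateBuilder builder, PrivateKey signingKey) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(signingKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    // Self-signed trust root carrying the extensions the accepted answer puts in [v3_ca].
    static X509Certificate rootCa(KeyPair key) throws Exception {
        X500Name dn = new X500Name("CN=Demo Root CA");               // assumed name
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                dn, BigInteger.ONE, now, new Date(now.getTime() + 10 * ONE_YEAR_MS), dn, key.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.cRLSign | KeyUsage.keyCertSign));
        return sign(b, key.getPrivate());
    }

    // Subordinate CA issued by the root. withKeyCertSign=false reproduces the broken custom CA from the question.
    static X509Certificate subCa(X509Certificate root, PrivateKey rootKey, PublicKey caPub,
                                 boolean withKeyCertSign) throws Exception {
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                root, BigInteger.valueOf(2), now, new Date(now.getTime() + 5 * ONE_YEAR_MS),
                new X500Name("CN=Custom CA"), caPub);                 // assumed name
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        int usage = withKeyCertSign ? KeyUsage.digitalSignature | KeyUsage.keyCertSign : KeyUsage.digitalSignature;
        b.addExtension(Extension.keyUsage, true, new KeyUsage(usage));
        return sign(b, rootKey);
    }

    // End-entity certificate; signingKey must be the issuer's private key for the chain to verify.
    static X509Certificate leaf(X509Certificate issuer, PrivateKey signingKey, PublicKey leafPub) throws Exception {
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, BigInteger.valueOf(3), now, new Date(now.getTime() + ONE_YEAR_MS),
                new X500Name("CN=node.example.test"), leafPub);       // assumed name
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        return sign(b, signingKey);
    }

    // Same PKIX validation the JDK's TLS trust manager performs; returns "OK" or the failure reason.
    static String validate(X509Certificate anchor, X509Certificate... pathLeafFirst) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(pathLeafFirst));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false);                           // no CRL/OCSP in an offline demo
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            Throwable cause = e.getCause();                           // BasicChecker wraps the SignatureException here
            return cause == null || cause instanceof CertPathValidatorException
                    ? e.getMessage() : e.getMessage() + " (" + cause + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rootKey = kpg.generateKeyPair(), caKey = kpg.generateKeyPair();
        KeyPair nodeKey = kpg.generateKeyPair(), strayKey = kpg.generateKeyPair(); // strayKey is NOT the CA's key

        X509Certificate root = rootCa(rootKey);
        X509Certificate badCa = subCa(root, rootKey.getPrivate(), caKey.getPublic(), false);
        X509Certificate goodCa = subCa(root, rootKey.getPrivate(), caKey.getPublic(), true);

        // Issue 1: a CA certificate in the path without keyCertSign is rejected by KeyChecker.
        System.out.println("CA without keyCertSign  : "
                + validate(root, leaf(badCa, caKey.getPrivate(), nodeKey.getPublic()), badCa));
        // Issue 2: a leaf signed with a key other than its issuer's fails BasicChecker's signature check.
        System.out.println("leaf signed by wrong key: "
                + validate(root, leaf(goodCa, strayKey.getPrivate(), nodeKey.getPublic()), goodCa));
        // Correct chain: the CA carries keyCertSign and the leaf is signed with the CA's private key.
        System.out.println("correct chain           : "
                + validate(root, leaf(goodCa, caKey.getPrivate(), nodeKey.getPublic()), goodCa));
    }
}
```

Compile and run with bcprov-jdk15on and bcpkix-jdk15on on the classpath; the three printed lines show the keyCertSign rejection, the signature mismatch and the successful chain. The first case corresponds to the missing keyUsage in the OpenSSL-generated CA certificate; the second is what the validator reports whenever the private key passed to the signer does not belong to the certificate named as issuer, so when signing a CSR make sure the key handed to JcaContentSignerBuilder is the CA's own key.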