从JWK生成x5c证书链 [英] Generate x5c certificate chain from JWK

问题描述

我正在使用nimbus-jose-jwt 5.14，并使用以下代码生成了RSA密钥对

I am using nimbus-jose-jwt 5.14 and I generated RSA key pair with the following code

    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair keyPair = gen.generateKeyPair();
    JWK jwk = new RSAKey.Builder((RSAPublicKey)keyPair.getPublic())
        .privateKey((RSAPrivateKey)keyPair.getPrivate())
        .keyUse(KeyUse.SIGNATURE)
        .keyID(UUID.randomUUID().toString())
        .build();

现在，我需要讨论一些有关公钥的元数据":

Now I need to expone some "metadata" about the public key:

• e
• 孩子
• kty
• n
• 使用
• x5c

如何获得x5c?是否可以使用此库生成X509证书?此字段为空:

How can I obtain x5c ? Is it possible to generate X509 certificate with this library? This field is null:

if (jwk.getX509CertChain() == null)

推荐答案

您已生成密钥对，而不是证书.证书包含公钥，但它不是从公钥派生的，因此您不能直接从公钥中获取证书.

You have generated a key pair, not a certificate. A certificate contains a public key but it is not derived from it, so you can't get a certificate directly from the public key.

要验证JWT，接收者只需要公用密钥，因此实际上不需要为此发布x5c

To verify a JWT the recipient only needs the public key, so publishing the x5c is in fact unnecesary for this purpose

如果您真的要发布证书，建议您使用OpenSSL生成该证书，然后将公钥导入代码中以获取JWK参数

If you really want to publish a certificate, I suggest to generate it with OpenSSL and import the public key in your code to get the JWK parameters

openssl req -x509 -newkey rsa:2048 -keyout key.pem  -days 365 -out certificate.pem

这篇关于从JWK生成x5c证书链的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！