Got "data isn't an object ID (tag = 49)" while generating X509 cert


Question

I'm trying to generate my own CSR for my keystore, but it didn't go well and that error is confusing me. Here is my code:

import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CreateKeyTest {

    public static void main(String[] args) throws OperatorCreationException, IOException, GeneralSecurityException {
        KeyPairGenerator kpg;
        KeyPair kp;
        RSAPublicKey pubKey;
        RSAPrivateKey privKey;

        FileOutputStream out;
        KeyStore ks;
        FileInputStream bFis;

        try {
            ks = KeyStore.getInstance("JKS");
            ks.load(null, null); // initialise an empty keystore; setKeyEntry fails on an uninitialised one

            // generate an RSA key pair
            kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(1024);
            kp = kpg.generateKeyPair();
            pubKey = (RSAPublicKey) kp.getPublic();
            privKey = (RSAPrivateKey) kp.getPrivate();

            // generate CSR (PKCS#10), signed with the private key
            ContentSigner sign = new JcaContentSignerBuilder("SHA1withRSA").build(privKey);

            X500NameBuilder nBuilder = new X500NameBuilder();
            nBuilder.addRDN(BCStyle.CN, "TestCSR");
            nBuilder.addRDN(BCStyle.C, "ER");
            nBuilder.addRDN(BCStyle.E, "test@test.com");
            X500Name name = nBuilder.build();

            PKCS10CertificationRequestBuilder cerReq = new JcaPKCS10CertificationRequestBuilder(name, pubKey);
            PKCS10CertificationRequest request = cerReq.build(sign);

            // write the CSR out as PEM ("-----BEGIN CERTIFICATE REQUEST-----")
            PEMWriter pWr = new PEMWriter(new FileWriter(new File("D:\\test.csr")));
            pWr.writeObject(request);
            pWr.flush();
            pWr.close();

            // read the file back and try to parse it as an X.509 certificate;
            // this is the call that throws "data isn't an object ID (tag = 49)"
            bFis = new FileInputStream("D:\\test.csr");
            BufferedInputStream ksbufin = new BufferedInputStream(bFis);
            X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(ksbufin);

            // store the private key together with its certificate chain
            ks.setKeyEntry("RSA_key", kp.getPrivate(), "changeit".toCharArray(),
                    new java.security.cert.Certificate[] { certificate });

            out = new FileOutputStream("key.store");
            ks.store(out, "changeit".toCharArray());

            System.out.println("New Keystore Generated");
            out.close();
        } catch (KeyStoreException | IOException | CertificateException | NoSuchAlgorithmException
                | OperatorCreationException e) {
            System.out.println(e.getMessage());
            e.printStackTrace();
        }
    }
}

When I execute it, it shows me the exception: X509.ObjectIdentifier() -- data isn't an object ID (tag = 49), and it can be back-traced to generateCertificate(ksbufin). But I checked test.cer and it does have certificate data in there, and that exception message confuses me; I don't even know what it means (object ID? tag = 49? I didn't see that I generated an ID in my code).

Can anyone help me out of this mud?

Answer

The error message is correct: test.csr does not contain a certificate. You have built it using a PKCS10CertificationRequest, so it consequently contains a Certificate Signing Request (CSR).

You have generated a key pair, private and public, and a CSR. The CSR is a request for a certificate to a Certification Authority (CA). It contains the public key and some expected attributes for the certificate (CN, C, OU, etc.). The CSR is signed with the private key and has to be sent to the CA. The CA will extract the public key, generate a certificate and sign it. See Certificate enrollment process

If you want a certificate, you need to get it signed by a CA.
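To make the distinction concrete, here is an added example (editor's code, not from the question or the answer above) that carries the enrollment flow through in Java with Bouncy Castle: build the CSR, have a local test CA verify the CSR's signature and issue a certificate from it, and hand the resulting certificate DER to the same CertificateFactory call that failed in the question. The CA key pair, the names and the one-year validity are assumptions for the example. On the error text itself: tag 49 is 0x31, the DER tag for SET. Parsed as a Certificate, the CSR's leading version INTEGER is taken as the serial number, and the parser then expects the signature AlgorithmIdentifier (a SEQUENCE that starts with an OID) but finds the subject Name, a SEQUENCE whose first element is a SET of attributes. The example also uses a 2048-bit key and SHA256withRSA rather than the 1024-bit key and SHA1withRSA in the question, which current CAs and TLS stacks reject.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrEnrollmentExample {

    /** Requester side: build a PKCS#10 CSR for the subject, signed with the subject's own private key. */
    static PKCS10CertificationRequest buildCsr(X500Name subject, KeyPair subjectKeys) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(subjectKeys.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(subject, subjectKeys.getPublic()).build(signer);
    }

    /** CA side: check the CSR's proof of possession, then issue a certificate for the embedded public key. */
    static X509Certificate issueFromCsr(PKCS10CertificationRequest csr, X500Name issuer, KeyPair caKeys)
            throws Exception {
        JcaPKCS10CertificationRequest jcaCsr = new JcaPKCS10CertificationRequest(csr);
        // The CSR signature proves the requester holds the private key matching the public key it sent.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(jcaCsr.getPublicKey()))) {
            throw new SecurityException("CSR signature does not verify");
        }
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(365)); // assumed validity
        // Serial numbers must be unique per CA; a random value avoids collisions across runs.
        BigInteger serial = new BigInteger(127, new SecureRandom());
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                issuer, serial, notBefore, notAfter, csr.getSubject(), csr.getSubjectPublicKeyInfo());
        // End-entity certificate: not a CA, usable for signing and key transport only.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        ContentSigner caSigner = new JcaContentSignerBuilder("SHA256withRSA").build(caKeys.getPrivate());
        X509CertificateHolder holder = builder.build(caSigner);
        // Real Certificate DER: the same factory that rejected the CSR parses this without complaint.
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(holder.getEncoded()));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair();      // assumption: a local test CA, generated on the fly
        KeyPair subjectKeys = kpg.generateKeyPair(); // the requester's key pair

        X500Name caName = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, "Test CA").build();
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
                .addRDN(BCStyle.CN, "TestCSR").addRDN(BCStyle.C, "ER").build();

        PKCS10CertificationRequest csr = buildCsr(subject, subjectKeys);
        // In the question, this is where the CSR bytes were handed to CertificateFactory instead.
        X509Certificate cert = issueFromCsr(csr, caName, caKeys);
        cert.verify(caKeys.getPublic()); // throws if the CA signature does not check out

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // a fresh keystore must be initialised before entries are added
        ks.setKeyEntry("RSA_key", subjectKeys.getPrivate(), "changeit".toCharArray(),
                new java.security.cert.Certificate[] { cert });
        System.out.println("Issued " + cert.getSubjectX500Principal() + " by " + cert.getIssuerX500Principal());
    }
}
```

The keystore entry pairs the requester's private key with a certificate whose public key came out of the CSR, which is what the original code was trying to reach. If all you need is a self-signed certificate for a development keystore, use subjectKeys as both the issuer and the signer in issueFromCsr and skip the CA step; a CSR is only useful when some other party is going to sign.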
