Question

我想从给定的X509Certificate对象中检索OCSP信息。由于我不知道如何解析这些信息，我在这里提出这个问题。

这是我到目前为止所得到的：

X509Certificate x509cert = ... //The Certificate
ASN1Primitive obj = ASN1Primitive.fromByteArray(x509cert
                            .getExtensionValue(Extension.authorityInfoAccess
                                    .getId()));
AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(obj);

抛出异常：

java.security.cert.CertificateParsingException: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.DEROctetString

如何将ASN1Primitive解析为有效的DEROctetString进展？

示例中ASN1Primitive的值为：

3032303006082b060105050730018624687474703a2f2f6f6373702e616368656c6f732e64653a383038302f6f6373702f65676b

在我看来是一个有效的价值。

Answer 1

您可以使用DEROctetString

构建ASN1InputStream

byte[] authInfoAccessExtensionValue = x509cert.getExtensionValue(X509Extension.authorityInfoAccess.getId());
ASN1InputStream ais1 = new ASN1InputStream(new ByteArrayInputStream(authInfoAccessExtensionValue ));
DEROctetString oct = (DEROctetString) (ais1.readObject());
ASN1InputStream ais2 = new ASN1InputStream(oct.getOctets());
AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess.getInstance(ais2.readObject());

尝试使用此代码在X509Certificate中获取OCSP URI元数据。代码是从SD-DSS项目的OnlineOCSPSource类中提取的（稍加修改）

public String getAccessLocation(X509Certificate certificate) throws IOException {

    final ASN1ObjectIdentifier ocspAccessMethod = X509ObjectIdentifiers.ocspAccessMethod;
    final byte[] authInfoAccessExtensionValue = certificate.getExtensionValue(X509Extension.authorityInfoAccess.getId());
    if (null == authInfoAccessExtensionValue) {

        return null;
    }
    ASN1InputStream ais1 = null;
    ASN1InputStream ais2 = null;
    try {

        final ByteArrayInputStream bais = new ByteArrayInputStream(authInfoAccessExtensionValue);
        ais1 = new ASN1InputStream(bais);
        final DEROctetString oct = (DEROctetString) (ais1.readObject());
        ais2 = new ASN1InputStream(oct.getOctets());
        final AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess.getInstance(ais2.readObject());

        final AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
        for (AccessDescription accessDescription : accessDescriptions) {

            final boolean correctAccessMethod = accessDescription.getAccessMethod().equals(ocspAccessMethod);
            if (!correctAccessMethod) {

                continue;
            }
            final GeneralName gn = accessDescription.getAccessLocation();
            if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) {
                //Not a uniform resource identifier
                continue;
            }
            final DERIA5String str = (DERIA5String) ((DERTaggedObject) gn.toASN1Primitive()).getObject();
            final String accessLocation = str.getString();

            return accessLocation;
        }
        return null;

    } finally {
        ais1.close();
        ais2.close();
    }
}

Answer 2

在 Bouncy Castle 1.57 中，无需创建中间人ASN1Primitive。您只需使用org.bouncycastle.asn1.x509.Extension和org.bouncycastle.x509.extension.X509ExtensionUtil类

即可获得扩展程序

X509Certificate cert = // the certificate

// get Authority Information Access extension
byte[] extVal = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));

然后您可以使用aia对象：

AccessDescription[] descriptions = aia.getAccessDescriptions();
for (AccessDescription ad : descriptions) {
    // ...
}

您也可以在以前的版本中执行此操作，但对于版本＆lt; = 1.47，我认为Extension类不存在，您应该使用org.bouncycastle.asn1.x509.X509Extension（我认为{{1}是一样的。）

如何从X509Certificate对象解析AuthoritiyInformation

2 个答案: