如何使用给定的私钥通过ca证书签署最终实体证书

时间:2016-06-20 17:49:49

标签: java digital-signature bouncycastle

我在java(使用充气城堡库)中编写了我的CA证书。现在我想用给定的私钥签署最终实体证书。 这是我的代码:

           X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");
           X500Principal dnNameSubject = dnName;
           serialNumber = new BigInteger("123127956789") ;
           keyus = new KeyUsage(KeyUsage.digitalSignature); 

           ContentSigner  signer =   new JcaContentSignerBuilder("SHA512withECDSA").build(myprivateKey);



           Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
           Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
           AuthorityKeyIdentifier AKI = new AuthorityKeyIdentifier(keyBytesPublic); 

           X509v3CertificateBuilder certBldr =  new JcaX509v3CertificateBuilder(certroot,serialNumber, D1, D2, dnName, mypublicKey);
           certBldr.addExtension(X509Extension.authorityKeyIdentifier, true, AKI); 
           certBldr.addExtension(X509Extension.subjectAlternativeName, false,new GeneralNames(new GeneralName(GeneralName.rfc822Name,"PNeODZ3wV5m2UXmJiovxdwPKZdCkB87ESsk7H8vTZKU=")));
           certBldr.addExtension(X509Extensions.KeyUsage, true, keyus);
           certBldr.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false));


                  // Build/sign the certificate.
                  X509CertificateHolder certHolder = certBldr.build(signer);

                  X509Certificate Endcert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
                 `

我收到了错误enter image description here

你能帮我吗?或者当某人有另一种方式通过CA证书签署最终实体证书时,我会很高兴。

谢谢

2 个答案:

答案 0 :(得分:1)

错误是由于未解决的依赖性造成的。你需要类似的东西

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.49</version>
</dependency>

您的代码中有一些错误

X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");

避免创建字符串。使用从X509中提取的ca证书颁发者名称

 X509Certificate cacert =...
 X500Name issuer = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded());

此日期已过去

Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);

创建类似于此的内容(+ 1天)

Date D1 = new Date();
Date D2 = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);

将keyEncipherment添加到keyUsage

也很常见 
keyus = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);

并使用cacert

创建authorityKeyIdentifier 
 X509ExtensionUtils extUtils = new X509ExtensionUtils( 
 new SHA1DigestCalculator()); 
 certBldr.addExtension(Extension.authorityKeyIdentifier, false,  
  extUtils.createAuthorityKeyIdentifier(caCert))

您在项目ejbca中有一个完整的CA示例。 This is你需要的课程。

此处还有一个完整示例,用于创建最终实体证书(摘自here

public static X509CertificateHolder buildEndEntityCert(X500Name subject,
        AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey, 
        X509CertificateHolder caCert, String ufn) throws Exception
{
    SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.
            createSubjectPublicKeyInfo(entityKey);

    if(subject==null)
        subject = new X500Name("CN = BETaaS Gateway Certificate");

    X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(
            caCert.getSubject(),
       BigInteger.valueOf(1),
       new Date(System.currentTimeMillis()),
       new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
       subject,
       entityKeyInfo);

    X509ExtensionUtils extUtils = new X509ExtensionUtils(
            new SHA1DigestCalculator());

   certBldr.addExtension(Extension.authorityKeyIdentifier, false, 
        extUtils.createAuthorityKeyIdentifier(caCert))
    .addExtension(Extension.subjectKeyIdentifier, false, 
            extUtils.createSubjectKeyIdentifier(entityKeyInfo))
     .addExtension(Extension.basicConstraints, true, 
            new BasicConstraints(false))
     .addExtension(Extension.keyUsage, true, new KeyUsage(
            KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
     .addExtension(Extension.subjectAlternativeName, false, new GeneralNames(
            new GeneralName(GeneralName.rfc822Name, ufn)));

   AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME);
   AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);

   ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey);

   return certBldr.build(signer);
}

答案 1 :(得分:0)

这是带有弹力城堡的基本代码,用于根据给定的CA证书,CA私钥,主题(即要颁发的证书)名称和主题公钥来发行证书

  public static X509Certificate issueCertificate(
      @NotNull X500Name subject,
      @NotNull PublicKey subjectPublicKey,
      @NotNull PrivateKey caPrivateKey,
      @NotNull X509Certificate caCert) throws CertificateEncodingException, IOException, NoSuchAlgorithmException {

    X509CertificateHolder caCertHolder = new JcaX509CertificateHolder(caCert);
    X500Name issuer = caCertHolder.getSubject();

    X509v3CertificateBuilder certificateBuilder = createCertificateBuilder(issuer, subject, subjectPublicKey);

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

    certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCertHolder))
        .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(subjectPublicKey))
        .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
        .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

    return buildX509Certificate(certificateBuilder, caPrivateKey, SHA_256_WITH_RSA);
  }

  private static X509v3CertificateBuilder createCertificateBuilder(X500Name issuerName, X500Name subjectName, PublicKey publicKey) {
    return new X509v3CertificateBuilder(
          issuerName,
          BigInteger.ONE,
          Timestamp.valueOf(LocalDateTime.now().minusDays(1L)),
          Timestamp.valueOf(LocalDateTime.now().plusYears(2L)),
          subjectName,
          SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
  }

  private static X509Certificate buildX509Certificate(X509v3CertificateBuilder certificateBuilder, PrivateKey privateKey, String algorithm) {
    ContentSigner contentSigner = buildContentSigner(algorithm, privateKey);
    X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner);
    try {
      return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
    } catch (CertificateException e) {
      throw new ApplicationException(e);
    }
  }

  private static ContentSigner buildContentSigner(String algorithm, PrivateKey privateKey) {
    try {
      return new JcaContentSignerBuilder(algorithm)
          .setProvider("BC")
          .setSecureRandom(SecureRandomFactory.getInstance())
          .build(privateKey);
    } catch (OperatorCreationException e) {
      throw new ApplicationException(e);
    }
  }
相关问题
最新问题