添加特定扩展名到X509证书(bouncyCastle)

时间:2017-05-12 07:09:47

标签: java version x509certificate bouncycastle

如何在X509 v3证书中添加类似数字的内容?

X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
                new X500Name("CN=Subject"),             
                serialNumber,
                startDate, expiryDate,
                new X500Name("CN=CA"),
                interPubInfo);

认为这适用于.addExtension(),但接下来会发生什么?

1 个答案:

答案 0 :(得分:2)

正如评论中所说,您不能在证书中的任何位置添加任意值。

如果您想仅用于测试或学习目的,您可以使用Subject Alternative Name扩展程序。此扩展程序有一些可选字段,其中包含更多" free"格式:

OtherName ::= SEQUENCE {
    type-id    OBJECT IDENTIFIER,
    value      [0] EXPLICIT ANY DEFINED BY type-id }

因此,您可以使用所需的值添加OtherName字段。问题是type-id字段,因为对象标识符不能是任意值 - they're actually standardized

在现实生活中,您无法使用下面的代码,因为我使用了一些任意标识符( 1.2.3.4.5.6.7.8.9 )使它工作。对于生产证书,您应该只使用预定义的现有值。

话虽如此,我已经制作了此代码(在 BouncyCastle 1.56 中)以添加值 123 的扩展程序:

import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

int number = 123;
ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("1.2.3.4.5.6.7.8.9"); // some arbitrary non-existent OID number
DERSequence seq = new DERSequence(new ASN1Encodable[] { oid, new ASN1Integer(number) });

ArrayList<GeneralName> namesList = new ArrayList<>();
namesList.add(new GeneralName(GeneralName.otherName, seq));
GeneralNames subjectAltNames = GeneralNames.getInstance(new DERSequence((GeneralName[]) namesList.toArray(new GeneralName[] {})));

// certBuilder is a X509v3CertificateBuilder
certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);

要从证书中读取此扩展程序:

import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.x509.extension.X509ExtensionUtil;

X509Certificate cert = // a java.security.cert.X509Certificate
byte[] v = cert.getExtensionValue(Extension.subjectAlternativeName.getId());
GeneralNames gn = GeneralNames.getInstance(X509ExtensionUtil.fromExtensionValue(v));
GeneralName[] names = gn.getNames();
for (GeneralName name : names) {
    if (name.getTagNo() == GeneralName.otherName) {
        ASN1Sequence seq = ASN1Sequence.getInstance(name.getName());
        if ("1.2.3.4.5.6.7.8.9".equals(oid.getId())) { // OID is the arbitrary one I created
            ASN1Integer value = (ASN1Integer) seq.getObjectAt(1);
            int number = value.getValue().intValue();
            System.out.println(number); // number is 123
        }
    }
}
相关问题
最新问题