我在使用Java获取和设置证书策略扩展时遇到问题。我正在使用Bouncy Castle 1.57。
我正在向证书生成器添加扩展名,如下所示:
boolean isCritical = Extensions.certificatePolicies;
String cpValue = Extensions.certificatePoliciesValue;
cerGen.addExtension(Extension.certificatePolicies, isCritical, cpValue.getBytes());
获得此扩展名如下:
byte[] policyBytes = certificate.getExtensionValue(Extension.certificatePolicies.toString());
if (policyBytes != null) {
Object policyObj = new ASN1InputStream(policyBytes).readObject();
policyBytes = ((DEROctetString) policyObj).getOctets();
String policyField = new String(policyBytes); // this is cpValue when set
}
这在我导出证书之前工作正常,但当我将其导出为DER或PEM类型时,当我尝试导入它时,我收到错误:
java.io.IOException:CertificatePoliciesExtension的编码无效。
这是我的导入源代码:
CertificateFactory fact = CertificateFactory.getInstance("X.509");
FileInputStream is = new FileInputStream(file.getAbsolutePath());
X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
当我尝试生成证书时,在最后一行发生异常。
答案 0 :(得分:2)
发生错误是因为您要将扩展名创建为单个String。
您获取扩展程序的代码是有效的,因为您也将其作为单个String阅读(您的阅读方式与创建它完全相同,这就是它的工作原理)。
但证书策略扩展名具有良好的预定义格式,CertificateFactory会尝试根据此格式解析证书。
在RFC 5280中,您可以找到扩展程序的格式:
certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE {
policyIdentifier CertPolicyId,
policyQualifiers SEQUENCE SIZE (1..MAX) OF
PolicyQualifierInfo OPTIONAL }
CertPolicyId ::= OBJECT IDENTIFIER
PolicyQualifierInfo ::= SEQUENCE {
policyQualifierId PolicyQualifierId,
qualifier ANY DEFINED BY policyQualifierId }
-- policyQualifierIds for Internet policy qualifiers
id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
... and lots of other types definitions
请注意,扩展程序不是String。它是PolicyInformation的序列,它是标识符和限定符的序列,依此类推。
我创建了一个只有一个值的示例扩展,就像一个例子:
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.PolicyQualifierId;
import org.bouncycastle.asn1.x509.PolicyQualifierInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
X509v3CertificateBuilder certGen = //create builder
boolean isCritical = true; // depends on your application (setting any value for tests)
PolicyQualifierInfo pqInfo = new PolicyQualifierInfo("aaa.bbb"); // the value you want
PolicyInformation policyInfo = new PolicyInformation(PolicyQualifierId.id_qt_cps, new DERSequence(pqInfo));
CertificatePolicies policies = new CertificatePolicies(policyInfo);
certGen.addExtension(Extension.certificatePolicies, isCritical, policies);
要阅读此扩展程序,您可以执行以下操作:
import org.bouncycastle.x509.extension.X509ExtensionUtil;
X509Certificate certificate = // a java.security.cert.X509Certificate
byte[] policyBytes = certificate.getExtensionValue(Extension.certificatePolicies.toString());
if (policyBytes != null) {
CertificatePolicies policies = CertificatePolicies.getInstance(X509ExtensionUtil.fromExtensionValue(policyBytes));
PolicyInformation[] policyInformation = policies.getPolicyInformation();
for (PolicyInformation pInfo : policyInformation) {
ASN1Sequence policyQualifiers = (ASN1Sequence) pInfo.getPolicyQualifiers().getObjectAt(0);
System.out.println(policyQualifiers.getObjectAt(1)); // aaa.bbb
}
}
以这种方式创建证书,fact.generateCertificate将无错误地创建证书。