Java 通过解析PKCS10CertificationRequest读取请求的扩展
我有一个CSR,我正在使用Bouncy Castle API用Java解析它,示例CSR如下所示:Java 通过解析PKCS10CertificationRequest读取请求的扩展,java,bouncycastle,csr,Java,Bouncycastle,Csr,我有一个CSR,我正在使用Bouncy Castle API用Java解析它,示例CSR如下所示: root@serv-appliance:/usr/etc$ openssl req -text -noout -verify -in java.pem.csr verify OK Certificate Request: Data: Version: 0 (0x0) Subject: CN=INF2345, OU=DEVKI, O=Test Org, C=I
root@serv-appliance:/usr/etc$ openssl req -text -noout -verify -in java.pem.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=INF2345, OU=DEVKI, O=Test Org, C=IN
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b2:79:a1:ca:c8:56:83:18:e1:36:44:ed:4c:a2:
a2:91:f9:4d:74:af:17:91:b9:e5:c3:19:2a:be:6e:
54:0a:73:be:60:fd:84:a7:ac:ca:75:28:7f:2f:0f:
ba:0d:6c:36:22:ec:12:0f:17:59:db:1c:ae:b3:92:
8a:3a:fd:a7:ad
ASN1 OID: prime256v1
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Signature Algorithm: ecdsa-with-SHA1
30:45:02:21:00:ec:c3:3c:18:94:76:89:7b:17:ae:98:e7:74:
1f:1c:28:8a:40:4a:12:0f:55:9e:3d:7d:6d:0b:44:97:52:42:
9c:02:20:0f:6f:a6:71:8d:cf:c3:ed:10:76:f3:da:84:f4:a8:
3d:b4:9c:ce:6f:a9:30:cc:91:dd:c3:cc:69:56:a6:6c:d8
我能够成功地解析它并读取主题的公共名称。以下是我的测试代码,用于相同的测试:
PKCS10CertificationRequest pkcsReq = parseCSR(generateRequest.getCsr());
generateRequest.setEndEntitySubjectDn(pkcsReq.getSubject().toString());
for (RDN att : pkcsReq.getSubject().getRDNs()) {
for (AttributeTypeAndValue t : att.getTypesAndValues()) {
if (t.getType().getId().equals("2.5.4.3")) {
generateRequest.setEndEntityUserName(t.getValue().toString());
}
// log.debug("Type:"+t.getType().getId()+"Value:"+t.getValue().toString());
}
}
for(Attribute att:pkcsReq.getAttributes()){
log.debug("TYPE::"+att.getAttrType().getId());
ASN1Set s = att.getAttrValues();
Iterator<ASN1Encodable> asn1Iter = s.iterator();
while(asn1Iter.hasNext()){
log.debug("asn1Iter :: "+asn1Iter.next().toString());
}
}
请建议如何从PKCS10CertificationRequest对象读取此信息。由于PKCS10CertificationRequest没有
getExtension
或类似方法,我看到的唯一解决方案是通过asn1结构
我已经使用openssl 1.0.1e-fips创建了一个示例CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIICwDCCAagCAQAwWjELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQH
EwlTYW8gUGF1bG8xDTALBgNVBAoTBHRlc3QxDDAKBgNVBAsTA29wczENMAsGA1UE
AxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjspTClIqxB
3EwJKJRTELhUowyaztgbZ/yhmM0fJISrcfWgdCK8TDO298YtUHPkGgvnb53HuMA6
BhZ33MPUxEddD+kc0orx4roIBLvu8WC746Ke3VWaQnNiEjGhVj4J8kiWG+TnYnt1
GdAcdpUY5DJ+ttLIkggavNuUdaa0Xc6nQEXZDwiXgEMwEq/rqkvTeArwhuIrUuyL
eHU4LfocXpvgKFN6o1Y4+tAwXw3gTJJxtO1F+TtBnfAvJFj8Y24tjLsvgrL+H2UH
6a2Y1OonkmOwMQXydxLssDSYrIzhS7+fvCKTqzpsz2W7RQ/sIZcouKZZgSczuScq
nF+s4GGS9ykCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWg
MA0GCSqGSIb3DQEBCwUAA4IBAQBaywDeO8cFR0yugMBmjQsvjT9NRiznxhGnfM12
cZKXONYTNEtdzgXzt6qGxWwc12nkhqvyMbhLVKyYr4JqlP4q1ZUTqYgQ8kNKAdu6
KyWHNFL+xKh57YrTxxcTI+qXAiyq9XcToyRPKNKPaLoWUVALpow12Fx0aGK2XAPm
Nij/7V79aiH2/AJDajARx8dKSL4/aZCJ+Hsjho+1h3JJrQoiBc9ugxfYa/qW1XRL
tNpfv7ftbkAiNvSwE349k7NJ7qKW2Gy9UwMUr3jC6285j73fkzJXX0bDG/HgL8AQ
kX3lOgafBlG9XTsX5eiBZdu4Ud/6OlgwczQkls5DZgRyAYGj
-----END CERTIFICATE REQUEST-----
CSR包含与您一样的请求扩展:
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
下面是我使用的代码(带有bouncycastle 1.46 jdk1.6)
请注意,如果您有更多属性,代码可能会更改(对于将要找到的对象类型,存在大量硬编码索引和假设,因为这是此特定情况的示例代码-仅具有特定已知类型的一个请求扩展的CSR)
//用于读取CSR的帮助器方法
公共PKCS10CertificationRequest转换器PEMTOPKCS10CertificationRequest(字符串pem)引发异常{
PKCS10CertificationRequest csr=null;
PEMReader=新PEMReader(新StringReader(pem));
试一试{
Object parsedObj=reader.readObject();
if(PKCS10CertificationRequest的parsedObj实例){
csr=(PKCS10CertificationRequest)parsedObj;
}
}捕获(IOEX异常){
例如printStackTrace();
}最后{
reader.close();
}
返回csr;
}
PKCS10CertificationRequest csr=convertPemToPKCS10CertificationRequest(csrPem);
ASN1Set attributes=csr.getCertificationRequestInfo().getAttributes();
枚举对象=attributes.getObjects();
while(objects.hasMoreElements()){
Object obj=(Object)objects.nextElement();
DERSequence seq=(DERSequence)obj;
可撤销的objectAt=seq.getObjectAt(0);
if(ASN1ObjectIdentifier实例处的对象){
字符串id=((ASN1ObjectIdentifier)objectAt).getId();
if(“1.2.840.113549.1.9.14”.equals(id)){//PKCS#9扩展请求
DERSet=(DERSet)seq.getObjectAt(1);
//序列中的序列
DERSequence reqExt=(DERSequence)(DERSequence)set.getObjectAt(0)).getObjectAt(0);
DERObjectIdentifier oid=(DERObjectIdentifier)reqExt.getObjectAt(0);
ASN1Boolean临界=(ASN1Boolean)reqExt.getObjectAt(1);
DEROctetString oct=(DEROctetString)ReqText.getObjectAt(2);
System.out.println(oid.getId());//2.5.29.15-密钥用法
System.out.println(critical.isTrue());//true-是关键的
KeyUsage ku=新的KeyUsage(新的DERBitString(oct.getOctets());
//在我的示例中,相关部分位于位置3
//不确定这是否是我使用openssl生成CSR的方式上的一个问题,或者它是否始终处于这个位置
int bits=ku.getBytes()[3]&0xff;
int keyUsageToCheck=keyusause.digitalSignature | keyusause.keyencyption;
System.out.println((bits&keyUsageToCheck)=keyUsageToCheck);//true-设置了密钥用法
}
}
}
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
// helper method to read the CSR
public PKCS10CertificationRequest convertPemToPKCS10CertificationRequest(String pem) throws Exception {
PKCS10CertificationRequest csr = null;
PEMReader reader = new PEMReader(new StringReader(pem));
try {
Object parsedObj = reader.readObject();
if (parsedObj instanceof PKCS10CertificationRequest) {
csr = (PKCS10CertificationRequest) parsedObj;
}
} catch (IOException ex) {
ex.printStackTrace();
} finally {
reader.close();
}
return csr;
}
PKCS10CertificationRequest csr = convertPemToPKCS10CertificationRequest(csrPem);
ASN1Set attributes = csr.getCertificationRequestInfo().getAttributes();
Enumeration<?> objects = attributes.getObjects();
while (objects.hasMoreElements()) {
Object obj = (Object) objects.nextElement();
DERSequence seq = (DERSequence) obj;
DEREncodable objectAt = seq.getObjectAt(0);
if (objectAt instanceof ASN1ObjectIdentifier) {
String id = ((ASN1ObjectIdentifier) objectAt).getId();
if ("1.2.840.113549.1.9.14".equals(id)) { // PKCS#9 ExtensionRequest
DERSet set = (DERSet) seq.getObjectAt(1);
// a sequence inside a sequence
DERSequence reqExt = (DERSequence) ((DERSequence) set.getObjectAt(0)).getObjectAt(0);
DERObjectIdentifier oid = (DERObjectIdentifier) reqExt.getObjectAt(0);
ASN1Boolean critical = (ASN1Boolean) reqExt.getObjectAt(1);
DEROctetString oct = (DEROctetString) reqExt.getObjectAt(2);
System.out.println(oid.getId()); // 2.5.29.15 - key usage
System.out.println(critical.isTrue()); // true - is critical
KeyUsage ku = new KeyUsage(new DERBitString(oct.getOctets()));
// in my example, the relevant part is in position 3
// not sure if it's an issue on the way I used openssl to generate the CSR, or if it'll always be at this position
int bits = ku.getBytes()[3] & 0xff;
int keyUsageToCheck = KeyUsage.digitalSignature | KeyUsage.keyEncipherment;
System.out.println((bits & keyUsageToCheck) == keyUsageToCheck); // true - it has the key usages set
}
}
}