Java 如何使用Bouncy Castle从CSR创建X509以使用公钥验证签名
我使用openssl生成一个私钥,创建一个csr,使用CA私钥将csr发送到服务器,对其进行签名,并生成一个X509,然后将其发送回客户端。客户端将X509放入证书存储。客户端对一些虚拟数据进行签名,并尝试使用证书中的公钥对其进行验证。验证失败。但是,当我直接从私钥生成一个公钥时,验证会使用该公钥成功 在客户端上生成私钥Java 如何使用Bouncy Castle从CSR创建X509以使用公钥验证签名,java,Java,我使用openssl生成一个私钥,创建一个csr,使用CA私钥将csr发送到服务器,对其进行签名,并生成一个X509,然后将其发送回客户端。客户端将X509放入证书存储。客户端对一些虚拟数据进行签名,并尝试使用证书中的公钥对其进行验证。验证失败。但是,当我直接从私钥生成一个公钥时,验证会使用该公钥成功 在客户端上生成私钥 openssl genrsa -out ${keydir}/sign.key 2048 2>/dev/null 企业社会责任 将CSR发送给CA签名者(有关如何处理CS
openssl genrsa -out ${keydir}/sign.key 2048 2>/dev/null
企业社会责任
将CSR发送给CA签名者(有关如何处理CSR字节,请参阅下面的java代码)
然后使用以下命令进行测试
echo abcdefghijklmnopqrstuvwxyz > myfile.txt #generate some data to sign
openssl dgst -sha256 -sign sign.key -out sha256.sign myfile.txt #sign the data with the private key
openssl x509 -pubkey -noout -in Sign.crt > pubkey.pem #extract the public key from the certificate
openssl dgst -sha256 -verify pubkey.pem -signature sha256.sign myfile.txt #verify
验证失败
openssl rsa -in sign.key -pubout -out pubkey.pem #generate public key from private key directly
openssl dgst -sha256 -verify pubkey.pem -signature sha256.sign myfile.txt
确认正常
看起来我的java代码是可疑的。谢谢你的帮助
public byte[] calculateX509(byte[] csrBytes) throws Exception {
Clock clock = Clock.systemUTC();
Date notBefore = Date.from(clock.instant());
Duration expDuration = Duration.ofDays(3650);
Date notAfter = Date.from(clock.instant().plus(expDuration));
String csrStr = new String(csrBytes);
csrStr = csrStr.replace("-----BEGIN CERTIFICATE REQUEST-----", "");
csrStr = csrStr.replace("-----END CERTIFICATE REQUEST-----", "");
csrStr = csrStr.replaceAll("\n", "");
byte[] csrDecode = Base64.getDecoder().decode(csrStr.trim());
PKCS10CertificationRequest decodedCsr = new PKCS10CertificationRequest(csrDecode);
X500Name issuer = X500Name.getInstance(decodedCsr.getSubject().getEncoded());
X509v3CertificateBuilder caBuilder = new X509v3CertificateBuilder(issuer,
BigInteger.valueOf(clock.millis()),
notBefore,
notAfter,
decodedCsr.getSubject(),
decodedCsr.getSubjectPublicKeyInfo())
.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
if (Lunaks.containsAlias(strDAUTOPROVK))
{
char[] pw = {};
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("Sha256withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(Lunaks.getKey(strDAUTOPROVK, pw).getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
JcaX509CertificateConverter providerConverter = certificateConverter.setProvider(new BouncyCastleProvider());
X509CertificateHolder holder = caBuilder.build(sigGen);
X509Certificate cert = providerConverter.getCertificate(holder);
byte[] encoded = cert.getEncoded();
StringWriter writer = new StringWriter();
PemWriter pemWriter = new PemWriter(writer);
PemObject pemObject = new PemObject("CERTIFICATE", encoded);
pemWriter.writeObject(pemObject);
pemWriter.close();
String strBytes = writer.toString();
return strBytes.getBytes();
}
return null;
}
谷歌搜索“bouncy castle create x509 certificate csr”会得到很多结果,例如(方法generateSignedCertificate(csr))。这有帮助吗?谷歌搜索“bouncy castle create x509 certificate csr”会得到很多结果,例如(方法generateSignedCertificate(csr))。这有用吗?
public byte[] calculateX509(byte[] csrBytes) throws Exception {
Clock clock = Clock.systemUTC();
Date notBefore = Date.from(clock.instant());
Duration expDuration = Duration.ofDays(3650);
Date notAfter = Date.from(clock.instant().plus(expDuration));
String csrStr = new String(csrBytes);
csrStr = csrStr.replace("-----BEGIN CERTIFICATE REQUEST-----", "");
csrStr = csrStr.replace("-----END CERTIFICATE REQUEST-----", "");
csrStr = csrStr.replaceAll("\n", "");
byte[] csrDecode = Base64.getDecoder().decode(csrStr.trim());
PKCS10CertificationRequest decodedCsr = new PKCS10CertificationRequest(csrDecode);
X500Name issuer = X500Name.getInstance(decodedCsr.getSubject().getEncoded());
X509v3CertificateBuilder caBuilder = new X509v3CertificateBuilder(issuer,
BigInteger.valueOf(clock.millis()),
notBefore,
notAfter,
decodedCsr.getSubject(),
decodedCsr.getSubjectPublicKeyInfo())
.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
if (Lunaks.containsAlias(strDAUTOPROVK))
{
char[] pw = {};
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("Sha256withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(Lunaks.getKey(strDAUTOPROVK, pw).getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
JcaX509CertificateConverter providerConverter = certificateConverter.setProvider(new BouncyCastleProvider());
X509CertificateHolder holder = caBuilder.build(sigGen);
X509Certificate cert = providerConverter.getCertificate(holder);
byte[] encoded = cert.getEncoded();
StringWriter writer = new StringWriter();
PemWriter pemWriter = new PemWriter(writer);
PemObject pemObject = new PemObject("CERTIFICATE", encoded);
pemWriter.writeObject(pemObject);
pemWriter.close();
String strBytes = writer.toString();
return strBytes.getBytes();
}
return null;
}