Fatal编程技术网
  • java/
  • Java 如何使用Bouncy Castle从CSR创建X509以使用公钥验证签名

Java 如何使用Bouncy Castle从CSR创建X509以使用公钥验证签名

java

Java 如何使用Bouncy Castle从CSR创建X509以使用公钥验证签名,java,Java,我使用openssl生成一个私钥,创建一个csr,使用CA私钥将csr发送到服务器,对其进行签名,并生成一个X509,然后将其发送回客户端。客户端将X509放入证书存储。客户端对一些虚拟数据进行签名,并尝试使用证书中的公钥对其进行验证。验证失败。但是,当我直接从私钥生成一个公钥时,验证会使用该公钥成功 在客户端上生成私钥 openssl genrsa -out ${keydir}/sign.key 2048 2>/dev/null 企业社会责任 将CSR发送给CA签名者(有关如何处理CS

我使用openssl生成一个私钥,创建一个csr,使用CA私钥将csr发送到服务器,对其进行签名,并生成一个X509,然后将其发送回客户端。客户端将X509放入证书存储。客户端对一些虚拟数据进行签名,并尝试使用证书中的公钥对其进行验证。验证失败。但是,当我直接从私钥生成一个公钥时,验证会使用该公钥成功

在客户端上生成私钥

openssl genrsa -out ${keydir}/sign.key 2048 2>/dev/null
企业社会责任

将CSR发送给CA签名者(有关如何处理CSR字节,请参阅下面的java代码)

然后使用以下命令进行测试

echo abcdefghijklmnopqrstuvwxyz > myfile.txt #generate some data to sign

openssl dgst -sha256 -sign sign.key -out sha256.sign myfile.txt #sign the data with the private key

openssl x509 -pubkey -noout -in Sign.crt   > pubkey.pem #extract the public key from the certificate

openssl dgst -sha256 -verify pubkey.pem -signature sha256.sign myfile.txt #verify
验证失败

openssl rsa -in sign.key -pubout -out pubkey.pem #generate public key from private key directly

openssl dgst -sha256 -verify pubkey.pem -signature sha256.sign myfile.txt
确认正常

看起来我的java代码是可疑的。谢谢你的帮助

public byte[] calculateX509(byte[] csrBytes) throws Exception {
    Clock clock = Clock.systemUTC();
    Date notBefore = Date.from(clock.instant());
    Duration expDuration = Duration.ofDays(3650);
    Date notAfter = Date.from(clock.instant().plus(expDuration));
    String csrStr = new String(csrBytes);
    csrStr = csrStr.replace("-----BEGIN CERTIFICATE REQUEST-----", "");
    csrStr = csrStr.replace("-----END CERTIFICATE REQUEST-----", "");
    csrStr = csrStr.replaceAll("\n", "");
    byte[] csrDecode = Base64.getDecoder().decode(csrStr.trim());
    PKCS10CertificationRequest decodedCsr = new PKCS10CertificationRequest(csrDecode);
    X500Name issuer = X500Name.getInstance(decodedCsr.getSubject().getEncoded());
    X509v3CertificateBuilder caBuilder = new X509v3CertificateBuilder(issuer,
            BigInteger.valueOf(clock.millis()),
            notBefore,
            notAfter,
            decodedCsr.getSubject(),
            decodedCsr.getSubjectPublicKeyInfo())
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

    if (Lunaks.containsAlias(strDAUTOPROVK))
    {
        char[] pw = {};
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("Sha256withRSA");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(Lunaks.getKey(strDAUTOPROVK, pw).getEncoded());
        ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
        JcaX509CertificateConverter providerConverter = certificateConverter.setProvider(new BouncyCastleProvider());
        X509CertificateHolder holder = caBuilder.build(sigGen);
        X509Certificate cert = providerConverter.getCertificate(holder);
        byte[] encoded = cert.getEncoded();
        StringWriter writer = new StringWriter();
        PemWriter pemWriter = new PemWriter(writer);
        PemObject pemObject = new PemObject("CERTIFICATE", encoded);
        pemWriter.writeObject(pemObject);
        pemWriter.close();
        String strBytes = writer.toString();
        return strBytes.getBytes();
    }
    return null;
}
谷歌搜索“bouncy castle create x509 certificate csr”会得到很多结果,例如(方法generateSignedCertificate(csr))。这有帮助吗?谷歌搜索“bouncy castle create x509 certificate csr”会得到很多结果,例如(方法generateSignedCertificate(csr))。这有用吗? 
public byte[] calculateX509(byte[] csrBytes) throws Exception {
    Clock clock = Clock.systemUTC();
    Date notBefore = Date.from(clock.instant());
    Duration expDuration = Duration.ofDays(3650);
    Date notAfter = Date.from(clock.instant().plus(expDuration));
    String csrStr = new String(csrBytes);
    csrStr = csrStr.replace("-----BEGIN CERTIFICATE REQUEST-----", "");
    csrStr = csrStr.replace("-----END CERTIFICATE REQUEST-----", "");
    csrStr = csrStr.replaceAll("\n", "");
    byte[] csrDecode = Base64.getDecoder().decode(csrStr.trim());
    PKCS10CertificationRequest decodedCsr = new PKCS10CertificationRequest(csrDecode);
    X500Name issuer = X500Name.getInstance(decodedCsr.getSubject().getEncoded());
    X509v3CertificateBuilder caBuilder = new X509v3CertificateBuilder(issuer,
            BigInteger.valueOf(clock.millis()),
            notBefore,
            notAfter,
            decodedCsr.getSubject(),
            decodedCsr.getSubjectPublicKeyInfo())
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

    if (Lunaks.containsAlias(strDAUTOPROVK))
    {
        char[] pw = {};
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("Sha256withRSA");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(Lunaks.getKey(strDAUTOPROVK, pw).getEncoded());
        ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
        JcaX509CertificateConverter providerConverter = certificateConverter.setProvider(new BouncyCastleProvider());
        X509CertificateHolder holder = caBuilder.build(sigGen);
        X509Certificate cert = providerConverter.getCertificate(holder);
        byte[] encoded = cert.getEncoded();
        StringWriter writer = new StringWriter();
        PemWriter pemWriter = new PemWriter(writer);
        PemObject pemObject = new PemObject("CERTIFICATE", encoded);
        pemWriter.writeObject(pemObject);
        pemWriter.close();
        String strBytes = writer.toString();
        return strBytes.getBytes();
    }
    return null;
}