2012-10-12 2 views
3

CSR generated with Bouncycastle is missing public key and attributes

I'm using Bouncy Castle to generate a CSR. The certificate is intended for a CA. When I view the CSR's text information with OpenSSL, the public key and attributes appear to be missing. Any help would be appreciated.

Version: Bouncy Castle bcpkix-jdk15on 1.47. Generated CSR:

-----BEGIN CERTIFICATE REQUEST----- 
MIICvjCCAaYCAQAwRjERMA8GA1UEAwwIY29tcGFueTExETAPBgNVBAsMCGNvbXBh 
bnkxMREwDwYDVQQKDAhjb21wYW55MTELMAkGA1UEBhMCR0IwggE6MA0GCSqGSIb3 
DQEBBQUAA4IBJwAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf8WK4 
L1yaBqlvV8cqlTerv53I5MchllrkR94oE42JNuQ0vmQlh/wc8WfqB1lkYvQdf04g 
IQ69VQKCIfQeahODnQ9N/Ct4wIfoCz3KtZZq7DZgoIsMNf2tWlGwJMTbPYLJYjPv 
rfxGMh79dF6VpxMDIHLrvhgYzDFfPxhQXpTTVNXY9pMkrQ+8ZnlqpSQLToQ5JUFZ 
ZDiJtZvmhELGOrDxDDHBlmBRMadjRx5bP6JtJYtv540p55trUnJVRmGjjMvWw5aE 
cKm7Z1BcoTwLsn0gzBR43el0J9QB+RMiDsJKhaBugzv3/852Ih8eZis6G4dRWnm9 
BvAgRQfiW4ciJEnZAgMBAAGgGzALBgNVHQ8xBAMCAQYwDAYDVR0TMQUwAwEB/zAN 
BgkqhkiG9w0BAQUFAAOCAQEAI6s+Wybusc2JBN36RMMG4qf8awIVJo/d1KwAhm9Y 
7eO+ILLXk3wkZEdX5vEPQAdN7ZYYr1lCQfU2QuxDm3OCYuqJBt0fZGWAPYlfp6QD 
AnQLEuLIIP/jZSgn2YzLeOuwO2n+7I9sx2lBihfkzNIK9PEiYM2TOA+4Rac7XdFA 
o20GnruZ1Gq79C043Yz+G8iMNS44vaVjlshDovvmD5YDtjmQRtvDzoB2lyqEVwsS 
Xy+vc0NdyWHJxAUPeOl+iqjF5YeACH92fFw9WV46syCAW7t9dCqdntvhKQRV+Me0 
dOelvZPcqKtd7fsWYpKgUYkk61uWskeLIgnSonEyHWVSwQ== 
-----END CERTIFICATE REQUEST----- 

Code (bcpkix-jdk15on 1.47):

    String principal = "CN=company1, OU=company1, O=company1, C=GB";
    AsymmetricKeyParameter keyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
    AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
        .find("SHA1WITHRSA");
    AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
    ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(keyParam);

    SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo(signatureAlgorithm, pair.getPublic()
        .getEncoded());
    PKCS10CertificationRequestBuilder csrBuilder = new PKCS10CertificationRequestBuilder(
        new X500Name(principal), publicKeyInfo);
    csrBuilder.addAttribute(X509Extension.basicConstraints, new BasicConstraints(true));
    csrBuilder.addAttribute(X509Extension.keyUsage, new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign));
    csr = csrBuilder.build(signer);

The PEM is missing the public key, basic constraints and key usage:

Certificate Request: 
    Data: 
     Version: 0 (0x0) 
     Subject: CN=company1, OU=company1, O=company1, C=GB 
     Subject Public Key Info: 
      Public Key Algorithm: sha1WithRSAEncryption 
      Unable to load Public Key 
140432158140064:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239: 
140432158140064:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155: 
     Attributes: 
      X509v3 Key Usage   :unable to print attribute 
      X509v3 Basic Constraints :unable to print attribute 
    Signature Algorithm: sha1WithRSAEncryption 
     23:ab:3e:5b:26:ee:b1:cd:89:04:dd:fa:44:c3:06:e2:a7:fc: 
     6b:02:15:26:8f:dd:d4:ac:00:86:6f:58:ed:e3:be:20:b2:d7: 
     93:7c:24:64:47:57:e6:f1:0f:40:07:4d:ed:96:18:af:59:42: 
     41:f5:36:42:ec:43:9b:73:82:62:ea:89:06:dd:1f:64:65:80: 
     3d:89:5f:a7:a4:03:02:74:0b:12:e2:c8:20:ff:e3:65:28:27: 
     d9:8c:cb:78:eb:b0:3b:69:fe:ec:8f:6c:c7:69:41:8a:17:e4: 
     cc:d2:0a:f4:f1:22:60:cd:93:38:0f:b8:45:a7:3b:5d:d1:40: 
     a3:6d:06:9e:bb:99:d4:6a:bb:f4:2d:38:dd:8c:fe:1b:c8:8c: 
     35:2e:38:bd:a5:63:96:c8:43:a2:fb:e6:0f:96:03:b6:39:90: 
     46:db:c3:ce:80:76:97:2a:84:57:0b:12:5f:2f:af:73:43:5d: 
     c9:61:c9:c4:05:0f:78:e9:7e:8a:a8:c5:e5:87:80:08:7f:76: 
     7c:5c:3d:59:5e:3a:b3:20:80:5b:bb:7d:74:2a:9d:9e:db:e1: 
     29:04:55:f8:c7:b4:74:e7:a5:bd:93:dc:a8:ab:5d:ed:fb:16: 
     62:92:a0:51:89:24:eb:5b:96:b2:47:8b:22:09:d2:a2:71:32: 
     1d:65:52:c1 

Answers

4

I found the problem. I had associated the public key with the signature algorithm instead of the encryption algorithm, here:

AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder() 
     .find("SHA1WITHRSA"); 
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1"); 
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(keyParam); 
SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo(signatureAlgorithm, pair.getPublic().getEncoded()); 

I also didn't know about ExtensionsGenerator. With signature algorithm SHA1withRSA:

String principal = "CN=company1, OU=company1, O=company1, C=GB"; 
AsymmetricKeyParameter privateKey = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded()); 
AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder() 
     .find("SHA1WITHRSA"); 
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1"); 
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(privateKey); 

PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(
     principal), pair.getPublic()); 
ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator(); 
extensionsGenerator.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true)); 
extensionsGenerator.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign 
     | KeyUsage.cRLSign)); 
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate()); 
csr = csrBuilder.build(signer); 
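The following is an added example, not code from the answer above. It assumes a current bcprov/bcpkix release (the Extension class that replaced X509Extension, and the JcaPEMWriter helper) and uses SHA256withRSA rather than the SHA1withRSA of the thread. It builds the CA-profile CSR the corrected answer describes, then performs the checks a CA would run before signing: the SubjectPublicKeyInfo must be labelled rsaEncryption (the exact mistake in the question), the proof-of-possession signature must verify, and the basicConstraints and keyUsage extensions must be readable from the pkcs-9 extensionRequest attribute. The class name and method names are mine:

```java
import java.io.IOException;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;

import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Added example (hypothetical class name); not part of the original thread.
public class CaCsrExample {

    // Builds a CA-profile CSR. The requested extensions travel inside the
    // pkcs-9 extensionRequest attribute, which is where OpenSSL looks for them.
    static PKCS10CertificationRequest buildCsr(KeyPair pair, String subject) throws Exception {
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        extGen.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));

        // The JCA builder derives SubjectPublicKeyInfo from the PublicKey itself,
        // so the key is labelled rsaEncryption rather than the signature algorithm.
        PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(subject), pair.getPublic());
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(pair.getPrivate());
        return builder.build(signer);
    }

    // Checks a CA should run before signing: plain RSA key, valid self-signature,
    // and the requested CA extensions actually parse with the expected values.
    static boolean acceptableForCaProfile(PKCS10CertificationRequest csr) throws Exception {
        SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo();
        if (!PKCSObjectIdentifiers.rsaEncryption.equals(spki.getAlgorithm().getAlgorithm())) {
            return false; // the bug in the question: SPKI tagged with sha1WithRSAEncryption
        }
        ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().build(spki);
        if (!csr.isSignatureValid(verifier)) {
            return false; // no proof of possession of the private key
        }
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (attrs.length != 1) {
            return false;
        }
        Extensions exts = Extensions.getInstance(attrs[0].getAttrValues().getObjectAt(0));
        Extension bcExt = exts.getExtension(Extension.basicConstraints);
        Extension kuExt = exts.getExtension(Extension.keyUsage);
        if (bcExt == null || kuExt == null) {
            return false;
        }
        BasicConstraints bc = BasicConstraints.getInstance(bcExt.getParsedValue());
        KeyUsage ku = KeyUsage.getInstance(kuExt.getParsedValue());
        return bc.isCA() && ku.hasUsages(KeyUsage.keyCertSign | KeyUsage.cRLSign);
    }

    // PEM encoding, so the result can be fed to "openssl req -noout -text".
    static String toPem(PKCS10CertificationRequest csr) throws IOException {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pem = new JcaPEMWriter(out)) {
            pem.writeObject(csr);
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair(); // fresh key, constructed for the example

        PKCS10CertificationRequest csr = buildCsr(pair, "CN=company1, OU=company1, O=company1, C=GB");
        System.out.print(toPem(csr));
        System.out.println("acceptable for CA profile: " + acceptableForCaProfile(csr));
    }
}
```

The algorithm-OID check is the one that would have caught the original CSR: its SubjectPublicKeyInfo carried sha1WithRSAEncryption as the key algorithm, which is exactly why OpenSSL reported "unsupported algorithm" under Public Key Algorithm. Piping the printed PEM into openssl req -noout -text should now show an RSA public key and a Requested Extensions section instead of "unable to print attribute".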
1

Thanks for posting working code to generate a CSR for an RSA key with Bouncy Castle. Adding the extensions with csrBuilder.addAttribute(..) did not generate them correctly.

Since many people run into this problem, here are a few lines to add ExtendedKeyUsage and Subject Alternative Name:

    Vector<KeyPurposeId> extendedKeyUsageVector = new Vector<KeyPurposeId>();
    for (String extendedKeyUsage : bean.getExtendedKeyUsage()) {
        extendedKeyUsageVector.add(new KeyPurposeId(extendedKeyUsage));
    }
    extnGen.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(extendedKeyUsageVector));

    GeneralName[] subjectAltName = new GeneralName[2];
    subjectAltName[0] = new GeneralName(GeneralName.dNSName, "abc.com");
    subjectAltName[1] = new GeneralName(GeneralName.dNSName, "xyz.com");

    extnGen.addExtension(X509Extension.subjectAlternativeName, false, new GeneralNames(subjectAltName));
0

X509Extension is deprecated, so here is an update:

    static private X500Name getX500Name(){
        final String testPostalCode = "92156-4105";
        return new X500NameBuilder(BCStrictStyle.INSTANCE)
            .addRDN(BCStyle.CN, "JD")
            .addRDN(BCStrictStyle.POSTAL_CODE, testPostalCode)
            .addRDN(BCStrictStyle.C, "US")
            .build();
    }//getX500Name

    static public PKCS10CertificationRequest genCSR(){
        try{
            KeyPair pair = getKeyPair();

            GeneralNames subjectAltName = new GeneralNames(
                new GeneralName(GeneralName.rfc822Name, "[email protected]"));

            ExtensionsGenerator extnsnGenr = new ExtensionsGenerator();
            extnsnGenr.addExtension(Extension.subjectAlternativeName, false, subjectAltName);

            PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
                getX500Name(),
                pair.getPublic())
                .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extnsnGenr.generate());
                //.setLeaveOffEmptyAttributes(false)

            // the signature algorithm name must be a string literal
            JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withECDSA");

            ContentSigner signer = csBuilder.build(pair.getPrivate());
            PKCS10CertificationRequest CSR = p10Builder.build(signer);
            return CSR;
        }
        catch (IOException | OperatorCreationException X){
            mLog.error(CRYPTOERR.toString());
            return null; // every path must return a value; callers must handle null
        }
    }//genCSR
Deprecated list: http://www.borelly.net/cb/docs/javaBC-1.4.8/prov/deprecated-list.html