2. 질의 응답
  3. 특정 개인 키를 사용하여 인증서 생성

특정 개인 키를 사용하여 인증서 생성

2017-01-24 2 views
0

나는 탄력이 강한 성으로 일하고 있으며 생성 된 임의의 키 대신 특정 개인 키를 생성하려고합니다.특정 개인 키를 사용하여 인증서 생성

개인 키를 제공하고 싶지만 코드는 임의의 키를 계속 생성합니다. 탄력성있는 성에서 사용할 정확한 개인 키를 지정하는 방법이 있습니까?

내 코드는 아래와 같습니다. 생성 된 인증서의 공개 키를 확인하면 항상 다른 값을 얻습니다. 내가 지정한 값이 필요해. 잘못 자바에 대한 대답의 주요

var cb = new X509CertBuilder(suppliers, "CN=MandarinAS, OU=Scheme42, O=MandarinAS, C=GB", 
        CertStrength.Bits1024); 


        var cert = cb.MakeCertificate(pwd, "CN=Mandarin, OU=CustomerId, OU=Scheme42, O=OrgX, C=GB", 1,keypair); 

        File.WriteAllBytes("Cert.pfx", cert.Export(X509ContentType.Pkcs12, pwd)); 


       File.WriteAllBytes("Cert.cer", cert.Export(X509ContentType.Cert, pwd)); 
    var store = new X509Store(storeLocation); 
       store.Open(OpenFlags.ReadOnly); 

       var myCertificate = new X509Certificate2("Cert.pfx", "password"); 
       if (myCertificate.PrivateKey ! 

= null) 
      { 
       store.Close(); 

      } 
//here i debug and compare the public key values myCertificate is always changing

X509CertBuilder.cs

public class X509CertBuilder 
    { 
     private const string SignatureAlgorithm = "SHA1WithRSA"; 
     private readonly int _strength; 
     private readonly CryptoApiRandomGenerator _randomGenerator = new CryptoApiRandomGenerator(); 
     private readonly X509V3CertificateGenerator _certificateGenerator = new X509V3CertificateGenerator(); 
     private readonly SecureRandom _random; 
     private readonly X509Name _issuer; 
     private readonly GeneralName[] _generalNames; 

     public X509CertBuilder(string[] validWithDomainNames, string issuer, CertStrength certStrength) 
     { 
      _random = new SecureRandom(_randomGenerator); 
      _issuer = new X509Name(issuer); 
      _strength = (int) certStrength; 

      _generalNames = new GeneralName[validWithDomainNames.Length]; 
      for (var t = 0; t < validWithDomainNames.Length; t++) 
      { 
       _generalNames[t] = new GeneralName(new X509Name(validWithDomainNames[t])); 
      } 
     } 

     public X509Certificate2 MakeCertificate(string password, string issuedToDomainName, int validYears, AsymmetricCipherKeyPair mykey=null) 
     { 
      _certificateGenerator.Reset(); 

      _certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm); 
      var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), 
       _random); 
      _certificateGenerator.SetSerialNumber(serialNumber); 

      _certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName)); 
      _certificateGenerator.SetIssuerDN(_issuer); 

      var subjectAlternativeNames = new Asn1Encodable[_generalNames.Length + 1]; 
      // first subject alternative name is the same as the subject 
      subjectAlternativeNames[0] = new GeneralName(new X509Name(issuedToDomainName)); 
      for (var t = 1; t <= _generalNames.Length; t++) 
      { 
       subjectAlternativeNames[t] = _generalNames[t - 1]; 
      } 
      var subjectAlternativeNamesExtension = new DerSequence(subjectAlternativeNames); 
      _certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, 
       subjectAlternativeNamesExtension); 

      _certificateGenerator.SetNotBefore(DateTime.UtcNow.Date); 
      _certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(validYears)); 
      var keyGenerationParameters = new KeyGenerationParameters(_random, _strength); 

      var keyPairGenerator = new RsaKeyPairGenerator(); 


      keyPairGenerator.Init(keyGenerationParameters); 
      var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); 

      _certificateGenerator.SetPublicKey(subjectKeyPair.Public); 

      //Previouse auto key 
      //var issuerKeyPair = subjectKeyPair; 

      //My mykey 
      var issuerKeyPair = mykey; 
      var certificate = _certificateGenerator.Generate(issuerKeyPair.Private,_random); 


      var store = new Pkcs12Store(); 
      var friendlyName = certificate.SubjectDN.ToString(); 
      var certificateEntry = new X509CertificateEntry(certificate); 
      store.SetCertificateEntry(friendlyName, certificateEntry); 
      store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(issuerKeyPair.Private), new[] {certificateEntry}); 

      using (var stream = new MemoryStream()) 
      { 
       store.Save(stream, password.ToCharArray(), _random); 
       return new X509Certificate2(stream.ToArray(), password, 
        X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); 
      } 
     } 
    }

출처

2017-01-24 flexxxit

답변

0

편집에서

. BouncyCastle C#을 API는 쉽게 온라인으로 액세스되지 않은,하지만 난 당신이 찾고있는 것은 당신이 DER 형식의 공개 키가있는 경우, 당신은 단순히 java.security.cert.CertificateFactory.generateCertificate()로 인코딩 된 byte[]를 전달할 수 있습니다 그리고 당신은 얻을 것이다 X509CertificateParser

믿는다 결과적으로 적절한 X509Certificate. X509CertBuilder

private static X509Certificate formX509Certificate(byte[] encodedCertificate) throws CertificateException { 
     try { 
      CertificateFactory cf = CertificateFactory.getInstance("X.509"); 
      ByteArrayInputStream bais = new ByteArrayInputStream(encodedCertificate); 
      return (X509Certificate) cf.generateCertificate(bais); 
     } catch (CertificateException e) { 
      logger.error("Error converting the certificate", e); 
      throw e; 
     } 
    }

통화는 새로운 키 쌍마다에 새 인증서를 생성한다. 이미 키 쌍 (Java 코드 또는 OpenSSL 등)을 생성 한 경우 인코딩 된 인증서 값을 사용하여 인증서 객체를 작성하면됩니다.

키 쌍 값 만 있지만 공개 키가 인증서로 구성되지 않은 경우 SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());을 사용하십시오.

/** 
    * Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority. 
    * 
    * @param keyPair     the {@link KeyPair} to generate the {@link X509Certificate} for 
    * @param dn      the distinguished name to user for the {@link X509Certificate} 
    * @param signingAlgorithm  the signing algorithm to use for the {@link X509Certificate} 
    * @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid 
    * @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority 
    * @throws CertificateException  if there is an generating the new certificate 
    */ 
    public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) 
      throws CertificateException { 
     try { 
      ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate()); 
      SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); 
      Date startDate = new Date(); 
      Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays)); 

      X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        reverseX500Name(new X500Name(dn)), 
        getUniqueSerialNumber(), 
        startDate, endDate, 
        reverseX500Name(new X500Name(dn)), 
        subPubKeyInfo); 

      // Set certificate extensions 
      // (1) digitalSignature extension 
      certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment 
        | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign)); 

      certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true)); 

      certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic())); 

      certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic())); 

      // (2) extendedKeyUsage extension 
      certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth})); 

      // Sign the certificate 
      X509CertificateHolder certificateHolder = certBuilder.build(sigGen); 
      return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder); 
     } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) { 
      throw new CertificateException(e); 
     } 
    }

출처

2017-01-24 20:44:54 Andy

관련 문제

 관련 문제