我成功地从证书请求制作了 X.509 证书。
但是,我需要在 X.509 证书中插入 CERT 路径信息。
我知道我必须使用CertPathBuilder方法,但我不知道如何使用它。
你能给我一个适合以下代码的代码示例吗?
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import chapter6.X509V1CreateExample;
//example of a basic CA
public class PKCS10CertCreateExample
{
public static X509Certificate[] buildChain() throws Exception
{
PEMReader pRd = new PEMReader(
new InputStreamReader(
new FileInputStream("pkcs10.req")));
PKCS10CertificationRequest request = (PKCS10CertificationRequest)pRd.readObject();
//create a root certificate
KeyPair rootPair=chapter6.Utils.generateRSAKeyPair();
X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair);
//validate the certification request
if(!request.verify("BC"))
{
System.out.println("request failed to verify!");
System.exit(1);
}
//create the certificate using the information in the request
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(rootCert.getSubjectX500Principal());
certGen.setNotBefore(new Date(System.currentTimeMillis()));
certGen.setNotAfter(new Date(System.currentTimeMillis()+50000));
certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
certGen.setPublicKey(request.getPublicKey("BC"));
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert));
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC")));
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
//certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
//extract the extension request attribute
ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();
for(int i=0;i!=attributes.size();i++)
{
Attribute attr = Attribute.getInstance(attributes.getObjectAt(i));
//process extension request
if(attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest))
{
X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
Enumeration<?> e = extensions.oids();
while(e.hasMoreElements())
{
DERObjectIdentifier oid = (DERObjectIdentifier)e.nextElement();
X509Extension ext = extensions.getExtension(oid);
certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
}
}
}
X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate());
return new X509Certificate[]{issuedCert, rootCert};
}
public static void pemEncodeToFile(String filename, Object obj, char[] password) throws Exception{
PEMWriter pw = new PEMWriter(new FileWriter(filename));
if (password != null && password.length > 0) {
pw.writeObject(obj, "DESEDE", password, new SecureRandom());
} else {
pw.writeObject(obj);
}
pw.flush();
pw.close();
}
public static void main(String[] args) throws Exception
{
X509Certificate[] chain = buildChain();
PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
pemWrt.writeObject(chain[0]);
pemEncodeToFile("pkcs10.pem", chain[0], null);
pemWrt.close();
}
}
下面的代码可能会帮助你
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey"));
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);
cpp.setRevocationEnabled(true);
cpp.setMaxPathLength(6);
cpp.setDate(new Date());
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
CSR 回复通常由中间 CA 签名,因此证书链不完整缺少根 CA。 假设集合trustCerts
中的所有根 CA 证书,并且证书数组从 CSR 回复certChain
。
要构建完整的证书链,首先将所有根 CA 证书添加到 trustAnchors
。
Set<TrustAnchor> trustAnchors = new HashSet<>();
trustAnchors.addAll(trustCerts.stream.map(cert -> new TrustAnchors(cert, null)).toList());
然后使用目标结束证书配置CertSelector
。
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(certChain[0]);
创建生成参数。如果不使用它,请禁用吊销检查。
PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustAnchors, selector);
parameters.setRevocationEnabled(false);
将中间 CA 证书添加到生成参数中。由于certChain
同时包含中间 CA 和结束证书,因此只需将其添加到参数中即可。
CertStore intermediate = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certChain)));
parameters.addCertStore(intermediate);
实例化构建器实例和构建路径
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult cpbResult = (PKIXCertPathBuilderResult) cpb.build(parameters);
CertPath cp = cpbResult.getCertPath();
List<X509Certificate> completeCertChain = (List<X509Certificate>) cp.getCertificates();