向我生成的证书添加新扩展

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了向我生成的证书添加新扩展相关的知识,希望对你有一定的参考价值。

我需要在我的证书中添加一个新的OID 1.3.6.1.5.5.7.1.26扩展。我在证书中获得了此OID扩展,但出现以下错误:

证书扩展:10 [1]:ObjectId:1.3.6.1.5.5.7.1.26 Criticality = false 扩展名未知:DER编码的OCTET字符串= 0000:04 0C 30 0A 13 08 33 39 20 64 63 20 32 62 ..0 ... 39 dc 2b

我希望这个OID被识别类似于其他扩展,如AuthorityInfoAccess等。

我是否需要编辑Bouncy Castle X509类的罐子?

我使用ACME4j作为客户端,Letsencrypt Boulder作为我的服务器。

以下是用于注册证书的CSR Builder代码。

public void sign(KeyPair keypair) throws IOException {
    //Security.addProvider(new BouncyCastleProvider());
    Objects.requireNonNull(keypair, "keypair");
    if (namelist.isEmpty()) {
        throw new IllegalStateException("No domain was set");
    }

    try {
        GeneralName[] gns = new GeneralName[namelist.size()];
        for (int ix = 0; ix < namelist.size(); ix++) {
            gns[ix] = new GeneralName(GeneralName.dNSName,namelist.get(ix));
        }
        SignatureAlgorithmIdentifierFinder algFinder = new 
                DefaultSignatureAlgorithmIdentifierFinder();
        GeneralNames subjectAltName = new GeneralNames(gns);


        PKCS10CertificationRequestBuilder p10Builder = new     JcaPKCS10CertificationRequestBuilder(namebuilder.build(), keypair.getPublic());

        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        extensionsGenerator.addExtension(Extension.subjectAlternativeName,     false, subjectAltName);
        //extensionsGenerator.addExtension(Extension.authorityInfoAccess,         true, subjectAltName);
        //extensionsGenerator.addExtension(new ASN1ObjectIdentifier("TBD"),     false, subjectAltName);
        //extensionsGenerator.addExtension(new     ASN1ObjectIdentifier("1.3.6.1.5.5.7.1.24"), false, subjectAltName);
        extensionsGenerator.addExtension(new     ASN1ObjectIdentifier("1.3.6.1.5.5.7.1.26").intern(), false, subjectAltName);
        //extentionsGenerator.addExtension();
            p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,     extensionsGenerator.generate());


        PrivateKey pk = keypair.getPrivate();
        /*JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder(
                        pk instanceof ECKey ? EC_SIGNATURE_ALG :     EC_SIGNATURE_ALG);
        ContentSigner signer = csBuilder.build(pk);*/

        if(pk instanceof ECKey)
        {
            AlgorithmIdentifier sigAlg = algFinder.find("SHA1withECDSA");
              AlgorithmIdentifier digAlg = new     DefaultDigestAlgorithmIdentifierFinder().
                    find(sigAlg);
            ContentSigner signer = new     JcaContentSignerBuilder("SHA256with"+pk.getAlgorithm()).setProvider(BOUNCY_CASTL    E_PROVIDER).build(keypair.getPrivate());

            csr=p10Builder.build(signer);
            System.out.println("ZIPED CSR ECDSA: "+csr);
        }
        else
        {
            ContentSigner signer = new     JcaContentSignerBuilder("SHA256with"+pk.getAlgorithm()).build(keypair.getPrivate    ()); 
            csr = p10Builder.build(signer);
            System.out.println("ZIPED CSR RSA: "+csr);
        }

        //csr = p10Builder.build(signer);
    } catch (Exception ex) {
        ex.printStackTrace();;
    }
}
答案

注意:对于这些代码,我使用了bcprov-jdk15on 1.56

关于您的代码的一些评论。首先,请注意ASN1结构:

TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry

TNEntry ::= CHOICE {
  spc   [0] ServiceProviderCodeList,
  range [1] TelephoneNumberRange,
  one       E164Number
}

请注意,TNEntry是一个选择,TNAuthorizationList是一系列TNEntry对象。所以your class name应该改为TNEntry。在下面的代码中,请记住我已将类名更改为TNEntry

我也改变了这堂课的一些东西。在getInstance(Object obj)方法中,spc和range字段的类型不正确(根据ASN1定义,它们都是序列):

switch (tag) {
    case spc:
    case range: // both are sequences
        return new TNEntry(tag, ASN1Sequence.getInstance(tagObj, false));
    // not sure about "one" field, as it's not tagged
}

我只是不知道如何处理这个字段,因为它没有标记。也许它应该是一个DERIA5String,或者也许还有另一种类型的“无标记”选择。

在同一个类中(请记住,我已将其名称更改为TNEntry),我还删除了构造函数public TNEntry(int tag, String name),因为我不确定它是否适用(至少我不需要使用它,但是你可以保留它,如果你想要),我已经改变了toString方法来返回一个更易读的字符串:

public String toString() {
    String sep = System.getProperty("line.separator");
    StringBuffer buf = new StringBuffer();

    buf.append(this.getClass().getSimpleName());
    buf.append(" [").append(tag);
    buf.append("]: ");
    switch (tag) {
        case spc:
            buf.append("ServiceProviderCodeList: ").append(sep);
            ASN1Sequence seq = (ASN1Sequence) this.obj;
            int size = seq.size();
            for (int i = 0; i < size; i++) {
                // all elements are DERIA5Strings
                DERIA5String str = (DERIA5String) seq.getObjectAt(i);
                buf.append("    ");
                buf.append(str.getString());
                buf.append(sep);
            }
            break;

        case range:
            buf.append("TelephoneNumberRange: ").append(sep);

            // there are always 2 elements in TelephoneNumberRange
            ASN1Sequence s = (ASN1Sequence) this.obj;
            DERIA5String str = (DERIA5String) s.getObjectAt(0);
            buf.append("    start: ");
            buf.append(str.getString());
            buf.append(sep);
            ASN1Integer count = (ASN1Integer) s.getObjectAt(1);
            buf.append("    count: ");
            buf.append(count.toString());
            buf.append(sep);
            break;

        default:
            buf.append(obj.toString());
    }

    return buf.toString();
}

我还创建了一个TNAuthorizationList类,它保存了TNEntry对象的序列(记住我已经将你的类名改为TNEntry,所以这个TNAuthorizationList类是另一个)。请注意,我还创建了一个常量来保存OID(只是为了让事情变得更容易):

public class TNAuthorizationList extends ASN1Object {
    // put OID in a constant, so I don't have to remember it all the time
    public static final ASN1ObjectIdentifier TN_AUTH_LIST_OID = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.1.26");

    private TNEntry[] entries;

    public TNAuthorizationList(TNEntry[] entries) {
        this.entries = entries;
    }

    public static TNAuthorizationList getInstance(Object obj) {
        if (obj instanceof TNAuthorizationList) {
            return (TNAuthorizationList) obj;
        }
        if (obj != null) {
            return new TNAuthorizationList(ASN1Sequence.getInstance(obj));
        }

        return null;
    }

    public static TNAuthorizationList getInstance(ASN1TaggedObject obj, boolean explicit) {
        return getInstance(ASN1Sequence.getInstance(obj, explicit));
    }

    private TNAuthorizationList(ASN1Sequence seq) {
        this.entries = new TNEntry[seq.size()];

        for (int i = 0; i != seq.size(); i++) {
            entries[i] = TNEntry.getInstance(seq.getObjectAt(i));
        }
    }

    public TNEntry[] getEntries() {
        TNEntry[] tmp = new TNEntry[entries.length];
        System.arraycopy(entries, 0, tmp, 0, entries.length);
        return tmp;
    }

    @Override
    public ASN1Primitive toASN1Primitive() {
        return new DERSequence(entries);
    }

    public String toString() {
        String sep = System.getProperty("line.separator");
        StringBuffer buf = new StringBuffer();

        buf.append(this.getClass().getSimpleName());
        buf.append(":").append(sep);
        for (TNEntry tnEntry : entries) {
            buf.append("  ");
            buf.append(tnEntry.toString());
            buf.append(sep);
        }
        return buf.toString();
    }
}

现在,要将此扩展添加到证书中,我已完成此代码(包含一些示例数据,因为我不知道在现实世界中每个字段应该是什么):

X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(etc...);

// create TNEntries for TNAuthorizationList
TNEntry[] entries = new TNEntry[2];

// create a "spc" entry
DERIA5String[] cList = new DERIA5String[] { new DERIA5String("spc1"), new DERIA5String("spc2") };
DERSequence spc = new DERSequence(cList);
entries[0] = TNEntry.getInstance(new DERTaggedObject(false, TNEntry.spc, spc));

// create a "range" entry
DERSequence range = new DERSequence(new ASN1Encodable[] { new DERIA5String("123456"), new ASN1Integer(1) });
entries[1] = TNEntry.getInstance(new DERTaggedObject(false, TNEntry.range, range));

TNAuthorizationList tnAuthList = new TNAuthorizationList(entries);
builder.addExtension(TNAuthorizationList.TN_AUTH_LIST_OID, false, tnAuthList);

获得证书对象(在我的示例中为X509Certificate)后,您可以执行以下操作:

// cert is a X509Certificate instance
ASN1Primitive value = X509ExtensionUtil.fromExtensionValue(cert.getExtensionValue(TNAuthorizationList.TN_AUTH_LIST_OID.getId()));
TNAuthorizationList authList = TNAuthorizationList.getInstance(value);
System.out.println(authList.toString());

输出将是:

TNAuthorizationList:
  TNEntry [0]: ServiceProviderCodeList: 
    spc1
    spc2

  TNEntry [1]: TelephoneNumberRange: 
    start: 123456
    count: 1

笔记:

  • 正如我所说,这段代码是不完整的,因为我不知道如何处理TNEntry的一个字段,因为它没有标记(我不知道它是否必须是DERIA5String或者是否有另一种类型的对象为“未标记” “场”。
  • 你也可以做一些改进: ServiceProviderCodeList可以有1到3个元素,因此您可以验证其大小 TelephoneNumberRange:起始字段有一个特定的格式(FROM ("0123456789#*"),我认为这意味着只接受这些字符),所以你也可以验证它 要创建ServiceProviderCodeListTelephoneNumberRange的值,我已经手动创建了DERSequence对象,但是如果需要,可以为它们创建自定义类:ServiceProviderCodeList可以包含DERIA5String列表并在其构造函数中执行适当的验证(大小从1到1) 3),和TelephoneNumberRange可以有起始和计数字段(正确验证起始值) - 并且toASN1Primitive只需要以正确的顺序返回其字段的DERSequence

对于你的parsing issues,我检查了acme4j code,它使用了java.security.cert.X509Certificate类。此类的toString()方法(当使用Sun的默认提供程序时)生成此“扩展名未知”输出(根据相应的code)。

因此,为了正确解析它(显示如上所述的格式化输出),您可能必须更改acme4j的代码(或编写自己的代码),创建新的toString()方法并在此方法中包含新的TNAuthorizationList类。

当您提供显示如何使用acme4j的代码时,如果需要,我会相应地更新此答案。

另一答案

由于OID 1.3.6.1.5.5.7.1.26仍然是一个草案,我相信像Let's Encrypt这样的工具和系统不太可能识别这个扩展(他们可能会在这个扩展成为官方之后做到这一点,我真的不喜欢我知道这种批准背后的官僚程序)。

这意味着您可能需要

以上是关于向我生成的证书添加新扩展的主要内容,如果未能解决你的问题,请参考以下文章

powershell 此powershell脚本生成新证书,从IISExpress ssl端口删除旧证书分配并添加新证书

Apple Developer 帐户错误:生成的最大证书数量(开发)

添加新实体标量时实体框架 4 映射片段错误

如何向我的团队项目添加新解决方案?

VS Code中自定义Emmet代码片段

Xcode 命令 /usr/bin/codesign 失败,退出代码为 1:errSecInternalComponent