Generating an X509 certificate with Bouncy Castle X509v3CertificateBuilder

I'm trying to port JXTA to run on App Engine. Since App Engine does not yet support the BouncyCastle "BC" provider, I have to port the existing JXTA code to generate an X509Certificate using whitelisted classes. My knowledge of crypto is minimal, and I'm not sure what I'm trying to achieve is even possible. Here is the original code from PSEUtils.java in the JXTA project:

There is a helper class that holds a java.security.cert.X509Certificate:
    public static class IssuerInfo {
        public X509Certificate cert;    // subject Cert
        public PrivateKey subjectPkey;  // subject private key
        public X509Certificate issuer;  // issuer Cert
        public PrivateKey issuerPkey;   // issuer private key
    }
In the method:

    public static IssuerInfo genCert(X500Principal subject, KeyPair keypair, IssuerInfo issuerinfo)

I pass the subject as:

    new X500Principal("CN=" + useCN)

and the key pair as (from the original code):
    KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(1024, UTILS.srng);
    KeyPair keypair = g.generateKeyPair();
and a JXTA-encoded IssuerInfo.

Now, since I can't pull in the bouncycastle.jce package, I had to remove the X509Principal and X509V3CertificateGenerator code that JXTA uses and try to replace it with an implementation that fits within GAE's restrictions. Here is what my genCert method currently contains, using org.bouncycastle.X509.X509v3CertificateBuilder:
    SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keypair.getPublic().getEncoded());
    X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(
            new X500Name(issuer.getName()),
            BigInteger.ONE,
            today,
            until,
            new X500Name(subject.getName()),
            subPubKeyInfo);
The problem is that I can't get

    keypair.getPublic().getEncoded()

to work with the SubjectPublicKeyInfo.getInstance() method. It throws java.lang.IllegalArgumentException: unknown object in factory: [B

When inspected, the public key appears to be populated:
Sun RSA public key, 1024 bits modulus: 117521430893506212334140912845641570591161279468597426442875306202350445904550279678434051874985419676760802566018092318362676224355315431299979507080364677679613392086245588766565617009250512996843008784370448997729071786062596049780632058501646041736216482596596901215941577208285499619376322050871534546271 public exponent: 65537
I found the following SO link, which demonstrates how this code works:

My attempt at converting genCert is below, but for some reason I can't get past creating the SubjectPublicKeyInfo from the encoded public key.

Any help is much appreciated.
    public static IssuerInfo genCert(X500Principal subject, KeyPair keypair, IssuerInfo issuerinfo) {
        IssuerInfo info = new IssuerInfo();
        try {
            // set up issuer
            PrivateKey signer;
            X500Principal issuer;
            if (null == issuerinfo) { // self-signed root cert
                signer = keypair.getPrivate();
                issuer = new X500Principal(subject.getEncoded());
            } else { // issuer signed service cert
                signer = issuerinfo.subjectPkey;
                X500Principal issuer_subject = issuerinfo.cert.getSubjectX500Principal();
                issuer = new X500Principal(issuer_subject.getEncoded());
            }
            // set validity 10 years from today
            Date today = new Date();
            Calendar cal = Calendar.getInstance();
            cal.setTime(today);
            cal.add(Calendar.YEAR, 10);
            Date until = cal.getTime();
            // this is the call that throws "unknown object in factory: [B" as described above
            SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keypair.getPublic().getEncoded());
            //**Can't get here so i'm not sure if the rest of this works?**
            X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(
                    new X500Name(issuer.getName()), BigInteger.ONE, today, until,
                    new X500Name(subject.getName()), subPubKeyInfo);
            AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");
            AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
            // a JCE PrivateKey cannot be cast to the BC lightweight RSAPrivateCrtKeyParameters;
            // convert its PKCS#8 encoding instead, and sign with the issuer's key, not the subject's
            AsymmetricKeyParameter cps = PrivateKeyFactory.createKey(signer.getEncoded());
            ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(cps);
            X509CertificateHolder certHolder = v3CertGen.build(sigGen);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            // Read user Certificate
            InputStream is1 = new ByteArrayInputStream(certHolder.getEncoded());
            X509Certificate eeCert = (X509Certificate) cf.generateCertificate(is1);
            is1.close();
            // fill in the result the same way the original JXTA helper does
            info.cert = eeCert;
            info.subjectPkey = keypair.getPrivate();
            info.issuer = (null == issuerinfo) ? eeCert : issuerinfo.cert;
            info.issuerPkey = signer;
            return info;
        } catch (Exception e) {
            throw new IllegalStateException("certificate generation failed", e);
        }
    }
I was able to accomplish this with help from Rene Mayrhofer's code. I'm providing the implementation, which has only been tested in the local test environment, but it appears to work fine:
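The following is an added, stand-alone example written for this page; it is not the asker's code, the answerer's missing implementation, or JXTA's own PSEUtils. It shows the provider-free path the question is after: the public key's DER is parsed as an ASN1Sequence before being handed to SubjectPublicKeyInfo.getInstance (which is what older BC releases reject with "unknown object in factory: [B"), the JCE PrivateKey is converted with PrivateKeyFactory instead of being cast, signing goes through the lightweight BcRSAContentSignerBuilder, and the result is turned into a java.security.cert.X509Certificate by the default "X.509" CertificateFactory. It assumes bcprov and bcpkix on the classpath with the current package names (org.bouncycastle.cert, org.bouncycastle.operator); the class name LightweightCertGen, the method issue, and the CN values are made up for the example. Unlike the question's code it uses SHA256withRSA, 2048-bit keys, a random serial, and a BasicConstraints extension, and it finishes by verifying the chain with the JCE alone.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

// Hypothetical class written for this example; no BC provider is registered anywhere.
public class LightweightCertGen {

    /** Issues a certificate for subjectPub signed by issuerKey. Pass the subject's own name and key for a self-signed root. */
    public static X509Certificate issue(X500Principal issuerName, PrivateKey issuerKey,
                                        X500Principal subjectName, PublicKey subjectPub,
                                        boolean isCa, SecureRandom rng) throws Exception {
        // getEncoded() on a JCE public key returns X.509 SubjectPublicKeyInfo DER. Parsing it as an
        // ASN1Sequence first avoids the "unknown object in factory: [B" IllegalArgumentException that
        // older BC releases throw when getInstance() receives a raw byte[].
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(
                ASN1Sequence.getInstance(subjectPub.getEncoded()));

        Date notBefore = new Date();
        Calendar cal = Calendar.getInstance();
        cal.setTime(notBefore);
        cal.add(Calendar.YEAR, 10);
        Date notAfter = cal.getTime();

        // Serial numbers must be unique per issuer; a fixed BigInteger.ONE collides on the second
        // certificate, so draw a random 64-bit value instead.
        BigInteger serial = new BigInteger(64, rng);

        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                new X500Name(issuerName.getName()), serial, notBefore, notAfter,
                new X500Name(subjectName.getName()), spki);
        // State CA vs end-entity explicitly so path validation can tell them apart.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));

        // Lightweight signer: convert the JCE PrivateKey to BC key parameters rather than casting it.
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        AsymmetricKeyParameter issuerParams = PrivateKeyFactory.createKey(issuerKey.getEncoded());
        ContentSigner signer = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(issuerParams);

        X509CertificateHolder holder = builder.build(signer);

        // The default "X.509" CertificateFactory parses the DER without any BC provider registration.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(holder.getEncoded()));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048, rng);
        KeyPair rootKp = g.generateKeyPair();
        KeyPair leafKp = g.generateKeyPair();

        // Constructed sample names for the example.
        X500Principal rootName = new X500Principal("CN=example-root");
        X500Principal leafName = new X500Principal("CN=example-peer");

        X509Certificate root = issue(rootName, rootKp.getPrivate(), rootName, rootKp.getPublic(), true, rng);
        X509Certificate leaf = issue(rootName, rootKp.getPrivate(), leafName, leafKp.getPublic(), false, rng);

        // Check the chain with the JCE alone: a wrong signing key or corrupted encoding throws here.
        root.verify(root.getPublicKey());
        leaf.verify(root.getPublicKey());
        root.checkValidity();
        leaf.checkValidity();
        System.out.println("root: " + root.getSubjectX500Principal() + ", serial " + root.getSerialNumber());
        System.out.println("leaf: " + leaf.getSubjectX500Principal() + ", issuer " + leaf.getIssuerX500Principal());
    }
}
```

The two-step getInstance call is the only change needed for the exception in the question; the PrivateKeyFactory conversion fixes the cast to RSAPrivateCrtKeyParameters that the posted genCert would have hit next, since a JCE PrivateKey is not a BC lightweight key object. The final verify() calls are the cheapest check that the issuer key actually signed the certificate, which matters when a leaf is meant to be signed by issuerinfo rather than by its own key.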