logo标签列表

证书主题和颁发者中的属性颠倒

javax509certificatebouncycastlejks
12

我正在尝试使用Bouncycastle 1.46生成X509证书,使用下面的代码。 我的问题是,在将证书写入JKS并重新读取时,DNs会被颠倒。 例如,如果我运行下面的代码,我将得到以下输出:

CN=test,O=gina
CN=test,O=gina
CN=test,O=gina
O=gina, CN=test

有人知道这是什么原因吗?如何避免这种情况?

先行致谢。

代码:

public static void main(String[] args) {
    try {
        Security.addProvider(new BouncyCastleProvider());

        KeyPair pair = generateKeyPair("RSA", 1024);
        X500Name principal = new X500Name("cn=test,o=gina");
        System.out.println(principal);
        BigInteger sn = BigInteger.valueOf(1234);
        Date start = today();
        Date end = addYears(start, 2);
        X509Certificate cert = generateCert(principal, pair, sn, start, end,
                "SHA1withRSA");
        cert.verify(pair.getPublic());
        System.out.println(cert.getSubjectDN());

        // Store the certificate in the JKS
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry("alias", pair.getPrivate(), KEY_PWD,
                new X509Certificate[] {cert});
        X509Certificate c
                = (X509Certificate)ks.getCertificateChain("alias")[0];
        System.out.println(c.getSubjectDN());
        OutputStream out = new FileOutputStream("text.jks");
        try {
            ks.store(out, KEYSTORE_PWD);
        } finally {
            out.close();
        }

        // Reread the JKS
        ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream("text.jks");
        try {
            ks.load(in, KEYSTORE_PWD);
        } finally {
            in.close();
        }
        c = (X509Certificate)ks.getCertificateChain("alias")[0];
        c.verify(pair.getPublic());
        System.out.println(c.getSubjectDN());
    } catch (Exception e) {
        e.printStackTrace();
    }
}

private static X509Certificate generateCert(X500Name principal,
        KeyPair pair, BigInteger sn, Date start, Date end, String sigalg)
        throws OperatorCreationException, CertificateException {
    JcaX509v3CertificateBuilder certGen
            = new JcaX509v3CertificateBuilder(principal, sn, start, end,
                    principal, pair.getPublic());
    JcaContentSignerBuilder builder
            = new JcaContentSignerBuilder(sigalg);
    builder.setProvider("BC");
    ContentSigner signr = builder.build(pair.getPrivate());
    X509CertificateHolder certHolder = certGen.build(signr);
    JcaX509CertificateConverter conv
            = new JcaX509CertificateConverter();
    conv.setProvider("BC");
    return conv.getCertificate(certHolder);
}

private static KeyPair generateKeyPair(String algorithm, int keySize)
        throws NoSuchAlgorithmException {
    KeyPairGenerator gen = KeyPairGenerator.getInstance(algorithm);
    gen.initialize(keySize);
    return gen.generateKeyPair();
}

private static Date today() {
    Calendar cal = Calendar.getInstance();
    cal.set(Calendar.HOUR_OF_DAY, 0);
    cal.set(Calendar.MINUTE, 0);
    cal.set(Calendar.SECOND, 0);
    cal.set(Calendar.MILLISECOND, 0);
    return cal.getTime();
}

private static Date addYears(Date date, int count) {
    Calendar cal = Calendar.getInstance();
    cal.setTime(date);
    cal.add(Calendar.YEAR, count);
    return cal.getTime();
}
3个回答
13

这可能会更简单。至少在BC 1.48+中,您可以这样构建X500Name,并且OID将按预期方式排序(或者至少是您指定的方式):

final X500Name subject = new X500Name(RFC4519Style.INSTANCE, "CN=test,O=gina");
1
我认为这应该是答案。 - mlapeyre
8

我遇到了同样的问题,并通过以下快速解决:

//CREATES AN X500 CA SUBJECT FOR ISSUER

X500Name issuerName = new JcaX509CertificateHolder((X509Certificate) caCert).getSubject();

接着我使用以下内容:

//CONSTRUCTS THE X509 CERTIFIFATE OBJECT

X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(
issuerName, 
serialNumber, 
startDate, endDate, 
DevCsr.getSubject(), 
DevCsr.getSubjectPublicKeyInfo());

Java Keystore终端实体证书中的发行者名称现在以正确的顺序显示。

干杯!

7

我曾经遇到过与bouncy 1.47相同的问题。

首先,您必须小心处理X500Name和X500Principal类。它们是SUN类和bouncy类,完全不同!

X500Name(bouncy)应使用X500NameBuilder创建。但是,如果您需要使用字符串创建它,则您的属性必须按照RFC2253的反向顺序排列,这意味着您的属性必须按照此顺序排列:“CN,L,ST,O,OU,C,STREET,DC,UID”。

这不太方便,例如,在我的情况下,我必须从X500Principal(SUN)创建一个X500Name(bouncy),唯一的方法是使用X500Principal:getName()方法,该方法按照RFC2253顺序打印属性。所以我创造了这个方法:

private org.bouncycastle.asn1.x500.X500Name toBouncyX500Name( javax.security.auth.x500.X500Principal principal) {

    String name = principal.getName();

    String[] RDN = name.split(",");

    StringBuffer buf = new StringBuffer(name.length());
    for(int i = RDN.length - 1; i >= 0; i--){
        if(i != RDN.length - 1)
            buf.append(',');

        buf.append(RDN[i]);
    }

    return new X500Name(buf.toString());
}

希望这对某些人有用 :)
1
如果证书验证成功,那么顺序对我来说不是问题。我花了几个小时进行SSL握手调试,直到发现证书找不到,因为属性的顺序被颠倒了。这真是一个大失误! - benez
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接