2012-10-14 172 views
2

我想創建X.509證書, 所以我複製從Wrox的,Beggining加密與Java,第6章建立出錯的X.509證書

import java.io.OutputStreamWriter; 
import java.math.BigInteger; 
import java.security.KeyPair; 
import java.security.cert.X509Certificate; 
import java.util.Date; 
import java.util.Enumeration; 

import org.bouncycastle.asn1.ASN1Set; 
import org.bouncycastle.asn1.DERObjectIdentifier; 

import org.bouncycastle.asn1.pkcs.Attribute; 
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; 
import org.bouncycastle.asn1.x509.BasicConstraints; 
import org.bouncycastle.asn1.x509.ExtendedKeyUsage; 
import org.bouncycastle.asn1.x509.KeyPurposeId; 
import org.bouncycastle.asn1.x509.KeyUsage; 
import org.bouncycastle.asn1.x509.X509Extension; 
import org.bouncycastle.asn1.x509.X509Extensions; 

import org.bouncycastle.jce.PKCS10CertificationRequest; 
import org.bouncycastle.openssl.PEMWriter; 
import org.bouncycastle.x509.X509V3CertificateGenerator; 
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; 
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure; 

import chapter6.PKCS10ExtensionExample; 
import chapter6.X509V1CreateExample; 

//example of a basic CA 

public class PKCS10CertCreateExample 
{ 
    public static X509Certificate[] buildChain() throws Exception 
    { 
     //create the certification request 
     KeyPair pair = chapter7.Utils.generateRSAKeyPair(); 
     PKCS10CertificationRequest request =  PKCS10ExtensionExample.generateRequest(pair); 

    //create a root certificate 
    KeyPair rootPair=chapter7.Utils.generateRSAKeyPair(); 
    X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair); 

    //validate the certification request 
    if(!request.verify("BC")) 
    { 
     System.out.println("request failed to verify!"); 
     System.exit(1); 
    } 

    //create the certificate using the information in the request 
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); 

    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); 
    certGen.setIssuerDN(rootCert.getSubjectX500Principal()); 
    certGen.setNotBefore(new Date(System.currentTimeMillis())); 
    certGen.setNotAfter(new Date(System.currentTimeMillis()+50000)); 
    certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject()); 
    certGen.setPublicKey(request.getPublicKey("BC")); 
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); 

    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert)); 
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC"))); 
    certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); 
    certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false)); 
    certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); 
    certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); 

    //extract the extension request attribute 
    ASN1Set attributes = request.getCertificationRequestInfo().getAttributes(); 

    for(int i=0;i!=attributes.size();i++) 
    { 
     Attribute attr = Attribute.getInstance(attributes.getObjectAt(i)); 

     //process extension request 
     if(attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) 
     { 
       X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0)); 

       Enumeration<?> e = extensions.oids(); 
       while(e.hasMoreElements()) 
       { 
        DERObjectIdentifier oid = (DERObjectIdentifier)e.nextElement(); 
        X509Extension ext = extensions.getExtension(oid); 

        certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets()); 
       } 
      }  
     } 
    X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate()); 
    return new X509Certificate[]{issuedCert, rootCert}; 
    } 


    public static void main(String[] args) throws Exception 
    { 
     X509Certificate[] chain = buildChain(); 
     PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out)); 
     pemWrt.writeObject(chain[0]); 
     pemWrt.writeObject(chain[1]); 

     pemWrt.close(); 
    } 

} 

但是下面的代碼,這些代碼顯示錯誤如下線程「主」 java.lang.IllegalArgumentException異常

例外:擴展2.5.29.15已經在org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(來源不明) 加入 在org.bouncycastle.asn1。 x509.X509ExtensionsGenerator.addExtension(未知來源) 在org.bouncycastle.x509.X509V3CertificateGenerator.addExtension(來源不明) 在PKCS10CertCreateExample.buildChain(PKCS10CertCreateExample.java:68) 在PKCS10CertCreateExample.main(PKCS10CertCreateExample.java:100)

請幫助我..

+0

谷歌搜索「extension 2.5.29.15」發現它是'KeyUsage'。看代碼收集它兩次。 –

+0

謝謝,Brian。但我如何修復代碼才能正常工作? '代碼收集到的是兩次添加'是什麼意思? – user1349407

+0

請參閱下面的答案。 –

回答

2

谷歌搜索extension 2.5.29.15會告訴你,是指KeyUsage

谷歌搜索的源代碼X509V3CertificateGenerator表明addExtension()電話X509ExtensionsGenerator.addExtension()如果提供的擴展已經添加了拋出異常。

你在上面提供的源代碼就是這樣做的,並引發異常:

certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false)); 
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); 

這是在代碼中的錯誤。你需要刪除其中的一個。我會猜測第一個。