2

x.509証明書を作成したいので、次のコードをWrox、Beggining Cryptography with Java、第6章からコピーします。

import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;

import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;

import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;

import chapter6.PKCS10ExtensionExample;
import chapter6.X509V1CreateExample;

//example of a basic CA

public class PKCS10CertCreateExample
{
    public static X509Certificate[] buildChain() throws Exception
    {
        //create the certification request
        KeyPair pair = chapter7.Utils.generateRSAKeyPair();
        PKCS10CertificationRequest request =      PKCS10ExtensionExample.generateRequest(pair);

    //create a root certificate
    KeyPair rootPair=chapter7.Utils.generateRSAKeyPair();
    X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair);

    //validate the certification request
    if(!request.verify("BC"))
    {
        System.out.println("request failed to verify!");
        System.exit(1);
    }

    //create the certificate using the information in the request
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    certGen.setIssuerDN(rootCert.getSubjectX500Principal());
    certGen.setNotBefore(new Date(System.currentTimeMillis()));
    certGen.setNotAfter(new Date(System.currentTimeMillis()+50000));
    certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
    certGen.setPublicKey(request.getPublicKey("BC"));
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC")));
    certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
    certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));

    //extract the extension request attribute
    ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();

    for(int i=0;i!=attributes.size();i++)
    {
       Attribute attr = Attribute.getInstance(attributes.getObjectAt(i));

       //process extension request
       if(attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest))
       {
               X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));

               Enumeration<?> e = extensions.oids();
               while(e.hasMoreElements())
               {
                   DERObjectIdentifier oid = (DERObjectIdentifier)e.nextElement();
                   X509Extension ext = extensions.getExtension(oid);

                   certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
               }   
           }       
       }
    X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate());
    return new X509Certificate[]{issuedCert, rootCert};
    }


    public static void main(String[] args) throws Exception
    {
        X509Certificate[] chain = buildChain();
        PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
        pemWrt.writeObject(chain[0]);
        pemWrt.writeObject(chain[1]);

        pemWrt.close();
    }

}

ただし、コードは次のようなエラーを示しています

スレッド「main」の例外java.lang.IllegalArgumentException:内線2.5.29.15は、org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(Unknown Source)のorg.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(Unknown Source)にすでに追加されています。 org.bouncycastle.x509.X509V3CertificateGenerator.addExtension(Unknown Source)at PKCS10CertCreateExample.buildChain(PKCS10CertCreateExample.java:68)at PKCS10CertCreateExample.main(PKCS10CertCreateExample.java:100)

私を助けてください..

4

1 に答える 1

2

グーグルextension 2.5.29.15はそれが参照することを教えてくれますKeyUsage

のソースコードをグーグルで検索すると、提供された拡張機能がすでに追加されている場合に例外をスローする呼び出しがX509V3CertificateGenerator表示されます。addExtension()X509ExtensionsGenerator.addExtension()

上記で提供したソースコードはまさにそれを実行し、例外がスローされます。

certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

これはコードのバグです。それらの1つを削除する必要があります。私は最初を推測します。

于 2012-10-15T02:06:16.147 に答える