java – 使用Bouncycastle生成的CSR缺少公钥和属性

我正在使用Bouncy城​​堡来产生CSR.此证书适用于CA.当我使用OpenSSL查看CSR的文本信息时,我发现缺少公钥和属性.任何帮助表示赞赏.

版本：
充气城堡：bcpkix-jdk15on：1.47

    String principal = "CN=company1, OU=company1, O=company1, C=GB"
    AsymmetricKeyParameter keyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
    AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
            .find("SHA1WITHRSA");
    AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
    ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(keyParam);

    SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo(signatureAlgorithm, pair.getPublic()
            .getEncoded());
    PKCS10CertificationRequestBuilder csrBuilder = new PKCS10CertificationRequestBuilder(
            new X500Name(principal), publicKeyInfo);
    csrBuilder.addAttribute(X509Extension.basicConstraints, new BasicConstraints(true));
    csrBuilder.addAttribute(X509Extension.keyUsage, new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign));
    csr = csrBuilder.build(signer);

生成的csr的Pem

-----BEGIN CERTIFICATE REQUEST-----
MIICvjCCAaYCAQAwRjERMA8GA1UEAwwIY29tcGFueTExETAPBgNVBAsMCGNvbXBh
bnkxMREwDwYDVQQKDAhjb21wYW55MTELMAkGA1UEBhMCR0IwggE6MA0GCSqGSIb3
DQEBBQUAA4IBJwAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf8WK4
L1yaBqlvV8cqlTerv53I5MchllrkR94oE42JNuQ0vmQlh/wc8WfqB1lkYvQdf04g
IQ69VQKCIfQeahODnQ9N/Ct4wIfoCz3KtZZq7DZgoIsMNf2tWlGwJMTbPYLJYjPv
rfxGMh79dF6VpxMDIHLrvhgYzDFfPxhQXpTTVNXY9pMkrQ+8ZnlqpSQLToQ5JUFZ
ZDiJtZvmhELGOrDxDDHBlmBRMadjRx5bP6JtJYtv540p55trUnJVRmGjjMvWw5aE
cKm7Z1BcoTwLsn0gzBR43el0J9QB+RMiDsJKhaBugzv3/852Ih8eZis6G4dRWnm9
BvAgRQfiW4ciJEnZAgMBAAGgGzALBgNVHQ8xBAMCAQYwDAYDVR0TMQUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOCAQEAI6s+Wybusc2JBN36RMMG4qf8awIVJo/d1KwAhm9Y
7eO+ILLXk3wkZEdX5vEPQAdN7ZYYr1lCQfU2QuxDm3OCYuqJBt0fZGWAPYlfp6QD
AnQLEuLIIP/jZSgn2YzLeOuwO2n+7I9sx2lBihfkzNIK9PEiYM2TOA+4Rac7XdFA
o20GnruZ1Gq79C043Yz+G8iMNS44vaVjlshDovvmD5YDtjmQRtvDzoB2lyqEVwsS
Xy+vc0NdyWHJxAUPeOl+iqjF5YeACH92fFw9WV46syCAW7t9dCqdntvhKQRV+Me0
dOelvZPcqKtd7fsWYpKgUYkk61uWskeLIgnSonEyHWVSwQ==
-----END CERTIFICATE REQUEST-----

缺少公钥,基本约束和密钥用法

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=company1, OU=company1, O=company1, C=GB
        Subject Public Key Info:
            Public Key Algorithm: sha1WithRSAEncryption
            Unable to load Public Key
140432158140064:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
140432158140064:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
        Attributes:
            X509v3 Key Usage         :unable to print attribute
            X509v3 Basic Constraints :unable to print attribute
    Signature Algorithm: sha1WithRSAEncryption
         23:ab:3e:5b:26:ee:b1:cd:89:04:dd:fa:44:c3:06:e2:a7:fc:
         6b:02:15:26:8f:dd:d4:ac:00:86:6f:58:ed:e3:be:20:b2:d7:
         93:7c:24:64:47:57:e6:f1:0f:40:07:4d:ed:96:18:af:59:42:
         41:f5:36:42:ec:43:9b:73:82:62:ea:89:06:dd:1f:64:65:80:
         3d:89:5f:a7:a4:03:02:74:0b:12:e2:c8:20:ff:e3:65:28:27:
         d9:8c:cb:78:eb:b0:3b:69:fe:ec:8f:6c:c7:69:41:8a:17:e4:
         cc:d2:0a:f4:f1:22:60:cd:93:38:0f:b8:45:a7:3b:5d:d1:40:
         a3:6d:06:9e:bb:99:d4:6a:bb:f4:2d:38:dd:8c:fe:1b:c8:8c:
         35:2e:38:bd:a5:63:96:c8:43:a2:fb:e6:0f:96:03:b6:39:90:
         46:db:c3:ce:80:76:97:2a:84:57:0b:12:5f:2f:af:73:43:5d:
         c9:61:c9:c4:05:0f:78:e9:7e:8a:a8:c5:e5:87:80:08:7f:76:
         7c:5c:3d:59:5e:3a:b3:20:80:5b:bb:7d:74:2a:9d:9e:db:e1:
         29:04:55:f8:c7:b4:74:e7:a5:bd:93:dc:a8:ab:5d:ed:fb:16:
         62:92:a0:51:89:24:eb:5b:96:b2:47:8b:22:09:d2:a2:71:32:
         1d:65:52:c1

解决方法:

我发现了这个问题.我将公钥与签名算法相关联,而不是加密算法.

AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
        .find("SHA1WITHRSA");
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(keyParam);
SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo(signatureAlgorithm, pair.getPublic().getEncoded());

以下是使用签名算法SHA1WithRSA为RSA密钥生成CSR的工作代码

String principal = "CN=company1, OU=company1, O=company1, C=GB";
AsymmetricKeyParameter privateKey = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
        .find("SHA1WITHRSA");
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(privateKey);

PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(
        principal), pair.getPublic());
ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
extensionsGenerator.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true));
extensionsGenerator.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign
        | KeyUsage.cRLSign));
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
csr = csrBuilder.build(signer);

标签：jce,java,encryption,bouncycastle
来源： https://codeday.me/bug/20190901/1785090.html