EmailAddress in x500name for CSR? BOUNCY 1.54

I want to add an EmailAddress to my PKCS10 CSR:

```java
        .addRDN( BCStrictStyle.EmailAddress, emailAddr )
```

Why does the Bouncy/Spongy documentation say the following?

org.spongycastle.asn1.x500.style.BCStyle public static final org.spongycastle.asn1.ASN1ObjectIdentifier EmailAddress Email address (RSA PKCS#9 extension) - IA5String. Note: if you're trying to be ultra orthodox, don't use this! It shouldn't be in here.

Is there something "wrong" with adding an EmailAddr to the x500name as part of a CSR?

If so, how should I properly add the EmailAddr to my CSR?

The reason for the warning is that the current X.509 specification requires the e-mail address to be placed in the subjectAlternativeName extension.

Quoting RFC 5280:

Legacy implementations exist where an electronic mail address is embedded in the subject distinguished name as an emailAddress attribute [RFC2985]. The attribute value for emailAddress is of type IA5String to permit inclusion of the character '@', which is not part of the PrintableString character set. emailAddress attribute values are not case-sensitive (e.g., "subscriber@example.com" is the same as "SUBSCRIBER@EXAMPLE.COM").

Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities. Simultaneous inclusion of the emailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

Since you are creating a CSR and not a certificate, I would not worry too much. In any case, few CAs can (or are willing to) handle extensions in CSRs.

To extend Omikron's answer: I created an x500name for our own spec:

```java
// Alias and deviceID are fields of the enclosing class (not shown here).
static private X500Name getX500Name(){
    final String testPostalCode = "94602-4105";
    return new X500NameBuilder( BCStrictStyle.INSTANCE )
            .addRDN( BCStyle.CN, Alias )
            // Deliberately left out: the deprecated emailAddress RDN in the subject DN
            //.addRDN( BCStrictStyle.EmailAddress, emailAddr )
            .addRDN( BCStrictStyle.POSTAL_CODE, testPostalCode )
            .addRDN( BCStrictStyle.SERIALNUMBER, deviceID )
            .addRDN( BCStrictStyle.C, deviceID )
            .build();
}//getX500Name
```

Then I put the e-mail address into the extension:

```java
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyStoreException;
import java.security.PublicKey;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// https://msdn.microsoft.com/en-us/library/windows/desktop/aa376502(v=vs.85).aspx
//
// http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation#X.509PublicKeyCertificateandCertificationRequestGeneration-SubjectAlternativeName
//
// emailAddr, certKeyAlias, mLog, getKeyPair(), getKeyStore(), pkException and pkErrCode
// are part of the enclosing class (not shown here).
static public PKCS10CertificationRequest genCSR(){
    KeyPair pair = getKeyPair();
    PKCS10CertificationRequestBuilder p10Builder;
    ContentSigner signer;

    try{
        GeneralNames subjectAltName = new GeneralNames(
                new GeneralName(GeneralName.rfc822Name, emailAddr));

        // PKCS#10 carries requested extensions inside the pkcs-9-at-extensionRequest
        // attribute (RFC 2985), wrapped in an Extensions structure. The bare extension
        // OID (Extension.subjectAlternativeName) is not an attribute type, so a CA
        // would not find the SAN if it were added directly as an attribute.
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltName);

        PublicKey publicKey = getKeyStore().getCertificate( certKeyAlias ).getPublicKey();
        p10Builder = new JcaPKCS10CertificationRequestBuilder(
                getX500Name()
                , publicKey )
                .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate())
                .setLeaveOffEmptyAttributes(true);

        JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder( "SHA256withECDSA" );

        signer = csBuilder.build( pair.getPrivate() );
    }catch ( KeyStoreException | OperatorCreationException | IOException X ){
        pkException CRYPTOERR = new pkException( pkErrCode.CRYPTO ).set( "registrations err", X );
        mLog.error( CRYPTOERR.toString() );
        throw CRYPTOERR;
    }

    PKCS10CertificationRequest CSR = p10Builder.build( signer );
    return CSR;
}//genCSR
```
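As an added, self-contained example (not code from either answer's author), the receiving side of what the answers describe: build a CSR whose e-mail lives in a SAN rfc822Name inside the extensionRequest attribute, then parse it back from DER as a CA would, verify the proof-of-possession signature, and report both the SAN e-mails and whether the deprecated emailAddress RDN is present in the subject. The class name, the sample subject `CN=device-0001` and the address `subscriber@example.com` are constructed for the example.

```java
import java.security.*;
import java.util.*;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.*;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrEmailCheck {
    // rfc822Name entries carried in the CSR's extensionRequest attribute (RFC 2985), if any.
    static List<String> sanEmails(PKCS10CertificationRequest csr) {
        List<String> out = new ArrayList<>();
        for (Attribute a : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            Extensions exts = Extensions.getInstance(a.getAttrValues().getObjectAt(0));
            GeneralNames san = GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName);
            if (san == null) continue;
            for (GeneralName n : san.getNames()) {
                if (n.getTagNo() == GeneralName.rfc822Name) out.add(n.getName().toString());
            }
        }
        return out;
    }
    // Legacy emailAddress RDN in the subject DN: deprecated by RFC 5280 but still permitted.
    static boolean hasLegacyEmailRdn(PKCS10CertificationRequest csr) {
        return csr.getSubject().getRDNs(BCStyle.EmailAddress).length > 0;
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC"); kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        // Constructed sample CSR: the e-mail goes into the SAN via extensionRequest, not the DN.
        ExtensionsGenerator eg = new ExtensionsGenerator();
        eg.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.rfc822Name, "subscriber@example.com")));
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name("CN=device-0001"), kp.getPublic())
                .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, eg.generate())
                .build(new JcaContentSignerBuilder("SHA256withECDSA").setProvider("BC").build(kp.getPrivate()));
        // Re-parse from DER as a CA would; verify the self-signature before trusting any requested name.
        PKCS10CertificationRequest parsed = new PKCS10CertificationRequest(csr.getEncoded());
        boolean sigOk = parsed.isSignatureValid(new JcaContentVerifierProviderBuilder()
                .setProvider("BC").build(parsed.getSubjectPublicKeyInfo()));
        System.out.println("signature=" + sigOk + " sanEmails=" + sanEmails(parsed)
                + " legacyEmailRdn=" + hasLegacyEmailRdn(parsed));
    }
}
```

A CA-side policy check would reject or warn when `sanEmails` is empty but `hasLegacyEmailRdn` is true, and should compare the two when both are present, since RFC 5280 treats emailAddress values case-insensitively.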