向 X509 证书添加特定扩展名 (bouncyCastle)
Add specific extension to X509 Certificate (bouncyCastle)
如何向 X509 v3 证书添加类似数字的内容?
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
new X500Name("CN=Subject"),
serialNumber,
startDate, expiryDate,
new X500Name("CN=CA"),
interPubInfo);
认为这适用于 .addExtension(),但之后会发生什么?
如评论中所述,您不能在证书中的任意位置添加任意值。
如果您想只是为了测试或学习目的,您可以使用Subject Alternative Name 扩展名。此扩展有一些可选字段,格式更“自由”:
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
因此您可以添加一个包含您想要的值的 OtherName 字段。问题是 type-id 字段,因为 Object Identifiers 不能是任意值 - they're actually standardized.
在现实生活中,您不能使用下面的代码,因为我使用了一些任意标识符 (1.2.3.4.5.6.7.8.9)只是为了让它工作。对于生产证书,您应该仅使用预定义的现有值。
也就是说,我编写了这段代码(在 BouncyCastle 1.56 中)以添加值为 123 的扩展:
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
int number = 123;
ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("1.2.3.4.5.6.7.8.9"); // some arbitrary non-existent OID number
DERSequence seq = new DERSequence(new ASN1Encodable[] { oid, new ASN1Integer(number) });
ArrayList<GeneralName> namesList = new ArrayList<>();
namesList.add(new GeneralName(GeneralName.otherName, seq));
GeneralNames subjectAltNames = GeneralNames.getInstance(new DERSequence((GeneralName[]) namesList.toArray(new GeneralName[] {})));
// certBuilder is a X509v3CertificateBuilder
certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
要从证书中读取此扩展:
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
X509Certificate cert = // a java.security.cert.X509Certificate
byte[] v = cert.getExtensionValue(Extension.subjectAlternativeName.getId());
GeneralNames gn = GeneralNames.getInstance(X509ExtensionUtil.fromExtensionValue(v));
GeneralName[] names = gn.getNames();
for (GeneralName name : names) {
if (name.getTagNo() == GeneralName.otherName) {
ASN1Sequence seq = ASN1Sequence.getInstance(name.getName());
if ("1.2.3.4.5.6.7.8.9".equals(oid.getId())) { // OID is the arbitrary one I created
ASN1Integer value = (ASN1Integer) seq.getObjectAt(1);
int number = value.getValue().intValue();
System.out.println(number); // number is 123
}
}
}
如何向 X509 v3 证书添加类似数字的内容?
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
new X500Name("CN=Subject"),
serialNumber,
startDate, expiryDate,
new X500Name("CN=CA"),
interPubInfo);
认为这适用于 .addExtension(),但之后会发生什么?
如评论中所述,您不能在证书中的任意位置添加任意值。
如果您想只是为了测试或学习目的,您可以使用Subject Alternative Name 扩展名。此扩展有一些可选字段,格式更“自由”:
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
因此您可以添加一个包含您想要的值的 OtherName 字段。问题是 type-id 字段,因为 Object Identifiers 不能是任意值 - they're actually standardized.
在现实生活中,您不能使用下面的代码,因为我使用了一些任意标识符 (1.2.3.4.5.6.7.8.9)只是为了让它工作。对于生产证书,您应该仅使用预定义的现有值。
也就是说,我编写了这段代码(在 BouncyCastle 1.56 中)以添加值为 123 的扩展:
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
int number = 123;
ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("1.2.3.4.5.6.7.8.9"); // some arbitrary non-existent OID number
DERSequence seq = new DERSequence(new ASN1Encodable[] { oid, new ASN1Integer(number) });
ArrayList<GeneralName> namesList = new ArrayList<>();
namesList.add(new GeneralName(GeneralName.otherName, seq));
GeneralNames subjectAltNames = GeneralNames.getInstance(new DERSequence((GeneralName[]) namesList.toArray(new GeneralName[] {})));
// certBuilder is a X509v3CertificateBuilder
certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
要从证书中读取此扩展:
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
X509Certificate cert = // a java.security.cert.X509Certificate
byte[] v = cert.getExtensionValue(Extension.subjectAlternativeName.getId());
GeneralNames gn = GeneralNames.getInstance(X509ExtensionUtil.fromExtensionValue(v));
GeneralName[] names = gn.getNames();
for (GeneralName name : names) {
if (name.getTagNo() == GeneralName.otherName) {
ASN1Sequence seq = ASN1Sequence.getInstance(name.getName());
if ("1.2.3.4.5.6.7.8.9".equals(oid.getId())) { // OID is the arbitrary one I created
ASN1Integer value = (ASN1Integer) seq.getObjectAt(1);
int number = value.getValue().intValue();
System.out.println(number); // number is 123
}
}
}