我想知道是否可以使用Bouncy Castle将PKCS10CertificationRequest转换为X509证书吗?
类似于openssl中的X509_REQ_to_X509。
这是我创建请求的方式:
public static PKCS10CertificationRequest generateCSRFile(KeyPair keyPair, KeyUsage keyUsage) throws IOException, OperatorCreationException {
String principal = "CA=" getCA();
AsymmetricKeyParameter privateKey = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded());
AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1WITHRSA");
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(privateKey);
PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(principal), keyPair.getPublic());
ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
extensionsGenerator.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true));
extensionsGenerator.addExtension(X509Extension.keyUsage, true, keyUsage);
csrBuilder.addAttribute(PKCSObjectIdentifiers.x509Certificate, extensionsGenerator.generate());
PKCS10CertificationRequest csr = csrBuilder.build(signer);
return csr;
}
我远不是OpenSSL专家,但是根据我发现的一些文档:
X509_REQ_to_X509(X509_REQ * r,整数天,EVP_PKEY * pkey)创建X509证书,其主题和颁发者与请求中的主题,带有有效日期,并使用pkey对其进行签名(以md5为摘要)。
这里等效于Bouncycastle:
public X509Certificate x509ReqToX509(PKCS10CertificationRequest csr, int days, PrivateKey pKey)
{
Date notBefore = new Date();
Calendar cal = Calendar.getInstance();
cal.add(Calendar.DATE, days);
Date notAfter = cal.getTime();
BigInteger serialNumber = generateCertSerialNumber(); // No implemented here
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(serialNumber);
certGen.setIssuerDN(csr.getCertificationRequestInfo().getSubject());
certGen.setSubjectDN(csr.getCertificationRequestInfo().getSubject());
certGen.setNotBefore(notBefore);
certGen.setNotAfter(notAfter);
certGen.setPublicKey(csr.getPublicKey());
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
return certGen.generate(pKey, "BC");
}
注意: