Java bouncycastle API CSRの作成と証明書の発行


APIの導入
		
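<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.64</version>
</dependency>
<!-- 以下のコードで使う JcaPKCS10CertificationRequestBuilder、JcaPEMWriter、PEMParser、X509v3CertificateBuilder などは bcpkix-jdk15on に含まれるため、同じバージョンの bcpkix-jdk15on も依存関係に追加する必要がある。 -->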
        

CSRの作成
CSRとは、証明書署名要求(Certificate Signing Request)ファイルのことである。X.509デジタル証明書を発行する際は、一般に、まずユーザが証明書要求ファイルを提出し、その後、CAが証明書を発行する。
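        // Generate the subject's RSA key pair. Only the public key and a signature made
        // with the private key go into the CSR; the private key itself stays with the
        // requester and is not written anywhere by this snippet.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        PrivateKey privateKey = pair.getPrivate();
        PublicKey publicKey = pair.getPublic();

        // Subject DN of the request. All attribute values are placeholders. The last
        // component was mangled on the page (it had no "attribute=" part, which
        // X500Principal rejects); the e-mail value below is a constructed sample.
        X500Principal subject = new X500Principal(
                "C=CName, ST=STName, L=LName, O=OName, OU=OUName, CN=CNName, EMAILADDRESS=user@example.com");
        // The CSR is self-signed with the subject's private key (proof of possession).
        ContentSigner signGen = new JcaContentSignerBuilder("SHA256withRSA").build(privateKey);
        PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, publicKey);

        // Requested subjectAlternativeName entries. Each GeneralName must carry the tag
        // that matches its value: an IP address goes in an iPAddress entry (relying
        // parties only match IPs against that type), an e-mail address in rfc822Name.
        // The e-mail value is a constructed sample; the page's original was mangled.
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        GeneralName[] sanEntries = {
                new GeneralName(GeneralName.iPAddress, "6.6.6.6"),
                new GeneralName(GeneralName.rfc822Name, "user@example.com")
        };
        extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(sanEntries));
        // Extensions travel in the CSR as a PKCS#9 extensionRequest attribute.
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());

        // Build and sign the CSR.
        PKCS10CertificationRequest csr = builder.build(signGen);

        // Print the CSR in PEM form.
        JcaPEMWriter pem = new JcaPEMWriter(new OutputStreamWriter(System.out));
        pem.writeObject(csr);
        // flush() instead of close(): closing this writer would also close System.out
        // for the rest of the program.
        pem.flush();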

PEM形式のCSRの例は以下の通りである(PEMはDERを簡単に包んだ形式である)。なお、この例は署名アルゴリズムがsha1WithRSAEncryptionで、拡張要求の属性も含んでいないため、上記コードの出力そのものではない。
-----BEGIN CERTIFICATE REQUEST-----
MIIC5DCCAcwCAQAwgZ4xIjAgBgkqhkiG9w0BCQEWE3NlbnRoYWRldkBnbWFpbC5j
b20xGjAYBgNVBAMTEXd3dy5zZW50aGFkZXYuY29tMRMwEQYDVQQLEwpJbm5vdmF0
aW9uMRIwEAYDVQQKEwlTZW50aGFkZXYxEjAQBgNVBAcTCVRyb25kaGVpbTESMBAG
A1UECBMJVHJvbmRoZWltMQswCQYDVQQGEwJOTzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMkKvsCUp52lcmM//iJEV62yHzDS/ASwm0wmlbUR+OnxESA5
vsYYzqdxX/Ie+K4LqY/FKsnHwcj+l7PqIHPqgiDryMcfYFpmln31jJG6XPFmjBib
m0kl63G9T62EyoRYo7SFZq/wcdgEE0FTw4bnTyT5OED2cYRlozBXdnI0L9jZYv6b
R6ww4LD4cAkqq1TeKNt0lH5G7S8QqTIeobs7hYUgVXkKWhfrYrW0l4lYUuXC12sN
e/zGYClHoaFoasD9pzoFrVjDS9+a3JoInp22OxpQbBVchnOJ3yJr8PRS5Hzx5QYJ
TAYqUd8dsw372FhvnNlZJnSkAsxca7cfpCiL4ZECAwEAAaAAMA0GCSqGSIb3DQEB
BQUAA4IBAQDDTj7ZJaeRftrod5TuEPoDhH8SwCx/wX8aIYG3mjR+q8tJ6rYgPwqR
Du8ODOAgIRFC8Dk43taPhbL94+T+iyw+UJH1KGlf0cdfHvaPoTh6QqfIQHRXuq5H
hkb9g+DgG/uzIS0yQsviKCTwFOZkvaWMZQSlBkAzFf61NQ9ymjLRFnzUN3IBmxMU
VBBEVVchta79XtkQaOsHWaZPpuwvDEtrvvwjk6kIEsc7IU927nN1Vws9oDFsqrKl
ycNVfwjd0cgf5WsTbPnBjQdVSSdAWvJo1wLrv3GxGVUwi44TzVU0xvREYAmZknCW
kpMkr5KBOO3Prex5d0doD5MJhMvxHcSL
-----END CERTIFICATE REQUEST-----

CSRによる証明書の作成
まず、CSRファイルを読み取り、解析します.
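        // Register the BouncyCastle JCA provider so it can be looked up as "BC".
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

        // Parse the PEM-encoded CSR held in the String `pem`. The reader is given the
        // same charset that was used to encode the bytes, and the parser is closed
        // once the object has been read.
        PKCS10CertificationRequest csr = null;
        ByteArrayInputStream pemStream = new ByteArrayInputStream(pem.getBytes(Charsets.UTF_8));
        try (PEMParser pemParser = new PEMParser(
                new BufferedReader(new InputStreamReader(pemStream, Charsets.UTF_8)))) {
            Object parsedObj = pemParser.readObject();
            System.out.println("PemParser returned: " + parsedObj);
            if (parsedObj instanceof PKCS10CertificationRequest) {
                csr = (PKCS10CertificationRequest) parsedObj;
            }
        }

        // Fail closed: anything that is not a PKCS#10 request (empty input, a
        // certificate, a key, ...) must not reach the issuing code as a null csr.
        if (csr == null) {
            throw new IllegalArgumentException("input is not a PEM-encoded PKCS#10 certification request");
        }

        // Proof of possession: the CSR must be signed by the private key that belongs
        // to the public key it asks to have certified. Without this check a requester
        // could obtain a certificate for someone else's public key.
        // build() can throw OperatorCreationException and isSignatureValid() PKCSException.
        boolean signatureOk = csr.isSignatureValid(
                new org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder()
                        .setProvider("BC")
                        .build(csr.getSubjectPublicKeyInfo()));
        if (!signatureOk) {
            throw new IllegalArgumentException("CSR signature does not verify against the public key it carries");
        }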

PKCS10CertificationRequestを利用した証明書の発行
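		// Issuer (CA) key material used to sign the new certificate.
        // NOTE(review): this creates a brand-new key pair, while rootCert below is obtained
        // separately. The issued certificate only verifies against rootCert if this private
        // key is the one matching rootCert's public key - confirm how rootCert is produced.
        KeyPair rootPair = KeyUtil.generateKeyPair("RSA", 4096);
        PrivateKey issuerPrivateKey = rootPair.getPrivate();
        X509Certificate rootCert = // placeholder kept from the page: supply the issuing CA certificate here

        // Take the issuer name from the DER encoding of the CA certificate's subject.
        // Going through getSubjectDN().getName() re-parses a display string, which can
        // change attribute order or string types so the issuer field no longer matches
        // the CA's subject.
        X500Name issuerName = X500Name.getInstance(rootCert.getSubjectX500Principal().getEncoded());

        // A fixed serial number would be shared by every certificate this code issues.
        // Issuer + serial must be unique, and an unpredictable serial is expected of a
        // CA, so draw a positive random value from a CSPRNG.
        BigInteger serial = new BigInteger(127, new java.security.SecureRandom()).add(BigInteger.ONE);

        // One-year validity, both ends computed from the same instant.
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 1000 * 86400 * 365L);

        // Subject and public key come from `csr`, the request parsed earlier on the page.
        X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(
                issuerName,
                serial,
                notBefore,
                notAfter,
                csr.getSubject(),
                csr.getSubjectPublicKeyInfo()
        );

        // Locate the PKCS#9 extensionRequest attribute, if the CSR carries one with a value.
        Extensions requested = null;
        for (Attribute attr : csr.getAttributes()) {
            if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())
                    && attr.getAttributeValues().length > 0) {
                requested = Extensions.getInstance(attr.getAttributeValues()[0]);
                break;
            }
        }
        // The request may contain extensions but no SAN; getExtension() then returns null.
        Extension requestedSan = (requested == null)
                ? null
                : requested.getExtension(Extension.subjectAlternativeName);
        if (requestedSan != null) {
            // NOTE(review): the SAN is copied exactly as the requester supplied it. A CA
            // has to check that the requester is entitled to every name before
            // certifying it; that validation is not shown here.
            certificateBuilder.addExtension(requestedSan);
        }

        // CRL distribution point (the URL is a placeholder from the page).
        // cRLIssuer is left out: RFC 5280 requires it to be omitted when the CRL is
        // issued by the certificate issuer itself, which is the case here.
        GeneralName crlUri = new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.ca.com/crl");
        DistributionPointName pointName = new DistributionPointName(new GeneralNames(crlUri));
        DistributionPoint[] points = { new DistributionPoint(pointName, null, null) };
        certificateBuilder.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(points));

        // Authority Information Access: CA issuer certificate and OCSP responder
        // (both URLs are placeholders from the page).
        AccessDescription[] accessDescriptions = {
                new AccessDescription(AccessDescription.id_ad_caIssuers,
                        new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.ca.com/root.crt")),
                new AccessDescription(AccessDescription.id_ad_ocsp,
                        new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.com/"))
        };
        certificateBuilder.addExtension(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(accessDescriptions));

        // NOTE(review): no basicConstraints, keyUsage or key-identifier extensions are
        // added; decide which of them the issued certificates need.

        // Sign with the issuer's private key. Security.getProvider("BC") returns null
        // unless the BouncyCastle provider has been registered beforehand.
        ContentSigner signer = new JcaContentSignerBuilder(HostCertificateConf.CERTIFICATE_SIGNATURE_ALGORITHM)
                .setProvider(Security.getProvider("BC")).build(issuerPrivateKey);
        X509CertificateHolder holder = certificateBuilder.build(signer);
        X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider(Security.getProvider("BC")).getCertificate(holder);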