如何正确签署cmp请求消息? (java,bouncy castle)
问题描述:
我尝试在证书颁发机构(cmp服务器)上通过cmp(证书管理协议)吊销证书,并获取错误代码“无效签名密钥代码”。我认为它是我签署cmp消息的方式的原因,那里出了问题。如何正确签署cmp请求消息? (java,bouncy castle)
我建立与org.bouncycastle.asn1.cmp.PKIHeaderBuilder的头和身体与org.bouncycastle.asn1.crmf.CertTemplateBuilder:
CertTemplateBuilder builderCer = new CertTemplateBuilder();
// cert to revoke
builderCer.setIssuer(issuer);
builderCer.setSerialNumber(serial);
//body
ArrayList revDetailsList = new ArrayList();
revDetailsList.add(new RevDetails(builderCer.build()));
RevReqContent revReqContent = new RevReqContent((RevDetails[]) revDetailsList.toArray(new RevDetails[revDetailsList.size()]));
PKIBody body = new PKIBody(PKIBody.TYPE_REVOCATION_REQ, revReqContent);
// header
X509Name recipient = new X509Name("CN=recipient");
X509Name sender = new X509Name("CN=sender");
int pvno = 1;
PKIHeaderBuilder builderHeader = new PKIHeaderBuilder(pvno, new GeneralName(sender), new GeneralName(recipient));
AlgorithmIdentifier algId = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.10045.4.1"));
builderHeader.setProtectionAlg(algId);
PKIHeader header = builderHeader.build();
然后我必须签署整个消息,似乎有以不同的方式。在extracerts(CMPCertificate)中,我必须添加签名的公钥,签名必须使用该公钥验证。我如何正确地为这种申请签署此消息?我试过org.bouncycastle.asn1.cmp.PKIMessages和org.bouncycastle.cert.cmp.ProtectedPKIMessage。
PKIMessages:
DERBitString signature = new DERBitString(createSignature("signature".getBytes()));
X509Certificate signercert = convertToX509Cert(certPEM);
CMPCertificate cmpCert = new CMPCertificate(org.bouncycastle.asn1.x509.Certificate.getInstance(signercert.getEncoded()));
PKIMessage message = new PKIMessage(header, body, signature, new CMPCertificate[] { cmpCert });
// createsignature()
private static byte[] createSignature(byte[] str){
Signature dsa = Signature.getInstance("SHA256WithRSA");
dsa.initSign(privateKey);
dsa.update(str, 0, str.length);
signature = dsa.sign();
return signature;
- >从CMP服务器错误: “SIGNATURE_INVALID_KEY_CODE”
ProtectedPKIMessage:
ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyCastleProvider.PROVIDER_NAME).build((PrivateKey) ks.getKey(KEYSTORE_ALIAS, KEYSTORE_PWD.toCharArray()));
ProtectedPKIMessage message = new ProtectedPKIMessageBuilder(pvno, new GeneralName(sender), new GeneralName(recipient))
.addCMPCertificate(new X509CertificateHolder(ks.getCertificate(KEYSTORE_ALIAS).getEncoded()))
.setBody(body).build(signer);
- >从CMP服务器错误: “ERROR_READING_CMS_OBJECT_CODE”
我签署cmp请求消息的方式是否正确? PKIMessage和'protection'参数和org.bouncycastle.cert.cmp.ProtectedPKIMessage之间有什么区别?
答
这是我用来登录CMP请求
GeneralName generalName = new GeneralName(subjectDN);
ProtectedPKIMessageBuilder pbuilder = new
ProtectedPKIMessageBuilder(generalName,
protectedPKIMessage.getHeader().getSender());
pbuilder.setBody(pkibody);
ContentSigner msgsigner = new
JcaContentSignerBuilder(contentSignerBuilder)//
.setProvider("BC")//
.build(getKey().getPrivate());
ProtectedPKIMessage message = pbuilder.build(msgsigner)
的方式;
答
我还发现了另一种解决方案通过使用PKIMessage(不ProtectedPKIMessage):
// ProtectedPart from bouncy castle
ProtectedPart protectedPart = new ProtectedPart(header, body);
Signature signature = Signature.getInstance("1.2.840.113549.1.1.11", "BC");
signature.initSign((PrivateKey) key);
signature.update(protectedPart.getEncoded());
byte[] sigBytes = signature.sign();
DERBitString signatureDER = new DERBitString(sigBytes);
PKIMessage message = new PKIMessage(header, body, signatureDER, new CMPCertificate[] { cmpCert });
这是为我工作,谢谢! – Simi