stackoom
  简体   繁体   中英

Reading Requested Extensions by parsing PKCS10CertificationRequest

 原文  2017-03-22 12:04:50       java/ bouncycastle/ csr

Question

I have a CSR which I am parsing in Java using the Bouncy Castle API, sample CSR shown below: 

root@serv-appliance:/usr/etc$ openssl req -text -noout -verify -in java.pem.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=INF2345, OU=DEVKI, O=Test Org, C=IN
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:b2:79:a1:ca:c8:56:83:18:e1:36:44:ed:4c:a2:
                    a2:91:f9:4d:74:af:17:91:b9:e5:c3:19:2a:be:6e:
                    54:0a:73:be:60:fd:84:a7:ac:ca:75:28:7f:2f:0f:
                    ba:0d:6c:36:22:ec:12:0f:17:59:db:1c:ae:b3:92:
                    8a:3a:fd:a7:ad
                ASN1 OID: prime256v1
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA1
         30:45:02:21:00:ec:c3:3c:18:94:76:89:7b:17:ae:98:e7:74:
         1f:1c:28:8a:40:4a:12:0f:55:9e:3d:7d:6d:0b:44:97:52:42:
         9c:02:20:0f:6f:a6:71:8d:cf:c3:ed:10:76:f3:da:84:f4:a8:
         3d:b4:9c:ce:6f:a9:30:cc:91:dd:c3:cc:69:56:a6:6c:d8

I am able to parse it successfully and to read the Subject Common Name. Below is my test code used for same: 

    PKCS10CertificationRequest pkcsReq = parseCSR(generateRequest.getCsr());

    generateRequest.setEndEntitySubjectDn(pkcsReq.getSubject().toString());

    for (RDN att : pkcsReq.getSubject().getRDNs()) {
        for (AttributeTypeAndValue t : att.getTypesAndValues()) {
            if (t.getType().getId().equals("2.5.4.3")) {
                generateRequest.setEndEntityUserName(t.getValue().toString());
            }
            // log.debug("Type:"+t.getType().getId()+"Value:"+t.getValue().toString());
        }
    }
    for(Attribute att:pkcsReq.getAttributes()){
        log.debug("TYPE::"+att.getAttrType().getId());
        ASN1Set s = att.getAttrValues();
        Iterator<ASN1Encodable> asn1Iter = s.iterator();
        while(asn1Iter.hasNext()){
            log.debug("asn1Iter :: "+asn1Iter.next().toString());
        }
    }

However I am unable to find a way to read the requested extensions shown in the certificate above. 

  Requested Extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment

Please suggest how this information could be read from a PKCS10CertificationRequest object.

1 answers

solution1
 3 ACCPTED  

As PKCS10CertificationRequest has no getExtension or similar method, the only solution I see is going through the asn1 structure.

I've created a sample CSR using openssl 1.0.1e-fips : 

-----BEGIN CERTIFICATE REQUEST-----
MIICwDCCAagCAQAwWjELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQH
EwlTYW8gUGF1bG8xDTALBgNVBAoTBHRlc3QxDDAKBgNVBAsTA29wczENMAsGA1UE
AxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjspTClIqxB
3EwJKJRTELhUowyaztgbZ/yhmM0fJISrcfWgdCK8TDO298YtUHPkGgvnb53HuMA6
BhZ33MPUxEddD+kc0orx4roIBLvu8WC746Ke3VWaQnNiEjGhVj4J8kiWG+TnYnt1
GdAcdpUY5DJ+ttLIkggavNuUdaa0Xc6nQEXZDwiXgEMwEq/rqkvTeArwhuIrUuyL
eHU4LfocXpvgKFN6o1Y4+tAwXw3gTJJxtO1F+TtBnfAvJFj8Y24tjLsvgrL+H2UH
6a2Y1OonkmOwMQXydxLssDSYrIzhS7+fvCKTqzpsz2W7RQ/sIZcouKZZgSczuScq
nF+s4GGS9ykCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWg
MA0GCSqGSIb3DQEBCwUAA4IBAQBaywDeO8cFR0yugMBmjQsvjT9NRiznxhGnfM12
cZKXONYTNEtdzgXzt6qGxWwc12nkhqvyMbhLVKyYr4JqlP4q1ZUTqYgQ8kNKAdu6
KyWHNFL+xKh57YrTxxcTI+qXAiyq9XcToyRPKNKPaLoWUVALpow12Fx0aGK2XAPm
Nij/7V79aiH2/AJDajARx8dKSL4/aZCJ+Hsjho+1h3JJrQoiBc9ugxfYa/qW1XRL
tNpfv7ftbkAiNvSwE349k7NJ7qKW2Gy9UwMUr3jC6285j73fkzJXX0bDG/HgL8AQ
kX3lOgafBlG9XTsX5eiBZdu4Ud/6OlgwczQkls5DZgRyAYGj
-----END CERTIFICATE REQUEST-----

The CSR contains the Requested Extensions just like yours: 

    Attributes:
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment

The code I used is below (with bouncycastle 1.46 jdk1.6 ).

Please note that the code might change if you have more attributes (there's a lot of hardcoded indexes and assumptions about the type of objects that will be found, because it's a sample code for this specific case - a CSR with just one requested extension of a specific known type) 

// helper method to read the CSR
public PKCS10CertificationRequest convertPemToPKCS10CertificationRequest(String pem) throws Exception {
    PKCS10CertificationRequest csr = null;
    PEMReader reader = new PEMReader(new StringReader(pem));
    try {
        Object parsedObj = reader.readObject();

        if (parsedObj instanceof PKCS10CertificationRequest) {
            csr = (PKCS10CertificationRequest) parsedObj;
        }
    } catch (IOException ex) {
        ex.printStackTrace();
    } finally {
        reader.close();
    }

    return csr;
}

PKCS10CertificationRequest csr = convertPemToPKCS10CertificationRequest(csrPem);

ASN1Set attributes = csr.getCertificationRequestInfo().getAttributes();
Enumeration<?> objects = attributes.getObjects();
while (objects.hasMoreElements()) {
    Object obj = (Object) objects.nextElement();
    DERSequence seq = (DERSequence) obj;
    DEREncodable objectAt = seq.getObjectAt(0);
    if (objectAt instanceof ASN1ObjectIdentifier) {
        String id = ((ASN1ObjectIdentifier) objectAt).getId();
        if ("1.2.840.113549.1.9.14".equals(id)) { // PKCS#9 ExtensionRequest
            DERSet set = (DERSet) seq.getObjectAt(1);
            // a sequence inside a sequence
            DERSequence reqExt = (DERSequence) ((DERSequence) set.getObjectAt(0)).getObjectAt(0);

            DERObjectIdentifier oid = (DERObjectIdentifier) reqExt.getObjectAt(0);
            ASN1Boolean critical = (ASN1Boolean) reqExt.getObjectAt(1);
            DEROctetString oct = (DEROctetString) reqExt.getObjectAt(2);

            System.out.println(oid.getId()); // 2.5.29.15 - key usage
            System.out.println(critical.isTrue()); // true - is critical

            KeyUsage ku = new KeyUsage(new DERBitString(oct.getOctets()));

            // in my example, the relevant part is in position 3
            // not sure if it's an issue on the way I used openssl to generate the CSR, or if it'll always be at this position
            int bits = ku.getBytes()[3] & 0xff;
            int keyUsageToCheck = KeyUsage.digitalSignature | KeyUsage.keyEncipherment;
            System.out.println((bits & keyUsageToCheck) == keyUsageToCheck); // true - it has the key usages set
        }
    }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PKCS10CertificationRequest creation on android How to serialize PKCS10CertificationRequest in BouncyCastle to send it over network? How do you print a PKCS10CertificationRequest as a String? How to get PublicKey from PKCS10CertificationRequest using new Bouncy Castle library? Update org.bouncycastle.jce.PKCS10CertificationRequest to org.bouncycastle.pkcs.PKCS10CertificationRequest; What encoding does [BouncyCastle] PKCS10CertificationRequest.getEncoded() return? JSCEP-Wrong 3rd argument type. Found: 'org.spongycastle.pkcs.PKCS10CertificationRequest', required: 'org.bouncycastle.pkcs.PKCS10CertificationRequest' Unable to write CSR generated using org.bouncycastle.asn1.pkcs.CertificationRequest in PEM file format Creating PKCS10 certificate request with PKCS11 inJAVA Sign PKCS10 Certificate in Java
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM