
From CRMF request into CertificateRequest (PKCS#10) Signature

I wrote some example code to understand how to take a CRMF (Mozilla certificate request) and convert it into a CSR more similar to PKCS#10.

I got the Base64 CRMFRequest as an ASN1InputStream type.

I convert it into a CertReqMsg type (Bouncy Castle).

When I debug, I see that the CertReqMsg has the public key and other data like the Subject (CN, O, OU, etc.), but more importantly, it has a signature and an AlgorithmIdentifier.

But the object doesn't have getters.

How do I extract the signature as a DERBitString? I need it to use as a parameter to the CertificationRequest object (which returns the CSR as I want it).

By the way, the CertificationRequest needs a CertificationRequestInfo object as a parameter, and inside it (CertificationRequestInfo), it receives Attributes as a parameter. I suppose these attributes are of the kind:

distributionPoint, unotice, policyOID, subjectAlternativeNameDN

I know that it starts with:

    ASN1Set attributes = null;
    attributes = new DERSet();

But I don't know how to fill these parameters for

     CertificationRequestInfo info = new CertificationRequestInfo(subject, infoPublicKey, attributes);

Sorry if some questions seem obvious, but I can't find the solution.

Thanks in advance

You won't be able to convert the CRMF format into a PKCS#10 CSR.

The CSR is structured like this and signed by the subject's private key:

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo CertificationRequestInfo,
        signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
        signature BIT STRING
    }

(Essentially, it's very similar to a self-signed X.509 certificate, without issuer and validity dates.)

Since when you get the CRMF request, you won't have the subject's private key, you won't be able to make this signature.

If you're writing some sort of CA software, you don't really need this. Processing a CRMF request and a CSR request is more or less equivalent. A CA shouldn't really do what the CSR wants blindly anyway, so it would have to vet the attributes it associates with the public key and identity some other way anyway.
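An added example, not part of the original question or answer: a CA-side intake routine that processes the CRMF request directly instead of converting it. It reads the requested key from the template and verifies the proof-of-possession signature, which in CRMF is computed over the CertRequest (or POPOSigningKeyInput) rather than over a CertificationRequestInfo. It assumes Bouncy Castle's bcprov and bcpkix jars, Java 8+, and input that is the Base64 of a DER-encoded CertReqMessages; the class name `CrmfIntake` and method `accept` are hypothetical.

```java
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import java.util.Base64;

// Hypothetical CA-side intake class (added example, not Bouncy Castle's own code).
public final class CrmfIntake {

    // Returns the certificate template only if the requester proved possession
    // of the private key. The subject and extensions inside the returned
    // template are still requests that the CA must vet against its own policy.
    public static CertTemplate accept(String base64Crmf) throws Exception {
        // Assumed input format: Base64 of a DER CertReqMessages (SEQUENCE OF CertReqMsg).
        byte[] der = Base64.getMimeDecoder().decode(base64Crmf);
        CertReqMsg[] msgs = CertReqMessages.getInstance(der).toCertReqMsgArray();
        if (msgs.length != 1) {
            throw new IllegalArgumentException("expected exactly one CertReqMsg");
        }

        CertificateRequestMessage req = new CertificateRequestMessage(msgs[0]);
        CertTemplate template = req.getCertTemplate();
        SubjectPublicKeyInfo publicKey = template.getPublicKey();
        if (publicKey == null) {
            throw new SecurityException("template carries no public key");
        }

        // Only the signature form of proof of possession is handled here.
        if (!req.hasProofOfPossession()
                || req.getProofOfPossessionType() != CertificateRequestMessage.popSigningKey) {
            throw new SecurityException("no signing-key proof of possession");
        }
        // The PKMAC variant needs a shared-secret check that this example omits.
        if (req.hasSigningKeyProofOfPossessionWithPKMAC()) {
            throw new SecurityException("PKMAC-based proof of possession not supported");
        }

        // Verify the POP signature with the key the request itself asks to certify.
        ContentVerifierProvider verifier =
                new JcaContentVerifierProviderBuilder().build(publicKey);
        if (!req.isValidSigningKeyPOP(verifier)) {
            throw new SecurityException("proof-of-possession signature does not verify");
        }
        return template;
    }
}
```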
