【Title】: Issue in consuming the certificate chain in corda
【Posted】: 2017-11-24 16:14:47
【Question】:

I want to create a custom CA, and I created the root certificate described at this link with the following commands:

set RANDFILE=rand
set OPENSSL_CONF=c:\Binaries\openssl-X64\openssl.cnf
openssl req -new -keyout cakey.pem -out careq.pem
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
REM Note: "openssl x509" only reads extension sections from the file named by -extfile; without
REM "-extfile %OPENSSL_CONF%" the "-extensions v3_ca" option adds no extensions to caroot.cer at all.

Then I use this certificate as the root to sign and create other certificates from a Java program:

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

    // serverCert is the CA certificate (caroot.cer). keyPair must hold the private key matching
    // serverCert's public key; signing with any other key fails the chain's signature check.
    public static X509Certificate signCertificateSigningRequest(
            PKCS10CertificationRequest jcaPKCS10CertificationRequest, KeyPair keyPair, String requestId,
            X509Certificate serverCert) throws Exception
    {
        SubjectPublicKeyInfo pkInfo = jcaPKCS10CertificationRequest.getSubjectPublicKeyInfo();
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
        PublicKey pubKey = converter.getPublicKey(pkInfo);
        // Issuer DN is copied from serverCert; serial "1" is reused for every certificate issued here
        X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(serverCert, new BigInteger("1"), // serial
                new Date(System.currentTimeMillis()),
                new Date(System.currentTimeMillis() + 30L * 365L * 24L * 60L * 60L * 1000L),
                jcaPKCS10CertificationRequest.getSubject(), pubKey
        ).addExtension(new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false) // basicConstraints, CA:false
        // true if it is allowed to sign other certs
        ).addExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, new X509KeyUsage(X509KeyUsage.digitalSignature // keyUsage
                | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.dataEncipherment));

        AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded());
        // ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId,
        // digAlgId).build(asymmetricKeyParameter);
        // SHA1withRSA is deprecated for new certificates; SHA256withRSA is the current choice
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").build(keyPair.getPrivate());

        X509CertificateHolder x509CertificateHolder = certificateBuilder.build(sigGen);
        Certificate eeX509CertificateStructure = x509CertificateHolder.toASN1Structure();
        // Read Certificate back through the JCA factory so it can be stored and returned as an X509Certificate
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
        InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
        X509Certificate signedCertificate = (X509Certificate) certificateFactory.generateCertificate(is1);
        FileSystemUtility.saveCertificate(signedCertificate.getEncoded(), serverCert.getEncoded(), requestId);
        return signedCertificate;
    }

The root certificate is loaded with:

public static X509Certificate getServerCertificate() throws Exception
    {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
        return (X509Certificate) certificateFactory.generateCertificate(
                new FileInputStream(new File("C:/Users/varun/Desktop/cert/CA/caroot.cer")));
    }

But when I send both certificates and try to validate them on the receiving side, I get the following error:

Issue 1

Caused by: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
    at sun.security.provider.certpath.KeyChecker.verifyCAKeyUsage(KeyChecker.java:159) ~[?:1.8.0_131]
    at sun.security.provider.certpath.KeyChecker.check(KeyChecker.java:122) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:1.8.0_131]
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_131]
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) ~[?:1.8.0_131]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249) ~[?:1.8.0_131]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1268) ~[netty-all-4.1.9.Final.jar:4.1.9.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1176) ~[netty-all-4.1.9.Final.jar:4.1.9.Final]

Issue 1 is resolved

Issue 2

Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449) ~[?:1.8.0_131]
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166) ~[?:1.8.0_131]
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_131]
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:1.8.0_131]

【Question comments】:

  • You need to add the "certificate signing" key usage to the CA certificate
  • @pedrofb - How is that done?
  • All I know is that I followed this guide jamielinux.com/docs/openssl-certificate-authority/… and then, for BouncyCastle, the code you have here works (although if you want to sign certificates with this certificate you should most likely set the basic constraint to @ 987654329@)

Tags: java certificate corda certificate-authority


【Solution 1】:

You need to add the "certificate signing" key usage to the CA certificate. Make sure the [v3_ca] section of the OpenSSL conf file contains keyUsage = keyCertSign:

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

See the full example here: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

【Discussion】:

  • Have you verified that the generated certificate really has the required keyUsage?
  • You seem to be listing extendedKeyUsage. I don't see keyCertSign in your list. Is what you listed correct? Your script includes -extensions v3_ca, so I assume you are using the [ v3_ca ] section. Make sure you are actually applying it
  • Using openssl on Windows should not be a problem. Print the certificate with openssl x509 -in caroot.cer -text -noout. Look at X509v3 Key Usage and X509v3 Basic Constraints
  • The client is an open-source implementation called Corda @ I have added the new issue I am facing now
  • The second error is probably because the server certificate was not correctly signed by the CA. That is a problem with the bouncycastle code, unrelated to the first one. I will take a look later
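The two errors in the question are the two things the JDK's PKIX path validator checks about an issuer: that the CA certificate carries CA:true and keyCertSign, and that the issued certificate's signature verifies against the CA certificate's public key. The program below is an added example, not code from the question, the answer or Corda: it builds a root CA, an issuing CA and a leaf with BouncyCastle and runs them through java.security.cert.CertPathValidator, which is what the X509TrustManagerImpl in the stack traces calls. Scenario 1 is a correct chain; scenario 2 is an issuing CA created without keyCertSign (the question's first error); scenario 3 is a leaf signed with a private key that does not belong to the issuing CA (the question's second error). The DNs ("Demo Root CA", "Demo Issuing CA", "node.example.test") are made up for the demo, and bcprov and bcpkix are assumed to be on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added demo (not Corda code): reproduces both PKIX failures from the question next to a working chain. */
public class ChainDemo {
    static { Security.addProvider(new BouncyCastleProvider()); }

    static final long ONE_YEAR_MS = 365L * 24 * 60 * 60 * 1000;
    static final int CA_USAGE = KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.digitalSignature;
    static final int LEAF_USAGE = KeyUsage.digitalSignature | KeyUsage.keyEncipherment;

    /**
     * Issue one certificate. The PKIX checker cares about three things here: CA:true in
     * basicConstraints, keyCertSign in keyUsage, and signingKey being the private half of the
     * public key inside the issuer's own certificate.
     */
    static X509Certificate issue(X500Name issuer, PrivateKey signingKey, X500Name subject,
                                 PublicKey subjectKey, boolean ca, int keyUsageBits) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + ONE_YEAR_MS);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // unique per certificate, unlike a fixed "1"
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, serial, notBefore, notAfter, subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(keyUsageBits));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(signingKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(signer));
    }

    /** The same PKIX validation the JDK trust manager runs; null on success, otherwise the failure message. */
    static String validate(X509Certificate trustedRoot, X509Certificate... pathLeafFirst) throws Exception {
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(trustedRoot, null)));
        params.setRevocationEnabled(false); // offline demo: no CRL or OCSP
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(Arrays.asList(pathLeafFirst)), params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage() + (e.getCause() != null ? " <- " + e.getCause() : "");
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rootKey = kpg.generateKeyPair(), subKey = kpg.generateKeyPair();
        KeyPair leafKey = kpg.generateKeyPair(), strayKey = kpg.generateKeyPair();
        X500Name rootName = new X500Name("CN=Demo Root CA"); // DNs are made up for the demo
        X500Name subName = new X500Name("CN=Demo Issuing CA");
        X500Name leafName = new X500Name("CN=node.example.test");

        // Self-signed root; it is the trust anchor and is therefore not part of the validated path.
        X509Certificate root = issue(rootName, rootKey.getPrivate(), rootName, rootKey.getPublic(), true, CA_USAGE);

        // 1. Correct chain: the issuing CA has keyCertSign and the leaf is signed with that CA's own private key.
        X509Certificate goodSub = issue(rootName, rootKey.getPrivate(), subName, subKey.getPublic(), true, CA_USAGE);
        X509Certificate leaf = issue(subName, subKey.getPrivate(), leafName, leafKey.getPublic(), false, LEAF_USAGE);
        System.out.println("good chain           : " + validate(root, leaf, goodSub));

        // 2. Issue 1 from the question: the issuing CA was created without the keyCertSign bit.
        X509Certificate noCertSign = issue(rootName, rootKey.getPrivate(), subName, subKey.getPublic(), true, KeyUsage.digitalSignature);
        System.out.println("missing keyCertSign  : " + validate(root, leaf, noCertSign));

        // 3. Issue 2 from the question: the leaf was signed with a key that is not the issuing CA's private key.
        X509Certificate wrongKeyLeaf = issue(subName, strayKey.getPrivate(), leafName, leafKey.getPublic(), false, LEAF_USAGE);
        System.out.println("signed with wrong key: " + validate(root, wrongKeyLeaf, goodSub));
    }
}
```

validate returns null for scenario 1. For scenario 2 the validator's KeyChecker rejects the issuing CA with the "CA key usage check failed: keyCertSign bit is not set" message from the question before any signature is checked; for scenario 3 the BasicChecker reports "signature check failed" with the "Signature does not match." SignatureException as its cause, which is the second stack trace. The same two properties can be read off an existing certificate without running a validator: X509Certificate.getBasicConstraints() returns -1 for a certificate that is not a CA, and getKeyUsage()[5] is the keyCertSign bit, so checking both on caroot.cer is the quickest way to confirm the [v3_ca] section was really applied.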