Reputation: 1433
I am using Bouncy Castle to generate a CSR. This certificate is intended for a CA. When I use OpenSSL to view the text information of the CSR, I find the public key and attributes missing. Any help is appreciated.
Versions: Bouncy Castle bcpkix-jdk15on:1.47
String principal = "CN=company1, OU=company1, O=company1, C=GB";
// pair is the RSA java.security.KeyPair the CSR is for (generated earlier, not shown)
AsymmetricKeyParameter keyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA1WITHRSA");
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(keyParam);
// SubjectPublicKeyInfo is built here with the signature algorithm identifier (sha1WithRSAEncryption),
// which is what the OpenSSL output below shows as "Public Key Algorithm"
SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo(signatureAlgorithm, pair.getPublic()
.getEncoded());
PKCS10CertificationRequestBuilder csrBuilder = new PKCS10CertificationRequestBuilder(
new X500Name(principal), publicKeyInfo);
// each extension added directly as its own attribute, keyed by the extension OID
csrBuilder.addAttribute(X509Extension.basicConstraints, new BasicConstraints(true));
csrBuilder.addAttribute(X509Extension.keyUsage, new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign));
PKCS10CertificationRequest csr = csrBuilder.build(signer);
PEM of the generated CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Missing public key, basic constraints and key usage
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=company1, OU=company1, O=company1, C=GB
Subject Public Key Info:
Public Key Algorithm: sha1WithRSAEncryption
Unable to load Public Key
140432158140064:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
140432158140064:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
Attributes:
X509v3 Key Usage :unable to print attribute
X509v3 Basic Constraints :unable to print attribute
Signature Algorithm: sha1WithRSAEncryption
23:ab:3e:5b:26:ee:b1:cd:89:04:dd:fa:44:c3:06:e2:a7:fc:
6b:02:15:26:8f:dd:d4:ac:00:86:6f:58:ed:e3:be:20:b2:d7:
93:7c:24:64:47:57:e6:f1:0f:40:07:4d:ed:96:18:af:59:42:
41:f5:36:42:ec:43:9b:73:82:62:ea:89:06:dd:1f:64:65:80:
3d:89:5f:a7:a4:03:02:74:0b:12:e2:c8:20:ff:e3:65:28:27:
d9:8c:cb:78:eb:b0:3b:69:fe:ec:8f:6c:c7:69:41:8a:17:e4:
cc:d2:0a:f4:f1:22:60:cd:93:38:0f:b8:45:a7:3b:5d:d1:40:
a3:6d:06:9e:bb:99:d4:6a:bb:f4:2d:38:dd:8c:fe:1b:c8:8c:
35:2e:38:bd:a5:63:96:c8:43:a2:fb:e6:0f:96:03:b6:39:90:
46:db:c3:ce:80:76:97:2a:84:57:0b:12:5f:2f:af:73:43:5d:
c9:61:c9:c4:05:0f:78:e9:7e:8a:a8:c5:e5:87:80:08:7f:76:
7c:5c:3d:59:5e:3a:b3:20:80:5b:bb:7d:74:2a:9d:9e:db:e1:
29:04:55:f8:c7:b4:74:e7:a5:bd:93:dc:a8:ab:5d:ed:fb:16:
62:92:a0:51:89:24:eb:5b:96:b2:47:8b:22:09:d2:a2:71:32:
1d:65:52:c1
Upvotes: 3
Views: 4589
Reputation: 4464
X509Extension has been deprecated (http://www.borelly.net/cb/docs/javaBC-1.4.8/prov/deprecated-list.html), so here's an update:
import java.io.IOException;
import java.security.KeyPair;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStrictStyle;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// JCA signature algorithm name; getKeyPair() (not shown) must return an EC key pair for it
static final String SHA256withECDSA = "SHA256withECDSA";

static private X500Name getX500Name(){
    final String testPostalCode = "92156-4105";
    return new X500NameBuilder( BCStrictStyle.INSTANCE )
        .addRDN( BCStyle.CN, "JD" )
        .addRDN( BCStrictStyle.POSTAL_CODE, testPostalCode )
        .addRDN( BCStrictStyle.C, "US" )
        .build();
}//getX500Name

static public PKCS10CertificationRequest genCSR(){
    try{
        KeyPair pair = getKeyPair();
        // Subject Alternative Name is carried as an extension, not as a bare attribute
        GeneralNames subjectAltName = new GeneralNames(
            new GeneralName(GeneralName.rfc822Name, "[email protected]"));
        ExtensionsGenerator extnsnGenr = new ExtensionsGenerator();
        extnsnGenr.addExtension(Extension.subjectAlternativeName, false, subjectAltName);
        // every requested extension goes into the single pkcs-9-at-extensionRequest attribute
        PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
                getX500Name()
                , pair.getPublic() )
            .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extnsnGenr.generate());
            //.setLeaveOffEmptyAttributes(false)
            ;
        JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder( SHA256withECDSA );
        ContentSigner signer = csBuilder.build( pair.getPrivate() );
        PKCS10CertificationRequest CSR = p10Builder.build( signer );
        return CSR;
    }
    catch ( IOException| OperatorCreationException X ){ mLog.error( CRYPTOERR.toString() ); }
    return null;   // only reached after the failure logged above
}//genCSR
Upvotes: 0
Reputation: 511
Thanks a lot Rag,
I didn't know ExtensionsGenerator before and was trying to add with csrBuilder.addAttribute(..).
It never failed but didn't generate the extension properly.
Adding a few more lines to add ExtendedKeyUsage and Subject Alternative Name since many people are facing this issue.
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.*;   // Extension, ExtendedKeyUsage, GeneralName, GeneralNames, KeyPurposeId
// extnGen is the ExtensionsGenerator whose generate() output goes into pkcs-9-at-extensionRequest;
// bean.getExtendedKeyUsage() yields EKU OIDs as dotted strings, e.g. "1.3.6.1.5.5.7.3.1" (serverAuth)
List<KeyPurposeId> extendedKeyUsageList = new ArrayList<KeyPurposeId>();
for (String extendedKeyUsage : bean.getExtendedKeyUsage()) {
    extendedKeyUsageList.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(extendedKeyUsage)));
}
extnGen.addExtension(Extension.extendedKeyUsage, false,
    new ExtendedKeyUsage(extendedKeyUsageList.toArray(new KeyPurposeId[0])));
GeneralName[] subjectAltName = new GeneralName[2];
subjectAltName[0] = new GeneralName(GeneralName.dNSName, "abc.com");
subjectAltName[1] = new GeneralName(GeneralName.dNSName, "xyz.com");
extnGen.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(subjectAltName));
Upvotes: 1
Reputation: 1433
I found the problem. I was associating public key with a signature algorithm instead of an encryption algorithm.
AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA1WITHRSA");
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(keyParam);
SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo(signatureAlgorithm, pair.getPublic().getEncoded());
Here is the working code that generates a CSR for RSA keys using the signature algorithm SHA1WithRSA:
// pair is the RSA java.security.KeyPair the CSR is for (generated earlier, not shown); classes below come
// from org.bouncycastle.{asn1.x500,asn1.x509,asn1.pkcs,crypto.params,crypto.util,operator,operator.bc,pkcs,pkcs.jcajce}
String principal = "CN=company1, OU=company1, O=company1, C=GB";
AsymmetricKeyParameter privateKey = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA1WITHRSA");
AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(privateKey);
// the Jca builder derives SubjectPublicKeyInfo from the PublicKey itself, so the key's
// AlgorithmIdentifier is rsaEncryption rather than the signature algorithm
PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(
principal), pair.getPublic());
// CA extensions, both critical, wrapped in a single pkcs-9-at-extensionRequest attribute
ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
extensionsGenerator.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true));
extensionsGenerator.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign
| KeyUsage.cRLSign));
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
PKCS10CertificationRequest csr = csrBuilder.build(signer);
Upvotes: 4
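The accepted answer and the ECDSA answer above both stop at building the CSR; what the asker actually needed was the check that the key and the requested extensions survived the encoding. The following is an added, self-contained example written for this page (not code from any of the posters) that does the full round trip with a current bcprov/bcpkix (1.7x, the `Extension` class rather than the deprecated `X509Extension`): it builds a CA CSR with critical basicConstraints and keyUsage plus a SAN inside one pkcs-9-at-extensionRequest attribute, writes it as PEM, parses the PEM back, verifies the self-signature under the embedded public key, and pulls the extensions out again. It signs with SHA256withRSA instead of the SHA-1 used on the page, and the subject DN is the one from the question; the SAN `ca.example.test` and the class name are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CaCsrRoundTrip {   // class name is an assumption of this example

    /** Build a CA CSR: subject, key, and the extensions carried in the PKCS#9 extensionRequest attribute. */
    static PKCS10CertificationRequest buildCaCsr(KeyPair pair, String subject) throws Exception {
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        // cA=TRUE with no path length limit; critical, as RFC 5280 requires for CA certificates
        extGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        // a CA key signs certificates and CRLs, nothing else
        extGen.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        // SAN (assumed name) is non-critical because the subject DN is not empty
        extGen.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, "ca.example.test")));

        // All extensions go in as ONE attribute (pkcs-9-at-extensionRequest) wrapping the Extensions
        // sequence. Adding each extension OID as its own attribute, as in the question, is what OpenSSL
        // reports as "unable to print attribute".
        PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(subject), pair.getPublic())
                        .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());

        // The Jca builders keep the two AlgorithmIdentifiers apart: the SubjectPublicKeyInfo above is
        // tagged rsaEncryption, and only the signature gets sha256WithRSAEncryption.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(pair.getPrivate());
        return builder.build(signer);
    }

    static String toPem(PKCS10CertificationRequest csr) throws Exception {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) {
            w.writeObject(csr);
        }
        return sw.toString();
    }

    /** Parse the PEM back, check the self-signature (proof of possession), and return the requested extensions. */
    static Extensions verifyAndExtract(String pem) throws Exception {
        PKCS10CertificationRequest parsed;
        try (PEMParser p = new PEMParser(new StringReader(pem))) {
            parsed = (PKCS10CertificationRequest) p.readObject();
        }
        // This is the step that failed in the question: the SPKI must decode to a usable public key.
        PublicKey pub = new JcaPKCS10CertificationRequest(parsed).getPublicKey();
        ContentVerifierProvider cvp = new JcaContentVerifierProviderBuilder().build(pub);
        if (!parsed.isSignatureValid(cvp)) {
            throw new IllegalStateException("CSR signature does not verify under its own public key");
        }
        Attribute[] attrs = parsed.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (attrs.length != 1) {
            throw new IllegalStateException("expected exactly one extensionRequest attribute, got " + attrs.length);
        }
        ASN1Encodable[] values = attrs[0].getAttributeValues();
        return Extensions.getInstance(values[0]);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

        PKCS10CertificationRequest csr = buildCaCsr(pair, "CN=company1, OU=company1, O=company1, C=GB");
        String pem = toPem(csr);
        System.out.print(pem);

        Extensions exts = verifyAndExtract(pem);
        BasicConstraints bc = BasicConstraints.fromExtensions(exts);
        KeyUsage ku = KeyUsage.fromExtensions(exts);
        System.out.println("cA=" + bc.isCA()
                + " keyCertSign=" + ku.hasUsages(KeyUsage.keyCertSign)
                + " cRLSign=" + ku.hasUsages(KeyUsage.cRLSign)
                + " basicConstraints critical=" + exts.getExtension(Extension.basicConstraints).isCritical());
    }
}
```

Pipe the printed PEM into `openssl req -noout -text` to get the same view the question used; with the SPKI tagged rsaEncryption, OpenSSL prints the RSA modulus and lists the three entries under "Requested Extensions" instead of "unable to print attribute". The signature check matters beyond debugging: a CA that accepts a CSR without verifying it under the embedded key will happily certify a public key the requester does not control.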