1

我使用 openssl 生成一个私钥,创建一个 csr,使用 CA 私钥将 csr 发送到服务器,对其进行签名并生成一个 X509,然后将其发送回客户端。客户端将 X509 放入证书存储区。客户端签署一些虚拟数据并尝试使用证书中的公钥对其进行验证。验证失败。但是,当我直接从私钥生成公钥时,使用该公钥验证成功。

在客户端生成私钥

openssl genrsa -out ${keydir}/sign.key 2048 2>/dev/null

企业社会责任

openssl req -new -sha256 -batch -key /tmp/sign.key -subj '/O=TableSafe/OU=secureroom/CN=sign.autoprov.tablesafe.com' -out /tmp/sign.csr

将 CSR 发送给 CA 签名者(请参阅下面的 java 代码了解它如何处理 CSR 字节)。

然后使用以下命令进行测试。

echo abcdefghijklmnopqrstuvwxyz > myfile.txt #generate some data to sign

openssl dgst -sha256 -sign sign.key -out sha256.sign myfile.txt #sign the data with the private key

openssl x509 -pubkey -noout -in Sign.crt   > pubkey.pem #extract the public key from the certificate

openssl dgst -sha256 -verify pubkey.pem -signature sha256.sign myfile.txt #verify

验证失败

openssl rsa -in sign.key -pubout -out pubkey.pem #generate public key from private key directly

openssl dgst -sha256 -verify pubkey.pem -signature sha256.sign myfile.txt

验证OK

看起来我的 java 代码是可疑的。帮助表示赞赏。

public byte[] calculateX509(byte[] csrBytes) throws Exception {
    Clock clock = Clock.systemUTC();
    Date notBefore = Date.from(clock.instant());
    Duration expDuration = Duration.ofDays(3650);
    Date notAfter = Date.from(clock.instant().plus(expDuration));
    String csrStr = new String(csrBytes);
    csrStr = csrStr.replace("-----BEGIN CERTIFICATE REQUEST-----", "");
    csrStr = csrStr.replace("-----END CERTIFICATE REQUEST-----", "");
    csrStr = csrStr.replaceAll("\n", "");
    byte[] csrDecode = Base64.getDecoder().decode(csrStr.trim());
    PKCS10CertificationRequest decodedCsr = new PKCS10CertificationRequest(csrDecode);
    X500Name issuer = X500Name.getInstance(decodedCsr.getSubject().getEncoded());
    X509v3CertificateBuilder caBuilder = new X509v3CertificateBuilder(issuer,
            BigInteger.valueOf(clock.millis()),
            notBefore,
            notAfter,
            decodedCsr.getSubject(),
            decodedCsr.getSubjectPublicKeyInfo())
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

    if (Lunaks.containsAlias(strDAUTOPROVK))
    {
        char[] pw = {};
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("Sha256withRSA");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(Lunaks.getKey(strDAUTOPROVK, pw).getEncoded());
        ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
        JcaX509CertificateConverter providerConverter = certificateConverter.setProvider(new BouncyCastleProvider());
        X509CertificateHolder holder = caBuilder.build(sigGen);
        X509Certificate cert = providerConverter.getCertificate(holder);
        byte[] encoded = cert.getEncoded();
        StringWriter writer = new StringWriter();
        PemWriter pemWriter = new PemWriter(writer);
        PemObject pemObject = new PemObject("CERTIFICATE", encoded);
        pemWriter.writeObject(pemObject);
        pemWriter.close();
        String strBytes = writer.toString();
        return strBytes.getBytes();
    }
    return null;
}
4

0 回答 0