
I obtain the p12 from the API by submitting a CSR generated as follows.

    try {
        generateKeyPair();
        String principal = String.format(CN_PATTERN, mUUID);
        X500Name rootCertIssuer = new X500Name(principal);
        ContentSigner contentSigner = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(mPrivateKey);
        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(rootCertIssuer, mPublicKey);
        // requested X.509 extensions travel in the pkcs-9 extensionRequest attribute of the CSR
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        // SAN extension value supplied as the raw bytes of the mSubjectAltName string
        extensionsGenerator.addExtension(Extension.subjectAlternativeName, true, mSubjectAltName.getBytes());
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
        DERIA5String derMail = new DERIA5String(mEmail);
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_emailAddress, derMail);
        DERPrintableString derUserName = new DERPrintableString(mUserName);
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, derUserName);
        PKCS10CertificationRequest csr = csrBuilder.build(contentSigner);
        mCsr = csr.getEncoded();
        parseCsr(mCsr);
        return mCsr;

    } catch (IOException | NoSuchAlgorithmException | OperatorCreationException e) {
        throw new CsrGeneratorException(Mtd.getCurrent(), CsrGeneratorException.ERROR_CREATE, e.getMessage());
    }

Opening the p12 works fine, and I find the SAN value I expect. But now I have to pass several DNS names into the SubjectAltName so that, when I open the p12, I get the following:

    SubjectAlternativeName [
      DNSName: foo.com
      DNSName: bar.com
    ]

I tried using BouncyCastle's GeneralName objects as follows:

    GeneralName[] subjectAltNames = new GeneralName[]{
        new GeneralName(GeneralName.dNSName, "foo.com"),
        new GeneralName(GeneralName.dNSName, "bar.com")
    };

and then:

    extensionsGenerator.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(subjectAltNames));

But I do not get the expected result shown above.

Thanks for your help.

I generated the CSR as follows:

    String principal = String.format(CN_PATTERN, mUUID);
    X500Name rootCertIssuer = new X500Name(principal);
    ContentSigner contentSigner = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(mPrivateKey);
    PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(rootCertIssuer, mPublicKey);
    ///
    mSAN = new GeneralName[] {
        new GeneralName(GeneralName.dNSName, "foo.com"),
        new GeneralName(GeneralName.dNSName, "bar.com")
    };
    ///
    ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    ///
    extensionsGenerator.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(mSAN));
    ///
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
    DERIA5String derMail = new DERIA5String(mEmail);
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_emailAddress, derMail);
    DERPrintableString derUserName = new DERPrintableString(mUserName);
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, derUserName);
    PKCS10CertificationRequest csr = csrBuilder.build(contentSigner);
    mCsr = csr.getEncoded();
    parseCsr(mCsr);
    return mCsr;

I send the request to the WS with a JSON body to which I add:

    jsonObject.put("subjectAltName", mCsrGenerator.getSubjectAltName());

where mCsrGenerator.getSubjectAltName() returns a GeneralName[].


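The following is an added, self-contained example (not the asker's code and not part of the original post) of the multi-DNS SAN construction the question is about: it builds a CSR with BouncyCastle carrying two dNSName entries in a `GeneralNames` SAN inside the pkcs-9 extensionRequest attribute, then decodes the DER it produced, verifies the CSR signature against the embedded public key and lists the DNS names it finds. The class and method names (`MultiSanCsrExample`, `buildCsr`, `readDnsSans`), the `SHA256withRSA` algorithm, the CN and the host names are assumptions chosen for illustration; it assumes bcprov and bcpkix on the classpath.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Hypothetical example class; names and parameters are illustrative assumptions.
public class MultiSanCsrExample {

    // Build a DER-encoded PKCS#10 CSR whose extensionRequest attribute carries
    // a SubjectAlternativeName with one dNSName entry per host name given.
    static byte[] buildCsr(KeyPair kp, String cn, String... dnsNames) throws Exception {
        X500Name subject = new X500Name("CN=" + cn);

        GeneralName[] names = new GeneralName[dnsNames.length];
        for (int i = 0; i < dnsNames.length; i++) {
            names[i] = new GeneralName(GeneralName.dNSName, dnsNames[i]);
        }

        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        // A DER-encoded GeneralNames structure, not a raw string; non-critical because
        // the subject DN is non-empty (RFC 5280 section 4.2.1.6).
        extGen.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));

        PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic());
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return builder.build(signer).getEncoded();
    }

    // Decode a DER CSR, check its self-signature, and return the dNSName SAN entries
    // found in its extensionRequest attribute (the same structure a CA would read).
    static List<String> readDnsSans(byte[] csrDer) throws Exception {
        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(csrDer);

        ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder()
                .setProvider("BC").build(csr.getSubjectPublicKeyInfo());
        if (!csr.isSignatureValid(verifier)) {
            throw new IllegalStateException("CSR signature does not verify; request was altered");
        }

        List<String> dns = new ArrayList<>();
        for (Attribute attr : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            Extensions exts = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
            GeneralNames san = GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName);
            if (san == null) {
                continue;
            }
            for (GeneralName gn : san.getNames()) {
                if (gn.getTagNo() == GeneralName.dNSName) {
                    dns.add(gn.getName().toString());
                }
            }
        }
        return dns;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample input: a device CN and the two host names from the question.
        byte[] csr = buildCsr(kp, "example-device", "foo.com", "bar.com");
        System.out.println("DNS SANs requested in CSR: " + readDnsSans(csr));
    }
}
```

Running `readDnsSans` on the CSR bytes before they leave the client is the quickest way to confirm that the SAN list is what went on the wire: the extension lives inside the signed CSR itself, so whatever a separate JSON field contains has no bearing on what a decoder of the CSR sees.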