Skip to content

Commit cb2c3cd

Browse files
committed
Fixing CSR signing in cert gen tool (was previously disabled).
1 parent 4f0f429 commit cb2c3cd

1 file changed

Lines changed: 42 additions & 47 deletions

File tree

src/main/java/org/nhindirect/stagent/cert/tools/certgen/CertGenerator.java

Lines changed: 42 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2626
import java.security.KeyPair;
2727
import java.security.KeyPairGenerator;
2828
import java.security.PrivateKey;
29+
import java.security.PublicKey;
2930
import java.security.SecureRandom;
3031
import java.security.Security;
3132
import java.security.cert.X509Certificate;
@@ -43,20 +44,26 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
4344
import org.apache.commons.io.FileUtils;
4445
import org.bouncycastle.asn1.ASN1Sequence;
4546
import org.bouncycastle.asn1.ASN1Set;
47+
import org.bouncycastle.asn1.ASN1Encodable;
4648
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
4749
import org.bouncycastle.asn1.DERSequence;
4850
import org.bouncycastle.asn1.cms.Attribute;
51+
import org.bouncycastle.asn1.pkcs.CertificationRequest;
4952
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
5053
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
5154
import org.bouncycastle.asn1.x509.BasicConstraints;
55+
import org.bouncycastle.asn1.x509.Extension;
56+
import org.bouncycastle.asn1.x509.Extensions;
5257
import org.bouncycastle.asn1.x509.GeneralName;
5358
import org.bouncycastle.asn1.x509.GeneralNames;
5459
import org.bouncycastle.asn1.x509.KeyUsage;
60+
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
5561
import org.bouncycastle.asn1.x509.X509Extension;
5662
import org.bouncycastle.asn1.x509.X509Extensions;
5763
import org.bouncycastle.crypto.prng.VMPCRandomGenerator;
5864
import org.bouncycastle.jce.PKCS10CertificationRequest;
5965
import org.bouncycastle.jce.X509Principal;
66+
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
6067
import org.bouncycastle.util.io.pem.PemObject;
6168
import org.bouncycastle.x509.X509V3CertificateGenerator;
6269
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
@@ -120,11 +127,21 @@ public static long generatePositiveRandom()
120127

121128
public static X509Certificate createCertFromCSR(PemObject certReq, CertCreateFields signerCert) throws Exception
122129
{
123-
/*
124-
certReq.verify();
125130

126-
final CertificationRequestInfo reqInfo = certReq.getCertificationRequestInfo();
131+
byte[] csrBytes = certReq.getContent();
132+
133+
CertificationRequest csrObj = CertificationRequest.getInstance(csrBytes);
134+
135+
// Parse the PKCS#10 structure
136+
CertificationRequestInfo csr = csrObj.getCertificationRequestInfo();
137+
138+
// Extract SPKI
139+
SubjectPublicKeyInfo spki = csrObj.getCertificationRequestInfo().getSubjectPublicKeyInfo();
127140

141+
// Convert to java.security.PublicKey
142+
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
143+
PublicKey publicKey = converter.getPublicKey(spki);
144+
128145
final X509V3CertificateGenerator v1CertGen = new X509V3CertificateGenerator();
129146
final Calendar start = Calendar.getInstance();
130147
final Calendar end = Calendar.getInstance();
@@ -134,58 +151,36 @@ public static X509Certificate createCertFromCSR(PemObject certReq, CertCreateFie
134151
v1CertGen.setIssuerDN(signerCert.getSignerCert().getSubjectX500Principal()); // issuer is the parent cert
135152
v1CertGen.setNotBefore(start.getTime());
136153
v1CertGen.setNotAfter(end.getTime());
137-
v1CertGen.setSubjectDN(new X509Principal(reqInfo.getSubject().toString()));
138-
v1CertGen.setPublicKey(certReq.getPublicKey());
154+
v1CertGen.setSubjectDN(new X509Principal(csr.getSubject().toString()));
155+
v1CertGen.setPublicKey(publicKey);
139156
v1CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
140157

141158

142-
final ASN1Set attributesAsn1Set = reqInfo.getAttributes();
159+
ASN1Set attrs = csrObj.getCertificationRequestInfo().getAttributes();
143160

144-
X509Extensions certificateRequestExtensions = null;
145-
for (int i = 0; i < attributesAsn1Set.size(); ++i)
146-
{
147-
// There should be only only one attribute in the set. (that is, only
148-
// the `Extension Request`, but loop through to find it properly)
149-
final DEREncodable derEncodable = attributesAsn1Set.getObjectAt( i );
150-
151-
152-
if (derEncodable instanceof DERSequence)
153-
{
154-
final Attribute attribute = new Attribute( (DERSequence) attributesAsn1Set
155-
.getObjectAt( i ) );
156-
157-
if (attribute.getAttrType().equals( PKCSObjectIdentifiers.pkcs_9_at_extensionRequest ))
158-
{
159-
// The `Extension Request` attribute is present.
160-
final ASN1Set attributeValues = attribute.getAttrValues();
161-
162-
// The X509Extensions are contained as a value of the ASN.1 Set.
163-
// Assume that it is the first value of the set.
164-
if (attributeValues.size() >= 1)
165-
{
166-
certificateRequestExtensions = new X509Extensions( (ASN1Sequence) attributeValues
167-
.getObjectAt( 0 ) );
168-
169-
// No need to search any more.
170-
//break;
171-
}
172-
}
173-
}
174-
}
161+
162+
Extensions requestedExtensions = null;
163+
164+
for (ASN1Encodable attrObj : attrs) {
165+
org.bouncycastle.asn1.pkcs.Attribute attr =
166+
org.bouncycastle.asn1.pkcs.Attribute.getInstance(attrObj);
175167

176-
@SuppressWarnings("unchecked")
177-
Enumeration<DERObjectIdentifier> oids = certificateRequestExtensions.oids();
178-
while (oids.hasMoreElements())
179-
{
180-
DERObjectIdentifier oid = oids.nextElement();
181-
X509Extension ex = certificateRequestExtensions.getExtension(oid);
182-
183-
v1CertGen.addExtension(oid, ex.isCritical(), X509Extension.convertValueToObject(ex));
168+
if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
169+
requestedExtensions = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
170+
break;
171+
}
184172
}
185173

174+
175+
if (requestedExtensions != null) {
176+
for (ASN1ObjectIdentifier oid : requestedExtensions.getExtensionOIDs()) {
177+
Extension ext = requestedExtensions.getExtension(oid);
178+
v1CertGen.addExtension(oid, ext.isCritical(), ext.getParsedValue());
179+
}
180+
}
181+
186182
return v1CertGen.generate((PrivateKey)signerCert.getSignerKey(), CryptoExtensions.getJCEProviderName());
187-
*/
188-
return null;
183+
189184
}
190185

191186
private static CertCreateFields createNewCA(CertCreateFields fields, KeyPair keyPair, boolean addAltNames) throws Exception

0 commit comments

Comments
 (0)