1. Accueil
  2. Question et réponse
  3. Utiliser une clé privée spécifique pour générer un certificat

Utiliser une clé privée spécifique pour générer un certificat

2017-01-24 1 views
0

Je travaille avec un château gonflable et je souhaite générer une clé privée spécifique au lieu de la clé aléatoire générée.Utiliser une clé privée spécifique pour générer un certificat

Je souhaite fournir ma propre clé privée mais le code génère des clés aléatoires. est-il un moyen de spécifier la clé privée exacte à utiliser dans le château gonflable?

Mon code est comme ci-dessous. Lorsque je vérifie la clé publique du certificat généré, j'obtiens des valeurs différentes tout le temps. J'ai besoin de la valeur que j'ai spécifiée.

Dans principaux

var cb = new X509CertBuilder(suppliers, "CN=MandarinAS, OU=Scheme42, O=MandarinAS, C=GB", 
        CertStrength.Bits1024); 


        var cert = cb.MakeCertificate(pwd, "CN=Mandarin, OU=CustomerId, OU=Scheme42, O=OrgX, C=GB", 1,keypair); 

        File.WriteAllBytes("Cert.pfx", cert.Export(X509ContentType.Pkcs12, pwd)); 


       File.WriteAllBytes("Cert.cer", cert.Export(X509ContentType.Cert, pwd)); 
    var store = new X509Store(storeLocation); 
       store.Open(OpenFlags.ReadOnly); 

       var myCertificate = new X509Certificate2("Cert.pfx", "password"); 
       if (myCertificate.PrivateKey ! 

= null) 
      { 
       store.Close(); 

      } 
//here i debug and compare the public key values myCertificate is always changing

X509CertBuilder.cs

public class X509CertBuilder 
    { 
     private const string SignatureAlgorithm = "SHA1WithRSA"; 
     private readonly int _strength; 
     private readonly CryptoApiRandomGenerator _randomGenerator = new CryptoApiRandomGenerator(); 
     private readonly X509V3CertificateGenerator _certificateGenerator = new X509V3CertificateGenerator(); 
     private readonly SecureRandom _random; 
     private readonly X509Name _issuer; 
     private readonly GeneralName[] _generalNames; 

     public X509CertBuilder(string[] validWithDomainNames, string issuer, CertStrength certStrength) 
     { 
      _random = new SecureRandom(_randomGenerator); 
      _issuer = new X509Name(issuer); 
      _strength = (int) certStrength; 

      _generalNames = new GeneralName[validWithDomainNames.Length]; 
      for (var t = 0; t < validWithDomainNames.Length; t++) 
      { 
       _generalNames[t] = new GeneralName(new X509Name(validWithDomainNames[t])); 
      } 
     } 

     public X509Certificate2 MakeCertificate(string password, string issuedToDomainName, int validYears, AsymmetricCipherKeyPair mykey=null) 
     { 
      _certificateGenerator.Reset(); 

      _certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm); 
      var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), 
       _random); 
      _certificateGenerator.SetSerialNumber(serialNumber); 

      _certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName)); 
      _certificateGenerator.SetIssuerDN(_issuer); 

      var subjectAlternativeNames = new Asn1Encodable[_generalNames.Length + 1]; 
      // first subject alternative name is the same as the subject 
      subjectAlternativeNames[0] = new GeneralName(new X509Name(issuedToDomainName)); 
      for (var t = 1; t <= _generalNames.Length; t++) 
      { 
       subjectAlternativeNames[t] = _generalNames[t - 1]; 
      } 
      var subjectAlternativeNamesExtension = new DerSequence(subjectAlternativeNames); 
      _certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, 
       subjectAlternativeNamesExtension); 

      _certificateGenerator.SetNotBefore(DateTime.UtcNow.Date); 
      _certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(validYears)); 
      var keyGenerationParameters = new KeyGenerationParameters(_random, _strength); 

      var keyPairGenerator = new RsaKeyPairGenerator(); 


      keyPairGenerator.Init(keyGenerationParameters); 
      var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); 

      _certificateGenerator.SetPublicKey(subjectKeyPair.Public); 

      //Previouse auto key 
      //var issuerKeyPair = subjectKeyPair; 

      //My mykey 
      var issuerKeyPair = mykey; 
      var certificate = _certificateGenerator.Generate(issuerKeyPair.Private,_random); 


      var store = new Pkcs12Store(); 
      var friendlyName = certificate.SubjectDN.ToString(); 
      var certificateEntry = new X509CertificateEntry(certificate); 
      store.SetCertificateEntry(friendlyName, certificateEntry); 
      store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(issuerKeyPair.Private), new[] {certificateEntry}); 

      using (var stream = new MemoryStream()) 
      { 
       store.Save(stream, password.ToCharArray(), _random); 
       return new X509Certificate2(stream.ToArray(), password, 
        X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); 
      } 
     } 
    }

Source

2017-01-24 flexxxit

Répondre

0

Modifier: Java pour une réponse incorrecte. L'API BouncyCastle C# est pas facilement accessible en ligne, mais je crois que ce que vous recherchez est X509CertificateParser

Si vous avez la clé publique au format DER, vous pouvez simplement passer le codé byte[] à java.security.cert.CertificateFactory.generateCertificate() et vous obtiendrez le bon X509Certificate en conséquence.

private static X509Certificate formX509Certificate(byte[] encodedCertificate) throws CertificateException { 
     try { 
      CertificateFactory cf = CertificateFactory.getInstance("X.509"); 
      ByteArrayInputStream bais = new ByteArrayInputStream(encodedCertificate); 
      return (X509Certificate) cf.generateCertificate(bais); 
     } catch (CertificateException e) { 
      logger.error("Error converting the certificate", e); 
      throw e; 
     } 
    }

Vos appels à X509CertBuilder génèrent un nouveau certificat avec une nouvelle paire chaque fois clé. Si vous avez déjà généré la paire de clés (à partir du code Java ou OpenSSL, etc.), utilisez simplement la valeur de certificat encodée pour construire l'objet certificat.

Si vous n'avez que les valeurs de paire de clés mais que la clé publique n'est pas formée dans un certificat, utilisez SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());.

/** 
    * Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority. 
    * 
    * @param keyPair     the {@link KeyPair} to generate the {@link X509Certificate} for 
    * @param dn      the distinguished name to user for the {@link X509Certificate} 
    * @param signingAlgorithm  the signing algorithm to use for the {@link X509Certificate} 
    * @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid 
    * @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority 
    * @throws CertificateException  if there is an generating the new certificate 
    */ 
    public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) 
      throws CertificateException { 
     try { 
      ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate()); 
      SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); 
      Date startDate = new Date(); 
      Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays)); 

      X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        reverseX500Name(new X500Name(dn)), 
        getUniqueSerialNumber(), 
        startDate, endDate, 
        reverseX500Name(new X500Name(dn)), 
        subPubKeyInfo); 

      // Set certificate extensions 
      // (1) digitalSignature extension 
      certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment 
        | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign)); 

      certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true)); 

      certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic())); 

      certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic())); 

      // (2) extendedKeyUsage extension 
      certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth})); 

      // Sign the certificate 
      X509CertificateHolder certificateHolder = certBuilder.build(sigGen); 
      return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder); 
     } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) { 
      throw new CertificateException(e); 
     } 
    }

Source

2017-01-24 20:44:54 Andy

 Questions connexes

  • Aucun problème connexe^_^