How do you create a CSR in Java without signing it with a requester?

Basically, I need to isolate the data of the constructed CSR (Certificate Signing Request) before it is first signed by the party making the request, preferably in Java. Thank you very much in advance!

It would also be useful to note how to subsequently add a signature to the CSR, since the CSR data will initially be signed by an HSM.


Hope this helps:

    import java.io.ByteArrayOutputStream;
    import java.io.PrintStream;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.NoSuchAlgorithmException;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.SecureRandom;
    import java.security.Signature;
    import javax.security.auth.x500.X500Principal;
    // JDK-internal classes; on Java 9+ compile and run with
    //   --add-exports java.base/sun.security.pkcs10=ALL-UNNAMED
    //   --add-exports java.base/sun.security.x509=ALL-UNNAMED
    import sun.security.pkcs10.PKCS10;
    import sun.security.x509.X500Name;

    public class GenerateCSR {
        private static PublicKey publicKey = null;
        private static PrivateKey privateKey = null;
        private static KeyPairGenerator keyGen = null;
        private static GenerateCSR gcsr = null;

        private GenerateCSR() {
            try {
                keyGen = KeyPairGenerator.getInstance("RSA");
            } catch (NoSuchAlgorithmException e) {
                // fail loudly instead of continuing with a null generator
                throw new IllegalStateException("RSA key generation unavailable", e);
            }
            keyGen.initialize(2048, new SecureRandom());
            KeyPair keypair = keyGen.generateKeyPair();
            publicKey = keypair.getPublic();
            privateKey = keypair.getPrivate();
        }

        public static GenerateCSR getInstance() {
            if (gcsr == null)
                gcsr = new GenerateCSR();
            return gcsr;
        }

        public String getCSR(String cn) throws Exception {
            // C must be a two-letter ISO 3166 code; "USA" would be rejected by most CAs
            byte[] csr = generatePKCS10(cn, "Java", "JournalDev", "Cupertino", "California", "US");
            return new String(csr);
        }

        /**
         * @param CN Common Name: the name that identifies the certificate (e.g. a host name)
         * @param OU Organizational unit
         * @param O  Organization name
         * @param L  Locality
         * @param S  State or province
         * @param C  Country (two-letter code)
         * @return the PEM-encoded PKCS#10 request, signed with the locally held private key
         */
        private static byte[] generatePKCS10(String CN, String OU, String O, String L, String S, String C)
                throws Exception {
            // MD5WithRSA (used in the original) is obsolete and rejected by modern CAs; use SHA-256
            String sigAlg = "SHA256WithRSA";
            PKCS10 pkcs10 = new PKCS10(publicKey);
            Signature signature = Signature.getInstance(sigAlg);
            signature.initSign(privateKey);
            // build the subject from the parameters (the original hard-coded a DN and ignored them)
            X500Principal principal = new X500Principal(
                    "CN=" + CN + ", OU=" + OU + ", O=" + O + ", L=" + L + ", ST=" + S + ", C=" + C);
            X500Name x500name = new X500Name(principal.getEncoded());
            // encodeAndSign encodes the CertificationRequestInfo and signs it in one step,
            // so the request and its signature are never separated here
            pkcs10.encodeAndSign(x500name, signature);
            ByteArrayOutputStream bs = new ByteArrayOutputStream();
            PrintStream ps = new PrintStream(bs);
            pkcs10.print(ps);   // writes the PEM form
            ps.close();
            return bs.toByteArray();
        }

        public PublicKey getPublicKey() { return publicKey; }
        public PrivateKey getPrivateKey() { return privateKey; }

        public static void main(String[] args) throws Exception {
            GenerateCSR gcsr = GenerateCSR.getInstance();
            System.out.println("Public Key:\n" + gcsr.getPublicKey().toString());
            System.out.println("Private Key:\n" + gcsr.getPrivateKey().toString());
            String csr = gcsr.getCSR("journaldev.com");
            System.out.println("CSR Request Generated!!");
            System.out.println(csr);
        }
    }

I used the Bouncy Castle libraries to create a certificate request without signing it. The problem I ran into was that the many applications available for creating a CSR took care of both its generation and its signing. I just wanted to create an unsigned CSR. Unfortunately, I cannot divulge the code used to create the unsigned CSR due to company policy, but I have listed several hints below that should help others. Here are a few steps that can help someone trying to do the same:

  • Look at an example of CSR data generated with openssl or another tool, using the following website:

    http://lapo.it/asn1js/

    This site even includes an example certificate object to see it in action.

  • Check out the ASN.1 encoding. This is how the certificate data is encoded, and you need to encode the CSR in the same way using Bouncy Castle.

  • Use Bouncy Castle to create CSR data. The following is a code snippet to initialize some of the fields commonly found in CSR data.

    import org.bouncycastle.asn1.ASN1Encodable;
    import org.bouncycastle.asn1.DERObjectIdentifier;   // ASN1ObjectIdentifier in current Bouncy Castle
    import org.bouncycastle.asn1.DERPrintableString;
    import org.bouncycastle.asn1.DERSequence;
    import org.bouncycastle.asn1.DERSet;

    // Create Organization Name: one RDN is SET { SEQUENCE { OID 2.5.4.10, PrintableString } }
    DERObjectIdentifier oidOrgName = new DERObjectIdentifier("2.5.4.10");
    DERPrintableString prntstrOrgName = new DERPrintableString("Test Organization");
    DERSet setOrgName = new DERSet(new DERSequence(new ASN1Encodable[] {oidOrgName, prntstrOrgName}));

    // Create org unit name (the OID is passed as a string; the original omitted the quotes)
    DERObjectIdentifier oidOrgUnitName = new DERObjectIdentifier("2.5.4.11");
    DERPrintableString prntstrOrgUnitName = new DERPrintableString("Org Unit Name");
    DERSet setOrgUnitName = new DERSet(new DERSequence(new ASN1Encodable[] {oidOrgUnitName, prntstrOrgUnitName}));
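The question asks for the unsigned part of a CSR so that an HSM can sign it later, and neither answer shows that split end to end. The following added example (not code from the question, either answer, or the Bouncy Castle project) builds the CertificationRequestInfo with Bouncy Castle, hands only its DER bytes to a stand-in signer, then reassembles and verifies the finished CSR. It assumes bcprov and bcpkix on the classpath, a locally generated RSA key standing in for the HSM, and the constructed subject "CN=example.test, O=Example".

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

public class DetachedCsr {
    // Step 1: the unsigned part. CertificationRequestInfo = version, subject, SPKI, attributes.
    static CertificationRequestInfo buildInfo(PublicKey pub, String subjectDn) {
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(pub.getEncoded());
        return new CertificationRequestInfo(new X500Name(subjectDn), spki, new DERSet());
    }

    // Step 2: stand-in for the HSM (hypothetical). Only the DER of the info block crosses this boundary.
    static byte[] hsmSign(PrivateKey priv, byte[] tbs) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(tbs);
        return s.sign();
    }

    // Step 3: CSR = SEQUENCE { CertificationRequestInfo, AlgorithmIdentifier, BIT STRING signature }.
    static PKCS10CertificationRequest assemble(CertificationRequestInfo info, byte[] sig) {
        AlgorithmIdentifier alg = new AlgorithmIdentifier(
                PKCSObjectIdentifiers.sha256WithRSAEncryption, DERNull.INSTANCE);
        return new PKCS10CertificationRequest(new CertificationRequest(info, alg, new DERBitString(sig)));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        CertificationRequestInfo info = buildInfo(kp.getPublic(), "CN=example.test, O=Example");
        byte[] tbs = info.getEncoded(ASN1Encoding.DER);   // this is what the HSM signs
        PKCS10CertificationRequest csr = assemble(info, hsmSign(kp.getPrivate(), tbs));
        // the CA's check: the signature must verify under the public key carried in the request
        boolean ok = csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(kp.getPublic()));
        System.out.println("signature valid: " + ok);
    }
}
```

The signature algorithm named in the AlgorithmIdentifier must match what the HSM actually used, or the CA's verification in the last step fails.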

Source: https://habr.com/ru/post/1381599/
