This week's book giveaway is in the HTML Pages with CSS and JavaScript forum.
We're giving away four copies of React Cookbook: Recipes for Mastering the React Framework and have David Griffiths & Dawn Griffiths on-line!
See this thread for details.
Win a copy of React Cookbook: Recipes for Mastering the React Framework this week in the HTML Pages with CSS and JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Rob Spoor
  • Liutauras Vilda
Sheriffs:
  • Jeanne Boyarsky
  • Junilu Lacar
  • Tim Cooke
Saloon Keepers:
  • Tim Holloway
  • Piet Souris
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
Bartenders:
  • Frits Walraven
  • Himai Minh

Certificate Generation using Bouncy Castle

 
Marshal
Posts: 3644
516
Android Eclipse IDE TypeScript Redhat MicroProfile Quarkus Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This is my first attempt at using Bouncy Castle to accept a CSR and return a signed X509 certificate.  It does seem to work as expected, but and I was hoping that anyone familiar with BC and the signing process could take a quick look to see if there are anything that I may have missed or could be done better.

One issue I did have was trying to extract the Subject Key Identifier from the CA's certificate and include it as the Authority Key Identifier in the generated certificate.  This seems like it should be a common thing to do, but I couldn't find a way using the BC API to pull out the content DER-encode value retrieved from the CA cert so that it could add it to the generated cert.  I ended-up just removing the first 2 octets from the OctetString (primitive and length) to get the key id

Also, I am re-using the generated cert's serial number as it Subject Key Identifier.  Thinking about it now, that probably wasn't a good idea.

Thanks in advance if anyone is able to help.

Java 11
org.bouncycastle:bcprov-jdk15on:1.69
org.bouncycastle:bcpkix-jdk15on:1.69

 
Ron McLeod
Marshal
Posts: 3644
516
Android Eclipse IDE TypeScript Redhat MicroProfile Quarkus Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ron McLeod wrote:Also, I am re-using the generated cert's serial number as it Subject Key Identifier.  Thinking about it now, that probably wasn't a good idea.


RFC 5280 in section 4.2.1.2. wrote:For CA certificates, subject key identifiers SHOULD be derived from
the public key or a method that generates unique values.  Two common
methods for generating key identifiers from the public key are:

   (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
         value of the BIT STRING subjectPublicKey (excluding the tag,
         length, and number of unused bits).

   (2) The keyIdentifier is composed of a four-bit type field with
         the value 0100 followed by the least significant 60 bits of
         the SHA-1 hash of the value of the BIT STRING
         subjectPublicKey (excluding the tag, length, and number of
         unused bits).

Other methods of generating unique numbers are also acceptable.

For end entity certificates, the subject key identifier extension
provides a means for identifying certificates containing the
particular public key used in an application.  Where an end entity
has obtained multiple certificates, especially from multiple CAs, the
subject key identifier provides a means to quickly identify the set
of certificates containing a particular public key.  To assist
applications in identifying the appropriate end entity certificate,
this extension SHOULD be included in all end entity certificates.

For end entity certificates, subject key identifiers SHOULD be
derived from the public key.  Two common methods for generating key
identifiers from the public key are identified above.

Where a key identifier has not been previously established, this
specification RECOMMENDS use of one of these methods for generating
keyIdentifiers or use of a similar method that uses a different hash
algorithm.  Where a key identifier has been previously established,
the CA SHOULD use the previously established identifier.


So it looks like I should be creating the SubjectKeyId based on a hash of the Public Key provided in the CSR so if a subsequent request is made which contains the same Public Key (maybe to refresh the Not After date), the SubjectKeyIdentifier would be the same..
 
He loves you so much! And I'm baking the cake! I'm going to put this tiny ad in the cake:
the value of filler advertising in 2021
https://coderanch.com/t/730886/filler-advertising
reply
    Bookmark Topic Watch Topic
  • New Topic