程序员经验分享-hwhale

通过 SCEP 在 java 中生成 CSR 请求

2024-07-03

我正在尝试发送证书签名请求从一个Android设备到服务器。服务器与 iOS 设备正常工作并遵循SCEP程序 http://softwarearchitectureandarchitects.blogspot.fr/2012/09/enroll-certificate-using-scep.html with OpenSSL.

所以这是我的问题: 我可以发送已签名的封装 CSR,但服务器无法读取封装的 CSR。我从服务器收到以下错误:

pki.rb:26:in initialize: Could not parse the PKCS7: header too long (ArgumentError)

相关 ruby​​ 服务器代码:

#receive object and put it in object data
[...]

# Verify Input Data
p7sign = OpenSSL::PKCS7.new(data)
store = OpenSSL::X509::Store.new
p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
signers = p7sign.signers

# Encrypted data (LINE 26 :)
p7enc = OpenSSL::PKCS7.new(p7sign.data)

# Certificate Signing Request
csr = p7enc.decrypt(ssl.key, ssl.certificate)

# Signed Certificate
request = OpenSSL::X509::Request.new(csr)

Java代码(安卓):

我正在使用 Bouncy Castle 生成 CSR 并使用 Volley (Google) 来发送它。

Main :

//Generate PEM formated CSR
byte[] pemCsr = getPemFromCsr(generateCSR());
//Envelop it in a PKCS#7 object
byte[] envelopedData = getDerFromCMSEnvelopedData(envelopData(pemCsr));
//Sign it in a PKCS#7 object
byte[] signedData = getDerFromCMSSignedData(signData(envelopedData));

sendCsrRequest(signedData);

CSR :

//Generate the CSR
private static PKCS10CertificationRequest genrateCertificationRequest(){
    // Build the CN for the cert we 
    X500NameBuilder nameBld = new X500NameBuilder(BCStyle.INSTANCE);
    nameBld.addRDN(BCStyle.CN, "cn");   
    nameBld.addRDN(BCStyle.O, "o"); 
    nameBld.addRDN(BCStyle.NAME, "name");   
    X500Name principal = nameBld.build();

    // Generate the certificate signing request (csr = PKCS10)
    String sigAlg = "SHA1withRSA";
    JcaContentSignerBuilder csb = new JcaContentSignerBuilder(sigAlg);
    ContentSigner cs = csb.build(privateKey);

    DERPrintableString password = new DERPrintableString("mychallenge");
    PKCS10CertificationRequestBuilder crb = new JcaPKCS10CertificationRequestBuilder(principal, publicKey);
    crb.addAttribute((ASN1ObjectIdentifier) PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);
    PKCS10CertificationRequest csr = crb.build(cs);

    return csr;
}
//Envelop the CSR
private static CMSEnvelopedData envelopData(byte[] pemCsr) {
    CMSTypedData msg     = new CMSProcessableByteArray(pemCsr);
    CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
    edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(x509Certificate).setProvider("BC"));
    CMSEnvelopedData ed = edGen.generate(msg,new JceCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).setProvider("BC").build());
    return ed;
}
//Sign the enveloped CSR
private static CMSSignedData signData(byte[] data){
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey);
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(signer, (X509Certificate) x509Certificate));
    CMSTypedData cmsdata = new CMSProcessableByteArray(data);
    CMSSignedData signedData = generator.generate(cmsdata, true);
    return signedData;
}

我已经准备好粘贴其他代码(Volley 请求、utils 转换器),但也许目前就足够了。

SCEP 已经可以与 iOS 设备配合使用,因此服务器是干净的。 Ruby 可以创建签名的 PKCS#7,所以我想我的签名步骤没问题。 但如果我发送一个空的签名 PKCS#7,我会惊讶地遇到同样的错误。

预先感谢您的任何帮助。


看来信封的 ASN1 对于 OpenSSL 来说不正确。

与此同时,Google Volley 会自动在响应中添加“\n”,这也会引发问题。

本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

Java

Android

ruby

openssl

mdm

通过 SCEP 在 java 中生成 CSR 请求 的相关文章

随机推荐

热门标签