我嘗試在證書頒發機構(cmp服務器)上通過cmp(證書管理協議)吊銷證書,並獲取錯誤代碼「無效簽名密鑰代碼」。我認爲它是我簽署cmp消息的方式的原因,那裏出了問題。如何正確簽署cmp請求消息? (java,bouncy castle)
我建立與org.bouncycastle.asn1.cmp.PKIHeaderBuilder的頭和身體與org.bouncycastle.asn1.crmf.CertTemplateBuilder:
CertTemplateBuilder builderCer = new CertTemplateBuilder();
// cert to revoke
builderCer.setIssuer(issuer);
builderCer.setSerialNumber(serial);
//body
ArrayList revDetailsList = new ArrayList();
revDetailsList.add(new RevDetails(builderCer.build()));
RevReqContent revReqContent = new RevReqContent((RevDetails[]) revDetailsList.toArray(new RevDetails[revDetailsList.size()]));
PKIBody body = new PKIBody(PKIBody.TYPE_REVOCATION_REQ, revReqContent);
// header
X509Name recipient = new X509Name("CN=recipient");
X509Name sender = new X509Name("CN=sender");
int pvno = 1;
PKIHeaderBuilder builderHeader = new PKIHeaderBuilder(pvno, new GeneralName(sender), new GeneralName(recipient));
AlgorithmIdentifier algId = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.10045.4.1"));
builderHeader.setProtectionAlg(algId);
PKIHeader header = builderHeader.build();
然後我必須簽署整個消息,似乎有以不同的方式。在extracerts(CMPCertificate)中,我必須添加簽名的公鑰,簽名必須使用該公鑰驗證。我如何正確地爲這種申請簽署此消息?我試過org.bouncycastle.asn1.cmp.PKIMessages和org.bouncycastle.cert.cmp.ProtectedPKIMessage。
PKIMessages:
DERBitString signature = new DERBitString(createSignature("signature".getBytes()));
X509Certificate signercert = convertToX509Cert(certPEM);
CMPCertificate cmpCert = new CMPCertificate(org.bouncycastle.asn1.x509.Certificate.getInstance(signercert.getEncoded()));
PKIMessage message = new PKIMessage(header, body, signature, new CMPCertificate[] { cmpCert });
// createsignature()
private static byte[] createSignature(byte[] str){
Signature dsa = Signature.getInstance("SHA256WithRSA");
dsa.initSign(privateKey);
dsa.update(str, 0, str.length);
signature = dsa.sign();
return signature;
- >從CMP服務器錯誤: 「SIGNATURE_INVALID_KEY_CODE」
ProtectedPKIMessage:
ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyCastleProvider.PROVIDER_NAME).build((PrivateKey) ks.getKey(KEYSTORE_ALIAS, KEYSTORE_PWD.toCharArray()));
ProtectedPKIMessage message = new ProtectedPKIMessageBuilder(pvno, new GeneralName(sender), new GeneralName(recipient))
.addCMPCertificate(new X509CertificateHolder(ks.getCertificate(KEYSTORE_ALIAS).getEncoded()))
.setBody(body).build(signer);
- >從CMP服務器錯誤: 「ERROR_READING_CMS_OBJECT_CODE」
我簽署cmp請求消息的方式是否正確? PKIMessage和'protection'參數和org.bouncycastle.cert.cmp.ProtectedPKIMessage之間有什麼區別?
這是爲我工作,謝謝! – Simi