{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 啃猪蹄的小仙女 的问题《Creating Custom X509 v3 Extensions in Java with Bo》','https://www.manongdao.com/q-601759.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have successfully used the X509v3CertificateBuilder Java class from Bouncy Castle to create X509 certificates with standard V3 extensions. I am now trying to create certificates with custom extensions.
I can create a custom extension using the addExtension(...) method, however, the resulting value in the certificate is not what I want. For example, I would like these exact octets listed in the certificate under a custom OID 1.2.3.4: "00 00 00 00 FF FF FF FF". Everything I try wraps that octet string in ASN1 encoding and it ends up as "04 08 00 00 00 00 FF FF FF FF".
Basically, I would like to create a certificate in Java with a custom extension that looks identical to how a certificate would look when created with OpenSSL using an extensions file that had this configuration:
1.2.3.4=DER:00:00:00:00:FF:FF:FF:FF
Is this possible to do in a clean way with the X509v3CertificateBuilder class?
Below is a snippet of code that creates the "incorrect" value.
// Raw value to place in cert for OID 1.2.3.4.
byte[] bytearray = {0, 0, 0, 0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
ASN1ObjectIdentifier asn1oid = new ASN1ObjectIdentifier("1.2.3.4");
Extension ext = new Extension(asn1oid, false, bytearray);
X509v3CertificateBuilder certBldr =
new JcaX509v3CertificateBuilder(
caCert,
serial,
startDate,
endDate,
dn,
pubKey)
.addExtension(
new ASN1ObjectIdentifier("2.5.29.19"),
false,
new BasicConstraints(false))
.addExtension(
new ASN1ObjectIdentifier("2.5.29.15"),
true,
new X509KeyUsage(
X509KeyUsage.digitalSignature |
X509KeyUsage.nonRepudiation |
X509KeyUsage.keyEncipherment |
X509KeyUsage.dataEncipherment))
.addExtension(
new ASN1ObjectIdentifier("1.2.3.4"),
false,
ext.getExtnValue());
// Create and sign the certificate.
X509CertificateHolder certHolder = certBldr.build(sigGen);
X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)
.getCertificate(certHolder);
After trying a lot of different options, I don't think it's possible to use X509v3CertificateBuilder to create an extension with a raw (non-ASN.1 encoded) value. The addExtension() method expects or changes an input value to be ASN.1 encoded.
However, after looking at the Bouncy Castle source code for the methods that X509v3CertificateBuilder uses behind the scenes, I found a way to do it with other classes. There are more lines of code involved, but it is fairly straightforward and gives the results needed.
Here is the code that will allow a custom extension with a raw value.
Certificate is ASN.1 encoded, so extension values should also be ASN.1 encoded. 04 is OCTET STRING type, 08 - length of this octet string. BouncyCastle doesn't know anything about format of extension data, most likely this is the reason why it doesn't strip tag and length, and you should decoded that data manually.