Sign Csr Using Bouncy Castle

Sign CSR using Bouncy Castle

Ok ... I was looking to do the same stuff and for the life of me I couldn't figure out how. The APIs all talk about generating the key pairs and then generating the cert but not how to sign a CSR. Somehow, quite by chance - here's what I found.

Since PKCS10 represents the format of the request (of the CSR), you first need to put your CSR into a PKCS10Holder. Then, you pass it to a CertificateBuilder (since CertificateGenerator is deprecated). The way you pass it is to call getSubject on the holder.

Here's the code (Java, please adapt as you need):

public static X509Certificate sign(PKCS10CertificationRequest inputCSR, PrivateKey caPrivate, KeyPair pair)
        throws InvalidKeyException, NoSuchAlgorithmException,
        NoSuchProviderException, SignatureException, IOException,
        OperatorCreationException, CertificateException {   

    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder()
            .find("SHA1withRSA");
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder()
            .find(sigAlgId);

    AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate
            .getEncoded());
    SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pair
            .getPublic().getEncoded());

    PKCS10CertificationRequestHolder pk10Holder = new PKCS10CertificationRequestHolder(inputCSR);
    //in newer version of BC such as 1.51, this is 
    //PKCS10CertificationRequest pk10Holder = new PKCS10CertificationRequest(inputCSR);

    X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(
            new X500Name("CN=issuer"), new BigInteger("1"), new Date(
                    System.currentTimeMillis()), new Date(
                    System.currentTimeMillis() + 30 * 365 * 24 * 60 * 60
                            * 1000), pk10Holder.getSubject(), keyInfo);

    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
            .build(foo);        

    X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
    X509CertificateStructure eeX509CertificateStructure = holder.toASN1Structure(); 
    //in newer version of BC such as 1.51, this is 
    //org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure = holder.toASN1Structure(); 

    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");

    // Read Certificate
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
    is1.close();
    return theCert;
    //return null;
}

As you can see, I've generated the request outside this method, but passed it in. Then, I have the PKCS10CertificationRequestHolder to accept this as a constructor arg.

Next, in the X509v3CertificateBuilder arguments, you'll see the pk10Holder.getSubject - this is apparently all you need? If something is missing, please let me know too!!! It worked for me. The cert I generated correctly had the DN info I needed.

Wikipedia has a killer section on PKCS - http://en.wikipedia.org/wiki/PKCS

Signing CSR using Bouncy Castle in C#

Here is my solution:

public string SignCSR(string str_csr, int validityInYears)
        {
            try
            {
                char[] characters = str_csr.Replace("-----BEGIN CERTIFICATE REQUEST-----", "").Replace("-----END CERTIFICATE REQUEST-----", "").ToCharArray();

                byte[] csrEncode = Convert.FromBase64CharArray(characters, 0, characters.Length);
                Pkcs10CertificationRequest pk10Holder = new Pkcs10CertificationRequest(csrEncode);

                bool verify = pk10Holder.Verify();
                if (verify == false)
                {
                    return constants.INVALIDCERTIFICATEREQUEST;
                }
                // Generating Random Numbers
                CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
                SecureRandom random = new SecureRandom(randomGenerator);

                X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

                // Serial Number
                BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
                certificateGenerator.SetSerialNumber(serialNumber);

                //Import intermediate certificate and get issuer details
                string pathToRootCert = Configuration["intermediatecertificatelocation"];
                string intermediateIssuer = rootBusinessLogic.ImportIssuerFromPem(pathToRootCert);

                // Issuer and Subject Name
                //X509Name issuerDN = new X509Name(issuerName);
                X509Name issuerDN = new X509Name(intermediateIssuer);  //issuer is intermediate certificate here whi will sign
                certificateGenerator.SetIssuerDN(issuerDN);
                certificateGenerator.SetSubjectDN(pk10Holder.GetCertificationRequestInfo().Subject);

                // Valid For
                DateTime notBefore = DateTime.UtcNow.Date;
                DateTime notAfter = notBefore.AddYears(validityInYears);

                certificateGenerator.SetNotBefore(notBefore);
                certificateGenerator.SetNotAfter(notAfter);

                certificateGenerator.SetPublicKey(pk10Holder.GetPublicKey());

                //Import root certificate and get issuer details
                //get root private key from file
                string rootKeyPathFromConfig = Configuration["intermediate_privatekeylocation"];
                AsymmetricKeyParameter issuerPrivKey = rootBusinessLogic.ImportPrivateKeyFromPemFile(rootKeyPathFromConfig);
                if (issuerPrivKey == null)
                {
                    return constants.INTERMEDIATEKEYERROR;
                }

                ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivKey, random);

                // Selfsign certificate
                Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

                X509Certificate2 x509 = new X509Certificate2(certificate.GetEncoded());
                StringBuilder builder = new StringBuilder();
                builder.AppendLine("-----BEGIN CERTIFICATE-----");
                builder.AppendLine(Convert.ToBase64String(x509.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks));
                builder.AppendLine("-----END CERTIFICATE-----");
                var str_certificate = builder.ToString();
                return str_certificate ;
            }
            catch (Exception ex)
            {
                return ex.Message;
            }
    }

pathToRootCert is the path to the intermediate certificate stored in the device, ImportIssuerFromPem is the method to retrieve issuer name of the intermediate certificate, rootKeyPathFromConfig is the path to the private key of intermediate certificate for signing purpose, ImportPrivateKeyFromPemFile is the method to get the private key in AsymmetricKeyParameter format. This method returns certificate in PEM format.

Generating the CSR using BouncyCastle API

With the recent versions of BouncyCastle it is recommended to create the CSR using the org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder class.

You can use this code snipppet:

KeyPair pair = generateKeyPair();
PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
    new X500Principal("CN=Requested Test Certificate"), pair.getPublic());
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
ContentSigner signer = csBuilder.build(pair.getPrivate());
PKCS10CertificationRequest csr = p10Builder.build(signer);

Bouncy castle create a certificate from openssl csr in java

The answer you linked tells you what the code returns: "a valid PEM-encoded signedData object containing a signed Certificate chain (of the type that can be imported by keytool)". Actually it's not quite valid: (1) it doesn't put any linebreaks in the base64 as PEM officially requires -- which you fixed, although you did it at 63 not 64 as standard; (2) it uses BEGIN/END PKCS #7 SIGNED DATA whereas the standard is BEGIN/END PKCS7 -- or in most cases BEGIN/END CMS because CMS is basically a superset of PKCS7. keytool ignores both of these flaws when reading a 'CA reply' (i.e. -importcert to an existing privateKey entry), but other software doesn't -- like BouncyCastle and OpenSSL. You already added line breaks; if you change the BEGIN/END labels to PKCS7 and put the result in a file you can read it with among other things

 openssl pkcs7 -in $file -print_certs # add -text for expanded details

However, calling this 'the type that can be imported by keytool' implies it is the only type which is false. keytool can read PKCS7 containing certs -- either PEM or DER -- but it can also read 'bare' X.509 certificates in either PEM or DER, and that is usually more convenient. To do that, replace everything from CMSSignedDataGenerator onward with something like for DER:

Files.write(Paths.get("outputfile"), certencoded)

or for PEM since you have Bouncy:

try( PemWriter w = new PemWriter(new FileWriter("outputfile")) ){
    w.writeObject(new PemObject("CERTIFICATE",certencoded));
}

or if you prefer to do it yourself:

try( Writer w = new FileWriter("outputfile") ){
    w.write("-----BEGIN CERTIFICATE-----\r\n" 
        + Base64.getMimeEncoder().encodeToString(certencoded) 
            // MimeEncoder does linebreaks at 76 by default which 
            // is close enough and less work than doing it by hand
        + "\r\n-----END CERTIFICATE-----\r\n");
}

Note: you may not need the \r -- PEM doesn't actually specify CRLF vs LF linebreaks -- but MimeEncoder uses them on the interior breaks and I like to be consistent.

This -- just the certificate -- is what your openssl x509 -req -CA* alternative produces, and that's why it's much smaller -- one cert is smaller than three certs plus some overhead.

Several more points:

• PEMParser can handle CSR just fine; you don't need the PemReader+PemObject detour

• using the entire SubjectPublicKeyInfo for the SubjectKeyIdentifier extension is wrong. OTOH nothing uses the SKI extension in a leaf cert anyway, so simplest to just delete this rather than fix it.

• in certgen.build() if you use JcaContentSignerBuilder instead of the BcRSA variant, you can pass cakey directly without going through PrivateKeyFactory and the signature scheme directly without going through two AlgorithmIdentifierFinders -- as the /*cms-sd*/generator.addSignerInfoGenerator later in the code already does.

• speaking of the signature scheme, don't use SHA1 for cert signatures (or most others). It was already deprecated in 2013 when that answer was written, and in 2017 was publicly broken for collision (see https://shattered.io) after which many systems either reject it entirely or nag mercilessly for such use, and some related ones like git. In fact many authorities and checklisters now prohibit it for any use, even though some (like HMAC and PBKDF) aren't actually broken. Your openssl x509 -req alternative used SHA256 which is fine*.

• and lastly, issuing a cert is NOT 'sign[ing] {the|a} CSR'. You can just look at the cert contents and see it's not at all the same as the CSR or even the CSR body. You create (or generate as used in the Bouncy names) a cert and sign the cert -- in response to a CSR.

* at least for now; if and when quantum cryptanalysis works a lot of currently used schemes, including probably SHA256-RSA signature, will be in trouble and will have to be replaced by 'post-quantum' schemes which people are now working to develop. But if this happens, you'll see it on every news channel and site in existence.

---

Related Topics