使用Bouncy Castle签署CSR

好的…我一直在寻找做同样的事情，对于我的一生，我不知道该怎么做。所有的API都在谈论生成密钥对，然后生成证书，而不是如何签署CSR。不知何故，很偶然-
这就是我发现的东西。

由于PKCS10表示（CSR的）请求格式，因此您首先需要将CSR放入PKCS10Holder中。然后，将其传递给CertificateBuilder（因为不推荐使用CertificateGenerator）。传递方法是在持有人上调用getSubject。

这是代码（Java，请根据需要进行调整）：

public static X509Certificate sign(PKCS10CertificationRequest inputCSR, PrivateKey caPrivate, KeyPair pair)        throws InvalidKeyException, NoSuchAlgorithmException,        NoSuchProviderException, SignatureException, IOException,        OperatorCreationException, CertificateException {    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder() .find("SHA1withRSA");    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder() .find(sigAlgId);    AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate .getEnpred());    SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pair .getPublic().getEnpred());    PKCS10CertificationRequestHolder pk10Holder = new PKCS10CertificationRequestHolder(inputCSR);    //in newer version of BC such as 1.51, this is     //PKCS10CertificationRequest pk10Holder = new PKCS10CertificationRequest(inputCSR);    X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder( new X500Name("CN=issuer"), new BigInteger("1"), new Date(         System.currentTimeMillis()), new Date(         System.currentTimeMillis() + 30 * 365 * 24 * 60 * 60      * 1000), pk10Holder.getSubject(), keyInfo);    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId) .build(foo);    X509CertificateHolder holder = myCertificateGenerator.build(sigGen);    X509CertificateStructure eeX509CertificateStructure = holder.toASN1Structure();     //in newer version of BC such as 1.51, this is     //org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure = holder.toASN1Structure();    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");    // Read Certificate    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEnpred());    X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);    is1.close();    return theCert;    //return null;}

如您所见，我已经在此方法外部生成了请求，但是将其传递了。然后，我具有PKCS10CertificationRequestHolder将此接受为构造函数arg。

接下来，在X509v3CertificateBuilder参数中，您将看到pk10Holder.getSubject-
显然这就是您所需要的吗？如果缺少什么，也请让我知道！！！它为我工作。我正确生成的证书具有我需要的DN信息。

维基百科上有一个关于PKCS的杀手section-
http://en.wikipedia.org/wiki/PKCS