Comments (7)
I guess that PKCS12SafeBagBuilder taCertBagBuilder = new JcaPKCS12SafeBagBuilder(chain[2]) is the line that is causing the exception.
Your buildAndGetPfx() method assumes that the certificate chain always consists of three certificates. However, this is not always correct. For example, the Let's Encrypt staging server only returns two certificates (your own one, and a test root certificate). I assume you are testing against the staging server, and now your code breaks because it misses a third certificate.
Other CAs might even return a chain of four or more certificates, so you shouldn't make fixed assumptions on the number of certificates.
I would recommend you change your code so the PKCS12SafeBag is dynamically generated from all certificates that are passed in with your certs parameter.
from acme4j.
The code is looking good, except that you don't set a pkcs_9_at_friendlyName any more. I don't know much about PFX files, so I cannot say if this is a problem, and if the generated PFX file is generally correct. BTW, instead of the second for loop you could also do PKCS12SafeBag[] certsArray = certs.toArray(new PKCS12SafeBag[0]);
You cannot create an org.shredzone.acme4j.Certificate resource from a file, because crucial information like the certificate URL, the certificate chain, and alternate chains would be missing. What you can do is store the location of the certificate (URL certificateUrl = certificate.getLocation()). Later you would do a login.bindCertificate(certificateUrl) to recreate the Certificate resource.
from acme4j.
@shred How would that look in code?
Something like this?:
    // one builder per certificate in the chain, whatever its length
    List<JcaPKCS12SafeBagBuilder> builders = new ArrayList<>();
    for (X509Certificate cert : chain) {
        builders.add(new JcaPKCS12SafeBagBuilder(cert));
    }
    // then build a safe bag from each builder
    List<PKCS12SafeBag> certs = new ArrayList<>();
    for (JcaPKCS12SafeBagBuilder builder : builders) {
        certs.add(builder.build());
    }
Edit1: This would be even faster requiring only one loop:
    // build each certificate's safe bag directly, in a single pass over the chain
    List<PKCS12SafeBag> certs = new ArrayList<>();
    for (X509Certificate cert : chain) {
        certs.add(new JcaPKCS12SafeBagBuilder(cert).build());
    }
from acme4j.
@shred So these taCertBagBuilder.addBagAttribute(stuff...) don't matter at all?
from acme4j.
@shred This is what I came up with:
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.crypto.engines.DESedeEngine;
import org.bouncycastle.crypto.engines.RC2Engine;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.pkcs.PKCS12PfxPdu;
import org.bouncycastle.pkcs.PKCS12PfxPduBuilder;
import org.bouncycastle.pkcs.PKCS12SafeBag;
import org.bouncycastle.pkcs.PKCS12SafeBagBuilder;
import org.bouncycastle.pkcs.bc.BcPKCS12MacCalculatorBuilder;
import org.bouncycastle.pkcs.bc.BcPKCS12PBEOutputEncryptorBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS12SafeBagBuilder;

public static PKCS12PfxPdu buildAndGetPfx(X509Certificate[] chain, PublicKey pubKey, PrivateKey privKey, char[] passwd) throws Exception {
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    // one certificate bag per chain element, whatever the chain length
    List<PKCS12SafeBag> certs = new ArrayList<>();
    for (X509Certificate cert : chain) {
        certs.add(new JcaPKCS12SafeBagBuilder(cert).build());
    }
    PKCS12SafeBag[] certsArray = new PKCS12SafeBag[certs.size()];
    for (int i = 0; i < certs.size(); i++) {
        certsArray[i] = certs.get(i);
    }
    PKCS12PfxPduBuilder pfxPduBuilder = new PKCS12PfxPduBuilder();
    // converting the certs list into an array by using certs.toArray() didn't work :/ That's why I used the loop above
    pfxPduBuilder.addEncryptedData(
            new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC, new CBCBlockCipher(new RC2Engine())).build(passwd),
            certsArray);
    PKCS12SafeBagBuilder keyBagBuilder = new JcaPKCS12SafeBagBuilder(privKey,
            new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC, new CBCBlockCipher(new DESedeEngine())).build(passwd));
    keyBagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString("Eric's Key"));
    keyBagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pubKey));
    pfxPduBuilder.addData(keyBagBuilder.build());
    return pfxPduBuilder.build(new BcPKCS12MacCalculatorBuilder(), passwd);
}
from acme4j.
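The following is an added example, not code from this thread or from acme4j, that puts the points raised above together: one certificate bag per chain element regardless of chain length, and the pkcs_9_at_localKeyId attribute set on both the leaf certificate bag and the key bag. That attribute is what answers the question about addBagAttribute: PKCS#12 consumers pair the private key with its certificate by it (the JDK's PKCS12 KeyStore matches localKeyId first and falls back to an equal friendlyName; friendlyName otherwise only becomes the alias). A key bag whose localKeyId matches no certificate bag loads as a key without a chain, which is exactly the kind of silently broken PFX the friendlyName remark hints at. The example assumes chain[0] is the end-entity certificate (the order acme4j's Certificate.getCertificateChain() returns it in); the class name PfxChainExample, the alias parameter and the verifyRoundTrip check are this example's own, and the second builder shows the same result using nothing but the JDK KeyStore API, which sets those attributes itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.crypto.engines.DESedeEngine;
import org.bouncycastle.crypto.engines.RC2Engine;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.pkcs.PKCS12PfxPdu;
import org.bouncycastle.pkcs.PKCS12PfxPduBuilder;
import org.bouncycastle.pkcs.PKCS12SafeBag;
import org.bouncycastle.pkcs.PKCS12SafeBagBuilder;
import org.bouncycastle.pkcs.bc.BcPKCS12MacCalculatorBuilder;
import org.bouncycastle.pkcs.bc.BcPKCS12PBEOutputEncryptorBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS12SafeBagBuilder;

// Hypothetical helper class written for this example; it is not part of acme4j.
public final class PfxChainExample {

    /** Builds a PFX from a chain of any length; chain[0] is assumed to be the end-entity certificate. */
    public static PKCS12PfxPdu buildPfx(X509Certificate[] chain, PrivateKey privKey,
                                        String alias, char[] passwd) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("certificate chain is empty");
        }
        // localKeyId derived from the leaf's public key; the same value goes on the
        // leaf certificate bag and on the key bag so that consumers can pair them
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        SubjectKeyIdentifier keyId = extUtils.createSubjectKeyIdentifier(chain[0].getPublicKey());

        // one certificate bag per chain element; only the leaf carries the attributes
        PKCS12SafeBag[] certBags = new PKCS12SafeBag[chain.length];
        for (int i = 0; i < chain.length; i++) {
            PKCS12SafeBagBuilder bag = new JcaPKCS12SafeBagBuilder(chain[i]);
            if (i == 0) {
                bag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
                bag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, keyId);
            }
            certBags[i] = bag.build();
        }

        // 40-bit RC2 is the legacy PKCS#12 cipher, tolerable only because certificates are
        // public; the private key gets 3-key 3DES, the strongest of the PKCS#12 PBE set
        OutputEncryptor certEnc = new BcPKCS12PBEOutputEncryptorBuilder(
                PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC, new CBCBlockCipher(new RC2Engine())).build(passwd);
        OutputEncryptor keyEnc = new BcPKCS12PBEOutputEncryptorBuilder(
                PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC, new CBCBlockCipher(new DESedeEngine())).build(passwd);

        PKCS12SafeBagBuilder keyBag = new JcaPKCS12SafeBagBuilder(privKey, keyEnc);
        keyBag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
        keyBag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, keyId);

        PKCS12PfxPduBuilder pfx = new PKCS12PfxPduBuilder();
        pfx.addEncryptedData(certEnc, certBags);
        pfx.addData(keyBag.build());
        return pfx.build(new BcPKCS12MacCalculatorBuilder(), passwd);
    }

    /** Same result with only the JDK: the PKCS12 KeyStore sets localKeyId and friendlyName itself. */
    public static byte[] buildPfxWithJdk(X509Certificate[] chain, PrivateKey privKey,
                                         String alias, char[] passwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry(alias, privKey, passwd, chain);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, passwd);
        return out.toByteArray();
    }

    /**
     * Reloads a DER-encoded PFX with the JDK KeyStore and returns the chain length it
     * recovered for the key entry, or -1 if no key entry was found. A correctly paired
     * file yields chain.length; a key bag without a matching localKeyId yields a chain
     * of length 0 or no key entry at all.
     */
    public static int verifyRoundTrip(byte[] pfxDer, char[] passwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(pfxDer), passwd);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) {
                java.security.cert.Certificate[] c = ks.getCertificateChain(a);
                return c == null ? 0 : c.length;
            }
        }
        return -1;
    }
}
```

To check a file produced by buildPfx, encode it with pfx.getEncoded(org.bouncycastle.asn1.ASN1Encoding.DER) and pass the bytes to verifyRoundTrip with the same password; buildPfxWithJdk already returns bytes. With an acme4j chain of two or three certificates the recovered length should equal the number of certificates passed in, which is the assertion worth keeping in a unit test once the three-certificate assumption is gone.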
@shred Another question. Is it possible to create a org.shredzone.acme4j.Certificate from the already existing files? Or must I order a new one every time?
from acme4j.
@shred Thanks for the help!
from acme4j.