java, openssl, bouncycastle, attribute certificate

Store X509AttributeCertificateHolder object, especially attrCert, locally and open it


There is an option to store the X509Certificate locally with the class JcaPEMWriter from the Bouncy Castle API. After storing the X509Certificate I can open it with openssl with the following command:

openssl x509 -in certificate.pem -text

I have the following code:

X509AttributeCertificateHolder att = acBuilder.build(new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(caprivkey));

Now I want to store the attrCert (the Attribute Certificate) locally, which is contained in the att variable. How can I do this? And how can I open the attrCert; is it possible to open it with openssl or any other tool?


Solution

  • To save your Attribute Certificate in a PEM file, you can use JcaPEMWriter as well:

    import java.io.FileWriter;
    import org.bouncycastle.openssl.jcajce.JcaPEMWriter;

    // save the Attribute Certificate to attcert.pem file;
    // try-with-resources closes the writer even if writeObject throws
    try (JcaPEMWriter writer = new JcaPEMWriter(new FileWriter("attcert.pem"))) {
        writer.writeObject(att);
    }

    The file will contain a base64 content, like this:

    -----BEGIN ATTRIBUTE CERTIFICATE-----
    MIIBvzCCASgCAQEwZ6BlMGCkXjBcMQswCQYDVQQGEwJBVTEoMCYGA1UECgwfVGhl
    IExlZ2lvbiBvZiB0aGUgQm91bmN5IENhc3RsZTEjMCEGA1UECwwaQm91bmN5IFBy
    aW1hcnkgQ2VydGlmaWNhdGUCAQKgYjBgpF4wXDELMAkGA1UEBhMCQVUxKDAmBgNV
    BAoMH1RoZSBMZWdpb24gb2YgdGhlIEJvdW5jeSBDYXN0bGUxIzAhBgNVBAsMGkJv
    dW5jeSBQcmltYXJ5IENlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAAgF7MCIYDzIw
    MTcwNzA2MTE1MDExWhgPMjAxNzA3MDYxMTUxNTFaMCAwHgYDVQRIMRcwFaEThhFp
    ZDovL0RBVTEyMzQ1Njc4OTANBgkqhkiG9w0BAQUFAAOBgQBy3epbynwILi/H0DkQ
    UXDgIWXXN5oRQem9DJ2AhYl6JHeKOk3ML87axq+ukWYjZoo3eP2rIxuDU6jWRak1
    +n92KLsc/zSFaAdxxYjXQbjTpqEafvEea4QPd4PfPHA9nd4QNKox4H1lNhDeyqtP
    B4iU+bkA1bKDo4dnhXVtJaAlkg==
    -----END ATTRIBUTE CERTIFICATE-----

    Unfortunately, it seems that there's no specific command in openssl to check the Attribute Certificate (check this discussion and this message with no replies - there's an extended version of openssl that seems to support it, although I haven't tested it).

    But you can check the ASN.1 structure using the asn1parse option:

    openssl asn1parse -dump -i -in attcert.pem

    The output will be the ASN.1 structure, like this:

        0:d=0  hl=4 l= 447 cons: SEQUENCE          
        4:d=1  hl=4 l= 296 cons:  SEQUENCE          
        8:d=2  hl=2 l=   1 prim:   INTEGER           :01
       11:d=2  hl=2 l= 103 cons:   SEQUENCE          
       13:d=3  hl=2 l= 101 cons:    cont [ 0 ]        
       15:d=4  hl=2 l=  96 cons:     SEQUENCE          
       17:d=5  hl=2 l=  94 cons:      cont [ 4 ]        
       19:d=6  hl=2 l=  92 cons:       SEQUENCE          
       21:d=7  hl=2 l=  11 cons:        SET               
       23:d=8  hl=2 l=   9 cons:         SEQUENCE          
       25:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
       30:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :AU
       34:d=7  hl=2 l=  40 cons:        SET               
       36:d=8  hl=2 l=  38 cons:         SEQUENCE          
       38:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
       43:d=9  hl=2 l=  31 prim:          UTF8STRING        :The Legion of the Bouncy Castle
    ... and so on

    Or you can read the file using Bouncy Castle:

    import java.nio.charset.StandardCharsets;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import org.bouncycastle.cert.X509AttributeCertificateHolder;
    import org.bouncycastle.util.encoders.Base64;

    // read the PEM file and drop the -----BEGIN/END ATTRIBUTE CERTIFICATE----- lines;
    // only the base64 body may be passed to the decoder (it ignores line breaks itself)
    String pem = new String(Files.readAllBytes(Paths.get("attcert.pem")), StandardCharsets.US_ASCII)
            .replaceAll("-----[A-Z ]+-----", "");
    // Convert to AC object
    byte[] data = Base64.decode(pem);
    X509AttributeCertificateHolder holder = new X509AttributeCertificateHolder(data);
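    As an added example (not part of the answer above, and not Bouncy Castle's own code), here is a full round trip: build an attribute certificate the way the question does, write it with JcaPEMWriter, read it back with PEMParser (which recognises the ATTRIBUTE CERTIFICATE label directly, so no manual base64 handling is needed), and then check the signature against the issuer's public key and the validity window before trusting any attribute. The issuer key pair, the names, the serial number and the role value are constructed for the example.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.*;

public class AttrCertRoundTrip {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Constructed issuer key pair for the example; in practice this is the AC issuer's CA key
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair issuerKey = kpg.generateKeyPair();
        X500Name issuerName = new X500Name("CN=AC Issuer, O=Example");   // constructed
        X500Name holderName = new X500Name("CN=Alice, O=Example");       // constructed
        Date now = new Date();
        X509v2AttributeCertificateBuilder acBuilder = new X509v2AttributeCertificateBuilder(
                new AttributeCertificateHolder(holderName), new AttributeCertificateIssuer(issuerName),
                BigInteger.valueOf(123), now, new Date(now.getTime() + 3600_000L)); // valid 1 hour
        acBuilder.addAttribute(X509AttributeIdentifiers.id_at_role,
                new RoleSyntax(new GeneralName(GeneralName.uniformResourceIdentifier, "id://DAU123456789")));
        X509AttributeCertificateHolder att = acBuilder.build(
                new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC").build(issuerKey.getPrivate()));
        // Write the AC as PEM, as in the answer above
        try (JcaPEMWriter writer = new JcaPEMWriter(new FileWriter("attcert.pem"))) {
            writer.writeObject(att);
        }
        // Read it back: PEMParser maps "ATTRIBUTE CERTIFICATE" to X509AttributeCertificateHolder
        X509AttributeCertificateHolder loaded;
        try (PEMParser parser = new PEMParser(new FileReader("attcert.pem"))) {
            loaded = (X509AttributeCertificateHolder) parser.readObject();
        }
        // Verify the issuer signature and the validity period before using any attribute
        boolean sigOk = loaded.isSignatureValid(
                new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuerKey.getPublic()));
        boolean timeOk = loaded.isValidOn(new Date());
        System.out.println("signature valid: " + sigOk + ", valid now: " + timeOk);
        for (Attribute a : loaded.getAttributes()) {
            System.out.println("attribute " + a.getAttrType() + " = " + a.getAttrValues());
        }
    }
}
```

    Run with the Bouncy Castle provider and PKIX jars (bcprov and bcpkix) on the classpath; a certificate whose signature or validity check fails should be rejected rather than parsed for its attributes.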