Menu
How do you convert a .CSR (a.k.a. p10 or PKCS#10) file to .DER format in java?
Here is a sample one:
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwUTEOMAwGA1UEAxMFYm9ndXMxDTALBgNVBAsTBHRlc3QxDTALBgNVBAoTBGNh
c2UxITAfBgkqhkiG9w0BCQEWEmJvZ3VzQHRlc3RjYXNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJr3uT3018LE3gyqwAlPQba/bvw0f5YejudMLQa0ROAdUl/Yz3TlVDKB+cQK
9dTTza51FiWGKzi0xU9YZOXDfRcJoFPBR0Jkw09eh5fJ24oEsQQSgPeX11pYNaOF8vwmM8agU95I
jFiwbIuXdaOY2p7f9P1Z2G0fYZ2q34s+rbmiXVKG/YvTbAmb7BuavJ+BiwdddrJsP4WUyEmr+AzQ
2WTxTTrENx9b+2wl0qukYBLL5pWTi1EqoVIMIkxqWkKjh4Ate9L54o4lUn6WsrZGcwNOc9mreHZz
t/OtSr2zzRCDdNnuek+jw21h5rTVfeb+3ADKWDjFNvhip9xgZ6ecxKMCAwEAAaAZMBcGCSqGSIb3
DQEJBzEKEwhwYXNzd29yZDANBgkqhkiG9w0BAQQFAAOCAQEAdVfhpkb6RzdwTGxwv78JjCPmzDUn
f2SP90937fDF98xp12bvj3EX+dyyeNV52xKce2x5qIZirhiPQoIotAl9lQkTSE58BkZfgM9Bbaj6
0oDnUYH8VSKnK8Oz4R4+9FChYsG0ZUNcsbHH698csrEQT2lOgdG9tAp643KrfapySybzq6wBqK5c
HcyhiprKc7O+Nvv8vXyMRtVDJD/UQM9JJPmOhfc6B9/nLZg9BOvEAH6sAtrZXXLgZ1UJ840DToBP
CzYA3JPG+dTwuCKHWt7sVyMSkKiMb6FdAp1QeOSmismhKlWC/gGm3/Mj14GODo01T3EB0aK5gpok
zRZPM1TESg==
-----END CERTIFICATE REQUEST-----
Printing the CSR/P10 file
I know that I can use the Microsoft certutil command in windows to display it also.
Example:
cerutil -dump <filename.p10>
PKCS10 Certificate Request:
Version: 1
Subject:
[email protected]
O=case
OU=test
CN=bogus
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 9a f7 b9 3d f4 d7 c2
0010 c4 de 0c aa c0 09 4f 41 b6 bf 6e fc 34 7f 96 1e
0020 8e e7 4c 2d 06 b4 44 e0 1d 52 5f d8 cf 74 e5 54
0030 32 81 f9 c4 0a f5 d4 d3 cd ae 75 16 25 86 2b 38
0040 b4 c5 4f 58 64 e5 c3 7d 17 09 a0 53 c1 47 42 64
0050 c3 4f 5e 87 97 c9 db 8a 04 b1 04 12 80 f7 97 d7
0060 5a 58 35 a3 85 f2 fc 26 33 c6 a0 53 de 48 8c 58
0070 b0 6c 8b 97 75 a3 98 da 9e df f4 fd 59 d8 6d 1f
0080 61 9d aa df 8b 3e ad b9 a2 5d 52 86 fd 8b d3 6c
0090 09 9b ec 1b 9a bc 9f 81 8b 07 5d 76 b2 6c 3f 85
00a0 94 c8 49 ab f8 0c d0 d9 64 f1 4d 3a c4 37 1f 5b
00b0 fb 6c 25 d2 ab a4 60 12 cb e6 95 93 8b 51 2a a1
00c0 52 0c 22 4c 6a 5a 42 a3 87 80 2d 7b d2 f9 e2 8e
00d0 25 52 7e 96 b2 b6 46 73 03 4e 73 d9 ab 78 76 73
00e0 b7 f3 ad 4a bd b3 cd 10 83 74 d9 ee 7a 4f a3 c3
00f0 6d 61 e6 b4 d5 7d e6 fe dc 00 ca 58 38 c5 36 f8
0100 62 a7 dc 60 67 a7 9c c4 a3 02 03 01 00 01
Request Attributes: 1
1 attributes:
Attribute[0]: 1.2.840.113549.1.9.7 (Challenge Password)
Value[0][0]:
Unknown Attribute type
password
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.4 md5RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 4a c4 54 33 4f 16 cd 24 9a 82 b9 a2 d1 01 71 4f
0010 35 8d 0e 8e 81 d7 23 f3 df a6 01 fe 82 55 2a a1
0020 c9 8a a6 e4 78 50 9d 02 5d a1 6f 8c a8 90 12 23
0030 57 ec de 5a 87 22 b8 f0 d4 f9 c6 93 dc 00 36 0b
0040 4f 80 4e 03 8d f3 09 55 67 e0 72 5d d9 da 02 ac
0050 7e 00 c4 eb 04 3d 98 2d e7 df 07 3a f7 85 8e f9
0060 24 49 cf 40 d4 3f 24 43 d5 46 8c 7c bd fc fb 36
0070 be b3 73 ca 9a 8a a1 cc 1d 5c ae a8 01 ac ab f3
0080 26 4b 72 aa 7d ab 72 e3 7a 0a b4 bd d1 81 4e 69
0090 4f 10 b1 b2 1c df eb c7 b1 b1 5c 43 65 b4 c1 62
00a0 a1 50 f4 3e 1e e1 b3 c3 2b a7 22 55 fc 81 51 e7
00b0 80 d2 fa a8 6d 41 cf 80 5f 46 06 7c 4e 48 13 09
00c0 95 7d 09 b4 28 82 42 8f 18 ae 62 86 a8 79 6c 7b
00d0 9c 12 db 79 d5 78 b2 dc f9 17 71 8f ef 66 d7 69
00e0 cc f7 c5 f0 ed 77 4f f7 8f 64 7f 27 35 cc e6 23
00f0 8c 09 bf bf 70 6c 4c 70 37 47 fa 46 a6 e1 57 75
Signature matches Public Key
Key Id Hash(rfc-sha1): 3b 03 e4 49 e8 b4 74 99 43 84 9e a4 b6 27 c4 1f c0 c5 e7 6b
Key Id Hash(sha1): 17 68 43 78 9a 76 53 4c 24 3a 9a 8d 13 a0 47 c6 92 93 4c 84
CertUtil: -dump command completed successfully.
I also know that I can print the ASN.1 format as follows:openssl asn1parse -in <filename>
0:d=0 hl=4 l= 687 cons: SEQUENCE
4:d=1 hl=4 l= 407 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 81 cons: SEQUENCE
13:d=3 hl=2 l= 14 cons: SET
15:d=4 hl=2 l= 12 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :commonName
22:d=5 hl=2 l= 5 prim: PRINTABLESTRING :bogus
29:d=3 hl=2 l= 13 cons: SET
31:d=4 hl=2 l= 11 cons: SEQUENCE
33:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
38:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
44:d=3 hl=2 l= 13 cons: SET
46:d=4 hl=2 l= 11 cons: SEQUENCE
48:d=5 hl=2 l= 3 prim: OBJECT :organizationName
53:d=5 hl=2 l= 4 prim: PRINTABLESTRING :case
59:d=3 hl=2 l= 33 cons: SET
61:d=4 hl=2 l= 31 cons: SEQUENCE
63:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
74:d=5 hl=2 l= 18 prim: IA5STRING :[email protected]
94:d=2 hl=4 l= 290 cons: SEQUENCE
98:d=3 hl=2 l= 13 cons: SEQUENCE
100:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
111:d=4 hl=2 l= 0 prim: NULL
113:d=3 hl=4 l= 271 prim: BIT STRING
388:d=2 hl=2 l= 25 cons: cont [ 0 ]
390:d=3 hl=2 l= 23 cons: SEQUENCE
392:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
403:d=4 hl=2 l= 10 cons: SET
405:d=5 hl=2 l= 8 prim: PRINTABLESTRING :password
415:d=1 hl=2 l= 13 cons: SEQUENCE
417:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
428:d=2 hl=2 l= 0 prim: NULL
430:d=1 hl=4 l= 257 prim: BIT STRING
824
I found out that you can use the built in java converter for this:
byte[] certificateData = "....<YOUR PEM ENCODED DATA STRING HERE>...";
String certificateDataString = removeCSRHeadersAndFooters(new String(certificateData)); // remove headers and footers
byte[] derByteArray = javax.xml.bind.DatatypeConverter.parseBase64Binary(certificateDataString); // PEM -> DER
A convenience method for stripping out headers and footers
/**
* Takes in a CSR/p10 as a string and removes the headers and footers of the request string.
*
* @param inString a CSR string
* @return a CSR String stripped of the text headers and footers
*/
public static String removeCSRHeadersAndFooters(String inString)
{
logger.debug("pemString: [" + inString + "]");
inString = inString.replace("-----BEGIN CERTIFICATE REQUEST-----" + "\n", "");
inString = inString.replace("\n" + "-----END CERTIFICATE REQUEST-----" + "\n", "");
logger.debug("[" + inString + "]");
return inString;
}
One can make it simpler with only three lines and decode not only certificate requests, but certificates and signatures as well
public static byte[] pemToDer(String pem) {
/* We split data with dashes as separator.
As a result we should have either 5 parts or 1,
if guarding strings were not present. */
String[] parts = pem.split("-----");
/* The middle element is base64 encoded data */
String base64 = parts[parts.length / 2];
return DatatypeConverter.parseBase64Binary(base64);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
