Question

Trying to generate an X509 certificate with the BouncyCastle API. Here is my piece of code.

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.KeyPair;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    // generateKeypair() and createCertificate(...) are helper methods of the
    // same class that are not shown here.
    try {
        Security.addProvider(new BouncyCastleProvider()); // adding provider to
        // Despite the .cer extension, this file will hold a PKCS#12 keystore.
        String pathtoSave = "D://sureshtest.cer";

        KeyPair keyPair = generateKeypair();
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        X509Certificate trustCert = createCertificate(null, "CN=DigiCorp",
                "CN=Nextenders", publicKey, privateKey);

        /*
         * CertificateFactory object is used for reading Certificates, CRL and
         * CertPaths. Create a factory object using the standard SPI pattern
         * used in JCA.
         */
        CertificateFactory factory =
                CertificateFactory.getInstance("X.509", "BC");

        /*
         * Generate a X509 Certificate initialized with the data read from the
         * input stream. The stream is opened on the PFX file below.
         */
        X509Certificate mastercert;
        try (InputStream is = new FileInputStream(new File("D://validcertFormCa.pfx"))) {
            mastercert = (X509Certificate) factory.generateCertificate(is);
        }

        java.security.cert.Certificate[] outChain = { trustCert, mastercert };
        trustCert.checkValidity();
        mastercert.checkValidity();

        // Build an in-memory PKCS#12 keystore holding the private key and chain.
        KeyStore outStore = KeyStore.getInstance("PKCS12");
        outStore.load(null, null);
        outStore.setKeyEntry("my own certificate", privateKey,
                "admin123".toCharArray(), outChain);

        try (OutputStream outputStream = new FileOutputStream(pathtoSave)) {
            outStore.store(outputStream, "admin123".toCharArray());
            outputStream.flush();
        }
    } catch (Exception e) {
        e.printStackTrace();
    }

And I run into this exception:

    org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory$ExCertificateException
        at org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory.engineGenerateCertificate(Unknown Source)
        at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
        at com.nextenders.certificategeenrator.CertificateGenerator.testGenerateSignCertWithKeyStore(CertificateGenerator.java:119)
        at com.nextenders.facadeimplementation.facade.JUnitFacade.main(JUnitFacade.java:11)
    Caused by: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.ASN1Integer
        at org.bouncycastle.asn1.ASN1Sequence.getInstance(Unknown Source)
        at org.bouncycastle.asn1.x509.TBSCertificate.getInstance(Unknown Source)
        at org.bouncycastle.asn1.x509.Certificate.<init>(Unknown Source)
        at org.bouncycastle.asn1.x509.Certificate.getInstance(Unknown Source)
        at org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory.readDERCertificate(Unknown Source)
        ... 4 more

Solution

What is mastercert supposed to be?

According to the docs for generateCertificate(), it expects that a "certificate provided in inStream must be DER-encoded and may be supplied in binary or printable (Base64) encoding". In other words, a DER or PEM encoded X509 certificate.

What you're providing it via that InputStream is a PFX file (a PKCS#12 file), not a DER or PEM encoded certificate.

My advice is to use openssl pkcs12 to extract the necessary certificate from the PKCS#12 file, and place it into a separate file, then change the code to load that instead of your PFX file.
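The stack trace actually tells you which format was read, and the following added example (it is not part of the question or the answer, and uses constructed byte strings rather than the files named above) shows why. Both an X.509 Certificate and a PKCS#12 PFX are an outer DER SEQUENCE, so the factory starts parsing; they differ in the first element inside that SEQUENCE. In a Certificate (RFC 5280) it is the tbsCertificate SEQUENCE; in a PFX (RFC 7292) it is the INTEGER version, whose value is 3. That INTEGER is the ASN1Integer that TBSCertificate.getInstance() rejects. The small DER peek below classifies a buffer on that basis, handles PEM and long-form lengths, and can be pointed at a file from the command line:

```python
# Added example, not code from the question or the answer: peek at the outer
# ASN.1 structure of a blob to tell a PKCS#12 PFX from an X.509 certificate.
#   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }        (RFC 5280)
#   PFX         ::= SEQUENCE { version INTEGER (v3 = 3), authSafe, ... } (RFC 7292)
import sys

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30
PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"


def _read_tlv_header(buf: bytes, offset: int):
    """Return (tag, length, header_size) of the DER TLV starting at offset.

    Supports short-form and long-form (up to 4-byte) lengths and raises
    ValueError on truncated or malformed headers.
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[offset + 2 : offset + 2 + n], "big")
    return tag, length, 2 + n


def classify(data: bytes) -> str:
    """Return 'pem-certificate', 'der-certificate', 'pkcs12' or 'unknown'.

    'der-certificate' means "outer SEQUENCE whose first element is a
    SEQUENCE", the shape CertificateFactory.generateCertificate() expects
    (a CRL has the same outer shape, so this is a format hint, not a parser).
    """
    if data.lstrip().startswith(PEM_CERT_HEADER):
        return "pem-certificate"
    try:
        outer_tag, _outer_len, hdr = _read_tlv_header(data, 0)
        if outer_tag != TAG_SEQUENCE:
            return "unknown"
        inner_tag, inner_len, inner_hdr = _read_tlv_header(data, hdr)
    except ValueError:
        return "unknown"
    if inner_tag == TAG_SEQUENCE:
        return "der-certificate"
    if inner_tag == TAG_INTEGER:
        # PFX version is the single-byte INTEGER 3.
        start = hdr + inner_hdr
        if inner_len == 1 and start < len(data) and data[start] == 3:
            return "pkcs12"
    return "unknown"


def _tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed samples (assumption: shapes only, not real certificates/keystores).
SAMPLE_PFX = _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_SEQUENCE, b""))
SAMPLE_CERT = _tlv(
    TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, b"\x00" * 200)   # tbsCertificate (padded to force long-form length)
    + _tlv(TAG_SEQUENCE, b"")          # signatureAlgorithm
    + b"\x03\x01\x00",                 # signature BIT STRING
)
SAMPLE_PEM = PEM_CERT_HEADER + b"\nMIIB...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python peek.py <file>   (e.g. the .pfx or .cer you are about to load)
    with open(sys.argv[1], "rb") as fh:
        print(classify(fh.read()))
```

If the result is pkcs12, hand the file to KeyStore.getInstance("PKCS12") and load it with its password rather than to a CertificateFactory; the Java KeyStore API can then return the certificate via getCertificate(alias). Outside Java, the extraction the answer recommends is openssl pkcs12 -in validcertFormCa.pfx -clcerts -nokeys -out cert.pem, which yields a PEM certificate that classify() reports as pem-certificate and that generateCertificate() accepts.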

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow