I had emailed about this previously but did not receive any response (email subject: "Setting OpenSSL::X509::Request version"), and then put some comments here: https://jira.codehaus.org/browse/JRUBY-6793, also with no response.
Basically, Bouncy Castle does not provide an API to do this. The only way to do it is to move away from using BC's generator classes, and continue hacking the ASN.1 sequence ourselves.

The "version" is an internal value that refers to the version of the format itself, not the version of the file. It should not really be settable by client code. The RFC says "It shall be 0 for this version of the standard." As another example of this, Bouncy Castle has two separate generator classes for certificates: X509V1CertificateGenerator and X509V3CertificateGenerator. There is only a "version 0" for PKCS10 though.

I argue we should make the code that calls "version=" not break, but I think it will be a losing battle going forward trying to support it.

--
Matt Hauck

On Wednesday, January 23, 2013 at 1:18 PM, Charles Oliver Nutter wrote:

> On Wed, Jan 23, 2013 at 3:10 PM, Matt Hauck <mattha...@gmail.com> wrote:
> > The first one fails probably because when it changes the version, it expects
> > that the outputted der would have been different, and thus does not match
> > the signature anymore.
>
> That sounds good to me :-) Perhaps you can figure out the right way
> for us to support version= with the new PKCS10 rewrite you did?
>
> - Charlie
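
The point discussed in this thread, as an added example that is not part of the original messages or of JRuby's code: the version INTEGER is the first field of the signed CertificationRequestInfo, so changing it changes the DER and the existing signature stops verifying until the request is re-signed. The key, the subject `example.test` and the helper names are constructed for illustration.

```ruby
require "openssl"

# Build a CSR with a throwaway key and a constructed subject.
def build_csr(key)
  req = OpenSSL::X509::Request.new
  req.version = 0 # the only value PKCS#10 (RFC 2986) defines
  req.subject = OpenSSL::X509::Name.parse("/CN=example.test")
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  req
end

# CertificationRequest ::= SEQUENCE {
#   certificationRequestInfo, signatureAlgorithm, signature BIT STRING }
# Returns the parsed info sequence and the raw signature bytes.
def split_csr(req)
  info, _alg, sig = OpenSSL::ASN1.decode(req.to_der).value
  [info, sig.value]
end

# Copy of the info sequence with only the leading version INTEGER replaced.
def with_version(info, version)
  fields = info.value.dup
  fields[0] = OpenSSL::ASN1::Integer.new(version)
  OpenSSL::ASN1::Sequence.new(fields)
end

def demo
  key = OpenSSL::PKey::RSA.new(2048)
  sha = -> { OpenSSL::Digest.new("SHA256") }
  req = build_csr(key)
  info, sig = split_csr(req)
  original = info.to_der                  # the bytes the signature covers
  changed  = with_version(info, 2).to_der # same request, version field = 2
  {
    version_field: info.value[0].value.to_i,
    api_verify:    req.verify(key.public_key),
    original_ok:   key.verify(sha.call, sig, original),
    der_differs:   original != changed,
    changed_ok:    key.verify(sha.call, sig, changed),
    resigned_ok:   key.verify(sha.call, key.sign(sha.call, changed), changed)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```
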