Java加密与解密笔记(四) 高级应用

术语列表:

CA:证书颁发认证机构(Certificate Authority)

PEM:隐私增强邮件(Privacy Enhanced Mail),是OpenSSL使用的一种密钥文件。

PKI:公钥基础设施(Public Key Infrastructure),可以理解成是一种平台标准。事实上所有的数字证书都符合PIK平台下的X.509标准。正式这个原因,我们才可以在之前的解析数字证书的时候可以用X509Certificate类。即使在X.509的大标准下,仍然存在不同编码格式的数字证书如CER、BER、DER和PICS(包括PKCS7、PKCS10、PKCS12等)

CSR:证书签发申请(Certificate Siging Request),是一种文件,内容包含了“我是谁”以及“我需要什么样的证书(算法名称,密钥长度等)”

数字证书

数字证书的本质其实还是非对称加密。数字证书中KeyStore充当着PrivateKey的角色(其实KeyStore中包含完整的秘钥对),Certificate充当着PublicKey的角色。

相对于普通的非对称加密算法,数字证书新增了哪些功能?

//TODO 

可以用工具keytool来生成KeyStore文件,这个工具存放在在Java的bin目录中。详细说明参考官方说明:http://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

可以用下面的命令来生成KeyStore文件:

keytool -genkey -validity 30 -alias www.example.com -keyalg RSA -keystore d:\demo.keystore  

参数说明:

genkey:表示生成密钥 
validity:证书有效期,单位:天
alias:证书别名
keyalg:(非对称加密)算法名称
keystore:KeyStore文件存储位置

执行过程中会要求输入相关信息:

输入keystore密码:  
再次输入新密码:  
您的名字与姓氏是什么?  
  [Unknown]:  hu
您的组织单位名称是什么?  
  [Unknown]:  huqiao
您的组织名称是什么?  
  [Unknown]:  huqiao
您所在的城市或区域名称是什么?  
  [Unknown]:  Beijing
您所在的州或省份名称是什么?  
  [Unknown]:  Beijing
该单位的两字母国家代码是什么  
  [Unknown]:  CN  
CN=huqiao, OU=huqiao, O=hu, L=Beijing, ST=Beijing, C=CN 正确吗?  
  [否]:  Y  
  
输入<tomcat>的主密码  
        (如果和 keystore 密码相同,按回车):  
再次输入新密码:  

执行完成之后,会在指定位置生成一个.keystore的文件。这个文件中包含了密钥对等其他信息,二进制内容,所以无法用文本编辑器打开。是服务器用的。

用keytool查看keystore文件信息:

keytool -list  -v -keystore xxxx.keystore -storepass 密码

 

同样用keytool工具,来生成客户端用的cer文件:

keytool -export -keystore d:\demo.keystore -alias www.example.com -file d:\demo.cer -rfc  

这就是颁发给客户端的证书文件:

可以用Java来读取证书的内容:

 

    public static void main(String[] args) throws Exception{
        
        X509Certificate cer = (X509Certificate) getCertificate("D:\\demo.cer");  
        
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        
        System.out.println("版本:"+cer.getVersion());
        System.out.println("序列号:"+Integer.toHexString(cer.getSerialNumber().intValue()));
        System.out.println("签名算法:"+cer.getSigAlgName());
        System.out.println("颁发者:"+cer.getIssuerDN());
        System.out.println("有限期从:" + sdf.format(cer.getNotBefore()) + "到" + sdf.format(cer.getNotAfter()));
        System.out.println("使用者:" + cer.getSubjectDN());
        
    }
    
    private static Certificate getCertificate(String certificatePath)throws Exception {  
        CertificateFactory certificateFactory = CertificateFactory  
                .getInstance("X.509");  
        FileInputStream in = new FileInputStream(certificatePath);  
  
        Certificate certificate = certificateFactory.generateCertificate(in);  
        in.close();  
  
        return certificate;  
    } 

 

 读取到的内容:

版本:3
序列号:61cb1ded
签名算法:SHA256withRSA
颁发者:CN=hu, OU=huqiao, O=huqiao, L=Beijing, ST=Beijing, C=CN
有限期从:2017-10-19 11:16:02到2116-05-13 11:16:02
使用者:CN=hu, OU=huqiao, O=huqiao, L=Beijing, ST=Beijing, C=CN

 

 同样,读取KeyStore的方法如下:

    /**
     * 从文件读取KeyStore文件 
     * @param keyStoreFilePath
     * @param pwd
     * @return
     * @throws Exception
     */
    public static KeyStore getKeyStore(String keyStoreFilePath,String pwd)throws Exception{
        KeyStore keyStore = KeyStore.getInstance("jks");
        InputStream in = new FileInputStream(keyStoreFilePath);
        keyStore.load(in, pwd.toCharArray());
        return keyStore;
    }

 

在KeyStore中,既能拿到私钥也能拿到公钥:

        String pwd = "123456";
        String alias = "www.example.me";
        KeyStore keyStore = getKeyStore("D:\\demo.keystore", pwd);
        
        PrivateKey priKey = (PrivateKey)keyStore.getKey(alias, pwd.toCharArray());
        
        
        Certificate cer2 = keyStore.getCertificate(alias);
        PublicKey pubKey = cer2.getPublicKey();
        System.out.println("-------------Private Key-----------------");
        System.out.println(Base64Util.encode(priKey.getEncoded()));
        System.out.println("-------------Public Key-----------------");
        System.out.println(Base64Util.encode(pubKey.getEncoded()));

 

-------------Private Key-----------------
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRd0QlcJcrImkD5xLkjh7hQRU+
8Qi1n55k9fhKu+Ee5GTx958XGifX1zWv0IajiWcOCly9SdAWja6afNQZsXAvcoQEouwtwpOQ4KZB
vipH9aWtU5JLRvPwFER2TDddb1L3fDqhozl8WSDRVLFOgYJdzKp1SblVeGfbOWEz8t4NiUlvB0f0
srHubafPHy08ZDPvCy72ywuomc6kiwn/IXBRQrFBTanMxWu3mqF4XwawQ+EJlPQIBauHwCaC1N5B
YQPgNbia6GmfQlATAGt94Vn/e44MZ69e/E9bnWcpSDWZ+y72DdR1YypT/Ey8ercl1Hj0tYuX67vd
BoEJw/vOTPN3AgMBAAECggEAD+G0GAaeX5XfUn1tsEiaTMfrfXc3CtZMYylHJxtxqS71/Gai+FRy
WuolVuw/mRys5KKif3OeRGd/qpT2W/BZKi/LlLJpp9qN57kwweFSQVx9sFOazvxVOInA2xtSQ1JS
fxM7OtAuZqA3XcfHHcWyBbyj2/q4A6P6c+O43AB5F5uDBgWQT7FgMgtuh4A6U0bYaglGX6LEqztj
ENw6hP1VSEQomw+EAvCTOa0xqDBN8KWJQmEqweq8loVlGr1h8bDsNFRLRUrWFAKqRYBxZ1m+c08m
1e7rRG8Pj9OcuS2SZBtzmh9NSiWDK0u/zp/A9m6yaLD6qpyfi61+1LkZzcPEAQKBgQDt8zqJ+tBS
akZMOhStrdzaFu6/USnIfufmj/U/DV66gyCXaTGGw3wG2pPsqmi+XnPVWcHZ/yaILFPXVE59/eox
IDiAih61U088RKhtzR/4yBZvv9AnSfz5EDC/dt6yv9ptOnaj6dPa7alN0m5lwV+qkEbuNug7azRE
8Ngd0FO5dwKBgQDhWuZu4W29KCjFTbL5yU23dgi8Dg1v/BjuGG8VBJ/RSSOM0wDT7jVyjflLRea3
jXKYIhKeOqpbMN5xsVvwuF5bXdGneMzT8AAmFjpfR2P8PE9RdB61TELGtz7gov4dh6dJ+Nokxo9L
PIvQ/cBL6/hKvX06VAQPcm/2BQnTBn8WAQKBgHaKiqo8mlXEffrxoGWZzQGVFSGYhJFOr6bMJuhf
d8bBFpZ3oGW7s2kSsUjg6EeWdGxgR9Obag3Cz43hgS0BNw98NsnKhVveAgZLSgFRhFEDFTJcw40f
LfjCWRa5WF6Cd4Wc74ffMFzLs2GCqN7mhAtLzxpTnkQjtyl1NqU7qMonAoGAVfKYPiPF+cWuPwnS
P8gR1u2yiR6G63XngC9bdlWsKmLNpzD2eN26DrWtJZNEWi8dTH56QVS4kk0CGbR+D0IR4qDWjBvb
at13AQ+rNZmBvbq2uaci6xxpv2Y2GfCwIE0TdXfuouYD0rsFzDBrPcmCiebZMvzGC6omn1ruk0hA
AgECgYB2Ub/V5jlBtNDYjROJ1cHWKlg9uTHv6ovRiDO4jcaXwEKuoBQGgjkyxBTsIItz4GAUHVYc
AxOnNCaJ94zyLzWI85/0+QBOqkgS6zdkmIcBk5Lj9P+Yk7/YVlNNGp9Mv9peHRqF8dRSHtqqUWMy
vDs4ZprpdLHXNcnDvtSseQ5lBA==
-------------Public Key-----------------
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0XdEJXCXKyJpA+cS5I4e4UEVPvEItZ+e
ZPX4SrvhHuRk8fefFxon19c1r9CGo4lnDgpcvUnQFo2umnzUGbFwL3KEBKLsLcKTkOCmQb4qR/Wl
rVOSS0bz8BREdkw3XW9S93w6oaM5fFkg0VSxToGCXcyqdUm5VXhn2zlhM/LeDYlJbwdH9LKx7m2n
zx8tPGQz7wsu9ssLqJnOpIsJ/yFwUUKxQU2pzMVrt5qheF8GsEPhCZT0CAWrh8AmgtTeQWED4DW4
muhpn0JQEwBrfeFZ/3uODGevXvxPW51nKUg1mfsu9g3UdWMqU/xMvHq3JdR49LWLl+u73QaBCcP7
zkzzdwIDAQAB

 

有效期验证:

    /**
     * 有限期验证
     * @param cer
     * @param date
     * @return
     */
    public static boolean verifyDate(Certificate cer,Date date){
         X509Certificate x509Certificate = (X509Certificate) cer;  
         try {
            x509Certificate.checkValidity(date);
            return true;
        } catch (Exception e) {
            return false;
        }  
        
    }

 

签名和验证签名:

    /**
     * 签名
     * @param data
     * @param cer
     * @return
     */
    public static String sign(String data,KeyStore keyStore,String alias,String pwd)throws Exception{
        PrivateKey privateKey = getPrivateKey(keyStore, alias, pwd);
        X509Certificate cer = (X509Certificate)keyStore.getCertificate(alias);
        Signature signature = Signature.getInstance(cer.getSigAlgName());
        signature.initSign(privateKey);
        signature.update(data.getBytes("UTF-8"));
        return Base64Util.encode(signature.sign());
    }
    
    /**
     * 验证签名
     * @param sign
     * @param cer
     * @return
     */
    public static boolean signVerify(String data,String sign,Certificate cer)throws Exception{
        byte[] signData = Base64Util.decode(sign);
        PublicKey publicKey = cer.getPublicKey();
        Signature signature = Signature.getInstance(((X509Certificate)cer).getSigAlgName());
        signature.initVerify(publicKey);
        signature.update(data.getBytes());
        return signature.verify(signData);
    }
    

 

需要注意的是签名算法应该从证书里拿,而不是密钥你拿。

 

加密和解密:

    /**
     * 加密
     * @param data
     * @param cer
     * @return
     */
    public static String encrypt(String data,Certificate cer)throws Exception{
        PublicKey publicKey = cer.getPublicKey();
        Cipher cipher = Cipher.getInstance(publicKey.getAlgorithm());
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] encrypedData = cipher.doFinal(data.getBytes("UTF-8"));
        return Base64Util.encode(encrypedData);
    }
    
    /**
     * 解密
     * @param data
     * @param cer
     * @return
     */
    public static String decrypt(String data,KeyStore keyStore,String alias,String pwd)throws Exception{
        PrivateKey privteKey = getPrivateKey(keyStore, alias, pwd);
        Cipher cipher = Cipher.getInstance(privteKey.getAlgorithm());
        cipher.init(Cipher.DECRYPT_MODE, privteKey);
        byte[] decrypedData = cipher.doFinal(Base64Util.decode(data));
        return new String(decrypedData,"UTF-8");
    }

 

测试:

public static void main(String[] args) throws Exception{
        
        X509Certificate cer = (X509Certificate) getCertificate("D:\\test.cer");  
        
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        
        System.out.println("版本:"+cer.getVersion());
        System.out.println("序列号:"+Integer.toHexString(cer.getSerialNumber().intValue()));
        System.out.println("签名算法:"+cer.getSigAlgName());
        System.out.println("颁发者:"+cer.getIssuerDN());
        System.out.println("有限期从:" + sdf.format(cer.getNotBefore()) + "到" + sdf.format(cer.getNotAfter()));
        System.out.println("使用者:" + cer.getSubjectDN());
        
        String pwd = "123456";
        String alias = "blog.huqiao.me";
        KeyStore keyStore = getKeyStore("D:\\test.keystore", pwd);
        
        PrivateKey priKey = (PrivateKey)keyStore.getKey(alias, pwd.toCharArray());
        
        
        Certificate cer2 = keyStore.getCertificate(alias);
        PublicKey pubKey = cer2.getPublicKey();
        System.out.println("-------------Private Key-----------------");
        System.out.println(Base64Util.encode(priKey.getEncoded()));
        System.out.println("-------------Public Key-----------------");
        System.out.println(Base64Util.encode(pubKey.getEncoded()));
        
        String data = "Hello,Certificate";
        System.out.println("原文:" + data);
        
        String sign = sign(data, keyStore, alias, pwd);
        System.out.println("签名:" + sign);
        
        boolean signVerify = signVerify(data, sign,(Certificate)cer);
        System.out.println("签名验证:" + signVerify);
        
        String encryptData = encrypt(data, cer);
        System.out.println("加密后:" + encryptData);
        
        String decryptData = decrypt(encryptData, keyStore, alias, pwd);
        System.out.println("解密后:" + decryptData);
        
    }

 

-------------Private Key-----------------
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRd0QlcJcrImkD5xLkjh7hQRU+
8Qi1n55k9fhKu+Ee5GTx958XGifX1zWv0IajiWcOCly9SdAWja6afNQZsXAvcoQEouwtwpOQ4KZB
vipH9aWtU5JLRvPwFER2TDddb1L3fDqhozl8WSDRVLFOgYJdzKp1SblVeGfbOWEz8t4NiUlvB0f0
srHubafPHy08ZDPvCy72ywuomc6kiwn/IXBRQrFBTanMxWu3mqF4XwawQ+EJlPQIBauHwCaC1N5B
YQPgNbia6GmfQlATAGt94Vn/e44MZ69e/E9bnWcpSDWZ+y72DdR1YypT/Ey8ercl1Hj0tYuX67vd
BoEJw/vOTPN3AgMBAAECggEAD+G0GAaeX5XfUn1tsEiaTMfrfXc3CtZMYylHJxtxqS71/Gai+FRy
WuolVuw/mRys5KKif3OeRGd/qpT2W/BZKi/LlLJpp9qN57kwweFSQVx9sFOazvxVOInA2xtSQ1JS
fxM7OtAuZqA3XcfHHcWyBbyj2/q4A6P6c+O43AB5F5uDBgWQT7FgMgtuh4A6U0bYaglGX6LEqztj
ENw6hP1VSEQomw+EAvCTOa0xqDBN8KWJQmEqweq8loVlGr1h8bDsNFRLRUrWFAKqRYBxZ1m+c08m
1e7rRG8Pj9OcuS2SZBtzmh9NSiWDK0u/zp/A9m6yaLD6qpyfi61+1LkZzcPEAQKBgQDt8zqJ+tBS
akZMOhStrdzaFu6/USnIfufmj/U/DV66gyCXaTGGw3wG2pPsqmi+XnPVWcHZ/yaILFPXVE59/eox
IDiAih61U088RKhtzR/4yBZvv9AnSfz5EDC/dt6yv9ptOnaj6dPa7alN0m5lwV+qkEbuNug7azRE
8Ngd0FO5dwKBgQDhWuZu4W29KCjFTbL5yU23dgi8Dg1v/BjuGG8VBJ/RSSOM0wDT7jVyjflLRea3
jXKYIhKeOqpbMN5xsVvwuF5bXdGneMzT8AAmFjpfR2P8PE9RdB61TELGtz7gov4dh6dJ+Nokxo9L
PIvQ/cBL6/hKvX06VAQPcm/2BQnTBn8WAQKBgHaKiqo8mlXEffrxoGWZzQGVFSGYhJFOr6bMJuhf
d8bBFpZ3oGW7s2kSsUjg6EeWdGxgR9Obag3Cz43hgS0BNw98NsnKhVveAgZLSgFRhFEDFTJcw40f
LfjCWRa5WF6Cd4Wc74ffMFzLs2GCqN7mhAtLzxpTnkQjtyl1NqU7qMonAoGAVfKYPiPF+cWuPwnS
P8gR1u2yiR6G63XngC9bdlWsKmLNpzD2eN26DrWtJZNEWi8dTH56QVS4kk0CGbR+D0IR4qDWjBvb
at13AQ+rNZmBvbq2uaci6xxpv2Y2GfCwIE0TdXfuouYD0rsFzDBrPcmCiebZMvzGC6omn1ruk0hA
AgECgYB2Ub/V5jlBtNDYjROJ1cHWKlg9uTHv6ovRiDO4jcaXwEKuoBQGgjkyxBTsIItz4GAUHVYc
AxOnNCaJ94zyLzWI85/0+QBOqkgS6zdkmIcBk5Lj9P+Yk7/YVlNNGp9Mv9peHRqF8dRSHtqqUWMy
vDs4ZprpdLHXNcnDvtSseQ5lBA==
-------------Public Key-----------------
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0XdEJXCXKyJpA+cS5I4e4UEVPvEItZ+e
ZPX4SrvhHuRk8fefFxon19c1r9CGo4lnDgpcvUnQFo2umnzUGbFwL3KEBKLsLcKTkOCmQb4qR/Wl
rVOSS0bz8BREdkw3XW9S93w6oaM5fFkg0VSxToGCXcyqdUm5VXhn2zlhM/LeDYlJbwdH9LKx7m2n
zx8tPGQz7wsu9ssLqJnOpIsJ/yFwUUKxQU2pzMVrt5qheF8GsEPhCZT0CAWrh8AmgtTeQWED4DW4
muhpn0JQEwBrfeFZ/3uODGevXvxPW51nKUg1mfsu9g3UdWMqU/xMvHq3JdR49LWLl+u73QaBCcP7
zkzzdwIDAQAB
原文:Hello,Certificate
签名:0NxD/FHk9CIdfoLIN7/TrQkFhEMGJzJr6E/do7aR8mgUAJjEHNg9NhXT1eaI8hszuofFPj8PhN+w
fE2N2YqB8ozBbNhvMvUbeMaAK2gFrMCBsw+ihbtPwTVoc3sxY3FQSDmEgLBY2IBtmvji9XdrclNY
D/IJJhg5DwlXpIoYPRIf2Ct+JkvY4sM/6xNm1ZyKb0CZbKJTAZQ57BuXU4vvs5wvB6TAK/ilR5yV
TFhKlzLRS68FPCREukdiB/eITXPugfEBTCyIUQhrF2qaxdKOwyTN7dCWI16QVtAYKT9SG2Dbs5bu
bBRsYlwhrLYunBER8QCvX7gHLLZIiCheQg3VaQ==
签名验证:true
加密后:rkiHwkuAdS1WikNq7bogqdmR+alDc7anV/RGcKbX9LmBJoUyQcV+Iu2K1bhc44yddnxfGy0uRqKM
9rsfPM/O1epB09oz5QdeOj8BP1Em8WEjhsG6LxU9oCPj3jypV/z6gH6fOg1idz0nS+sDuXqHqj/t
rNx0n3SgztG2Ek5S/Px2STHmS+G7FghPP4ZbW0IeKSOpRbErKW82aA4AF3Rsn7e6eSzHZT+2WMs/
2oTfzwfYguimLZA4TUTJwTXJ2lK3XRkIkaBo27er81BX7IaT44bYn7y7ujiWmGEbdgOgck+FNqny
gSVvYUvDvli8w5HB+0cEa7VpUDIqw3MFJ+Z2HQ==
解密后:Hello,Certificate

 

小结:数字证书就是在非对称加密的基础上增加了一些其他的信息,具体的加密也解密,签名也签名验证在与之前的RSA没有什么差别。

 

 

HTTPS

HTTPS是使用SSL/TLS加密的HTTP协议。

客户端与服务器通信用的是数字证书(非对称加密),客户端拿到服务器的证书,用这个证书的公钥进行数据加密,然后将数据发送给服务器。

加密通信没问题了,通信过程不会被别人窃听和篡改。但是还是有一个问题,就是如何确定服务器是否被冒牌了。

确定服务器是否是“真的”服务器时,客户端和服务器两方说了都不算数,得需要第三方来证明。这就是CA(证书颁发验证机构)。

CA负责注册服务器,记录服务器的详细信息,并给服务器颁发证书。

那么怎么确保CA的可靠性。从理论上讲无法确认,于是只能人为地构建认证机构,比如Symantec、VeriSign、GeoTrust等。这些机构向全球提供证书服务。我们的浏览器或系统内置了这些机构的证书,所以在访问这些机构或子机构认证的服务器时可以正常通过验证。

 

我们可以不用公共的CA服务,自己给服务器搞一个证书,但是浏览器不会认,需要手动把这些证书导入到本地系统才行。

 

 

其他相关文章:
 
 

 

参考:

http://snowolf.iteye.com/blog/391931

https://zhuanlan.zhihu.com/p/24854237

 

posted @ 2017-10-20 11:21  at0x7c00  阅读(1733)  评论(0编辑  收藏  举报
CSDN - ITeye - GitHub  |  HuQiao's Blog  |  业余经营:IT快报