java实现安全证书相关操作
https://blog.csdn.net/zhushanzhi/article/details/77864516
版权声明:本文为博主原创文章,未经博主允许不得转载。
- package test;
- import java.io.ByteArrayOutputStream;
- import java.io.File;
- import java.io.FileInputStream;
- import java.io.FileNotFoundException;
- import java.io.FileOutputStream;
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
- import java.io.PrintStream;
- import java.security.Key;
- import java.security.KeyPair;
- import java.security.KeyPairGenerator;
- import java.security.KeyStore;
- import java.security.Principal;
- import java.security.PrivateKey;
- import java.security.PublicKey;
- import java.security.SecureRandom;
- import java.security.Signature;
- import java.security.cert.Certificate;
- import java.security.cert.CertificateException;
- import java.security.cert.CertificateFactory;
- import java.security.cert.CertificateFactorySpi;
- import java.security.cert.X509Certificate;
- import java.util.ArrayList;
- import java.util.Calendar;
- import java.util.Collection;
- import java.util.Date;
- import java.util.Enumeration;
- import java.util.HashMap;
- import java.util.List;
- import java.util.Map;
- import java.util.regex.Matcher;
- import java.util.regex.Pattern;
- import javax.crypto.KeyGenerator;
- import javax.crypto.SecretKey;
- import javax.crypto.spec.SecretKeySpec;
- import org.junit.Test;
- import sun.misc.BASE64Decoder;
- import sun.misc.BASE64Encoder;
- import sun.security.pkcs.ContentInfo;
- import sun.security.pkcs.PKCS10;
- import sun.security.pkcs.PKCS7;
- import sun.security.tools.KeyStoreUtil;
- import sun.security.x509.AlgorithmId;
- import sun.security.x509.CertificateAlgorithmId;
- import sun.security.x509.CertificateIssuerName;
- import sun.security.x509.CertificateSerialNumber;
- import sun.security.x509.CertificateSubjectName;
- import sun.security.x509.CertificateValidity;
- import sun.security.x509.CertificateVersion;
- import sun.security.x509.CertificateX509Key;
- import sun.security.x509.X500Name;
- import sun.security.x509.X500Signer;
- import sun.security.x509.X509CertImpl;
- import sun.security.x509.X509CertInfo;
- public class ReadKeyStoreTest {
- /**
- * 列出store中所有的私钥和公钥 以及签名信息
- *
- * @param ks
- * @param storePass
- * @param priKeyPass
- * @throws Exception
- */
- private void listKeyAndCertificate(KeyStore ks, String storePass,
- String priKeyPass) throws Exception {
- System.out.println("size=" + ks.size());
- Enumeration<string> enum1 = ks.aliases();
- int i = 0;
- while (enum1.hasMoreElements()) {
- String alias = enum1.nextElement();
- System.out.println("第" + (++i) + "个");
- System.out.println("alias=" + alias);
- java.security.cert.Certificate c = ks.getCertificate(alias);// alias为条目的别名
- readX509Certificate((X509Certificate) c);
- readPriKey(ks, alias, priKeyPass);
- }
- }
- /**
- * 列出store中私钥和cert chain信息
- *
- * @param ks
- * @param alias
- * @param pass
- * @throws Exception
- */
- private void readPriKey(KeyStore ks, String alias, String pass)
- throws Exception {
- Key key = ks.getKey(alias, pass.toCharArray());
- if (null == key) {
- System.out.println("no priviate key of " + alias);
- return;
- }
- System.out.println();
- System.out.println("algorithm=" + key.getAlgorithm());
- System.out.println("format=" + key.getFormat());
- System.out.println("toString=" + key);
- readCertChain(ks, alias);
- }
- /**
- * 列出store中 cert chain信息
- *
- * @param ks
- * @param alias
- * @throws Exception
- */
- private void readCertChain(KeyStore ks, String alias) throws Exception {
- Certificate[] certChain = ks.getCertificateChain(alias);
- System.out.println("chain of " + alias);
- if (null == certChain) {
- System.out.println("no chain");
- return;
- }
- int i = 0;
- for (Certificate c : certChain) {
- System.out.println("index " + (i++) + " in chain of " + alias);
- readX509Certificate((X509Certificate) c);
- }
- }
- /**
- * 列出x509Certificate的基本信息
- *
- * @param t
- */
- private void readX509Certificate(X509Certificate t) {
- System.out.println(t);
- System.out.println("输出证书信息:\n" + t.toString());
- System.out.println("版本号:" + t.getVersion());
- System.out.println("序列号:" + t.getSerialNumber().toString(16));
- System.out.println("主体名:" + t.getSubjectDN());
- System.out.println("签发者:" + t.getIssuerDN());
- System.out.println("有效期:" + t.getNotBefore());
- System.out.println("签名算法:" + t.getSigAlgName());
- byte[] sig = t.getSignature();// 签名值
- PublicKey pk = t.getPublicKey();
- byte[] pkenc = pk.getEncoded();
- System.out.println("签名 :");
- for (int i = 0; i < sig.length; i++)
- System.out.print(sig[i] + ",");
- System.out.println();
- System.out.println("公钥: ");
- for (int i = 0; i < pkenc.length; i++)
- System.out.print(pkenc[i] + ",");
- System.out.println();
- }
- /**
- * 创建一个新的keystore
- *
- * @param storePass
- * @param storeType
- * PKCS12/JKS
- * @return
- * @throws Exception
- */
- private KeyStore createKeyStore(String storePass, String storeType)
- throws Exception {
- KeyStore ks = KeyStore.getInstance(storeType);
- ks.load(null, storePass.toCharArray());
- return ks;
- }
- /**
- * 加载一个已有的keyStore
- *
- * @param path
- * @param storePass
- * @param storeType
- * PKCS12/JKS
- * @return
- * @throws Exception
- */
- private KeyStore loadKeyStore(String path, String storePass,
- String storeType) throws Exception {
- FileInputStream in = new FileInputStream(path);
- KeyStore ks = KeyStore.getInstance(storeType);
- ks.load(in, storePass.toCharArray());
- in.close();
- return ks;
- }
- /**
- * 从文件加载一个证书
- *
- * @param path
- * @param certType
- * @return
- * @throws Exception
- */
- private Certificate loadCert(String path, String certType) throws Exception {
- CertificateFactory cf = CertificateFactory.getInstance(certType);
- FileInputStream in = new FileInputStream(path);
- Certificate c = cf.generateCertificate(in);
- in.close();
- return c;
- }
- /**
- * 生成一个由根证书签名的store
- *
- * @param rootStore
- * @param rootAlias
- * @param rootKeyPass
- * @param subjectStr
- * @param storeType
- * @param storePass
- * @param alg
- * @param keySize
- * @param keyPass
- * @return
- * @throws Exception
- */
- public KeyStore generateSignedKeyStore(KeyStore rootStore,
- String rootAlias, String rootKeyPass, String subjectStr,
- String storeType, String storePass, String alias, String alg,
- int keySize, String keyPass) throws Exception {
- PrivateKey rootKey = null;
- X509CertImpl rootCert = null;
- X509CertInfo rootInfo = null;
- CertificateSubjectName rootsubject = null;
- // 签发者
- X500Name issueX500Name = new X500Name(subjectStr);
- if (null != rootStore) {
- rootKey = (PrivateKey) rootStore.getKey(rootAlias,
- rootKeyPass.toCharArray());
- rootCert = (X509CertImpl) rootStore.getCertificate(rootAlias);
- rootInfo = (X509CertInfo) rootCert.get(X509CertImpl.NAME + "."
- + X509CertImpl.INFO);
- rootsubject = (CertificateSubjectName) rootInfo
- .get(X509CertInfo.SUBJECT);
- issueX500Name = (X500Name) rootsubject
- .get(CertificateIssuerName.DN_NAME);
- }
- // 签发者
- CertificateIssuerName issuerName = new CertificateIssuerName(
- issueX500Name);
- // 被签发者
- X500Name subjectX500Name = new X500Name(subjectStr);
- CertificateSubjectName subjectName = new CertificateSubjectName(
- subjectX500Name);
- // 有效期设置
- Calendar calendar = Calendar.getInstance();
- Date startDate = calendar.getTime();
- calendar.add(Calendar.DATE, 85);
- Date endDate = calendar.getTime();
- CertificateValidity certificateValidity = new CertificateValidity(
- startDate, endDate);
- // 序列号
- CertificateSerialNumber sn = new CertificateSerialNumber(
- (int) (startDate.getTime() / 1000L));
- // 版本
- CertificateVersion certVersion = new CertificateVersion(
- CertificateVersion.V3);
- // 算法
- // TODO 获取算法的代码有问题
- AlgorithmId algorithmId = new AlgorithmId(
- "RSA".equals(alg) ? AlgorithmId.sha1WithRSAEncryption_oid
- : AlgorithmId.sha1WithDSA_oid);
- // 密钥对
- KeyPairGenerator keygen = KeyPairGenerator.getInstance(alg);
- keygen.initialize(keySize, new SecureRandom());
- KeyPair kp = keygen.genKeyPair();
- X509CertInfo certInfo = new X509CertInfo();
- certInfo.set("version", certVersion);
- certInfo.set("serialNumber", sn);
- // localX500Signer.getAlgorithmId();
- certInfo.set("algorithmID", new CertificateAlgorithmId(algorithmId));
- certInfo.set("key", new CertificateX509Key(kp.getPublic()));
- certInfo.set("validity", certificateValidity);
- certInfo.set("subject", subjectName);
- certInfo.set("issuer", issuerName);
- // 扩展信息
- // if (System.getProperty("sun.security.internal.keytool.skid") !=
- // null)
- // {
- // CertificateExtensions localCertificateExtensions = new
- // CertificateExtensions();
- // localCertificateExtensions.set("SubjectKeyIdentifier", new
- // SubjectKeyIdentifierExtension(new
- // KeyIdentifier(this.publicKey).getIdentifier()));
- // certInfo.set("extensions", localCertificateExtensions);
- // }
- X509CertImpl newcert = new X509CertImpl(certInfo);
- // TODO 这里的签名算法可能有问题 貌似应该用rootcert的签名算法 待测试
- KeyStore ks = this.createKeyStore(storePass, storeType);
- Certificate[] certChain = null;
- // 如果rootStore为空 则生成自签名证书
- if (null == rootStore) {
- newcert.sign(kp.getPrivate(), "SHA1WithRSA");
- certChain = new Certificate[] { newcert };
- } else {
- newcert.sign(rootKey, "SHA1WithRSA");
- certChain = new Certificate[] { newcert, rootCert };
- }
- // ks.setCertificateEntry("zrbin", newcert);
- ks.setKeyEntry(alias, kp.getPrivate(), keyPass.toCharArray(), certChain);
- return ks;
- }
- @Test
- public void testReadCer() throws Exception {
- String path = "d:\\test.cer";
- String certType = "X.509";
- CertificateFactory cf = CertificateFactory.getInstance(certType);
- FileInputStream in = new FileInputStream(path);
- Collection<certificate> cs = (Collection<certificate>) cf
- .generateCertificates(in);
- in.close();
- System.out.println("size=" + cs.size());
- for (Certificate c : cs) {
- readX509Certificate((X509Certificate) c);
- }
- }
- @Test
- public void testReadP12() throws Exception {
- String storePass = "123456";
- String keyPass = "123456";
- String path = "d:\\zrbin.p12";
- KeyStore ks = loadKeyStore(path, storePass, "PKCS12");
- listKeyAndCertificate(ks, storePass, keyPass);
- }
- @Test
- public void testReadKeyStore() throws Exception {
- String storePass = "123456";
- String keyPass = "123456";
- String path = "d:\\test.keystore";
- KeyStore ks = loadKeyStore(path, storePass, "JCEKS");
- listKeyAndCertificate(ks, storePass, keyPass);
- }
- @Test
- public void testExportCert() throws FileNotFoundException, Exception {
- String pass = "123456";
- FileInputStream in = new FileInputStream("d:\\zrbin.p12");
- boolean rfc = true;
- KeyStore ks = KeyStore.getInstance("PKCS12");
- ks.load(in, pass.toCharArray());
- Certificate cert = ks.getCertificate("zrbin");
- PrintStream out = new PrintStream("D:\\zrbin.cer");
- if (rfc) {
- BASE64Encoder encoder = new BASE64Encoder();
- out.println("-----BEGIN CERTIFICATE-----");
- encoder.encodeBuffer(cert.getEncoded(),
- out);
- out.println("-----END CERTIFICATE-----");
- } else {
- out.write(cert.getEncoded());
- }
- out.write(cert.getEncoded());
- }
- @Test
- public void testImportCert() throws Exception {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- FileInputStream storeIn = new FileInputStream("d:\\server.keystore");
- FileInputStream in = new FileInputStream("d:\\zrbin.cer");
- FileInputStream rootin = new FileInputStream("d:\\root.cer");
- X509CertImpl cert = (X509CertImpl) cf.generateCertificate(in);
- X509CertImpl rootcert = (X509CertImpl) cf.generateCertificate(rootin);
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(null, "123456".toCharArray());
- ks.deleteEntry("zrbin");
- // ks.setCertificateEntry("zrbin", cert);
- ks.setCertificateEntry("root", rootcert);
- in.close();
- FileOutputStream out = new FileOutputStream("d:\\server.keystore");
- ks.store(out, "123456".toCharArray());
- }
- @Test
- public void testImportSigenedCert() throws Exception {
- String alias = "test";
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- FileInputStream storeIn = new FileInputStream("d:\\test.keystore");
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(storeIn, "123456".toCharArray());
- PrivateKey priKey = (PrivateKey) ks.getKey(alias,
- "123456".toCharArray());
- FileInputStream in = new FileInputStream("d:\\test.cer");
- Collection<certificate> certCollection = (Collection<certificate>) cf
- .generateCertificates(in);
- System.out.println(certCollection.size());
- if (certCollection.size() == 0) {
- System.out.println("没有要导入的证书");
- return;
- }
- // 如果没有对应的私钥,直接导入certficateEntry
- if (null == priKey) {
- for (Certificate _cert : certCollection) {
- ks.setCertificateEntry(alias, _cert);
- break;
- }
- } else {
- Certificate importCert = null;
- for (Certificate cert : certCollection) {
- if (ks.getCertificate(alias).getPublicKey()
- .equals(cert.getPublicKey())) {
- importCert = cert;
- break;
- }
- }
- if (null == importCert) {
- System.out.println("错误:no replay cert");
- }
- certCollection.remove(importCert);
- if (X509CertImpl.isSelfSigned((X509Certificate) importCert, null)) {
- System.out.println("证书未被ca签名,无需导入");
- } else {
- // 构建认证链
- List<certificate> certList = new ArrayList<certificate>(
- ks.size());
- Map<principal certificate=""> cerMap = new HashMap<principal certificate="">();
- Enumeration<string> aliasEnum = ks.aliases();
- // 把不包括当前回复的都加到map里
- while (aliasEnum.hasMoreElements()) {
- String _alias = aliasEnum.nextElement();
- if (!_alias.equals(alias)) {
- X509CertImpl _cert = (X509CertImpl) ks
- .getCertificate(_alias);
- cerMap.put(_cert.getSubjectDN(), _cert);
- }
- }
- for (Certificate cert : certCollection) {
- cerMap.put(((X509Certificate) cert).getSubjectDN(), cert);
- }
- certList.add(importCert);
- Principal issuerName = ((X509Certificate) importCert)
- .getIssuerDN();
- while (cerMap.keySet().contains(issuerName)) {
- X509Certificate _rootCert = (X509Certificate) cerMap
- .remove(issuerName);
- if (null == _rootCert) {
- System.out.println(issuerName + "的根证书为空");
- return;
- }
- certList.add(_rootCert);
- issuerName = _rootCert.getIssuerDN();
- }
- X509CertImpl rootCert = (X509CertImpl) certList.get(certList
- .size() - 1);
- if (!X509CertImpl.isSelfSigned(rootCert, null)) {
- System.out.println("构建证书链错误,请先导入颁发者(" + issuerName
- + ")的CA证书");
- return;
- }
- Certificate[] certChain = certList
- .toArray(new Certificate[certList.size()]);
- ks.setKeyEntry(alias, priKey, "123456".toCharArray(), certChain);
- }
- }
- in.close();
- FileOutputStream out = new FileOutputStream("d:\\test.keystore");
- ks.store(out, "123456".toCharArray());
- out.close();
- }
- @Test
- public void testGenerateKeyStore() throws Exception {
- KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
- KeyPair kp = kg.genKeyPair();
- System.out.println(KeyStoreUtil.niceStoreTypeName("PKCS12"));
- System.out.println(kp.getPrivate());
- System.out.println(kp.getPublic());
- KeyStore ks = KeyStore.getInstance("JKS");
- }
- @Test
- public void testX500Name() throws IOException, CertificateException {
- // for(byte i=48;i<=57;i++){
- // System.out.println((char)i);
- // }
- // RFC 1779 (CN, L, ST, O, OU, C, STREET)
- // RFC 2253 (CN/name, L/location, ST/station, O/org, OU/orgunit,
- // C/country, STREET, DC, UID)
- X500Name subjectName = new X500Name(
- "CN=www.jiangtech.com,L=ZuChongZhi road,ST=Shang Hai,O=Jiangdatech,OU=ENTERPRISE APP,C=China,STREET=ZuChongZhi Road");
- X500Name subjectName1 = new X500Name(
- "CN=www.jiangtech.com,L=ZuChongZhi road,ST=Shang Hai,O=Jiangdatech,OU=ENTERPRISE APP,C=China,STREET=ZuChongZhi Road");
- // X509CertInfo certInfo = new X509CertInfo();
- // certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
- // subjectName));
- System.out.println(subjectName.hashCode());
- System.out.println(subjectName1.hashCode());
- }
- /**
- * 证书验证
- *
- * @throws Exception
- */
- @Test
- public void testValidate() throws Exception {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- // kpg.initialize()
- KeyPair kp = kpg.genKeyPair();
- KeyStore rootStore = this.loadKeyStore("d:/root.keystore", "123456",
- "JKS");
- PrivateKey rootKey = (PrivateKey) rootStore.getKey("jdcert",
- "123456".toCharArray());
- KeyStore store1 = this.loadKeyStore("d:/jd_signed.keystore", "123456",
- "JKS");
- X509CertImpl rootCert = (X509CertImpl) rootStore
- .getCertificate("jdcert");
- X509CertInfo rootInfo = (X509CertInfo) rootCert.get(X509CertImpl.NAME
- + "." + X509CertImpl.INFO);
- CertificateSubjectName rootsubject = (CertificateSubjectName) rootInfo
- .get(X509CertInfo.SUBJECT);
- Certificate[] chain = rootStore.getCertificateChain("jdcert");
- rootCert.verify(kp.getPublic());
- }
- /**
- * 测试签发证书
- */
- @Test
- public void testGenerateSignedKeyStore() {
- try {
- KeyStore rootStore = this.loadKeyStore("d:/root.keystore",
- "123456", "JKS");
- String rootAlias = "test";
- String subjectStr = "CN=zhaorb@jiangdatech.com,L=PU Dong,ST=Shang Hai,O=Jiangdatech,OU=ENTERPRISE APP,C=China,STREET=ZuChongZhi Road";
- String alg = "RSA";
- String storeType = "JKS";
- int keySize = 1024;
- String keyPass = "123456";
- String rootKeyPass = "123456";
- String storePass = "123456";
- String alias = "test";
- KeyStore ks = this.generateSignedKeyStore(null, rootAlias,
- rootKeyPass, subjectStr, storeType, storePass, alias, alg,
- keySize, keyPass);
- OutputStream out = new FileOutputStream(
- new File("d:/test.keystore"));
- ks.store(out, "123456".toCharArray());
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
- /**
- * 测试签发证书
- */
- @Test
- public void testGenerateSecKeyStore() {
- try {
- String rootAlias = "test";
- String subjectStr = "CN=zhaorb@jiangdatech.com,L=PU Dong,ST=Shang Hai,O=Jiangdatech,OU=ENTERPRISE APP,C=China,STREET=ZuChongZhi Road";
- String alg = "DES";
- String storeType = "JKS";
- int keySize = 1024;
- String keyPass = "123456";
- String rootKeyPass = "123456";
- String storePass = "123456";
- String alias = "test";
- KeyStore ks = this.createKeyStore("123456", "JCEKS");
- KeyGenerator keygen = KeyGenerator.getInstance("DES");
- SecretKey secKey = keygen.generateKey();
- ks.setKeyEntry(alias, secKey, "123456".toCharArray(),null);
- OutputStream out = new FileOutputStream(
- new File("d:/test.keystore"));
- ks.store(out, "123456".toCharArray());
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
- @Test
- /**
- * 关于p7b的操作 未实现
- */
- public void testGeneratePKCS7KeyStore() {
- try {
- /*ContentInfo info = new ContentInfo(arg0);
- //PKCS7 pkcs7 = new PKCS7()
- String rootAlias = "test";
- String subjectStr = "CN=zhaorb@jiangdatech.com,L=PU Dong,ST=Shang Hai,O=Jiangdatech,OU=ENTERPRISE APP,C=China,STREET=ZuChongZhi Road";
- String alg = "DES";
- String storeType = "JKS";
- int keySize = 1024;
- String keyPass = "123456";
- String rootKeyPass = "123456";
- String storePass = "123456";
- String alias = "test";
- KeyStore ks = this.createKeyStore("123456", "PKCS7");
- KeyGenerator keygen = KeyGenerator.getInstance("RSA");
- //SecretKey secKey = keygen.generateKey();
- //ks.setKeyEntry(alias, secKey, "123456".toCharArray(),null);
- OutputStream out = new FileOutputStream(
- new File("d:/test.keystore"));
- ks.store(out, "123456".toCharArray());*/
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
- @Test
- public void testReadJCEKS() throws Exception{
- KeyStore ks = this.loadKeyStore("D:/test.keystore","123456", "JCEKS");
- Enumeration<string> aliasEnum = ks.aliases();
- while(aliasEnum.hasMoreElements()){
- String alias = aliasEnum.nextElement();
- SecretKeySpec secKey = (SecretKeySpec) ks.getKey(alias, "123456".toCharArray());
- System.out.println(ks.getCertificate(alias));
- //System.out.println(ks.);
- System.out.println(secKey.getClass());
- System.out.println(secKey.getFormat());
- System.out.println(secKey.getEncoded());
- }
- }
- public PKCS10 readCsr() throws Exception {
- File f = new File("D:/test.csr");
- InputStream in = new FileInputStream(f);
- ByteArrayOutputStream out = new ByteArrayOutputStream(1024);
- byte[] bytes = new byte[(int) f.length()];
- in.read(bytes);
- String base64String = new String(bytes, "ISO-8859-1");
- System.out.println(base64String);
- Pattern p = Pattern
- .compile("-----BEGIN NEW CERTIFICATE REQUEST-----([\\s\\S]*?)-----END NEW CERTIFICATE REQUEST-----([\\s\\S]*)");
- BASE64Decoder decoder = new BASE64Decoder();
- Matcher m = p.matcher(base64String);
- if (m.find()) {
- String s = m.group(1);
- System.out.println(s.trim());
- byte[] bArray = decoder.decodeBuffer(s);
- PKCS10 csr = new PKCS10(bArray);
- System.out.println(csr);
- return csr;
- }
- throw new Exception("文件错误 ,无法读取csr");
- }
- @Test
- public void testReadCsr() throws Exception {
- PKCS10 csr = readCsr();
- }
- @Test
- public void createCsr() throws Exception {
- String storePass = "123456";
- String alias = "test";
- String alg = null;
- KeyStore ks = this.loadKeyStore("d:/test.keystore", storePass, "JKS");
- Certificate cert = ks.getCertificate(alias);
- PrivateKey priKey = (PrivateKey) ks.getKey(alias,
- "123456".toCharArray());
- PublicKey pubKey = cert.getPublicKey();
- PKCS10 csr = new PKCS10(pubKey);
- String signAlg = null;
- if (alg == null) {
- alg = priKey.getAlgorithm();
- if (("DSA".equalsIgnoreCase(alg)) || ("DSS".equalsIgnoreCase(alg)))
- signAlg = "SHA1WithDSA";
- else if ("RSA".equalsIgnoreCase((String) alg))
- signAlg = "SHA1WithRSA";
- else
- throw new Exception("Cannot derive signature algorithm");
- }
- Signature signature = Signature.getInstance(signAlg);
- signature.initSign(priKey);
- X500Name x500Name = new X500Name(((X509Certificate) cert)
- .getSubjectDN().toString());
- X500Signer x500Signer = new X500Signer(signature, x500Name);
- ((PKCS10) csr).encodeAndSign(x500Signer);
- File f = new File("D:/test.csr");
- if (f.exists()) {
- f.delete();
- }
- ((PKCS10) csr).print(new PrintStream(new File("D:/test.csr")));
- }
- /**
- * 签名
- *
- * @throws Exception
- */
- @Test
- public void testSignature() throws Exception {
- KeyStore rootStore = this.loadKeyStore("d:/root.keystore", "123456",
- "JKS");
- PrivateKey rootKey = (PrivateKey) rootStore.getKey("root",
- "123456".toCharArray());
- X509CertImpl rootX509Cert = (X509CertImpl) rootStore
- .getCertificate("root");
- X500Name issuerX500Name = (X500Name) rootX509Cert.get(X509CertImpl.NAME
- + "." + X509CertImpl.INFO + "." + X509CertInfo.SUBJECT + "."
- + CertificateSubjectName.DN_NAME);
- // 有效期设置
- Calendar calendar = Calendar.getInstance();
- Date startDate = calendar.getTime();
- calendar.add(Calendar.DATE, 85);
- Date endDate = calendar.getTime();
- CertificateValidity certificateValidity = new CertificateValidity(
- startDate, endDate);
- // 序列号
- CertificateSerialNumber sn = new CertificateSerialNumber(
- (int) (startDate.getTime() / 1000L));
- PKCS10 csr = this.readCsr();
- PublicKey pubKey = csr.getSubjectPublicKeyInfo();
- X500Name subjectX500Name = csr.getSubjectName();
- // TODO 未实现
- Signature signature = Signature.getInstance("Sha1WithRSA");
- X500Signer signer = new X500Signer(signature, subjectX500Name);
- AlgorithmId algorithmId = signer.getAlgorithmId();
- X509CertInfo info = new X509CertInfo();
- info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(
- algorithmId));
- info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
- subjectX500Name));
- info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuerX500Name));
- info.set(X509CertInfo.KEY, new CertificateX509Key(pubKey));
- info.set(X509CertInfo.VERSION, new CertificateVersion(
- CertificateVersion.V3));
- info.set(X509CertInfo.VALIDITY, certificateValidity);
- info.set(X509CertInfo.SERIAL_NUMBER, sn);
- X509CertImpl newCert = new X509CertImpl(info);
- newCert.sign(rootKey, "SHA1WithRSA");
- OutputStream out = new FileOutputStream("d:/test.cer");
- out.write(newCert.getEncoded());
- out.write(rootX509Cert.getEncoded());
- out.close();
- }
- }
What Doesn't Kill Me Makes Me Stronger