MOYUN(/Java/SQL/Linux/DevOps/运维/架构/管理/敏捷/开发)

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::

一、使用keytool工具制作一个jks证书、并导出公钥

进入D:\jkstest目录下,使用命令生成merKey.jks证书文件

keytool -genkey -alias yunbo2 -keypass 123456 -keyalg RSA -keysize 1024 -validity 3650 -keystore merKey.jks -storepass abc@2018 -dname "CN=localhost,OU=localhost, O=localhost, L=深圳, ST=广东, C=CN"

进入D:\jkstest目录下,导出公钥yunbo2.cer文件,输入以下命令,回车,输入秘钥库密码 abc@2018

keytool -export -alias yunbo2 -keystore merKey.jks -file yunbo2.cer

生成证书文件如下

二、简单代码实现加解密、加签、验签

 

/**
 * desc area
 * Created by yunBo on 2018/9/25 0025.
 */
public class CertificateUtils {
	
	public  static final String KEY_STORE = "JKS";
	public  static final String X509 = "X.509";
	private static final int CACHE_SIZE = 2048;
	private static final int MAX_ENCRYPT_BLOCK = 117;
	private static final int MAX_DECRYPT_BLOCK = 128;
	
	private static final String SHA1WithRSA = "SHA1WithRSA";
	private static final String RSA = "RSA";
	private static final String ECB = "ECB";
	
	public static final Map<String, Object> signData = Maps.newConcurrentMap();
	public static final String CRRECEPAY_SIGN_KEYSTORE="YUNBO_SIGN_KEYSTORE";
	public static final String CRRECEPAY_SIGN_X509CERTIFICATE="YUNBO_SIGN_X509CERTIFICATE";
	
	
	public  static final String keyPass   = "123456";
	public  static final String storePass = "abc@2018";
	public  static final String alias     = "yunbo2";
	public  static final String jksFile   = "D:/jkstest/merKey.jks";
	public  static final String pubFile   = "D:/jkstest/yunbo2.cer";
	
	
	public static void initX509Certificate(String cerFilePath) throws Exception {
		
		InputStream inputStream = null;
		try {
			CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
			inputStream = new FileInputStream(cerFilePath);
			X509Certificate x509Certificate = (X509Certificate) certificateFactory.generateCertificate(inputStream);
			signData.put(CRRECEPAY_SIGN_X509CERTIFICATE, x509Certificate);
		} finally {
			IOUtils.closeQuietly(inputStream);
		}
	}
	
	/**
	 * 获取私钥信息
	 * @param jksFilePath
	 * @param keyAlias
	 * @param keyPass
	 * @param storePass
	 * @return
	 * @throws Exception
	 */
	public static PrivateKey getPrivateKey(String jksFilePath, String keyAlias, String keyPass, String storePass) throws Exception {
		
		File jksFile = new File(jksFilePath);
		InputStream in = new FileInputStream(jksFile);
		KeyStore keyStore = KeyStore.getInstance("JKS");
		keyStore.load(in, storePass.toCharArray());
		PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPass.toCharArray());
		if (in != null) {
			IOUtils.closeQuietly(in);
		}
		return privateKey;
	}
	
	/**
	 * 获取公钥信息
	 * @param cerFilePath
	 * @return
	 * @throws KeyStoreException
	 * @throws IOException
	 * @throws CertificateException
	 * @throws NoSuchAlgorithmException
	 */
	public static PublicKey getPublicKey(String cerFilePath) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
		PublicKey publicKey = null;
		try {
			
			X509Certificate x509Certificate = (X509Certificate)signData.get(CRRECEPAY_SIGN_X509CERTIFICATE);
			if (x509Certificate == null) {
				initX509Certificate(cerFilePath);
				x509Certificate = (X509Certificate)signData.get(CRRECEPAY_SIGN_X509CERTIFICATE);
			}
			publicKey = x509Certificate.getPublicKey();
		} catch (Exception e) {
			e.printStackTrace();
		}
		return publicKey;
	}
	
	/**
	 * 加密
	 * @param requestStr
	 * @return
	 * @throws Exception
	 */
	public static byte[] encryptContentBytes(String requestStr) throws Exception {
		
		try {
			PublicKey publicKey = getPublicKey(pubFile);
			String pubKey  = Base64.encodeBase64String(publicKey.getEncoded());
			byte[] content = encryptByPublicKey(requestStr.getBytes(), pubKey);
			return content;
		} catch (Exception e) {
			e.printStackTrace();
		}
		return null;
	}
	
	/**
	 * 公钥加密
	 * @param data
	 * @param publicKey
	 * @return
	 * @throws Exception
	 */
	public static byte[] encryptByPublicKey(byte[] data, String publicKey) throws Exception {
		
		byte[] keyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(publicKey);
		X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
		KeyFactory keyFactory = KeyFactory.getInstance(RSA);
		Key publicK = keyFactory.generatePublic(x509KeySpec);
		// 对数据加密
		Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
		cipher.init(Cipher.ENCRYPT_MODE, publicK);
		int inputLen = data.length;
		ByteArrayOutputStream out = new ByteArrayOutputStream();
		int offSet = 0;
		byte[] cache;
		int i = 0;
		// 对数据分段加密
		while (inputLen - offSet > 0) {
			if (inputLen - offSet > MAX_ENCRYPT_BLOCK) {
				cache = cipher.doFinal(data, offSet, MAX_ENCRYPT_BLOCK);
			} else {
				cache = cipher.doFinal(data, offSet, inputLen - offSet);
			}
			out.write(cache, 0, cache.length);
			i++;
			offSet = i * MAX_ENCRYPT_BLOCK;
		}
		byte[] encryptedData = out.toByteArray();
		out.close();
		return encryptedData;
	}
	
	/**
	 * 私钥解密
	 *
	 * @param encryptedData
	 * @param privateKey
	 * @return
	 * @throws Exception
	 */
	public static byte[] decryptByPrivateKey(byte[] encryptedData, String privateKey) throws Exception {
		
		byte[] keyBytes = Base64.decodeBase64(privateKey);
		PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
		KeyFactory keyFactory = KeyFactory.getInstance(RSA);
		Key privateK = keyFactory.generatePrivate(pkcs8KeySpec);
		Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
		cipher.init(Cipher.DECRYPT_MODE, privateK);
		int inputLen = encryptedData.length;
		ByteArrayOutputStream out = new ByteArrayOutputStream();
		int offSet = 0;
		byte[] cache;
		int i = 0;
		// 对数据分段解密
		while (inputLen - offSet > 0) {
			if (inputLen - offSet > MAX_DECRYPT_BLOCK) {
				cache = cipher.doFinal(encryptedData, offSet, MAX_DECRYPT_BLOCK);
			} else {
				cache = cipher.doFinal(encryptedData, offSet, inputLen - offSet);
			}
			out.write(cache, 0, cache.length);
			i++;
			offSet = i * MAX_DECRYPT_BLOCK;
		}
		byte[] decryptedData = out.toByteArray();
		out.close();
		return decryptedData;
	}
	
	/**
	 * 解密
	 * @param responseDataBytes
	 * @return
	 * @throws Exception
	 */
	public static String decryptContentBytes(byte[] responseDataBytes)
			throws Exception {
		
		try {
			PrivateKey privateKey = getPrivateKey(jksFile, alias, keyPass, storePass);
			String priKey = Base64.encodeBase64String(privateKey.getEncoded());
			byte[] decryptContentBytes = decryptByPrivateKey(responseDataBytes, priKey);
			return new String(decryptContentBytes, CharEncoding.UTF_8);
		} catch (Exception e) {
			e.printStackTrace();
		}
		return null;
	}
	
	/**
	 * 加签
	 * @param signData
	 * @return
	 * @throws Exception
	 */
	public static String sign(String signData) throws Exception {
		
		InputStream in = new FileInputStream(new File(jksFile));
		KeyStore keyStore = KeyStore.getInstance("JKS");
		keyStore.load(in, storePass.toCharArray());
		
		// 获取jks证书别名
		Enumeration en = keyStore.aliases();
		String pName = null;
		while (en.hasMoreElements()) {
			String n = (String) en.nextElement();
			if (keyStore.isKeyEntry(n)) {
				pName = n;
			}
		}
		PrivateKey key = getPrivateKey(jksFile,pName,keyPass,storePass);
		Signature signature = Signature.getInstance(SHA1WithRSA);
		signature.initSign(key);
		signature.update(signData.getBytes("UTF-8"));
		byte[] signedData = signature.sign();
		String signDate = new BASE64Encoder().encode(signedData);
		signDate = signDate.replaceAll("\r\n", "").replaceAll("\n", "");
		return signDate;
	}
	
	/**
	 * 验签
	 * @return
	 * @throws Exception
	 */
	public static boolean verifySign2(String originData,String returnSignData) throws Exception {
		
		PublicKey publicKey = getPublicKey(pubFile);
		Signature sign3 = Signature.getInstance(SHA1WithRSA);
		sign3.initVerify(publicKey);
		sign3.update(originData.getBytes("UTF-8"));
		boolean isVerifySign = sign3.verify(new BASE64Decoder().decodeBuffer(returnSignData));
		return isVerifySign;
	}
	
	public static void main(String[] args) throws Exception{
	
		String originData = "hello波波";
		System.out.println("========> 加密开始");
		byte[] enData = encryptContentBytes(originData);
		String signData = sign(originData);
		System.out.println("========> 加签 signData:"+signData);
		String deData = decryptContentBytes(enData);
		System.out.println("========> 解密 deData:"+deData);
		boolean verifySign = verifySign2(originData,signData);
		System.out.println("========> 解密 verifySign:"+verifySign);
	}
}

  

输出结果为:

Connected to the target VM, address: '127.0.0.1:13223', transport: 'socket'
========> 加密开始
========> 加签 signData:kR4GMEQGPsgltoQfK+6IboCHsi+JbsjrrUTA6aW...2J0K2UZwqMJfWCarzxsKvUMFThRhwnuqoZ9u1qWlIko=
========> 解密 deData:hello波波
========> 解密 verifySign:true
Disconnected from the target VM, address: '127.0.0.1:13223', transport: 'socket'

Process finished with exit code 0

  

 

三、总结

1、JKS文件是一个java中的密钥管理库,里面可以放各种密钥文件,仓库当然会有一把锁,防范别人随便乱拿,这个就是JKS文件的密 码.里面存放的密钥也各有不同,每个密钥都有一个名字(在下面叫别名),一类就密钥对,一类叫公钥,一类叫私钥,密钥对就是包含公钥和私钥的。这里的公钥 只要你能进入仓库你就可以随便查看拿走,私钥则是有密码的。只允许有权限的人查看拿走.对于读取公钥只需要 知道JKS文件(仓库)的密码就可以了,但是在读取私钥时则必须有私钥的密码。

2、在加载证书文件的时候,keyStore.load(in, storePass.toCharArray());storePass为获取私钥文件的密码,即仓库密码,我们这里为abc@2018

3、证书加解密、加签验签等功能在项目中非常常见,可以把证书获取放在静态对象Maps.newConcurrentMap()中,这样效率显著提升。

 

posted on 2018-09-25 23:39  moyun-  阅读(6161)  评论(0编辑  收藏  举报