在java中生成证书链
发布时间:2020-05-24 08:52:38 所属栏目:Java 来源:互联网
导读:问题是如何在 Java中以编程方式生成证书链.换句话说,我想在java中执行这里详述的操作: http://fusesource.com/docs/broker/5.3/security/i382664.html 通常,我可以为新客户创建RSA密钥: private KeyPair genRSAKeyPair(){ // Get RSA key factory: KeyPairG
|
问题是如何在 Java中以编程方式生成证书链.换句话说,我想在java中执行这里详述的操作: http://fusesource.com/docs/broker/5.3/security/i382664.html 通常,我可以为新客户创建RSA密钥: private KeyPair genRSAKeyPair(){
// Get RSA key factory:
KeyPairGenerator kpg = null;
try {
kpg = KeyPairGenerator.getInstance("RSA");
} catch (NoSuchAlgorithmException e) {
log.error(e.getMessage());
e.printStackTrace();
return null;
}
// Generate RSA public/private key pair:
kpg.initialize(RSA_KEY_LEN);
KeyPair kp = kpg.genKeyPair();
return kp;
} 我生成相应的证书: private X509Certificate generateCertificate(String dn,KeyPair pair,int days,String algorithm)
throws GeneralSecurityException,IOException {
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from,to);
BigInteger sn = new BigInteger(64,new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY,interval);
info.set(X509CertInfo.SERIAL_NUMBER,new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT,new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER,new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY,new CertificateX509Key(pair.getPublic()));
info.set(X509CertInfo.VERSION,new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID,new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey,algorithm);
// Update the algorith,and resign.
algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,algo);
cert = new X509CertImpl(info);
cert.sign(privkey,algorithm);
return cert;
} 然后我生成证书签名请求,并将其保存到csrFile文件: public static void writeCertReq(File csrFile,String alias,String keyPass,KeyStore ks)
throws KeyStoreException,NoSuchAlgorithmException,InvalidKeyException,IOException,CertificateException,SignatureException,UnrecoverableKeyException {
Object objs[] = getPrivateKey(ks,alias,keyPass.toCharArray());
PrivateKey privKey = (PrivateKey) objs[0];
PKCS10 request = null;
Certificate cert = ks.getCertificate(alias);
request = new PKCS10(cert.getPublicKey());
String sigAlgName = "MD5WithRSA";
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privKey);
X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
X500Signer signer = new X500Signer(signature,subject);
request.encodeAndSign(signer);
request.print(System.out);
FileOutputStream fos = new FileOutputStream(csrFile);
PrintStream ps = new PrintStream(fos);
request.print(ps);
fos.close();
}
哪里 private static Object[] getPrivateKey(KeyStore ks,char keyPass[])
throws UnrecoverableKeyException,KeyStoreException,NoSuchAlgorithmException {
key = null;
key = ks.getKey(alias,keyPass);
return (new Object[]{ (PrivateKey) key,keyPass });
}
现在我应该使用CA私钥对CSR进行签名,但是我无法看到如何在java中实现这一点.我的jks中有“我自己的”CA私钥. 此外,一旦我设法签署CSR,我应该使用签名的CSR链接CA证书:如何在java中完成? 我宁愿不使用bc或其他外部库,只是“sun.security”类. 谢谢. 解决方法抱歉,尽管你有自己的愿望,除了编写你的所有加密代码并将其包含在你的项目中(不推荐),我建议你在这里使用Bouncy Castle.具体来说,请参考https://stackoverflow.com/a/7366757/751158 – 其中包含您正在寻找的确切代码. (编辑:安卓应用网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |