`
sswh
  • 浏览: 161647 次
  • 性别: Icon_minigender_1
社区版块
存档分类
最新评论

证书制作

    博客分类:
  • java
阅读更多

使用bouncycastle库来制作证书(包括一个自签名证书和为他人签发证书)。

<dependency>
	<groupId>org.bouncycastle</groupId>
	<artifactId>bcpkix-jdk15on</artifactId>
	<version>1.54</version>
</dependency>

 

import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CertMakeDemo {

	public static void main(String[] args) throws Exception {
		X500Name subject = new X500Name("CN=root, O=root, OU=root");
		KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
		gen.initialize(1024);
		KeyPair pair = gen.generateKeyPair();
		X509Certificate certificate = signerSelf(subject, pair);
		System.out.println("证书:" + certificate);

		KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
		pkcs12.load(null, null);
		pkcs12.setKeyEntry("root", pair.getPrivate(), "123456".toCharArray(), new Certificate[] { certificate });
		for (Enumeration<String> e = pkcs12.aliases(); e.hasMoreElements();) {
			String alias = e.nextElement();
			System.out.println(pkcs12.getCertificateChain(alias));
			System.out.println(pkcs12.getKey(alias, "123456".toCharArray()));
		}
		OutputStream out = new FileOutputStream("f:/temp/root.pfx");
		pkcs12.store(out, "123456".toCharArray());
		out.close();

		//root为张三签发证书
		X500Name zsSubject = new X500Name("CN=张三, O=张三, OU=张三");
		gen = KeyPairGenerator.getInstance("RSA");
		gen.initialize(1024);
		KeyPair zsKeypair = gen.generateKeyPair();
		X509Certificate zsCertificate = signer(zsSubject, zsKeypair.getPublic(), certificate, pair.getPrivate());
		System.out.println("张三证书:" + zsCertificate);
		out = new FileOutputStream("f:/temp/zhangsan.cer");
		out.write(zsCertificate.getEncoded());
		out.close();
	}

	public static X509Certificate signer(X500Name subject, PublicKey subjectPublicKey,// 
		X509Certificate issuerCert, PrivateKey issuerPrivateKey) throws Exception {

		X500Name issuer = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
		String signatureAlgorithm = issuerCert.getSigAlgName();
		return signer(subject, subjectPublicKey, issuer, issuerPrivateKey, signatureAlgorithm);
	}

	public static X509Certificate signerSelf(X500Name subject, KeyPair pair) throws Exception {
		String signatureAlgorithm = "SHA1With" + pair.getPrivate().getAlgorithm();
		return signer(subject, pair.getPublic(), subject, pair.getPrivate(), signatureAlgorithm);
	}

	public static X509Certificate signer(X500Name subject, PublicKey subjectPublicKey,//
		X500Name issuer, PrivateKey issuerPrivateKey, String signatureAlgorithm) throws Exception {

		BigInteger sn = new BigInteger(new SimpleDateFormat("yyyyMMdd").format(new Date()));
		Date notBefore = new Date();
		Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
		SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
		ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey);

		X509v3CertificateBuilder builder = new X509v3CertificateBuilder(//
			issuer, sn, notBefore, notAfter, subject, publicKeyInfo);
		byte[] certBytes = builder.build(signer).getEncoded();

		X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X509")//
			.generateCertificate(new ByteArrayInputStream(certBytes));

		return certificate;
	}
}

 

 

1
3
分享到:
| JAR数字签名格式解析示例
评论
1 楼 sswh 2016-07-07   
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.crypto.Cipher;
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.pkcs.ContentInfo;
import org.bouncycastle.asn1.pkcs.SignedData;
import org.bouncycastle.asn1.pkcs.SignerInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;

public class PKCS7Demo {

	static Map<String, String> OIDS = new HashMap<String, String>();
	static {
		OIDS.put("1.3.14.3.2.26", "SHA1");
		OIDS.put("1.2.840.113549.1.1.1", "RSA");
	}

	public static void main(String[] args) throws Exception {
		Security.addProvider(new BouncyCastleProvider());

		InputStream in = new FileInputStream("JCE_RSA.RSA");
		byte[] content = new byte[in.available()];
		in.read(content);
		in.close();

		ASN1InputStream asnin = new ASN1InputStream(content);
		ASN1Sequence asndata = (ASN1Sequence) asnin.readObject();
		asnin.close();

		DERTaggedObject tag0 = (DERTaggedObject) asndata.getObjectAt(1);
		SignedData pkcs7 = SignedData.getInstance(tag0.getObject());
		System.out.println("版本:" + pkcs7.getVersion());
		System.out.println("消息摘要算法:" + pkcs7.getDigestAlgorithms());
		ContentInfo contentInfo = pkcs7.getContentInfo();
		System.out.println("数据类型:" + contentInfo.getContentType());
		System.out.println("数据正文:" + contentInfo.getContent());

		for (ASN1Encodable certNode : pkcs7.getCertificates().toArray()) {
			System.out.println("证书:" + new String(Hex.encode(certNode.toASN1Primitive().getEncoded())));
		}

		System.out.println("作废证书:" + pkcs7.getCRLs());
		for (ASN1Encodable signerNode : pkcs7.getSignerInfos().toArray()) {
			SignerInfo signer = SignerInfo.getInstance(signerNode);
			System.out.println("签名者信息:" + new String(Hex.encode(signerNode.toASN1Primitive().getEncoded())));
			System.out.println("版本:" + signer.getVersion());
			System.out.println("证书发行者:" + signer.getIssuerAndSerialNumber().getName());
			System.out.println("证书序列号:" + signer.getIssuerAndSerialNumber().getCertificateSerialNumber());
			System.out.println("消息摘要算法:" + signer.getDigestAlgorithm().getAlgorithm());
			System.out.println("签名时间:" + signer.getAuthenticatedAttributes());
			System.out.println("签名算法:" + signer.getDigestEncryptionAlgorithm().getAlgorithm());
			System.out.println("签名:" + signer.getEncryptedDigest());
		}

		System.out.println("-----验证签名-----");
		SignerInfo signer = SignerInfo.getInstance(pkcs7.getSignerInfos().getObjectAt(0));
		X500Principal issuer = new X500Principal(signer.getIssuerAndSerialNumber().getName().getEncoded());
		BigInteger sn = signer.getIssuerAndSerialNumber().getCertificateSerialNumber().getValue();
		CertificateFactory factory = CertificateFactory.getInstance("X.509");
		X509Certificate cert = null;
		for (ASN1Encodable certNode : pkcs7.getCertificates().toArray()) {
			X509Certificate acert = (X509Certificate) factory.generateCertificate(//  
				new ByteArrayInputStream(certNode.toASN1Primitive().getEncoded()));
			if (issuer.equals(acert.getIssuerX500Principal()) && sn.equals(acert.getSerialNumber())) {
				cert = acert;
				break;
			}
		}
		System.out.println("签名证书:" + cert.getIssuerX500Principal());
		System.out.println("证书序号:" + cert.getSerialNumber());

		String signerAlgorithm = OIDS.get(signer.getDigestEncryptionAlgorithm().getAlgorithm().getId());
		System.out.println("签名算法:" + signerAlgorithm);

		Cipher cipher = Cipher.getInstance(signerAlgorithm);
		cipher.init(Cipher.DECRYPT_MODE, cert.getPublicKey());
		cipher.update(signer.getEncryptedDigest().getOctets());
		byte[] derDecrypt = cipher.doFinal();
		System.out.println("DER格式的解密签名:" + new String(Hex.encode(derDecrypt)));

		asnin = new ASN1InputStream(derDecrypt);
		ASN1Sequence derDecryptSeq = (ASN1Sequence) asnin.readObject();
		asnin.close();
		System.out.println("解密签名中的消息摘要算法:" + ((ASN1Sequence) derDecryptSeq.getObjectAt(0)).getObjectAt(0));
		String digestAlgorithm = OIDS.get(//  
			((ASN1ObjectIdentifier) //   
			((ASN1Sequence) derDecryptSeq.getObjectAt(0)).getObjectAt(0)//  
			).getId()//  
			);
		System.out.println("解密签名中的消息摘要算法::" + digestAlgorithm);
		byte[] decryptDigest = ((ASN1OctetString) derDecryptSeq.getObjectAt(1)).getOctets();
		System.out.println("解密的消息摘要:" + new String(Hex.encode(decryptDigest)));

		in = new FileInputStream("JCE_RSA.SF");
		byte[] raw = new byte[in.available()];
		in.read(raw);
		in.close();
		MessageDigest md = MessageDigest.getInstance(digestAlgorithm);
		md.update(raw);
		byte[] rawDigest = md.digest();
		System.out.println("明文消息摘要:" + new String(Hex.encode(rawDigest)));
		System.out.println("验证通过:" + Arrays.equals(decryptDigest, rawDigest));

		System.out.println("-----使用签名服务验证-----");
		DERSequence hash = (DERSequence) pkcs7.getDigestAlgorithms().getObjectAt(0);
		String hashAlgorithm = OIDS.get(((ASN1ObjectIdentifier) hash.getObjectAt(0)).getId());
		System.out.println("签名算法:" + hashAlgorithm + "With" + signerAlgorithm);

		Signature signature = Signature.getInstance(hashAlgorithm + "With" + signerAlgorithm);
		signature.initVerify(cert);
		signature.update(raw);
		boolean result = signature.verify(signer.getEncryptedDigest().getOctets());
		System.out.println("验证通过:" + result);

	}
}
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics