[转]PKCS12 证书的生成及验证

ttsiangogole

浏览: 72155 次

最近访客更多访客>>

tianbrave

东方微微亮

muyuan

落叶换新叶

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

java
[转]PKCS12 证书的生成及验证

[转]PKCS12 证书的生成及验证 java 工作

http://blog.csdn.net/kmyhy/article/details/6431609

?

本文首先感谢 Apple 开发者论坛的eskimo1，他是我见过的最热心肠的人，对任何人他都不吝于给予无私帮助。



一、

生成证书



keytool -genkey -v
-alias root -keyalg RSA -storetype PKCS12 -keystore dlt.p12 -dname "CN=www.handtimes.com,OU=ipcc,O=云电同方,L=昆明,ST=云南,C=中国"
-storepass ipcc@95598 -keypass ipcc@95598

keytool -genkey -v
-alias p12client -keyalg RSA -storetype PKCS12 -keystore dlt.p12 -dname
"CN=www.handtimes.com,OU=ipcc,O=云电同方,L=昆明,ST=云南,C=中国" -storepass ipcc@95598
-keypass 123456 -validity 1

keytool -list -v
-alias p12client -keystore dlt.p12 -storepass ipcc@95598 -storetype PKCS12

keytool -list -v
-keystore IPCCCA 
–
dlt.p12 ipcc@95598 -storetype PKCS12



keytool -export
-alias p12client -keystore dlt.p12 -storetype PKCS12 -storepass ipcc@95598 -rfc
-file p12.cer



keytool -printcert
-v -file /Users/kmyhy/Desktop/client.cer



Keytool.exe
-importkeystore -srckeystore IPCCCA -srcstoretype jks -srcstorepass ipcc@95598 -srcalias
p12client?
-destkeystore dltclient.p12
-deststoretype pkcs12 -deststorepass ipcc@95598 -destkeypass 123456 
–
validity 3





重新输入密码123456，回车，将在用户主目录下生成dltclient.p12文件。





keytool.exe -list
-keystore dltclient.p12 -storepass ipcc@95598 -storetype pkcs12

?

<img src="http://hi.csdn.net/attachment/201105/19/0_1305774857vB0C.gif" alt="">

可以看到其中包含了证书和私钥,并且其认证指纹是和IPCCCA中的一模一样的。



一、

提供证书下载



[/b]
 
class

 GetP12Cert 
extends

 HttpServlet {


private

 
static

 
final

 
long

 
serialVersionUID

 = 1L;

???

private

 
static

 
final

 
int

 
max_days

=1;??


???

/**

????
* 
@see

 HttpServlet#HttpServlet()

????
*/

???

public

 GetP12Cert() {

???????

super

();

???????

// 
TODO

 Auto-generated constructor stub

???
}


/**

?
* 
@see

 HttpServlet#doGet(HttpServletRequest
request, HttpServletResponse response)

?
*/


protected

 
void

 doGet(HttpServletRequest
request, HttpServletResponse response) 
throws

 ServletException, IOException {

String filename=
"C://Documents and
Settings//Administrator//dlt.cer"
;

String pass=
"ipcc@95598"
;

Pkcs12Manager man=
null

;

String alias=
"p12client"
;

String keypass=
"123456"
;


try

{

man=
new

 Pkcs12Manager(
new

 File(filename),pass);



man.updateExpiration(alias,
keypass,
max_days

);

exportCert(man,alias,response);

//

man.saveCert(alias,
"123456");


//man.saveCert(alias,
"123456");



}
catch

(Exception e){

e.printStackTrace();

}

}


// 
导出证书


private

 
void

 exportCert(Pkcs12Manager
man,String alias,HttpServletResponse response){

OutputStream out=
null

;


try

{

???
Certificate cert = man.
keyStore
.getCertificate(alias);

???

// 
得到证书内容（以编码过的格式）

???

byte

[] buf = cert.getEncoded();


// 
写证书文件

???
response.setContentType(
"application/x-download"
);??


???
response.addHeader(
"Content-Disposition"
, 
"attachment;filename="
?


???????????
+ man.
file
.getName());??


???
out= response.getOutputStream(); 

???
out.write(buf);

???


}


catch

(Exception e){e.printStackTrace();}


finally

{


try

{

out.close();

}
catch

(Exception e){



}

}

}


/**

?
* 
@see


HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)

?
*/


protected

 
void


doPost(HttpServletRequest request, HttpServletResponse response) 
throws

 ServletException,
IOException {

doGet(request,response);

}



[/b]
 
class

 Pkcs12Manager {

???

public

 File 
file
;

???

public

 KeyStore 
keyStore
;

???

private

 
char

[] 
storePass
;

???

public

 Pkcs12Manager(File file, String pass) 
throws

 IOException, Exception {

???????

this

.
file
 = file;

???????

this

.
storePass
=pass.toCharArray();

???????
getKeyStore();
// 
加载
KeyStore
文件

???
}

???

// 
加载
KeyStore
文件

???

public

 
synchronized

 KeyStore getKeyStore() 
throws

 IOException, Exception {

???????

if

 (
keyStore
 == 
null

) {

???????????
FileInputStream fin = 
new

 FileInputStream(
file
);

???????????
KeyStore store = KeyStore.getInstance
(
"PKCS12"
);

???????????

try

 {

???????????????
store.load(fin,
storePass
);???????????????


???????????
} 

???????????

finally

 {

???????????????

try

 {

??????????????????
?
fin.close();

???????????????
} 
catch

 (IOException e) { }

???????????
}

???????????

keyStore
 = store;

???????
}

???????

return

 
keyStore
;

???
}

???

// 
读取
alias
指定的证书内容


public

 X509CertInfo
getX509CertInfo(String alias)
throws

 Exception {

X509CertImpl cimp=getX509CertImpl(alias);


//
获取
X509CertInfo
对象


return

 (X509CertInfo) cimp.get(X509CertImpl.
NAME

+ 
"."
 + X509CertImpl.
INFO

);

}

???

// 
根据
alias
获取
X509CertImpl
对象


private

 X509CertImpl
getX509CertImpl(String alias)
throws

 Exception{

Certificate c = 
keyStore
.getCertificate(alias);
// 
读取证书


// 
从待签发的证书中提取证书信息　　


byte

[] enc = c.getEncoded();
//
获取
 
证书内容（经过编码的字节）

X509CertImpl cimp= 
new

 X509CertImpl(enc);
//
创建
X509CertImpl
象


return

 cimp;

}


// 
修改证书过期时间
:
过期时间顺延
n
天


public

 
void

 updateExpiration(String
alias,String keypass,
int

 n)
throws

 Exception{

System.
out

.println(getExpiration(alias));

X509CertInfo cinfo=getX509CertInfo(alias);

// 
获取
X509CertInfo
对象

X509CertImpl cimp=getX509CertImpl(alias);

// 
获取
X509CertImpl
对象

String sigAlgrithm=cimp.getSigAlgName();

// 
获取签名算法

CertificateValidity
cv=(CertificateValidity)cinfo.get(X509CertInfo.
VALIDITY

);


// 
有效期为当前日期后延
n
天

Date d2 = 
new

 Date(
new

 Date().getTime() + n * 24 * 60 * 60 *
1000L);

System.
out

.println(
"new date:"
+d2.toString());


// 
创建有效期对象

cv.set(CertificateValidity.
NOT_AFTER

, d2);

cinfo.set(X509CertInfo.
VALIDITY

, cv);
//
设置有效期



saveCert(alias,keypass,cinfo,sigAlgrithm);

System.
out

.println(getExpiration(alias));

}


//?

读取证书过期时间


public

 String
getExpiration(String alias)
throws

 Exception{

X509CertInfo cinfo=getX509CertInfo(alias);

CertificateValidity
cv=(CertificateValidity)cinfo.get(X509CertInfo.
VALIDITY

);


// 
创建有效期对象

Date d=(Date)cv.get(CertificateValidity.
NOT_AFTER

);


return

 d.toString();

}

//?

存储证书


private

 
void

 saveCert(String
alias,String keypass,

X509CertInfo
cinfo,String algrithm) 
throws

 Exception{


// 
从密钥库中读取
CA
的私钥

PrivateKey pKey = (PrivateKey) 
keyStore
.getKey(alias,
keypass.toCharArray());

X509CertImpl cert = 
new

 X509CertImpl(cinfo);
// 
新建证书

cert.sign(pKey,
algrithm); 
//
使用
CA
私钥对其签名


//
获取别名对应条目的证书链

Certificate[]
chain = 
new

 Certificate[] { cert };


// 
向密钥库中添加条目
,
使用已存在别名将覆盖已存在条目


keyStore
.setKeyEntry(alias, pKey,
keypass.toCharArray(), chain);


// 
将
keystore

存储至文件

FileOutputStream
fOut = 
new

 FileOutputStream(
file
);


keyStore
.store(fOut, 
storePass
);

fOut.close();

}


// 
获取签名算法


public

 String
getSigAlgName(String alias)
throws

 Exception{

Certificate c = 
keyStore
.getCertificate(alias);
// 
读取证书


// 
获取
 
证书内容（经过编码的字节）　　


byte

[] enc = c.getEncoded();


//
创建
X509CertImpl
对象

X509CertImpl cimp2 = 
new

 X509CertImpl(enc);

String sigAlgrithm=cimp2.getSigAlgName();


return

 sigAlgrithm;

}

Servlet
和javabean 部署到服务器中。这样，通过访问<a href="http://localhost/GetP12Cert">http://localhost/GetP12Cert
</a>
就可以获得一个有效的证书dlt.cer。


二、

证书的验证



* path=[[
NSBundle
 
mainBundle
]
pathForResource
:
@"dlt.cer"
 
ofType
:
nil
];

参数为任意一个有效的日期（在证书有效期之内）

* myTrust=[[
MyTrustService
 
alloc
]

initWithFilename
:path 
EfficientDate
:
@"2011-05-10 0:0:0"
];

 ret=[myTrust 
trustValuate
:[[
NSDate
 
alloc
]
init
]];

 (ret) {


case
 
ValuateResultOK
:


NSLog
(
@"
证书有效
"
);


break
;


case
 
ValuateResultEXPIRED
:


NSLog
(
@"
证书已过期
"
);


break
;


default
:


NSLog
(
@"
证书校验失败
"
);


break
;

release
];



<Foundation/Foundation.h>

<Security/Security.h>

 
const
 
char
 * 
kTrustNames
[
8
] = {


"Invalid"
,


"Proceed"
,


"Confirm"
,


"Deny"
,


"Unspecified"
,


"RecoverableTrustFailure"
,


"FatalTrustFailure"
,


"OtherError"

 
enum


ValuateResultINVALID
 = 
0
,

// 
评估结果无效，表明评估出错或未经过评估


ValuateResultFAILED
,


// 
证书签名无效


ValuateResultEXPIRED
,


// 
证书过期


ValuateResultOK



// 
证书有效

 MyTrustService :
NSObject {


NSString
 *
file
;



NSDate
* 
efficientDate
;

id
)initWithFilename:(
NSString
*)filename EfficientDate:(
NSString
*)date;

ValuateResult
)trustValuate:(
NSDate
*)date;

ValuateResult
)valuate:(
SecCertificateRef
)cert Trust:(
SecTrustRef
)trust Date:(
NSDate
*)date;

"MyTrustService.h"

 MyTrustService

id
)initWithFilename:(
NSString
*)filename
EfficientDate:(
NSString
*)date{


if
 (
self
=[
super
 
init
]) {


file
=filename;


// 
设置有效日期，注意，第
2
个参数是一个有效的证书日期，只要这个日期对证书而言是有效的就行


efficientDate
=[[
NSDate
 
alloc
]
initWithString
:date];



}


return
 
self
;

ValuateResult
)trustValuate:(
NSDate
*)date{


ValuateResult
 ret;


OSStatus
???????????
err;

???

NSData
 *???????????
certData;

???

SecCertificateRef
??
cert;

???

SecPolicyRef
???????
policy;

???

SecTrustRef
????????
trust;

?



???

assert
(
file
 != 
nil
);

???

assert
(date != 
nil
);




// 
从文件获得
 DER 
数据

???
certData = [
NSData
 
dataWithContentsOfFile
:
file
];

???

assert
(certData != 
nil
);




// 
从
 NSData 
获得
 Certificate 
对象

???
cert = 
SecCertificateCreateWithData
(
NULL
, (
CFDataRef
) certData);

???

assert
(cert != 
NULL
);




// 
获得
 x509 policy

???
policy = 
SecPolicyCreateBasicX509
();

???

assert
(policy != 
NULL
);




// 
获得
 Trust 
对象

???
err = 
SecTrustCreateWithCertificates
(cert,
policy, &trust);

???

assert
(err == 
noErr
);




// 
由于是自签名证书，需要将锚证书设置为要验证的证书自己。注意，这样将使所有除了参数指定的锚证书之外的所有锚证书无效

???
err = 
SecTrustSetAnchorCertificates
(trust,
(
CFArrayRef
) [
NSArray
 
arrayWithObject
:(
id
) cert]);

???

assert
(err == 
noErr
);




// 
调用
 valuate 
方法进行评估

ret=[
self
 
valuate
:cert 
Trust
:trust 
Date
:date];




// 
评估结束，把
SecTrustSetAnchorCertificates
指定的锚证书失效，于是所有锚证书又可被信任了

??

err=
SecTrustSetAnchorCertificatesOnly
(trust,
NO
);

???

CFRelease
(trust);

???

CFRelease
(policy);

???

CFRelease
(cert);


return
 ret;

ValuateResult
)valuate:(
SecCertificateRef
)cert Trust:(
SecTrustRef
)trust Date:(
NSDate
*)date{


ValuateResult
 ret;


OSStatus
???????????
err;

???

SecTrustResultType
?
result;



???
err = 
SecTrustSetVerifyDate
(trust,
(
CFDateRef
) date);

???

assert
(err == 
noErr
);




CFAbsoluteTime

trustTime;

trustTime = 
SecTrustGetVerifyTime
(trust);



???
err = 
SecTrustEvaluate
(trust,
&result);

???

assert
(err == 
noErr
);



???

if
 (result < (
sizeof
(
kTrustNames
) / 
sizeof
(*
kTrustNames
))) {
// if(result <

???????

if
 (result==
5
) {
// if result=RecoverableTrustFailure


//

设了个有效的日期，进行再次评估

err=
SecTrustSetVerifyDate
(trust, (
CFDateRef
)
efficientDate
);


assert
(err==
noErr
);

err=
SecTrustEvaluate
(trust, &result);


assert
(err == 
noErr
);


if
 (result==
4
) {
// if result=Unspecified,


// 
返回证书已过期，这里我们假设把证书尚未生效的情况也算作过期

ret= 
ValuateResultEXPIRED
;

}

}
else
 
if
 (result==
4
) {
// 
如果第
1
次就通过评估，证书有效

ret=
ValuateResultOK
; 

}
else
 {

ret=
ValuateResultFAILED
;
//
证书
 
无效

}



???
} 
else
 {

???????

NSLog
(
@"result = unknown (%zu)"
, (
size_t
) result);

???
}


return
 ret;

void
)dealloc{

[
efficientDate
 
release
];

[
super
 
dealloc
];

0
顶

0
踩

分享到：

android： not find device | Errors occurred during the build. Error ...

2012-02-02 13:29
浏览 4936
评论(0)
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论