Generating a certificate chain in Java

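The question is how to generate a certificate chain programmatically in Java. In other words, I would like to perform in Java the operations detailed here: http://fusesource.com/docs/broker/5.3/security/i382664.html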

Typically, I am able to create an RSA key for a new client:

private KeyPair genRSAKeyPair(){
    // Get RSA key factory:
    KeyPairGenerator kpg = null;
    try {
        kpg = KeyPairGenerator.getInstance("RSA");
    } catch (NoSuchAlgorithmException e) {
        log.error(e.getMessage());
        e.printStackTrace();
        return null;
    }
    // Generate RSA public/private key pair:
    kpg.initialize(RSA_KEY_LEN);
    KeyPair kp = kpg.genKeyPair();
    return kp;

}

and generate the corresponding certificate:

private X509Certificate generateCertificate(String dn,KeyPair pair,int days,String algorithm)
  throws GeneralSecurityException,IOException  {
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000l);
    CertificateValidity interval = new CertificateValidity(from,to);
    BigInteger sn = new BigInteger(64,new SecureRandom());
    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY,interval);
    info.set(X509CertInfo.SERIAL_NUMBER,new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT,new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER,new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY,new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION,new CertificateVersion(CertificateVersion.V3));
    // Placeholder algorithm id; it is replaced below with the one the signature actually used.
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID,new CertificateAlgorithmId(algo));

    // Sign the cert to identify the algorithm that's used.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey,algorithm);

    // Update the algorithm, and re-sign.
    algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,algo);
    cert = new X509CertImpl(info);
    cert.sign(privkey,algorithm);
    return cert;

}

Then I generate the certificate signing request and save it to the csrFile file:

public static void writeCertReq(File csrFile,String alias,String keyPass,KeyStore ks) 
        throws KeyStoreException,NoSuchAlgorithmException,InvalidKeyException,IOException,CertificateException,SignatureException,UnrecoverableKeyException {

    Object objs[] = getPrivateKey(ks,alias,keyPass.toCharArray());
    PrivateKey privKey = (PrivateKey) objs[0];

    PKCS10 request = null;

    Certificate cert = ks.getCertificate(alias);
    request = new PKCS10(cert.getPublicKey());
    // MD5-based signatures are obsolete; "SHA256withRSA" is the usual choice today.
    String sigAlgName = "MD5WithRSA";
    Signature signature = Signature.getInstance(sigAlgName);
    signature.initSign(privKey);
    X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
    X500Signer signer = new X500Signer(signature,subject);
    request.encodeAndSign(signer);
    request.print(System.out);
    FileOutputStream fos = new FileOutputStream(csrFile);
    PrintStream ps = new PrintStream(fos);
    request.print(ps);
    ps.close(); // flushes the PrintStream and closes the underlying file stream
}

where

private static Object[] getPrivateKey(KeyStore ks,String alias,char keyPass[]) 
        throws UnrecoverableKeyException,KeyStoreException,NoSuchAlgorithmException {
    // Look up the private key stored under the alias.
    Key key = ks.getKey(alias,keyPass);
    return (new Object[]{ (PrivateKey) key,keyPass });
}

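Now I should sign the CSR with the CA private key, but I can't see how to achieve that in Java. I have "my own" CA private key in my jks.

In addition, once I manage to sign the CSR, I should chain the CA certificate with the signed CSR: how can that be done in Java?

I would prefer not to use BC or other external libraries, just the "sun.security" classes.

Thanks.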

Solution

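Sorry, but despite your wishes, and short of writing all of your crypto code yourself and including it in your project (not recommended), I'd recommend using Bouncy Castle here.

Specifically, see https://stackoverflow.com/a/7366757/751158, which contains the exact code you're looking for.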
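The two steps the question asks about (signing the CSR with the CA key, then chaining the result to the CA certificate), as an added example using Bouncy Castle; it is not the code from the linked answer or from the original poster. It assumes the bcprov and bcpkix jars are on the classpath; the class name, DNs, alias and password are constructed for illustration, and SHA256withRSA is used in place of the question's MD5WithRSA.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.*;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.*;

public class SignCsrExample { // hypothetical class name
    // Issue a certificate for subjectKey, signed with signerKey (self-signed when issuer equals subject).
    static X509Certificate issue(X500Name issuer, PrivateKey signerKey, X500Name subject,
                                 PublicKey subjectKey, boolean isCa, int days) throws Exception {
        Date from = new Date(), to = new Date(from.getTime() + days * 86400000L);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, new BigInteger(64, new SecureRandom()), from, to, subject, subjectKey);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        return new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(signerKey)));
    }

    // Check the CSR's own signature (proof of possession), then issue the leaf under the CA.
    static X509Certificate[] signCsr(PKCS10CertificationRequest csr, PrivateKey caKey,
                                     X509Certificate caCert, int days) throws Exception {
        JcaPKCS10CertificationRequest req = new JcaPKCS10CertificationRequest(csr);
        if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().build(req.getPublicKey())))
            throw new GeneralSecurityException("CSR signature does not verify");
        X500Name issuer = new JcaX509CertificateHolder(caCert).getSubject();
        X509Certificate leaf = issue(issuer, caKey, csr.getSubject(), req.getPublicKey(), false, days);
        leaf.verify(caCert.getPublicKey());             // throws unless the CA key signed it
        return new X509Certificate[] { leaf, caCert };  // chain order: leaf first, CA last
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ca = kpg.generateKeyPair(), client = kpg.generateKeyPair();
        X500Name caDn = new X500Name("CN=Test CA"), clientDn = new X500Name("CN=client1"); // constructed
        X509Certificate caCert = issue(caDn, ca.getPrivate(), caDn, ca.getPublic(), true, 365);
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(clientDn, client.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(client.getPrivate()));
        X509Certificate[] chain = signCsr(csr, ca.getPrivate(), caCert, 90);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("client1", client.getPrivate(), "changeit".toCharArray(), chain); // key + chain
        System.out.println(chain[0].getSubjectX500Principal() + " <- " + chain[0].getIssuerX500Principal());
    }
}
```

In the question's setup the CA key and certificate would come from the existing jks via `ks.getKey` and `ks.getCertificate` rather than being generated in `main`.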
