Java 使用自签名证书生成签名
我有以下示例代码,用于使用自签名证书生成签名:
标签:java, php, x509certificate, self-signed-certificate
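/**
 * Loads the JKS keystore at the hard-coded path, copies the certificate and keys of its
 * entries into the shared fields ({@code ks}, {@code alias}, {@code UserCert},
 * {@code UserCertPubKey}, {@code UserCertPrivKey}; declared outside this method) and
 * returns what {@code MakeSignature} produces for {@code data}.
 *
 * @param data text to sign
 * @return the value returned by {@code MakeSignature(data)}
 * @throws Exception if the keystore cannot be opened or loaded or a key cannot be recovered;
 *         the original failure is attached as the cause
 */
public static String generateSignature(String data) throws Exception {
    // NOTE(review): this prints the complete payload to stdout; shorten or drop it if the
    // signed data can be sensitive.
    System.out.println("@@inside generateSignature: " + data);
    String jksFilepath = "E:\\test.jks";
    try {
        // Register BouncyCastle so that the provider name "BC" can be resolved when signing.
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        ks = KeyStore.getInstance("jks");
        // try-with-resources closes the keystore file on every path, including load failures.
        try (FileInputStream fileInputStream = new FileInputStream(jksFilepath)) {
            ks.load(fileInputStream, JKSPassword);
        }
        Enumeration<String> aliases = ks.aliases();
        // Every alias overwrites the shared fields, so the entry enumerated last is the one
        // used for signing. NOTE(review): with more than one entry in the keystore the
        // choice depends on enumeration order; selecting the alias explicitly would be safer.
        while (aliases.hasMoreElements()) {
            alias = aliases.nextElement();
            UserCert = (X509Certificate) ks.getCertificate(alias);
            UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
            // The key entry is opened with the same password as the keystore itself.
            UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);
        }
        return MakeSignature(data);
    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("generateSignature" + e.getCause());
        // Keep the root cause so callers can see why signing failed.
        throw new Exception("generateSignature failed", e);
    }
}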
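/**
 * Builds a CMS SignedData over {@code data} with the private key and certificate stored
 * under the current {@code alias} of {@code ks}, and returns the encoded structure as
 * Base64 text.
 *
 * @param data text to sign; it is encoded as UTF-8 before signing
 * @return the Base64 encoding of the CMS SignedData, or {@code ""} if any step failed
 */
private static String MakeSignature(String data) {
    System.out.println("@@inside MakeSignature...");
    try {
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);
        myPubCert = (X509Certificate) ks.getCertificate(alias);
        Store certs = new JcaCertStore(Arrays.asList(myPubCert));
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));
        generator.addCertificates(certs);
        // Name the charset: the platform default differs between machines, and the bytes
        // that get signed must match what a verifier (or another implementation) hashes.
        CMSTypedData content = new CMSProcessableByteArray(data.getBytes("UTF-8"));
        // true = embed the signed content in the SignedData instead of a detached signature.
        CMSSignedData signed = generator.generate(content, true);
        // NOTE(review): presumably sun.misc.BASE64Encoder, which newer JDKs no longer ship;
        // java.util.Base64 is the supported replacement but wraps lines differently - confirm
        // what the consumer expects before switching.
        BASE64Encoder encoder = new BASE64Encoder();
        return encoder.encode(signed.getEncoded());
    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("MakeSignature ==" + e.getCause());
        // NOTE(review): a failure is reported as an empty string; callers must check for it
        // so that "" is never treated as a signature.
        return "";
    }
}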
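<?php
// Distinguished name written into the CSR and the self-signed certificate
$dn = array(
    "countryName" => "GB",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@example.com"
);
// Generate a new private (and public) key pair
$privkey = openssl_pkey_new(array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
));
// Each step needs the result of the previous one, so it only runs if that one succeeded;
// failures are reported by the error loop at the end.
// Generate a certificate signing request
$csr = ($privkey === false)
    ? false
    : openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
// Generate a self-signed cert (no CA certificate given), valid for 365 days
$x509 = is_bool($csr)
    ? false
    : openssl_csr_sign($csr, null, $privkey, 365, array('digest_alg' => 'sha256'));
// Export the CSR, the self-signed cert and the private key as PEM and print them
if (!is_bool($csr)) {
    openssl_csr_export($csr, $csrout) and var_dump($csrout);
}
if ($x509 !== false) {
    openssl_x509_export($x509, $certout) and var_dump($certout);
}
if ($privkey !== false) {
    // The exported key is encrypted with the passphrase. "mypassword" is the sample value;
    // real code should read the passphrase from configuration and should not print the key.
    openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
}
// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}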
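/**
 * Loads the JKS keystore at the hard-coded path, copies the certificate and keys of its
 * entries into the shared fields ({@code ks}, {@code alias}, {@code UserCert},
 * {@code UserCertPubKey}, {@code UserCertPrivKey}; declared outside this method) and
 * returns what {@code MakeSignature} produces for {@code data}.
 *
 * @param data text to sign
 * @return the value returned by {@code MakeSignature(data)}
 * @throws Exception if the keystore cannot be opened or loaded or a key cannot be recovered;
 *         the original failure is attached as the cause
 */
public static String generateSignature(String data) throws Exception {
    // NOTE(review): this prints the complete payload to stdout; shorten or drop it if the
    // signed data can be sensitive.
    System.out.println("@@inside generateSignature: " + data);
    String jksFilepath = "E:\\test.jks";
    try {
        // Register BouncyCastle so that the provider name "BC" can be resolved when signing.
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        ks = KeyStore.getInstance("jks");
        // try-with-resources closes the keystore file on every path, including load failures.
        try (FileInputStream fileInputStream = new FileInputStream(jksFilepath)) {
            ks.load(fileInputStream, JKSPassword);
        }
        Enumeration<String> aliases = ks.aliases();
        // Every alias overwrites the shared fields, so the entry enumerated last is the one
        // used for signing. NOTE(review): with more than one entry in the keystore the
        // choice depends on enumeration order; selecting the alias explicitly would be safer.
        while (aliases.hasMoreElements()) {
            alias = aliases.nextElement();
            UserCert = (X509Certificate) ks.getCertificate(alias);
            UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
            // The key entry is opened with the same password as the keystore itself.
            UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);
        }
        return MakeSignature(data);
    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("generateSignature" + e.getCause());
        // Keep the root cause so callers can see why signing failed.
        throw new Exception("generateSignature failed", e);
    }
}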
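/**
 * Builds a CMS SignedData over {@code data} with the private key and certificate stored
 * under the current {@code alias} of {@code ks}, and returns the encoded structure as
 * Base64 text.
 *
 * @param data text to sign; it is encoded as UTF-8 before signing
 * @return the Base64 encoding of the CMS SignedData, or {@code ""} if any step failed
 */
private static String MakeSignature(String data) {
    System.out.println("@@inside MakeSignature...");
    try {
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);
        myPubCert = (X509Certificate) ks.getCertificate(alias);
        Store certs = new JcaCertStore(Arrays.asList(myPubCert));
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));
        generator.addCertificates(certs);
        // Name the charset: the platform default differs between machines, and the bytes
        // that get signed must match what a verifier (or another implementation) hashes.
        CMSTypedData content = new CMSProcessableByteArray(data.getBytes("UTF-8"));
        // true = embed the signed content in the SignedData instead of a detached signature.
        CMSSignedData signed = generator.generate(content, true);
        // NOTE(review): presumably sun.misc.BASE64Encoder, which newer JDKs no longer ship;
        // java.util.Base64 is the supported replacement but wraps lines differently - confirm
        // what the consumer expects before switching.
        BASE64Encoder encoder = new BASE64Encoder();
        return encoder.encode(signed.getEncoded());
    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("MakeSignature ==" + e.getCause());
        // NOTE(review): a failure is reported as an empty string; callers must check for it
        // so that "" is never treated as a signature.
        return "";
    }
}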
还有一些相关的函数,但为了简单起见,我不添加它
现在我想用PHP做同样的事情
PHP 无法像 Java 那样直接使用 JKS 密钥库。
我尝试了使用不同加密方法的 openssl 函数,但没有得到与 Java 代码相同的预期结果(“不相同”指的是生成的签名的位数和长度)。
有人能帮我用PHP实现相同的签名生成吗?我认为PHP官方文档非常清楚: 示例#1创建自签名证书
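/**
 * Loads the JKS keystore at the hard-coded path, copies the certificate and keys of its
 * entries into the shared fields ({@code ks}, {@code alias}, {@code UserCert},
 * {@code UserCertPubKey}, {@code UserCertPrivKey}; declared outside this method) and
 * returns what {@code MakeSignature} produces for {@code data}.
 *
 * @param data text to sign
 * @return the value returned by {@code MakeSignature(data)}
 * @throws Exception if the keystore cannot be opened or loaded or a key cannot be recovered;
 *         the original failure is attached as the cause
 */
public static String generateSignature(String data) throws Exception {
    // NOTE(review): this prints the complete payload to stdout; shorten or drop it if the
    // signed data can be sensitive.
    System.out.println("@@inside generateSignature: " + data);
    String jksFilepath = "E:\\test.jks";
    try {
        // Register BouncyCastle so that the provider name "BC" can be resolved when signing.
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        ks = KeyStore.getInstance("jks");
        // try-with-resources closes the keystore file on every path, including load failures.
        try (FileInputStream fileInputStream = new FileInputStream(jksFilepath)) {
            ks.load(fileInputStream, JKSPassword);
        }
        Enumeration<String> aliases = ks.aliases();
        // Every alias overwrites the shared fields, so the entry enumerated last is the one
        // used for signing. NOTE(review): with more than one entry in the keystore the
        // choice depends on enumeration order; selecting the alias explicitly would be safer.
        while (aliases.hasMoreElements()) {
            alias = aliases.nextElement();
            UserCert = (X509Certificate) ks.getCertificate(alias);
            UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
            // The key entry is opened with the same password as the keystore itself.
            UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);
        }
        return MakeSignature(data);
    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("generateSignature" + e.getCause());
        // Keep the root cause so callers can see why signing failed.
        throw new Exception("generateSignature failed", e);
    }
}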
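/**
 * Builds a CMS SignedData over {@code data} with the private key and certificate stored
 * under the current {@code alias} of {@code ks}, and returns the encoded structure as
 * Base64 text.
 *
 * @param data text to sign; it is encoded as UTF-8 before signing
 * @return the Base64 encoding of the CMS SignedData, or {@code ""} if any step failed
 */
private static String MakeSignature(String data) {
    System.out.println("@@inside MakeSignature...");
    try {
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);
        myPubCert = (X509Certificate) ks.getCertificate(alias);
        Store certs = new JcaCertStore(Arrays.asList(myPubCert));
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));
        generator.addCertificates(certs);
        // Name the charset: the platform default differs between machines, and the bytes
        // that get signed must match what a verifier (or another implementation) hashes.
        CMSTypedData content = new CMSProcessableByteArray(data.getBytes("UTF-8"));
        // true = embed the signed content in the SignedData instead of a detached signature.
        CMSSignedData signed = generator.generate(content, true);
        // NOTE(review): presumably sun.misc.BASE64Encoder, which newer JDKs no longer ship;
        // java.util.Base64 is the supported replacement but wraps lines differently - confirm
        // what the consumer expects before switching.
        BASE64Encoder encoder = new BASE64Encoder();
        return encoder.encode(signed.getEncoded());
    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("MakeSignature ==" + e.getCause());
        // NOTE(review): a failure is reported as an empty string; callers must check for it
        // so that "" is never treated as a signature.
        return "";
    }
}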
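<?php
// Distinguished name written into the CSR and the self-signed certificate
$dn = array(
    "countryName" => "GB",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@example.com"
);
// Generate a new private (and public) key pair
$privkey = openssl_pkey_new(array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
));
// Each step needs the result of the previous one, so it only runs if that one succeeded;
// failures are reported by the error loop at the end.
// Generate a certificate signing request
$csr = ($privkey === false)
    ? false
    : openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
// Generate a self-signed cert (no CA certificate given), valid for 365 days
$x509 = is_bool($csr)
    ? false
    : openssl_csr_sign($csr, null, $privkey, 365, array('digest_alg' => 'sha256'));
// Export the CSR, the self-signed cert and the private key as PEM and print them
if (!is_bool($csr)) {
    openssl_csr_export($csr, $csrout) and var_dump($csrout);
}
if ($x509 !== false) {
    openssl_x509_export($x509, $certout) and var_dump($certout);
}
if ($privkey !== false) {
    // The exported key is encrypted with the passphrase. "mypassword" is the sample value;
    // real code should read the passphrase from configuration and should not print the key.
    openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
}
// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}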
以下 Java 和 PHP 代码从 PKCS12 密钥库(keystore.pfx)获取私钥,并对 data.txt 文件的内容进行签名。使用相同的密钥库和数据,两种实现返回完全相同的输出:
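Java 版本只使用纯 Java(没有 BouncyCastle),因为 java.security 的类可以很好地处理 PKCS12 输入。注意:这里得到的是原始的 SHA256withRSA 签名值,而不是问题中 CMSSignedDataGenerator 生成的 CMS SignedData 结构,两者的长度和格式并不相同: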
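/**
 * Signs the contents of data.txt with the private key stored in keystore.pfx and prints
 * the signature as Base64.
 *
 * @param args unused
 * @throws Exception if the keystore or the data file cannot be read or signing fails
 */
public static void main(String[] args) throws Exception {
    String keyStoreFile = "keystore.pfx";
    // Sample password of this example; real code should not hard-code it.
    char[] password = "password".toCharArray();
    String dataFile = "data.txt";
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
    byte[] signature = signData(priv, dataFile);
    System.out.println(Base64.getEncoder().encodeToString(signature));
}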
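/**
 * Computes a SHA256withRSA signature over the contents of a file.
 *
 * @param priv private key to sign with
 * @param dataFile path of the file whose bytes are signed
 * @return the raw signature bytes
 * @throws Exception if the file cannot be read or the key is not usable for signing
 */
private static byte[] signData(PrivateKey priv, String dataFile) throws Exception {
    Signature signer = Signature.getInstance("SHA256withRSA");
    signer.initSign(priv);
    // try-with-resources closes both streams, so no explicit close() is needed.
    try (FileInputStream fis = new FileInputStream(dataFile);
         BufferedInputStream bufin = new BufferedInputStream(fis)) {
        byte[] buffer = new byte[1024];
        int len;
        // Feed the file to the signer in chunks; read() returns -1 at end of file.
        while ((len = bufin.read(buffer)) >= 0) {
            signer.update(buffer, 0, len);
        }
        return signer.sign();
    }
}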
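/**
 * Reads the private key stored under alias "1" from a PKCS12 keystore file.
 *
 * @param keyStoreFile path of the PKCS12 file
 * @param password password used both for the keystore and for the key entry
 * @return the private key
 * @throws Exception if the file cannot be read, the password is wrong, or no key is stored
 *         under the alias
 */
private static PrivateKey loadPrivateKey(String keyStoreFile, char[] password) throws Exception {
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
        ks.load(fin, password);
        // NOTE(review): "1" is presumably the alias Java assigns to an entry exported
        // without a friendly name; confirm with ks.aliases() for other keystores.
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
        if (priv == null) {
            // getKey returns null for an unknown alias; fail here with a clear message
            // instead of handing a null key to the signer.
            throw new IllegalStateException("No private key under alias \"1\" in " + keyStoreFile);
        }
        return priv;
    }
}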
PHP版本:
我使用 OpenSSL 生成 PKCS12 密钥库文件 keystore.pfx:
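# Generate a new RSA private key (2048 bits; 1024-bit RSA is too short for new keys).
# private.pem is written unencrypted, so keep its file permissions tight.
openssl genrsa -out private.pem 2048
# A CSR and a signed certificate are needed to export as a PKCS12 store
openssl req -new -key private.pem -out certificate.csr
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
# Export as a PKCS12 keystore.
# "pass:password" is the sample password; given this way it is visible in the process list
# and shell history, so use another -passout source for a real keystore.
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password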
您也可以使用 OpenSSL 对 data.txt 进行签名:
# Sign data.txt with SHA-256 and the RSA key, then Base64-encode the binary signature
openssl dgst -sha256 -sign private.pem data.txt | openssl enc -base64
还有一件事需要注意,因为这似乎总是令人困惑:
您不能使用证书对数据进行签名。你是谁