Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/java/397.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181

Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/security/4.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
用java生成证书链_Java_Security_Rsa_X509certificate_Jce - Fatal编程技术网
Fatal编程技术网
  • java/
  • 用java生成证书链

用java生成证书链

java security

用java生成证书链,java,security,rsa,x509certificate,jce,Java,Security,Rsa,X509certificate,Jce,问题是如何在Java中以编程方式生成证书链。换言之,我想用java执行此处详述的操作: 实际上,我可以为新客户端创建RSA密钥: private KeyPair genRSAKeyPair(){ // Get RSA key factory: KeyPairGenerator kpg = null; try { kpg = KeyPairGenerator.getInstance("RSA"); } catch (NoSuchAlgorithmEx

问题是如何在Java中以编程方式生成证书链。换言之,我想用java执行此处详述的操作:

实际上,我可以为新客户端创建RSA密钥:

private KeyPair genRSAKeyPair(){
    // Get RSA key factory:
    KeyPairGenerator kpg = null;
    try {
        kpg = KeyPairGenerator.getInstance("RSA");
    } catch (NoSuchAlgorithmException e) {
        log.error(e.getMessage());
        e.printStackTrace();
        return null;
    }
    // Generate RSA public/private key pair:
    kpg.initialize(RSA_KEY_LEN);
    KeyPair kp = kpg.genKeyPair();
    return kp;
}

并生成相应的证书:

private X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
  throws GeneralSecurityException, IOException  {
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000l);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

    // Sign the cert to identify the algorithm that's used.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);

    // Update the algorith, and resign.
    algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
    cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);
    return cert;
}

然后生成证书签名请求并将其保存到csrFile文件:

public static void writeCertReq(File csrFile, String alias, String keyPass, KeyStore ks) 
        throws KeyStoreException, 
               NoSuchAlgorithmException, 
               InvalidKeyException, 
               IOException, 
               CertificateException, 
               SignatureException, 
               UnrecoverableKeyException {

    Object objs[] = getPrivateKey(ks, alias, keyPass.toCharArray());
    PrivateKey privKey = (PrivateKey) objs[0];

    PKCS10 request = null;

    Certificate cert = ks.getCertificate(alias);
    request = new PKCS10(cert.getPublicKey());
    String sigAlgName = "MD5WithRSA";
    Signature signature = Signature.getInstance(sigAlgName);
    signature.initSign(privKey);
    X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
    X500Signer signer = new X500Signer(signature, subject);
    request.encodeAndSign(signer);
    request.print(System.out);
    FileOutputStream fos = new FileOutputStream(csrFile);
    PrintStream ps = new PrintStream(fos);
    request.print(ps);
    fos.close();
}
在哪里

现在我应该用CA私钥对CSR进行签名,但我不知道如何在java中实现这一点。我的jks中有“我自己的”CA私钥

此外,一旦我成功签署了CSR,我就应该将CA证书与已签署的CSR链接起来:在java中如何做到这一点

我不希望使用bc或其他外部LIB,只希望使用“sun.security”类

谢谢。

对不起,尽管你有这个愿望,除了写下你所有的密码并将其包含在你的项目中(不推荐),我还是建议你在这里使用Bouncy Castle

具体地说,请参考-其中包括您想要做什么的代码。

我看到您已经到了房子的BouncyCastle一侧,但以防万一其他人想知道;将密钥放入密钥库时,可以将证书链添加到条目中。比如说

// build your certs 

KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load([keystore stream], password.toCharArray());// or null, null if it's a brand new store
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _clientCert;
chain[1] = _caCert;
keyStore.setKeyEntry("Alias", _clientCertKey, password.toCharArray(), chain);
keyStore.store([output stream], password.toCharArray());

// do other stuff
我相信本文中的代码示例将向您展示如何使用纯Java生成证书链。它不要求您使用Bouncy Castle。

好的。就这样吧。我将加入BC,我将受益于您的链接。谢谢提醒:您需要SUN提供的“CertAndKeyGen”才能使其正常工作。 
// build your certs 

KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load([keystore stream], password.toCharArray());// or null, null if it's a brand new store
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _clientCert;
chain[1] = _caCert;
keyStore.setKeyEntry("Alias", _clientCertKey, password.toCharArray(), chain);
keyStore.store([output stream], password.toCharArray());

// do other stuff