Common Java Operations on Digital Certificates (Repost 2) Software Technology
Posted by kkk888929 on 2008/4/22 14:15:21
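9 Issuing a digital certificate from a Java program

    // Imports needed by the fragments in this section
    import java.io.*;
    import java.security.*;
    import java.security.cert.CertificateFactory;
    import java.util.Date;
    import sun.security.x509.*;   // internal JDK package, not a supported API

(1) Read the CA certificate from the keystore

    FileInputStream in = new FileInputStream(".keystore");
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(in, storepass.toCharArray());
    java.security.cert.Certificate c1 = ks.getCertificate("caroot");

(2) Read the CA private key from the keystore

    // alias is the alias of the CA's key entry; cakeypass is that entry's password
    PrivateKey caprk = (PrivateKey) ks.getKey(alias, cakeypass.toCharArray());

(3) Extract the issuer information from the CA certificate

    byte[] encod1 = c1.getEncoded();                  // get the encoding of the CA certificate
    X509CertImpl cimp1 = new X509CertImpl(encod1);    // create an X509CertImpl object from that encoding
    X509CertInfo cinfo1 = (X509CertInfo) cimp1.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);   // get the X509CertInfo object
    // get the issuer information as an X500Name (the CA's subject becomes the new certificate's issuer)
    X500Name issuer = (X500Name) cinfo1.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME);

(4) Load the certificate to be signed

    // Despite its name, user.csr must contain an X.509 certificate:
    // generateCertificate() parses certificates, not PKCS#10 requests.
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    FileInputStream in2 = new FileInputStream("user.csr");
    java.security.cert.Certificate c2 = cf.generateCertificate(in2);   // fixed: the original read from in, the keystore stream

(5) Extract the certificate information from the certificate to be signed

    byte[] encod2 = c2.getEncoded();
    X509CertImpl cimp2 = new X509CertImpl(encod2);    // create an X509CertImpl object from that encoding
    X509CertInfo cinfo2 = (X509CertInfo) cimp2.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);   // get the X509CertInfo object

(6) Set the validity period of the new certificate

    Date begindate = new Date();                                                 // current time
    Date enddate = new Date(begindate.getTime() + 3000 * 24 * 60 * 60 * 1000L);  // valid for 3000 days
    CertificateValidity cv = new CertificateValidity(begindate, enddate);        // create the validity object
    cinfo2.set(X509CertInfo.VALIDITY, cv);                                       // set the validity period

(7) Set the serial number of the new certificate

    // Uses the current time as the serial number. This is predictable; CAs today use random serial numbers.
    int sn = (int) (begindate.getTime() / 1000);
    CertificateSerialNumber csn = new CertificateSerialNumber(sn);
    cinfo2.set(X509CertInfo.SERIAL_NUMBER, csn);

(8) Set the issuer of the new certificate

    cinfo2.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer);   // uses the result of step (3)

(9) Set the signature algorithm information of the new certificate

    // MD5 is collision-broken for certificate signatures; SHA256withRSA is the usual choice today.
    // The algorithm set here and the one passed to sign() in step (10) must match.
    AlgorithmId algorithm = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    cinfo2.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algorithm);

(10) Create the certificate and sign it with the CA private key

    X509CertImpl newcert = new X509CertImpl(cinfo2);
    newcert.sign(caprk, "MD5WithRSA");   // sign with the CA private key

(11) Write the new certificate to a keystore

    ks.setCertificateEntry("lf_signed", newcert);
    FileOutputStream out = new FileOutputStream("newstore");
    ks.store(out, "newpass".toCharArray());

This writes a new keystore; the entry can also be added using the method in item 7.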
10 Verifying a digital certificate

(1) Check the certificate's validity period

(a) Obtain an X509Certificate object

    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    FileInputStream in1 = new FileInputStream("aa.crt");
    java.security.cert.Certificate c1 = cf.generateCertificate(in1);
    X509Certificate t = (X509Certificate) c1;
    in1.close();   // fixed: the original closed in2, which does not exist at this point

(b) Get the date

    Date TimeNow = new Date();

(c) Check validity

    try {
        t.checkValidity(TimeNow);
        System.out.println("OK");
    } catch (CertificateExpiredException e) {       // expired
        System.out.println("Expired");
        System.out.println(e.getMessage());
    } catch (CertificateNotYetValidException e) {   // not yet valid
        System.out.println("Too early");
        System.out.println(e.getMessage());
    }

(2) Verify the certificate's signature

(a) Obtain the CA certificate

    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    FileInputStream in2 = new FileInputStream("caroot.crt");
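The two checks of section 10 (validity period, then the signature against the CA certificate) in one routine, as an added example that is not part of the original post. It uses only the public java.security.cert API; the class name VerifyIssuedCert, the issuer-DN comparison and the weak-hash rejection are additions made here, and the default file names aa.crt and caroot.crt are the ones the article uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

public class VerifyIssuedCert {   // hypothetical class name

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {   // stream is always closed
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Returns the list of problems found; an empty list means every check passed.
    static List<String> check(X509Certificate cert, X509Certificate ca, Date when) {
        List<String> problems = new ArrayList<>();
        try {
            cert.checkValidity(when);
        } catch (CertificateExpiredException e) {
            problems.add("expired: " + e.getMessage());
        } catch (CertificateNotYetValidException e) {
            problems.add("not yet valid: " + e.getMessage());
        }
        // The issuer named in the certificate must be the CA we are about to trust.
        if (!cert.getIssuerX500Principal().equals(ca.getSubjectX500Principal()))
            problems.add("issuer DN does not match the CA subject DN");
        try {
            cert.verify(ca.getPublicKey());   // was it signed with the CA private key?
        } catch (GeneralSecurityException e) {
            problems.add("signature check failed: " + e);
        }
        // Added policy check: reject collision-prone hashes such as the MD5WithRSA used in section 9.
        String alg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        if (alg.contains("MD5") || alg.contains("MD2") || alg.startsWith("SHA1"))
            problems.add("weak signature algorithm: " + cert.getSigAlgName());
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // File names from the article; pass two paths to check other files.
        String certPath = args.length > 0 ? args[0] : "aa.crt";
        String caPath = args.length > 1 ? args[1] : "caroot.crt";
        List<String> problems = check(load(certPath), load(caPath), new Date());
        if (problems.isEmpty()) System.out.println("OK");
        else problems.forEach(p -> System.out.println("FAIL: " + p));
    }
}
```

A certificate issued exactly as in section 9 passes the validity, issuer and signature checks here but is still reported for its MD5WithRSA signature.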