java Generate certificate chain in java
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/12330975/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Generate certificate chain in java
Asked by matteo rulli
The question is how to generate certificate chains programmatically in Java. In other words, I would like to perform in Java the operations detailed here: http://fusesource.com/docs/broker/5.3/security/i382664.html
Basically, I can create the RSA keys for a new client:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

// RSA_KEY_LEN and log are fields of the enclosing class (not shown in the question).
private KeyPair genRSAKeyPair() {
    // Get RSA key factory:
    KeyPairGenerator kpg = null;
    try {
        kpg = KeyPairGenerator.getInstance("RSA");
    } catch (NoSuchAlgorithmException e) {
        log.error(e.getMessage());
        e.printStackTrace();
        return null;
    }
    // Generate RSA public/private key pair:
    kpg.initialize(RSA_KEY_LEN);
    KeyPair kp = kpg.genKeyPair();
    return kp;
}
and I generate the corresponding certificate:
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.x509.*;   // JDK-internal API; on JDK 9+ it needs --add-exports java.base/sun.security.x509=ALL-UNNAMED

private X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
        throws GeneralSecurityException, IOException {
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(dn);
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));   // self-signed: issuer == subject
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    // Placeholder algorithm id, replaced below by the one the signature actually used.
    // (MD5withRSA is rejected by certificate-path validation in current JDKs.)
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
    // Sign the cert to identify the algorithm that's used.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);
    // Update the algorithm, and re-sign.
    algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
    cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);
    return cert;
}
Then I generate the cert signing request and I save it to the csrFile file:
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import sun.security.pkcs.PKCS10;     // JDK-internal API
import sun.security.x509.X500Name;
import sun.security.x509.X500Signer;

public static void writeCertReq(File csrFile, String alias, String keyPass, KeyStore ks)
        throws KeyStoreException, NoSuchAlgorithmException, InvalidKeyException, IOException,
               CertificateException, SignatureException, UnrecoverableKeyException {
    Object[] objs = getPrivateKey(ks, alias, keyPass.toCharArray());
    PrivateKey privKey = (PrivateKey) objs[0];
    Certificate cert = ks.getCertificate(alias);
    // The request carries the public key of the existing (self-signed) entry ...
    PKCS10 request = new PKCS10(cert.getPublicKey());
    String sigAlgName = "MD5WithRSA";
    Signature signature = Signature.getInstance(sigAlgName);
    signature.initSign(privKey);   // ... and is signed with the matching private key (proof of possession)
    X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
    X500Signer signer = new X500Signer(signature, subject);
    request.encodeAndSign(signer);
    request.print(System.out);
    // try-with-resources flushes and closes the file even if print() throws
    try (PrintStream ps = new PrintStream(new FileOutputStream(csrFile))) {
        request.print(ps);
    }
}
where
private static Object[] getPrivateKey(KeyStore ks, String alias, char[] keyPass)
        throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException {
    // For a key entry, getKey() returns the PrivateKey stored under the alias
    Key key = ks.getKey(alias, keyPass);
    return new Object[] { (PrivateKey) key, keyPass };
}
Now I should sign the CSR with the CA private key, but I cannot see how to achieve that in Java. I have "my own" CA private key in my jks.
Besides, once I manage to sign the CSR I should chain the CA cert with the signed CSR: how can that be done in Java?
I would prefer not to use bc or other external libs, just "sun.security" classes.
Thank you.
Accepted answer by ziesemer
Sorry, but despite your desires, and besides writing all of your crypto code and including it with your project (not recommended), I'd recommend using Bouncy Castle here.
Specifically, please refer to https://stackoverflow.com/a/7366757/751158 , which includes code for exactly what you're looking to do.
Answered by PixelsTech
I believe the code example in the post http://www.pixelstech.net/article/1406726666-Generate-certificate-in-Java----2 will show you how to generate a certificate chain with pure Java. It doesn't require you to use Bouncy Castle.
Answered by grauwulf
I see you've already gone over to the BouncyCastle side of the house, but just in case anyone else was wondering: you can add the cert chain to the entry when putting the key into the KeyStore. For example
// build your certs
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load([keystore stream], password.toCharArray());// or null, null if it's a brand new store
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _clientCert;
chain[1] = _caCert;
keyStore.setKeyEntry("Alias", _clientCertKey, password.toCharArray(), chain);
keyStore.store([output stream], password.toCharArray());
// do other stuff
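Added example, not code from the question or from any of the answers above: one complete Java program that covers the two pieces the thread leaves open. It follows ziesemer's recommendation and uses Bouncy Castle (bcpkix and bcprov assumed on the classpath) to have a CA verify a PKCS#10 request and issue a certificate for it, then stores the resulting chain with `setKeyEntry` exactly as in grauwulf's snippet, and finally validates the chain with the JDK's own PKIX validator so you can see the chain is accepted by a relying party. The class name `CaSignDemo`, the distinguished names, the alias `client1`, the password and the output file `client1.p12` are all constructed for the demo, and the CA key pair is generated in memory rather than loaded from a jks as in the question.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CaSignDemo {
    static final long DAY_MS = 86_400_000L;
    static final String SIG_ALG = "SHA256withRSA";   // not the MD5withRSA used in the question

    public static void main(String[] args) throws Exception {
        // Constructed demo CA; a real CA would load these from its own keystore.
        KeyPair caKp = genRsa(2048);
        X509Certificate caCert = selfSignedCa(caKp, "CN=Demo Root CA, O=Example", 3650);
        // Client side: key pair plus a PKCS#10 CSR signed with the client key.
        KeyPair clientKp = genRsa(2048);
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name("CN=client1, O=Example"), clientKp.getPublic())
            .build(new JcaContentSignerBuilder(SIG_ALG).build(clientKp.getPrivate()));
        // CA side: check and sign the CSR.
        X509Certificate clientCert = signCsr(csr, caCert, caKp.getPrivate(), 365);
        // Chain order for setKeyEntry: end-entity first, then its issuer(s).
        X509Certificate[] chain = { clientCert, caCert };
        char[] pw = "changeit".toCharArray();            // constructed demo password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                             // brand-new store
        ks.setKeyEntry("client1", clientKp.getPrivate(), pw, chain);
        try (FileOutputStream out = new FileOutputStream("client1.p12")) {
            ks.store(out, pw);
        }
        // Check the chain as a relying party would, with caCert as the only trust anchor.
        validateChain(chain, caCert);
    }

    static KeyPair genRsa(int bits) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    static X509Certificate selfSignedCa(KeyPair kp, String dn, int days) throws Exception {
        X500Name name = new X500Name(dn);
        Date from = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(name,
                new BigInteger(64, new SecureRandom()), from,
                new Date(from.getTime() + days * DAY_MS), name, kp.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        b.addExtension(Extension.subjectKeyIdentifier, false,
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(kp.getPublic()));
        ContentSigner signer = new JcaContentSignerBuilder(SIG_ALG).build(kp.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    static X509Certificate signCsr(PKCS10CertificationRequest csr, X509Certificate caCert,
                                   PrivateKey caKey, int days) throws Exception {
        JcaPKCS10CertificationRequest req = new JcaPKCS10CertificationRequest(csr);
        PublicKey subjectKey = req.getPublicKey();
        // Proof of possession: the CSR must verify under the key it carries.
        if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().build(subjectKey))) {
            throw new SecurityException("CSR signature does not verify; request rejected");
        }
        Date from = new Date();
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(caCert,
                new BigInteger(64, new SecureRandom()), from,
                new Date(from.getTime() + days * DAY_MS), req.getSubject(), subjectKey);
        // The CA sets the profile itself; extensions requested in the CSR are not copied blindly.
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectKey));
        b.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(caCert));
        ContentSigner signer = new JcaContentSignerBuilder(SIG_ALG).build(caKey);
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    static void validateChain(X509Certificate[] chain, X509Certificate root) throws Exception {
        // The CertPath holds every cert except the trust anchor, which goes into the parameters.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain).subList(0, chain.length - 1));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);   // offline demo: no CRL/OCSP source configured
        CertPathValidator.getInstance("PKIX").validate(path, params);   // throws on a bad chain
    }
}
```

The shape generalizes beyond the two-certificate case in the thread: with an intermediate CA, `signCsr` is called with the intermediate's certificate and key, the array becomes `{ clientCert, intermediateCert, rootCert }`, and `validateChain` still puts everything but the last element into the CertPath while the root stays the trust anchor. The CSR signature check in `signCsr` is the step that keeps a CA from certifying a public key its requester does not actually hold, and choosing the extensions on the CA side (rather than copying whatever the CSR asks for) is what stops a client request from turning itself into a CA certificate.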