java程序实现对证书的操作

1 Java程序从证书文件读取证书

import java.io.*;
import java.security.cert.*; 
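public class PrintCert{
    /**
     * Reads an X.509 certificate from a file and writes its textual dump to a file.
     *
     * <p>Defaults are {@code my.cer} (input) and {@code tmp.txt} (output); the first and
     * second command-line arguments override them, so the original no-argument use is unchanged.
     *
     * @param args optional {@code [certFile [outFile]]}
     * @throws Exception if a file cannot be read/written or the input is not a valid X.509 certificate
     */
    public static void main(String args[ ]) throws Exception{
        String certFile = args.length > 0 ? args[0] : "my.cer";
        String outFile = args.length > 1 ? args[1] : "tmp.txt";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c;
        // try-with-resources closes the stream even when parsing throws; the original leaked it on error
        try (InputStream in = new FileInputStream(certFile)) {
            c = cf.generateCertificate(in);
        }
        String s = c.toString();
        // charset named explicitly so the dump does not depend on the platform default encoding
        try (BufferedWriter out = new BufferedWriter(
                new OutputStreamWriter(new FileOutputStream(outFile), "UTF-8"))) {
            out.write(s, 0, s.length());
        }
    }
}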

 2 Java程序从密钥库直接读取证书

import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
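public class PrintCert2{
    /**
     * Loads a JKS keystore and prints the certificate stored under one alias.
     *
     * <p>Defaults are keystore {@code .keystore}, alias {@code mykey} and password
     * {@code 080302}; the first, second and third command-line arguments override them.
     *
     * @param args optional {@code [keystoreFile [alias [password]]]}
     * @throws IllegalArgumentException if the alias has no certificate entry
     * @throws Exception on keystore, I/O or password errors
     */
    public static void main(String args[ ]) throws Exception{
        String name = args.length > 0 ? args[0] : ".keystore";
        String alias = args.length > 1 ? args[1] : "mykey";
        // The default password is embedded only to keep the demo self-contained; real code
        // should obtain it from a prompt (Console.readPassword) or a secret store.
        char[] pass = (args.length > 2 ? args[2] : "080302").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(name)) {
            ks.load(in, pass);
        } finally {
            // clear the password from memory once the store is open
            java.util.Arrays.fill(pass, '\0');
        }
        Certificate c = ks.getCertificate(alias);
        if (c == null) {
            // getCertificate() returns null instead of throwing when the alias is absent;
            // the original would have died with a NullPointerException on toString()
            throw new IllegalArgumentException("no certificate entry for alias " + alias + " in " + name);
        }
        System.out.println(c.toString());
    }
}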
3 Java程序显示证书指定信息(全名/公钥/签名等)

import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.math.*;
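public class ShowCertInfo{
    /**
     * Prints the main fields of an X.509 certificate: version, serial number, subject,
     * issuer, validity window, signature algorithm, signature bytes and the encoded public key.
     *
     * @param args optional first argument is the certificate file; defaults to {@code my.cer}
     * @throws Exception on I/O or parse errors
     */
    public static void main(String args[ ]) throws Exception{
        String certFile = args.length > 0 ? args[0] : "my.cer";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        java.security.cert.Certificate c;
        // try-with-resources closes the stream even when parsing throws
        try (InputStream in = new FileInputStream(certFile)) {
            c = cf.generateCertificate(in);
        }
        // an "X.509" factory always produces X509Certificate instances, so the cast is safe
        X509Certificate t = (X509Certificate) c;
        System.out.println("版本号 " + t.getVersion());
        System.out.println("序列号 " + t.getSerialNumber().toString(16));
        // getSubjectDN()/getIssuerDN() are deprecated; the X500Principal accessors are the supported API
        System.out.println("全名 " + t.getSubjectX500Principal());
        // "\n" restored: the page had lost the backslash, printing a literal 'n'
        System.out.println("签发者全名\n" + t.getIssuerX500Principal());
        System.out.println("有效期起始日 " + t.getNotBefore());
        System.out.println("有效期截至日 " + t.getNotAfter());
        System.out.println("签名算法 " + t.getSigAlgName());
        byte[] sig = t.getSignature();
        // signum 1 treats the signature as an unsigned magnitude; new BigInteger(sig) would
        // print a negative hex value whenever the first byte is >= 0x80
        System.out.println("签名\n" + new BigInteger(1, sig).toString(16));
        PublicKey pk = t.getPublicKey();
        byte[] pkenc = pk.getEncoded();
        System.out.println("公钥");
        // the loop header was garbled on the page; iterate over the encoded key bytes
        for (int i = 0; i < pkenc.length; i++) {
            System.out.print(pkenc[i] + ",");
        }
        System.out.println();
    }
}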

4 数字签名-对数字证书的数字签名

import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.x509.*;
/*
 * CA密钥库和其密码、CA中要使用的条目和其密码,新密钥库和其密码、新的条目名称
 * 特别注意:java中有些类得到特别保护(比如X509CertImpl),必须设置规则才能访问【项目属性-Java Build Path-JRE  
 * System Library-Access Rules-Edit-"sun/**"(Accessible)】
 */
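public class SignCert{
    /** Validity of the issued certificate in days. The page's comment said 60 days while the code used 3000; the code value is kept. */
    private static final long VALIDITY_DAYS = 3000L;
    /** Signature algorithm. SHA-1 signatures are rejected by current clients and JDK security policies, so SHA-256 is used. */
    private static final String SIG_ALG = "SHA256withRSA";

    /**
     * Re-issues a certificate under a CA key: reads the CA entry from a keystore, takes the
     * TBS fields (subject, public key, ...) from an existing certificate file, replaces the
     * validity, serial number, issuer and signature algorithm, signs the result with the CA
     * private key and stores it in a new keystore.
     *
     * <p>Uses the non-exported {@code sun.security.x509} API; see the note above the class
     * about granting access to {@code sun/**}.
     *
     * @param args unused; file names, aliases and passwords are fixed below
     * @throws IllegalStateException if the CA alias has no key entry
     * @throws Exception on any keystore, I/O or signing error
     */
    public static void main(String args[ ]) throws Exception{
        String signerName = "keystore/ibe";
        String signerAlias = "he";
        // Passwords are hard-coded for the demo only; a real tool must read them from a prompt or secret store.
        char[] signerStorePass = "080302".toCharArray();
        char[] signerKeyPass = "080302".toCharArray();
        String CertName = "cert/ibe-mao.cer";
        String newStore = "keystore/newstore";
        String newStoreAlias = "mao";
        char[] newStorePass = "080302".toCharArray();

        // CA certificate and private key
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(signerName)) {
            ks.load(in, signerStorePass);
        }
        java.security.cert.Certificate c1 = ks.getCertificate(signerAlias);
        PrivateKey caprk = (PrivateKey) ks.getKey(signerAlias, signerKeyPass);
        if (c1 == null || caprk == null) {
            // both lookups return null rather than throwing when the alias is missing
            throw new IllegalStateException("keystore " + signerName + " has no key entry for alias " + signerAlias);
        }
        // issuer of the new certificate = subject of the CA certificate
        X509CertImpl cimp1 = new X509CertImpl(c1.getEncoded());
        X509CertInfo cinfo1 = (X509CertInfo) cimp1.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
        X500Name issuer = (X500Name) cinfo1.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME);

        // certificate to be re-signed (supplies subject and public key)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        java.security.cert.Certificate c2;
        try (InputStream in2 = new FileInputStream(CertName)) {
            c2 = cf.generateCertificate(in2);
        }
        X509CertImpl cimp2 = new X509CertImpl(c2.getEncoded());
        X509CertInfo cinfo2 = (X509CertInfo) cimp2.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);

        // validity window
        Date begindate = new Date();
        Date enddate = new Date(begindate.getTime() + VALIDITY_DAYS * 24 * 60 * 60 * 1000L);
        cinfo2.set(X509CertInfo.VALIDITY, new CertificateValidity(begindate, enddate));

        // serial number: random and positive. RFC 5280 requires a positive integer; the
        // original timestamp-derived int was predictable, repeated for two issuances in the
        // same second, and would have gone negative after 2038.
        java.math.BigInteger serial =
                new java.math.BigInteger(63, new SecureRandom()).add(java.math.BigInteger.ONE);
        cinfo2.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serial));

        // issuer
        cinfo2.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer);
        // algorithm identifier in the TBS part; must match the algorithm passed to sign()
        AlgorithmId algorithm = new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid);
        cinfo2.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algorithm);

        // build and sign
        X509CertImpl newcert = new X509CertImpl(cinfo2);
        newcert.sign(caprk, SIG_ALG);
        // print for a visual check
        System.out.println(newcert);

        // Store only the issued certificate in a fresh keystore. The original wrote the CA
        // keystore object itself to newStore, which copied the CA private-key entry into the
        // new file under the new store password.
        KeyStore newKs = KeyStore.getInstance("JKS");
        newKs.load(null, null);
        newKs.setCertificateEntry(newStoreAlias, newcert);
        try (OutputStream out = new FileOutputStream(newStore)) {
            newKs.store(out, newStorePass);
        }
    }
}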

注意:SignCert.java需要进行下面的处理才能正常导包。(eclipse把默认访问受限的api设成了error)
选中项目--右键--进入Properties(属性)视图
选中Java Build Path--点击Libraries--展开JRE System Library[JavaSE-1.6],选中Access rules这一项(如果没有,那就是JDK安装和配置的问题)。   
Edit--点击Add--在Rule Pattern(规则式样)编辑你允许导入的类库,如本例中输入(sun/**),允许就是在Resolution选项中选中Accessible(当然,有些项目需要可以选择Forbidden、Discourage某些类库)。
然后重启就可以了。
5 验证CertPath证书链
验证CertPath证书链-CertPathValidator类基于TrustAnchor验证证书链
CertPathValidator类中的validate( )方法可以使用现成的PKIX certification path验证算法直接验证CertPath类型的对象。方法的第一个参数传入要验证的CertPath对象,第二个参数传入PKIXParameters类型的对象,它提供了验证时所使用的参数。
为了得到PKIXParameters类型的对象,必须指定最信任哪些CA。
ValidateCP.java
package cert;
import java.io.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.util.*;
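public class ValidateCP{
    /**
     * Builds a certification path from certificate files and validates it with the PKIX
     * algorithm against a single trust anchor.
     *
     * @param args unused; the path and anchor file names are fixed below
     * @throws Exception on I/O or parse errors; a validation failure is printed, not thrown
     */
    public static void main(String args[ ]) throws Exception{
        // path order is end-entity first, as the PKIX validator expects
        String[] arg = new String[]{"cert/ibe-mao-signed.cer","cert/ibe-he.cer"};
        String trustAnchor = "cert/ibe-he.cer";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // the page had lost the generic type and the space in "List mylist"
        List<Certificate> mylist = new ArrayList<Certificate>();
        for (String file : arg) {
            // try-with-resources: the original never closed these streams
            try (InputStream in = new FileInputStream(file)) {
                mylist.add(cf.generateCertificate(in));
            }
        }
        // turn the certificate list into a certification path
        CertPath cp = cf.generateCertPath(mylist);
        // trust anchor
        Certificate trust;
        try (InputStream in = new FileInputStream(trustAnchor)) {
            trust = cf.generateCertificate(in);
        }
        // NOTE(review): the anchor file is also the last element of the path above; PKIX
        // paths normally exclude the trust anchor itself — confirm the JDK validator accepts this.
        TrustAnchor anchor = new TrustAnchor((X509Certificate) trust, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        // Revocation checking (CRL/OCSP) is disabled for this offline example; a real
        // deployment should leave it on or configure a PKIXRevocationChecker/CertStore.
        params.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            System.out.println(result);
            System.out.println(result.getTrustAnchor());
        } catch (CertPathValidatorException cpve) {
            // getIndex() is the position in the path of the certificate that failed
            System.out.println("Validation failure, cert[" + cpve.getIndex() + "] :" + cpve.getMessage());
        }
    }
}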

 


转载自blog.csdn.net/moonpure/article/details/84186110