import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Vector;
import java.util.Map.Entry;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.x509.CertAndKeyGen;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateExtensions;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.ExtendedKeyUsageExtension;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.SerialNumber;
import sun.security.x509.SubjectKeyIdentifierExtension;
import sun.security.x509.X500Name;
import sun.security.x509.X500Signer;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;
public class GenX509Cert {
private SecureRandom sr = new SecureRandom();
private String root = "Root";// 根证书前缀
private static String rootUser = "签名服务器";// 证书颁发者
public GenX509Cert() {
try {
sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
} catch (Exception e) {
System.err.println("实例化SecureRandom出错:"+e.getMessage());
}
}
public void createCert(X509Certificate certificate, PrivateKey rootPrivKey,
KeyPair kp, String certPath, String user, String password,
String sbh, String ip) throws Exception {
byte certbytes[] = certificate.getEncoded();
X509CertImpl x509certimpl = new X509CertImpl(certbytes);
X509CertInfo x509certinfo = (X509CertInfo) x509certimpl
.get("x509.info");
x509certinfo.set("key", new CertificateX509Key(kp.getPublic()));
CertificateExtensions certificateextensions = new CertificateExtensions();
certificateextensions.set("SubjectKeyIdentifier",
new SubjectKeyIdentifierExtension((new KeyIdentifier(kp
.getPublic())).getIdentifier()));
x509certinfo.set("extensions", certificateextensions);
// 设置issuer域
X500Name issuer = new X500Name("CN=" + rootUser
+ ",OU=hackwp,O=wp,L=BJ,S=BJ,C=CN");
x509certinfo.set("issuer.dname", issuer);
X500Name subject = new X500Name("CN=" + user
+ ", OU=wps, O=wps, L=BJ, ST=BJ, C=CN");
x509certinfo.set("subject.dname", subject);
Signature signature = Signature.getInstance("MD5WithRSA");
signature.initSign(kp.getPrivate());
X500Signer signer = new X500Signer(signature, issuer);
AlgorithmId algorithmid = signer.getAlgorithmId();
x509certinfo
.set("algorithmID", new CertificateAlgorithmId(algorithmid));
Date bdate = new Date();
Date edate = new Date();
// 天 小时 分 秒 毫秒
edate.setTime(bdate.getTime() + 3650L * 24L * 60L * 60L * 1000L);
// validity为有效时间长度 单位为秒
CertificateValidity certificatevalidity = new CertificateValidity(
bdate, edate);
x509certinfo.set("validity", certificatevalidity);
// 设置有效期域(包含开始时间和到期时间)域名等同与x509certinfo.VALIDITY
x509certinfo.set("serialNumber", new CertificateSerialNumber(
(int) (new Date().getTime() / 1000L)));
// 设置序列号域
CertificateVersion cv = new CertificateVersion(CertificateVersion.V3);
x509certinfo.set(X509CertInfo.VERSION, cv);
// 设置版本号 只有v1 ,v2,v3这几个合法值
/**
*以上是证书的基本信息 如果要添加用户扩展信息 则比较麻烦 首先要确定version必须是v3否则不行 然后按照以下步骤
**/
String userData = "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)";
byte l = (byte) userData.length();// 数据总长17位
byte f = 0x04;
byte[] bs = new byte[userData.length() + 2];
bs[0] = f;
bs[1] = l;
for (int i = 2; i < bs.length; i++) {
bs[i] = (byte) userData.charAt(i - 2);
}
KeyUsageExtension keyUsage = new KeyUsageExtension();
keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
keyUsage.set(KeyUsageExtension.NON_REPUDIATION, true);
keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
// 增强密钥用法
ObjectIdentifier ekeyOid = new ObjectIdentifier(new int[] { 1, 3, 6, 1,
5, 5, 7, 3, 3 });
Vector<ObjectIdentifier> vkeyOid = new Vector<ObjectIdentifier>();
vkeyOid.add(ekeyOid);
ExtendedKeyUsageExtension exKeyUsage = new ExtendedKeyUsageExtension(
vkeyOid);
CertificateExtensions exts = new CertificateExtensions();
exts.set("keyUsage", keyUsage);
exts.set("extendedKeyUsage", exKeyUsage);
// 如果有多个extension则都放入CertificateExtensions 类中,
x509certinfo.set(X509CertInfo.EXTENSIONS, exts);
X509CertImpl x509certimpl1 = new X509CertImpl(x509certinfo);
SerialNumber sn = new SerialNumber(new BigInteger(ip
+ System.currentTimeMillis()));
x509certimpl1.set(X509CertImpl.SERIAL_ID, sn);// 设置证书序列号
x509certimpl1.sign(rootPrivKey, "MD5WithRSA");// 使用另一个证书的私钥来签名此证书 这里使用
// md5散列 用rsa来加密
Certificate[] certChain = { x509certimpl1 };
savePfx(Util.certCA, kp.getPrivate(), password, certChain, certPath);
// 生成文件
x509certimpl1.verify(certificate.getPublicKey(), null);
}
/**
* 保存pfx文件,里面包括公钥,私钥,证书链别名
*
* @param alias
* @param privKey
* @param pwd
* @param certChain
* @param filepath
* @throws Exception
*/
public void savePfx(String alias, PrivateKey privKey, String pwd,
Certificate[] certChain, String filepath) throws Exception {
FileOutputStream out = null;
try {
KeyStore outputKeyStore = KeyStore.getInstance("pkcs12");
outputKeyStore.load(null, pwd.toCharArray());
outputKeyStore.setKeyEntry(alias, privKey, pwd.toCharArray(),
certChain);
out = new FileOutputStream(filepath);
outputKeyStore.store(out, pwd.toCharArray());
} finally {
if (out != null)
out.close();
}
}
/**
* 生成用户证书
*
* @param sbh
* 纳税人识别号(文件名,不包含后缀)
* @param user
* 证书使用者
* @param path
* 证书保存路径(不包括文件名),如要保存在D盘的home目录下则输入:D:/home
* @param password
* 证书密码
* @param ip
* 客户端请求的ip
* @return map里面包含两个key,一个code,一个msg,如果code等于0000则为生成成功,如果code不等于0000则为生成失败,
* msg里面保存失败原因
*/
public Map<String, String> createCA(String sbh, String user, String path,
String password, String ip) {
Map<String, String> map = new HashMap<String, String>();
if (sbh == null || "".equals(sbh)) {
map.put("code", "-1");
map.put("msg", "纳税人识别号不能为空");
return map;
}
if (user == null || "".equals(user)) {
map.put("code", "-1");
map.put("msg", "证书使用者不能为空");
return map;
}
if (path == null || "".equals(path)) {
map.put("code", "-1");
map.put("msg", "保存路径不能为空");
return map;
}
if (password == null || "".equals(password)) {
map.put("code", "-1");
map.put("msg", "证书密码不能为空");
return map;
}
if (!Util.ipCheck(ip)) {// 验证IP地址是否合法
map.put("code", "-1");
map.put("msg", "IP地址不合法");
return map;
}
if(!new File(path).exists()){
map.put("code", "5555");
map.put("msg", "保存文件的目录不存在");
return map;
}
String rootPath = path + File.separator + root + sbh + ".pfx";
String certPath = path + File.separator + sbh + ".pfx";
File file = new File(rootPath);
if (file.exists()) {
map.put("code", "6666");
map.put("msg", "文件已存在");
return map;
}
try {
CertAndKeyGen cak = new CertAndKeyGen("RSA", "MD5WithRSA", null);
// 参数分别为 公钥算法 签名算法 providername(因为不知道确切的 只好使用null 既使用默认的provider)
cak.generate(1024);
cak.setRandom(sr);
// 生成一对key 参数为key的长度 对于rsa不能小于512
X500Name subject = new X500Name(
"CN=root,OU=root,O=wp,L=BJ,S=BJ,C=CN");
// subject name
X509Certificate certificate = cak.getSelfCertificate(subject,
new Date(), 365L * 24L * 60L * 60L * 1000L * 5L);
X509Certificate[] certs = { certificate };
savePfx(Util.rootCA, cak.getPrivateKey(), password, certs, rootPath);
ip = Util.getIpNum(ip);
signCert(rootPath, certPath, user, password, sbh, ip);
map.put("code", "0000");
map.put("msg", "用户证书生成成功");
return map;
} catch (Exception e) {
if (file != null) {
file.delete();
}
File file2 = new File(certPath);
if (file2.exists())
file2.delete();
map.put("code", "9999");
map.put("msg", "生成用户证书发生异常:" + e.getMessage());
return map;
}
}
/**
*
* @param rootPath
* 根证书路径
* @param certPath
* 用户证书路径
* @param user
* 证书使用者
* @param password
* 证书密码
* @param sbh
* 纳税人识别号
* @param ip
* 请求地址的ip
* @throws Exception
*/
public void signCert(String rootPath, String certPath, String user,
String password, String sbh, String ip) throws Exception {
FileInputStream ksfis = null;
try {
KeyStore ks = KeyStore.getInstance("pkcs12");
ksfis = new FileInputStream(rootPath);
char[] storePwd = password.toCharArray();
char[] keyPwd = password.toCharArray();
ks.load(ksfis, storePwd);
// 从密钥仓库得到私钥
PrivateKey privK = (PrivateKey) ks.getKey(Util.rootCA, keyPwd);
X509Certificate certificate = (X509Certificate) ks
.getCertificate(Util.rootCA);
createCert(certificate, privK, genKey(), certPath, user, password,
sbh, ip);
} finally {
if (ksfis != null)
ksfis.close();
}
}
public KeyPair genKey() throws NoSuchAlgorithmException {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024, sr);
KeyPair kp = kpg.generateKeyPair();
return kp;
}
/**
* 获取证书序列号和公钥
*
* @param path
* 证读取证书的路径
* @param pass
* 读取证书的密码
* @return
*/
public Map<String, String> getCertMessage(String path, String pass) {
Map<String, String> map = new HashMap<String, String>();
KeyStore ks;
FileInputStream fis = null;
if (pass == null || "".equals(pass) || path == null || "".equals(path)) {
map.put("code", "-1");
map.put("msg", "参数错误");
return map;
}
try {
ks = KeyStore.getInstance("PKCS12");
fis = new FileInputStream(path);
char[] nPassword = null;
if ((pass == null) || pass.trim().equals("")) {
nPassword = null;
} else {
nPassword = pass.toCharArray();
}
ks.load(fis, nPassword);
X509Certificate cert = (X509Certificate) ks
.getCertificate(Util.certCA);
PublicKey pubkey = cert.getPublicKey();
byte pb[] = Serializer.serialize(pubkey);
map.put("code", "0000");
map.put("msg", "数据返回成功");
map.put("certNumber", cert.getSerialNumber().toString());
map.put("cert", Base64Utils.encode(pb));
return map;
} catch (FileNotFoundException e) {
map.put("code", "1111");
map.put("msg", "文件没有找到:" + e.getMessage());
return map;
} catch (CertificateException e) {
map.put("code", "2222");
map.put("msg", "读取证书异常:" + e.getMessage());
return map;
} catch (IOException e) {
map.put("code", "4444");
map.put("msg", "IO异常:" + e.getMessage());
return map;
} catch (Exception e) {
map.put("code", "9999");
map.put("msg", "未知异常:" + e.getMessage());
return map;
}finally{
if(fis!=null)
try {
fis.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
/**
* 签名数据
*
* @param path
* 读取证书路径
* @param pass
* 读取证书密码
* @param data
* 待签名数据
* @return
*/
public Map<String, String> signData(String path, String pass, String data) {
Map<String, String> map = new HashMap<String, String>();
KeyStore ks;
FileInputStream fis = null;
if (pass == null || "".equals(pass) || path == null || "".equals(path)
|| data == null || "".equals(data)) {
map.put("code", "-1");
map.put("msg", "参数错误");
return map;
}
try {
ks = KeyStore.getInstance("PKCS12");
fis = new FileInputStream(path);
char[] nPassword = null;
if ((pass == null) || pass.trim().equals("")) {
nPassword = null;
} else {
nPassword = pass.toCharArray();
}
ks.load(fis, nPassword);
X509Certificate cert = (X509Certificate) ks.getCertificate(Util.certCA);
PrivateKey prikey = (PrivateKey) ks.getKey(Util.certCA, nPassword);
Signature sig = Signature.getInstance("MD5WithRSA");
sig.initSign(prikey);
sig.update(data.getBytes("UTF-8"));
byte b[] = sig.sign();
map.put("code", "0000");
map.put("msg", "数据返回成功");
map.put("certNumber", cert.getSerialNumber().toString());
map.put("sign", Base64Utils.encode(b));
return map;
} catch (FileNotFoundException e) {
map.put("code", "1111");
map.put("msg", "文件没有找到:" + e.getMessage());
return map;
} catch (CertificateException e) {
map.put("code", "2222");
map.put("msg", "读取证书异常:" + e.getMessage());
return map;
} catch (NoSuchAlgorithmException e) {
map.put("code", "2222");
map.put("msg", "读取证书异常:" + e.getMessage());
return map;
} catch (SignatureException e) {
map.put("code", "3333");
map.put("msg", "签名异常:" + e.getMessage());
return map;
} catch (IOException e) {
map.put("code", "4444");
map.put("msg", "IO异常:" + e.getMessage());
return map;
} catch (Exception e) {
map.put("code", "9999");
map.put("msg", "未知异常:" + e.getMessage());
return map;
} finally {
if (fis != null)
try {
fis.close();
} catch (IOException e) {
System.out.println(e.getMessage());
}
}
}
public void verify(String key,String sign,String signData) throws Exception{
byte []pb = Base64Utils.decode(key);
PublicKey pk = (PublicKey) Serializer.unserialize(pb);
Signature sig2=Signature.getInstance("MD5WithRSA");
sig2.initVerify(pk);
sig2.update(sign.getBytes("UTF-8"));
System.out.println("验签结果是:"+sig2.verify(Base64Utils.decode(signData)));
}
public static void main(String[] args) {
try {
GenX509Cert gcert = new GenX509Cert();
String data = "adowdn@#&kajdk";
Map<String, String> map = gcert.createCA("133456", "小科", "e:",
"123456", "10.26.27.28");
System.out.println(map.get("code") + "\t" + map.get("msg"));
Map<String, String> map1 = gcert.getCertMessage("e:/133456.pfx",
"123456");
for (Entry<String, String> e : map1.entrySet()) {
System.out.println(e.getKey() + "-->" + e.getValue());
}
Map<String, String> map2 = gcert.signData("e:/133456.pfx",
"123456", data);
for (Entry<String, String> e : map2.entrySet()) {
System.out.println(e.getKey() + "-->" + e.getValue());
}
gcert.verify(map1.get("cert"), data, map2.get("sign"));
} catch (Exception e) {
e.printStackTrace();
}
}
}
package com.zrsf.cert;
import java.io.IOException;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
public class Base64Utils {
/**
* 解码
* @param requestString
* @return
* @throws IOException
*/
public static byte[] decode(String requestString) throws IOException{
return new BASE64Decoder().decodeBuffer(requestString);
}
/*
* 编码
*/
public static String encode(byte[] bytes) throws IOException{
BASE64Encoder enc = new BASE64Encoder();
String encStr =enc.encode(bytes);
return encStr;
}
}
package com.zrsf.cert;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
/**
*
* @ClassName Serializer
*/
public final class Serializer
{
/**
* 序列化。
* @param object 需要序列化的对象。
* @return 字节数组。
*/
public static final byte[] serialize(Object object)
{
ObjectOutputStream oos = null;
ByteArrayOutputStream baos = null;
try
{
baos = new ByteArrayOutputStream();
oos = new ObjectOutputStream(baos);
oos.writeObject(object);
return baos.toByteArray();
}
catch(Exception ex)
{
System.err.println("序列化对象失败");
}
finally
{
if(oos != null)
{
try {
oos.close();
}catch (IOException e) {
e.printStackTrace();
}
}
if(baos != null)
{
try {
baos.close();
}catch (IOException e) {
e.printStackTrace();
}
}
}
return null;
}
/**
* 反序列化。
* @param bytes 字节数组。
* @return 反序列化后的对象。
*/
public static final Object unserialize(byte[] bytes)
{
ByteArrayInputStream bais = null;
ObjectInputStream ois = null;
try
{
bais = new ByteArrayInputStream(bytes);
ois = new ObjectInputStream(bais);
return ois.readObject();
}
catch(Exception ex)
{
System.err.println("反序列化对象失败");
}
finally
{
if(ois != null)
{
try {
ois.close();
}catch (IOException e) {
e.printStackTrace();
}
}
if(bais != null)
{
try {
bais.close();
}catch (IOException e) {
e.printStackTrace();
}
}
}
return null;
}
}
package com.zrsf.cert;
import java.security.SecureRandom;
public class Util {
public static String rootCA = "RootCA";
public static String certCA = "client";
/**
* 生成三位随机数
* @return
*/
public static String getRandomNum(){
SecureRandom sr = new SecureRandom();
return ""+sr.nextInt(10)+sr.nextInt(10)+sr.nextInt(10);
}
/**
* 验证ip是否合法
* @param ip ip地址
* @return ip合法返回true,否则返回false
*/
public static boolean ipCheck(String ip) {
if (ip != null && !ip.isEmpty()) {
String regex = "^(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]\\d|[1-9])\\." +
"(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]\\d|\\d)\\." +
"(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]\\d|\\d)\\." +
"(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]\\d|[1-9])$";
if (ip.matches(regex)) {
return true;
} else {
return false;
}
}
return false;
}
/**
* 得到ip的数字,不足三位的在后面补0,调用ipCheck方法之后再调用此方法
* @param ip
* @return
*/
public static String getIpNum(String ip){
StringBuffer sb = new StringBuffer();
String len[] = ip.split("\\.");
for(int i = 0;i<len.length;i++){
String s = len[i];
if(s.length()==3){
sb.append(s);
}else if(s.length()==2){
sb.append(s).append("0");
}else if(s.length()==1){
sb.append(s).append("00");
}
}
return sb.toString();
}
}
4651
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
