CreateCert.java
package com.secpki.jce.demo;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Date;
import java.util.Hashtable;
import java.util.Random;
import java.util.Vector;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERBoolean;
import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DERGeneralizedTime;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTCTime;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Attribute;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.asn1.x509.PolicyMappings;
import org.bouncycastle.asn1.x509.PrivateKeyUsagePeriod;
import org.bouncycastle.asn1.x509.SubjectDirectoryAttributes;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509ExtensionsGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.provider.X509CertificateObject;
public class CreateCert {
public BigInteger genCertSerial() {
// BigInteger bigInteger = new BigInteger(val);
byte[] b = new byte[32];
Random random = new Random(new Date().getTime());
for (int i = 0; i < 32; i++) {
byte[] tmp = new byte[10];
random.nextBytes(tmp);
b[i] = tmp[random.nextInt(tmp.length - 1)];
}
return new BigInteger(b);
}
public X509Certificate createAcIssuerCert(X500Name issuer,
BigInteger serial, Date notBefore, Date notAfter, X500Name subject,
final SubjectPublicKeyInfo publicKeyInfo, PrivateKey privKey)
throws Exception {
V3TBSCertificateGenerator certificateGenerator = new V3TBSCertificateGenerator();
certificateGenerator.setExtensions(getCertGen());
certificateGenerator.setSignature(publicKeyInfo.getAlgorithmId());
certificateGenerator.setIssuer(issuer);
certificateGenerator.setSubject(subject);
certificateGenerator.setSerialNumber(new DERInteger(serial));
certificateGenerator.setStartDate(new DERUTCTime(notBefore));
certificateGenerator.setEndDate(new DERUTCTime(notAfter));
certificateGenerator.setSubjectPublicKeyInfo(publicKeyInfo);
System.out.println(certificateGenerator.generateTBSCertificate()
.getEncoded().length);
ASN1EncodableVector asn1encodablevector = new ASN1EncodableVector();
asn1encodablevector.add(certificateGenerator.generateTBSCertificate());
asn1encodablevector.add(publicKeyInfo.getAlgorithmId());
byte[] pubData = new byte[65];
pubData[0] = 0;
for(byte i=1;i<pubData.length;i++){
pubData[i] = i;
}
byte[] signInfo = new byte[69];//.....
for(byte i=1;i<pubData.length;i++){
pubData[i] = i;
}
asn1encodablevector.add(new DERBitString(signInfo));
X509CertificateObject cert = new X509CertificateObject(new X509CertificateStructure(new DERSequence(asn1encodablevector)));
return cert;
}
@SuppressWarnings("deprecation")
static X509Extensions getCertGen() {
// 添加扩展
X509ExtensionsGenerator certGen = new X509ExtensionsGenerator();
// 基本限制
certGen.addExtension(X509Extensions.BasicConstraints, false,
new DEREncodable() {
@Override
public DERObject getDERObject() {
// TODO Auto-generated method stub
ASN1EncodableVector bConstraints = new ASN1EncodableVector();
// 是否是CA证书
boolean bCA = false;
bConstraints.add(new DERBoolean(bCA));
// 证书路径长度限制
int pathLenConstraint = 3;
if ((pathLenConstraint >= 0) && (bCA))
bConstraints.add(new DERInteger(pathLenConstraint));
return new DERSequence(bConstraints);
}
});
// 密钥用法
certGen.addExtension(X509Extensions.KeyUsage, false,
new DEREncodable() {
@SuppressWarnings("unused")
public int keyUsage;
public static final int digitalSignature = (1 << 7);
public static final int nonRepudiation = (1 << 6);
public static final int keyEncipherment = (1 << 5);
public static final int dataEncipherment = (1 << 4);
public static final int keyAgreement = (1 << 3);
public static final int keyCertSign = (1 << 2);
public static final int cRLSign = (1 << 1);
public static final int encipherOnly = (1 << 0);
public static final int decipherOnly = (1 << 15);
@Override
public DERObject getDERObject() {
// TODO Auto-generated method stub
return new KeyUsage(digitalSignature | nonRepudiation
| keyEncipherment | dataEncipherment
| keyAgreement | keyCertSign | cRLSign
| encipherOnly | decipherOnly);
}
});
// 扩展密钥用法
certGen.addExtension(X509Extensions.ExtendedKeyUsage, false,
new DEREncodable() {
private static final String id_kp = "1.3.6.1.5.5.7.3";
@SuppressWarnings("unused")
public final KeyPurposeId anyExtendedKeyUsage = new KeyPurposeId(
X509Extensions.ExtendedKeyUsage.getId() + ".0");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_serverAuth = new KeyPurposeId(
id_kp + ".1");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_clientAuth = new KeyPurposeId(
id_kp + ".2");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_codeSigning = new KeyPurposeId(
id_kp + ".3");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_emailProtection = new KeyPurposeId(
id_kp + ".4");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_ipsecEndSystem = new KeyPurposeId(
id_kp + ".5");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_ipsecTunnel = new KeyPurposeId(
id_kp + ".6");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_ipsecUser = new KeyPurposeId(
id_kp + ".7");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_timeStamping = new KeyPurposeId(
id_kp + ".8");
public final KeyPurposeId id_kp_OCSPSigning = new KeyPurposeId(
id_kp + ".9");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_dvcs = new KeyPurposeId(
id_kp + ".10");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_sbgpCertAAServerAuth = new KeyPurposeId(
id_kp + ".11");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_scvp_responder = new KeyPurposeId(
id_kp + ".12");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_eapOverPPP = new KeyPurposeId(
id_kp + ".13");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_eapOverLAN = new KeyPurposeId(
id_kp + ".14");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_scvpServer = new KeyPurposeId(
id_kp + ".15");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_scvpClient = new KeyPurposeId(
id_kp + ".16");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_ipsecIKE = new KeyPurposeId(
id_kp + ".17");
public final KeyPurposeId id_kp_capwapAC = new KeyPurposeId(
id_kp + ".18");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_capwapWTP = new KeyPurposeId(
id_kp + ".19");
@SuppressWarnings("unused")
public final KeyPurposeId id_kp_smartcardlogon = new KeyPurposeId(
"1.3.6.1.4.1.311.20.2.2");
ASN1EncodableVector extKeyUsage = new ASN1EncodableVector();
@Override
public DERObject getDERObject() {
// TODO Auto-generated method stub
extKeyUsage.add(id_kp_OCSPSigning);
extKeyUsage.add(id_kp_capwapAC);
return new DERSequence(extKeyUsage);
}
});
// 主题备用名称
certGen.addExtension(X509Extensions.SubjectAlternativeName, false,
new DEREncodable() {
@SuppressWarnings("unused")
public static final int otherName = 0;
@SuppressWarnings("unused")
public static final int rfc822Name = 1;
@SuppressWarnings("unused")
public static final int dNSName = 2;
@SuppressWarnings("unused")
public static final int x400Address = 3;
@Suppr