java 产生p10证书_PKCS#10 以及证书颁发过程具体实现

用户首先产生自己的密钥对，并将公共密钥及部分个人信息传送给CA(通过P10请求)

CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA1WithRSA");

gen.generate(1024);//生成1024位密钥

PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(

new X500Principal("CN = " + name), gen.getPublicKey());// CN和公钥

JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");// 签名算法

ContentSigner signer = null;

signer = csBuilder.build(gen.getPrivateKey());

PKCS10CertificationRequest csr = p10Builder.build(signer);// PKCS10的请求

return csr;//返回PKCS10的请求

CA接受请求并生成证书

CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

X509Certificate cacert = (X509Certificate) certFactory.generateCertificate(new FileInputStream(certPath));

//一大堆参数 ,填充到生成器里

AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");

AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);

org.bouncycastle.asn1.x500.X500Name issuer = new org.bouncycastle.asn1.x500.X500Name(

cacert.getSubjectX500Principal().getName());

BigInteger serial = new BigInteger(32, new SecureRandom());

Date from = new Date();

Date to = new Date(System.currentTimeMillis() + (365 * 80 * 86400000L));

X509v3CertificateBuilder certgen = new X509v3CertificateBuilder(issuer, serial, from, to, csr.getSubject(),

csr.getSubjectPublicKeyInfo())

Key privateKey = productPrivateKey();

// CA端进行签名, 才有具有法律效力

ContentSigner signer = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)

.build(PrivateKeyFactory.createKey(privateKey.getEncoded()));

// 生成BC结构的证书

Security.addProvider(new BouncyCastleProvider());

X509Certificate resultBc = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certgen.build(signer));

return resultBc;//返回证书

CSR：证书签发请求(Certificate Signing Request)，

CSR也叫做认证申请，是一个发送到CA的请求认证信息。 有两种格式，应用最广泛的是由PKCS#10定义的，另一个用的少的是由SPKAC定义的，主要应用于网景浏览器。

在PKCS#10定义中，CSR有两种编码格式：二进制(ASN.1或DER (Distinguished Encoding Rules))和文本格式(the text or PEM (Privacy Enhanced Mail)formatted CSR is the binary CSR after it has been Base-64 encoded to create a text version of the CSR.)

CSR文件生成步骤如下：

根据Version、Distinguished Name、Public Key、Attributes生成请求证书；

用Private Key加密证书请求信息；

根据请求信息、签名算法和签名生成CSR文件；

CSR文件包含的信息描述如下

CertificationRequest ::= SEQUENCE {

certificationRequestInfo CertificationRequestInfo,//证书信息

signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},//签名算法

signature BIT STRING //签名

}//另外还可能有可选的字段，如postal address和Email address，这两个字段可以应用于证书的撤销。

注意：私钥不包含在CSR文件中，但是应用于数字签名。

签名分两步

将certificateRequestInfo 进行DER编码，产生八位字节字符串；

将步骤一的结果用请求者的私钥在指定的签名算法下，产生签名；

请求信息定义如下

CertificationRequestInfo ::= SEQUENCE {

version INTEGER { v1(0) } (v1,...),

subject Name, //证书主体的专有名称

subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},

attributes [0] Attributes{{ CRIAttributes }}

}

subjectPublicKeyInfo 包含被认证的公钥

attributes 关于认证主提其他信息属性集合

SubjectPublicKeyInfo { ALGORITHM : IOSet} ::= SEQUENCE {

algorithm AlgorithmIdentifier {{IOSet}},

subjectPublicKey BIT STRING

}

PKInfoAlgorithms ALGORITHM ::= {

... -- add any locally defined algorithms here -- }

Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}

CRIAttributes ATTRIBUTE ::= {

... -- add any locally defined attributes here -- }

Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {

type ATTRIBUTE.&id({IOSet}),

values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})

}

等价写法

CertificationRequest ::= SIGNED { EncodedCertificationRequestInfo }

(CONSTRAINED BY { -- Verify or sign encoded

-- CertificationRequestInfo -- })

EncodedCertificationRequestInfo ::=

TYPE-IDENTIFIER.&Type(CertificationRequestInfo)

SIGNED { ToBeSigned } ::= SEQUENCE {

toBeSigned ToBeSigned,

algorithm AlgorithmIdentifier { {SignatureAlgorithms} },

signature BIT STRING

}