java生成电子证书_java – 如何用x509证书生成数字签名？

我知道问题已经有一段时间了,但我有同样的问题,我解决了,所以我想分享解决方案它使用从安全令牌获得的密钥库使用iaik pkcs工具：

用于替换singletonList的技巧

KeyInfo ki =

kif.newKeyInfo(Collections.singletonList(kv));

对于包含证书和keyvalue的列表.

整个魔法的代码(希望它可以帮助某人)：

public void generateSignatureforResumen(String originalXmlFilePath,

String destnSignedXmlFilePath, IAIKPkcs11 pkcs11Provider_, KeyStore tokenKeyStore, String pin) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, GeneralSecurityException, TokenException {

//Get the XML Document object

Document doc = getXmlDocument(originalXmlFilePath);

//Create XML Signature Factory

PrivateKey signatureKey_ = null;

PublicKey pubKey_ = null;

X509Certificate signingCertificate_ = null;

Boolean prik = false;

Boolean pubk = false;

Enumeration aliases = tokenKeyStore.aliases();

while (aliases.hasMoreElements()) {

String keyAlias = aliases.nextElement().toString();

java.security.Key key = tokenKeyStore.getKey(keyAlias, pin.toCharArray());

if (key instanceof java.security.interfaces.RSAPrivateKey) {

Certificate[] certificateChain = tokenKeyStore.getCertificateChain(keyAlias);

X509Certificate signerCertificate = (X509Certificate) certificateChain[0];

boolean[] keyUsage = signerCertificate.getKeyUsage();

// check for digital signature or non-repudiation,

// but also accept if none is set

if ((keyUsage == null) || keyUsage[0] || keyUsage[1]) {

signatureKey_ = (PrivateKey) key;

signingCertificate_ = signerCertificate;

prik = true;

pubKey_ = signerCertificate.getPublicKey();

break;

}

}

}

if (signatureKey_ == null) {

throw new GeneralSecurityException(

"Found no signature key. Ensure that a valid card is inserted.");

}

XMLSignatureFactory xmlSigFactory = XMLSignatureFactory.getInstance("DOM");

Reference ref = null;

SignedInfo signedInfo = null;

try {

ref = xmlSigFactory.newReference("", xmlSigFactory.newDigestMethod(DigestMethod.SHA1, null),

Collections.singletonList(xmlSigFactory.newTransform(Transform.ENVELOPED,

(TransformParameterSpec) null)), null, null);

signedInfo = xmlSigFactory.newSignedInfo(

xmlSigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,

(C14NMethodParameterSpec) null),

xmlSigFactory.newSignatureMethod(SignatureMethod.RSA_SHA1, null),

Collections.singletonList(ref));

} catch (NoSuchAlgorithmException ex) {

ex.printStackTrace();

}

KeyInfoFactory kif = xmlSigFactory.getKeyInfoFactory();

X509Data x509data = kif.newX509Data(Collections.nCopies(1, signingCertificate_));

KeyValue kval = kif.newKeyValue(pubKey_);

List keyInfoItems = new ArrayList();

keyInfoItems.add(kval);

keyInfoItems.add(x509data);

//Object list[];

KeyInfo keyInfo = kif.newKeyInfo(keyInfoItems);

//Create a new XML Signature

XMLSignature xmlSignature = xmlSigFactory.newXMLSignature(signedInfo, keyInfo);

DOMSignContext domSignCtx = new DOMSignContext((Key) signatureKey_, doc.getDocumentElement());

try {

//Sign the document

xmlSignature.sign(domSignCtx);

} catch (MarshalException ex) {

ex.printStackTrace();

} catch (XMLSignatureException ex) {

ex.printStackTrace();

}

//Store the digitally signed document inta a location

storeSignedDoc(doc, destnSignedXmlFilePath);