X509Certificate.java in package java.security.cert is the abstract class for X.509 certificates. It provides a standard way to access all attributes of an X.509 certificate.
Described in ASN.1, an X509Certificate can be abstracted as the following structure:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
That is: the basic (to-be-signed) certificate fields, the signature algorithm, and the signature value.
The structure of TBSCertificate is:
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version must be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version must be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version must be v3
}
That is: version, serial number, signature algorithm, issuer, validity period, subject, subject public key info, and extensions.
Subject public key info:
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
Algorithm identifier:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
A comment excerpt from Key.java in package java.security:
* The Key interface is the top-level interface for all keys. It
* defines the functionality shared by all key objects. All keys
* have three characteristics:
*
* <UL>
*
* <LI>An Algorithm
*
* <P>This is the key algorithm for that key. The key algorithm is usually
* an encryption or asymmetric operation algorithm (such as DSA or
* RSA), which will work with those algorithms and with related
* algorithms (such as MD5 with RSA, SHA-1 with RSA, Raw DSA, etc.)
* The name of the algorithm of a key is obtained using the
* {@link #getAlgorithm() getAlgorithm} method.
So a key has three characteristics, the first of which is its Algorithm, obtained with getAlgorithm(). The method for obtaining the key algorithm is therefore cert.getAlgorithm();
Another commonly used method: getting the signature algorithm
/**
* Gets the signature algorithm name for the certificate
* signature algorithm. An example is the string "SHA256withRSA".
* The ASN.1 definition for this is:
* <pre>
* signatureAlgorithm AlgorithmIdentifier
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* -- contains a value of the type
* -- registered for use with the
* -- algorithm object identifier value
* </pre>
*
* <p>The algorithm name is determined from the {@code algorithm}
* OID string.
*
* @return the signature algorithm name.
*/
public abstract String getSigAlgName();
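As an added example (not code from the JDK or from the original post), the program below reads the TBSCertificate fields listed above through the X509Certificate API and flags parameters a certificate reviewer would reject. Note that the key algorithm is read from cert.getPublicKey().getAlgorithm(), because X509Certificate itself has no getAlgorithm() method, while the signature algorithm comes from getSigAlgName(); the class name CertInspect, the 2048-bit RSA threshold and the use of the JDK's default trust anchors as input are this example's own choices.

```java
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertInspect {
    // Print the TBSCertificate fields in the order of the ASN.1 structure above.
    static void describe(X509Certificate cert) {
        PublicKey key = cert.getPublicKey();   // SubjectPublicKeyInfo; the certificate has no getAlgorithm()
        System.out.println("version       : v" + cert.getVersion());
        System.out.println("serialNumber  : " + cert.getSerialNumber().toString(16));
        System.out.println("signature     : " + cert.getSigAlgName() + " (OID " + cert.getSigAlgOID() + ")");
        System.out.println("issuer        : " + cert.getIssuerX500Principal());
        System.out.println("validity      : " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        System.out.println("subject       : " + cert.getSubjectX500Principal());
        System.out.println("key algorithm : " + key.getAlgorithm());
    }
    // Findings a reviewer wants: weak signature hash, short RSA modulus, outside the validity period.
    static List<String> weaknesses(X509Certificate cert) {
        List<String> out = new ArrayList<>();
        String sig = cert.getSigAlgName().toUpperCase();   // e.g. "SHA256WITHRSA"
        if (sig.startsWith("MD5") || sig.startsWith("SHA1")) out.add("weak signature hash: " + sig);
        PublicKey key = cert.getPublicKey();
        if (key instanceof RSAPublicKey && ((RSAPublicKey) key).getModulus().bitLength() < 2048)
            out.add("RSA modulus shorter than 2048 bits");   // threshold chosen for this example
        try {
            cert.checkValidity();   // throws if the current time is outside notBefore..notAfter
        } catch (CertificateException e) {
            out.add("not currently valid: " + e.getMessage());
        }
        return out;
    }

    // Inspect the first few trust anchors of the JDK's default trust store, so the demo runs offline.
    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // a null KeyStore selects the default trust store (cacerts)
        X509Certificate[] certs = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
        for (int i = 0; i < Math.min(certs.length, 3); i++) {
            describe(certs[i]);
            System.out.println("findings      : " + weaknesses(certs[i]) + "\n");
        }
    }
}
```

To inspect your own certificate instead, load it with CertificateFactory.getInstance("X.509").generateCertificate(InputStream) and pass the result to describe() and weaknesses().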