BouncyCastle下载:
链接:http://pan.baidu.com/s/1vrcL4 密码:6i27
package com.what21.security05;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
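/**
 * Helpers for creating RSA key pairs, X.509 certificates and JKS keystores with the
 * (legacy) BouncyCastle {@code X509V3CertificateGenerator} API.
 *
 * <p>Fixes relative to the original version of this class:
 * <ul>
 *   <li>{@link #makeCertChain} now signs the leaf certificate with the issuer's private key
 *       (it previously self-signed the leaf while claiming the issuer's DN), stores the
 *       <em>leaf</em> private key instead of the issuer's, and orders the chain leaf-first as
 *       {@link KeyStore#setKeyEntry} requires.</li>
 *   <li>{@link #generateKeyStore} signs with SHA-256 instead of MD5WithRSA; MD5 signatures
 *       are cryptographically broken and rejected by current JDK path validation.</li>
 *   <li>Serial numbers come from {@link SecureRandom} instead of the wall clock, so they are
 *       unpredictable and do not collide when two certificates are issued in the same
 *       millisecond.</li>
 * </ul>
 *
 * <p>Passwords still arrive as {@link String} for API compatibility; the {@code char[]}
 * copies made here are zeroed after use, but the caller's strings remain in memory.
 */
public final class CreateCert {

    /** Signature algorithm for the self-signed certificate written by {@link #generateKeyStore}. */
    private static final String DEFAULT_SIG_ALG = "SHA256WithRSA";

    /** Validity, in years, of the self-signed certificate written by {@link #generateKeyStore}. */
    private static final int DEFAULT_VALIDITY_YEARS = 10;

    /**
     * Lifetime of the leaf certificate produced by {@link #makeCertChain}, kept at the original
     * value of ten seconds. NOTE(review): this looks like a test placeholder rather than an
     * intended lifetime — confirm before relying on the produced keystore.
     */
    private static final long LEAF_VALIDITY_MILLIS = 10000L;

    /** Source of certificate serial numbers. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Keystore format written by this class; kept as JKS so existing readers keep working. */
    private static final String STORE_TYPE = "JKS";

    private CreateCert() {
    }

    /** Registers the BouncyCastle provider once; repeated registration is skipped. */
    private static void ensureProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Returns a fresh positive serial number with 64 bits of entropy, as RFC 5280 asks for
     * unique, non-negative serials. ONE is added so the value can never be zero.
     */
    private static BigInteger newSerialNumber() {
        return BigInteger.ONE.add(new BigInteger(64, RANDOM));
    }

    /** Zeroes password buffers once the keystore call that needed them has returned. */
    private static void wipe(char[]... secrets) {
        for (char[] secret : secrets) {
            if (secret != null) {
                Arrays.fill(secret, '\0');
            }
        }
    }

    /**
     * Generates a key pair.
     *
     * @param type   algorithm name passed to {@link KeyPairGenerator#getInstance(String)},
     *               e.g. {@code "RSA"}
     * @param keyLen key size in bits
     * @return the generated key pair
     * @throws Exception if the algorithm is unknown or the key size is not supported
     */
    public static KeyPair makeKeyPair(String type, int keyLen) throws Exception {
        ensureProvider();
        KeyPairGenerator generator = KeyPairGenerator.getInstance(type);
        generator.initialize(keyLen);
        return generator.generateKeyPair();
    }

    /**
     * Builds an X.509 v3 certificate for {@code publicKey} signed with {@code privateKey}.
     * No extensions are added; passing the same DN for issuer and subject together with the
     * matching key pair yields a self-signed certificate.
     *
     * @param publicKey  key certified by the certificate
     * @param privateKey signing key
     * @param issuerDN   issuer distinguished name, e.g. {@code "CN=..., O=..."}
     * @param subjectDN  subject distinguished name
     * @param year       validity in years, counted as {@code year * 365} days from now;
     *                   must be positive
     * @param algorithm  signature algorithm name, e.g. {@code "SHA256WithRSA"}
     * @return the signed certificate
     * @throws IllegalArgumentException if {@code year} is not positive
     * @throws Exception on any signing or encoding failure
     */
    public static X509Certificate makeCertificate(PublicKey publicKey, PrivateKey privateKey,
            String issuerDN, String subjectDN, int year, String algorithm) throws Exception {
        if (year <= 0) {
            // A non-positive value would put notAfter before notBefore.
            throw new IllegalArgumentException("year must be positive: " + year);
        }
        ensureProvider();
        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
        gen.setSerialNumber(newSerialNumber());
        gen.setIssuerDN(new X509Name(issuerDN));
        gen.setSubjectDN(new X509Name(subjectDN));
        gen.setPublicKey(publicKey);
        // Derive notAfter from the same instant as notBefore so the window is exactly year*365 days.
        Date notBefore = new Date();
        Calendar expiry = Calendar.getInstance();
        expiry.setTime(notBefore);
        expiry.add(Calendar.DAY_OF_YEAR, year * 365);
        gen.setNotBefore(notBefore);
        gen.setNotAfter(expiry.getTime());
        gen.setSignatureAlgorithm(algorithm);
        return gen.generate(privateKey);
    }

    /**
     * Generates an RSA key pair and a self-signed certificate for {@code fullDN}, and writes
     * both as a single key entry of a new JKS keystore to {@code output}.
     *
     * @param keyLen      RSA key size in bits
     * @param alias       alias of the key entry
     * @param storePasswd keystore integrity password
     * @param trustPasswd password protecting the private key entry
     * @param fullDN      distinguished name used as both issuer and subject
     * @param output      destination; not closed by this method
     * @throws Exception on key generation, signing or keystore failure
     */
    public static void generateKeyStore(int keyLen, String alias, String storePasswd,
            String trustPasswd, String fullDN, OutputStream output) throws Exception {
        KeyPair keyPair = makeKeyPair("RSA", keyLen);
        X509Certificate selfSigned = makeCertificate(keyPair.getPublic(), keyPair.getPrivate(),
                fullDN, fullDN, DEFAULT_VALIDITY_YEARS, DEFAULT_SIG_ALG);
        Certificate[] chain = { selfSigned };

        char[] storeCPW = storePasswd.toCharArray();
        char[] trustCPW = trustPasswd.toCharArray();
        try {
            KeyStore keyStore = KeyStore.getInstance(STORE_TYPE);
            keyStore.load(null, null);
            keyStore.setKeyEntry(alias, keyPair.getPrivate(), trustCPW, chain);
            keyStore.store(output, storeCPW);
        } finally {
            wipe(storeCPW, trustCPW);
        }
    }

    /**
     * Loads a keystore and extracts the key entry stored under {@code alias}.
     *
     * @param type        keystore type, e.g. {@code "JKS"} or {@code "PKCS12"}
     * @param input       keystore bytes; not closed by this method
     * @param storePasswd keystore integrity password
     * @param alias       alias of the key entry
     * @param trustPasswd password protecting the private key entry
     * @return a three-element array {@code [KeyStore, Certificate, KeyPair]}; all three
     *         elements are {@code null} when the alias is absent or is not a private-key entry
     * @throws Exception on load failure or a wrong password
     */
    public static Object[] getCertAllInfo(String type, InputStream input, String storePasswd,
            String alias, String trustPasswd) throws Exception {
        Object[] result = new Object[3];
        char[] storeCPW = storePasswd.toCharArray();
        char[] trustCPW = trustPasswd.toCharArray();
        try {
            KeyStore keyStore = KeyStore.getInstance(type);
            keyStore.load(input, storeCPW);
            Key key = keyStore.getKey(alias, trustCPW);
            // getKey returns null for an unknown alias; instanceof then fails and the
            // array stays all-null, which is the documented contract.
            if (key instanceof PrivateKey) {
                Certificate cert = keyStore.getCertificate(alias);
                result[0] = keyStore;
                result[1] = cert;
                result[2] = new KeyPair(cert.getPublicKey(), (PrivateKey) key);
            }
        } finally {
            wipe(storeCPW, trustCPW);
        }
        return result;
    }

    /**
     * Issues a new end-entity certificate signed by the key entry {@code alias} of the
     * keystore read from {@code input}, and writes the new private key with the chain
     * {@code [leaf, issuer]} to a fresh JKS keystore on {@code output2}.
     *
     * <p>NOTE(review): the issuer certificate produced by {@link #generateKeyStore} carries no
     * BasicConstraints extension; it works here as a trust anchor, but a strict path validator
     * will not accept it as an intermediate CA.
     *
     * @param type         type of the issuer keystore, e.g. {@code "JKS"}
     * @param input        issuer keystore bytes; not closed by this method
     * @param storePasswd  issuer keystore password
     * @param alias        alias of the issuer key entry
     * @param trustPasswd  issuer key entry password
     * @param keyLen2      RSA key size in bits for the new leaf key
     * @param alias2       alias of the leaf entry in the output keystore
     * @param storePasswd2 output keystore password
     * @param trustPasswd2 password protecting the leaf key entry
     * @param fullDN2      subject distinguished name of the leaf certificate
     * @param output2      destination; not closed by this method
     * @throws IllegalStateException if {@code alias} is not a private-key entry
     * @throws Exception if the issuer certificate is expired, signing fails, the signature
     *                   does not verify against the issuer key, or the keystore cannot be written
     */
    public static void makeCertChain(String type, InputStream input, String storePasswd,
            String alias, String trustPasswd, int keyLen2, String alias2, String storePasswd2,
            String trustPasswd2, String fullDN2, OutputStream output2) throws Exception {
        Object[] issuer = getCertAllInfo(type, input, storePasswd, alias, trustPasswd);
        X509Certificate issuerCert = (X509Certificate) issuer[1];
        KeyPair issuerKeyPair = (KeyPair) issuer[2];
        if (issuerCert == null || issuerKeyPair == null) {
            throw new IllegalStateException(
                    "alias '" + alias + "' is not a private-key entry in the issuer keystore");
        }
        issuerCert.checkValidity();

        KeyPair leafKeyPair = makeKeyPair("RSA", keyLen2);

        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
        gen.setSerialNumber(newSerialNumber());
        gen.setIssuerDN(issuerCert.getSubjectX500Principal());
        gen.setSubjectDN(new X509Name(fullDN2));
        long now = System.currentTimeMillis();
        gen.setNotBefore(new Date(now));
        gen.setNotAfter(new Date(now + LEAF_VALIDITY_MILLIS));
        gen.setPublicKey(leafKeyPair.getPublic());
        gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
        gen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
                new AuthorityKeyIdentifierStructure(issuerCert));
        gen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
                new SubjectKeyIdentifierStructure(leafKeyPair.getPublic()));
        gen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        gen.addExtension(X509Extensions.KeyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        gen.addExtension(X509Extensions.ExtendedKeyUsage, true,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        // Sign with the issuer's key: the certificate names issuerCert as its issuer and
        // points its AuthorityKeyIdentifier at it, so any other signer yields a broken chain.
        X509Certificate leafCert = gen.generate(issuerKeyPair.getPrivate());
        leafCert.verify(issuerCert.getPublicKey());
        leafCert.checkValidity();

        // setKeyEntry expects the certificate of the stored key first, then its issuer(s).
        Certificate[] chain = { leafCert, issuerCert };

        ensureProvider();
        char[] storeCPW = storePasswd2.toCharArray();
        char[] trustCPW = trustPasswd2.toCharArray();
        try {
            KeyStore outStore = KeyStore.getInstance(STORE_TYPE);
            outStore.load(null, null);
            // Store the leaf's private key, not the issuer's: the output keystore belongs to
            // the new entity and must not carry the signing key.
            outStore.setKeyEntry(alias2, leafKeyPair.getPrivate(), trustCPW, chain);
            outStore.store(output2, storeCPW);
        } finally {
            wipe(storeCPW, trustCPW);
        }
    }
}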