一 需要包含的包
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
// Single-type imports: with both java.security.* and java.security.cert.* on wildcard the
// simple name Certificate would be ambiguous (java.security.Certificate is a deprecated interface).
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.*;

// Internal JDK API, not part of the Java SE specification; needed only for the X509CertImpl /
// X509CertInfo / AlgorithmId classes used in section 九. On JDK 9+ it must be exported explicitly
// (--add-exports java.base/sun.security.x509=ALL-UNNAMED) and may change without notice.
import sun.security.x509.*;
二 从文件中读取证书
用keytool将.keystore中的证书写入文件中,然后从该文件中读取证书信息
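CertificateFactory cf = CertificateFactory.getInstance("X.509");
// keytool -export writes a certificate (DER or PEM); despite the ".csr" name the file must hold an
// X.509 certificate, because CertificateFactory does not parse PKCS#10 certificate requests.
FileInputStream in = new FileInputStream("out.csr");
Certificate c;
try {
    c = cf.generateCertificate(in); // reads exactly one certificate from the stream
} finally {
    in.close(); // the original never closed the stream
}
String s = c.toString(); // human-readable dump (subject, issuer, validity, signature, ...)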
三 从密钥库中直接读取证书
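String pass = "123456"; // tutorial value only: a real store password must not be hard-coded in source
FileInputStream in = new FileInputStream(".keystore");
KeyStore ks = KeyStore.getInstance("JKS");
try {
    ks.load(in, pass.toCharArray()); // also verifies the store's integrity check with this password
} finally {
    in.close(); // the stream is no longer needed once the store is in memory
}
// alias is the entry's alias (left as a free variable by the page); returns null if no such entry exists
java.security.cert.Certificate c = ks.getCertificate(alias);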
四 JAVA程序中显示证书指定信息
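// c is the Certificate obtained in section 二/三; the X.509-specific accessors live on X509Certificate
X509Certificate t = (X509Certificate) c;
System.out.println("输出证书信息:\n" + c.toString());
System.out.println("版本号:" + t.getVersion());
System.out.println("序列号:" + t.getSerialNumber().toString(16)); // serial number in hex
// getSubjectDN()/getIssuerDN() are denigrated; the X500Principal accessors are the supported form
System.out.println("主体名:" + t.getSubjectX500Principal());
System.out.println("签发者:" + t.getIssuerX500Principal());
System.out.println("有效期:" + t.getNotBefore() + " ~ " + t.getNotAfter()); // validity is a range, not one date
System.out.println("签名算法:" + t.getSigAlgName());
byte[] sig = t.getSignature(); // raw signature bytes; this snippet does not print them
PublicKey pk = t.getPublicKey();
byte[] pkenc = pk.getEncoded(); // DER-encoded SubjectPublicKeyInfo
System.out.println("公钥");
for (int i = 0; i < pkenc.length; i++) {
    System.out.print(pkenc[i] + ","); // the original printed the array reference, not its elements
}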
五 JAVA程序列出密钥库所有条目
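String pass = "123456"; // tutorial value only: do not hard-code real keystore passwords
FileInputStream in = new FileInputStream(".keystore");
KeyStore ks = KeyStore.getInstance("JKS");
try {
    ks.load(in, pass.toCharArray());
} finally {
    in.close();
}
Enumeration e = ks.aliases(); // every entry alias in the store, in no particular order
while (e.hasMoreElements()) {
    // A bare declaration is not a legal loop body in Java; the original lacked these braces.
    String alias = (String) e.nextElement();
    java.security.cert.Certificate c = ks.getCertificate(alias); // null for entries that carry no certificate
}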
六 JAVA程序修改密钥库口令
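String oldpass = "123456"; // tutorial values only; real passwords come from a protected source
String newpass = "654321";
FileInputStream in = new FileInputStream(".keystore");
KeyStore ks = KeyStore.getInstance("JKS");
try {
    ks.load(in, oldpass.toCharArray()); // fails with IOException if oldpass is wrong
} finally {
    in.close();
}
// The store is rewritten in place: a failure during store() leaves a truncated, unreadable file.
// For a robust update write to a temporary file and rename it over ".keystore" afterwards.
FileOutputStream output = new FileOutputStream(".keystore");
try {
    // Only the store password changes; each key entry keeps its own key password.
    ks.store(output, newpass.toCharArray());
} finally {
    output.close();
}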
七 JAVA程序修改密钥库条目的口令及添加条目
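FileInputStream in = new FileInputStream(".keystore");
KeyStore ks = KeyStore.getInstance("JKS");
try {
    ks.load(in, storepass.toCharArray()); // storepass: the store password (free variable on the page)
} finally {
    in.close();
}
// getCertificate() yields a single Certificate and cannot be assigned to Certificate[];
// the chain belonging to a key entry comes from getCertificateChain().
Certificate[] cchain = ks.getCertificateChain(alias);
// Unlocking the entry requires its current key password; getKey() returns Key, hence the cast.
PrivateKey pk = (PrivateKey) ks.getKey(alias, oldkeypass.toCharArray());
// Same alias: the entry is replaced (this is how its key password is changed); new alias: an entry is added.
ks.setKeyEntry(alias, pk, newkeypass.toCharArray(), cchain);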
第一个参数指定所添加条目的别名,假如使用已存在别名将覆盖已存在条目,使用新别名将增加一个新条目,第二个参数为条目的私钥,第三个为设置的新口令,第四个为该私钥的公钥的证书链
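FileOutputStream output = new FileOutputStream("another");
try {
    ks.store(output, storepass.toCharArray()); // persists the in-memory KeyStore to a new file (original lacked the ';')
} finally {
    output.close(); // flushes and releases the file handle
}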
八 JAVA程序检验别名和删除条目
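FileInputStream in = new FileInputStream(".keystore");
KeyStore ks = KeyStore.getInstance("JKS");
try {
    ks.load(in, storepass.toCharArray());
} finally {
    in.close();
}
// containsAlias() reports whether the entry exists; the original discarded its result.
if (ks.containsAlias("sage")) {
    ks.deleteEntry("sage"); // removes the entry from the in-memory store only
}
FileOutputStream output = new FileOutputStream(".keystore");
try {
    ks.store(output, storepass.toCharArray()); // the deletion becomes permanent here (original lacked the ';')
} finally {
    output.close();
}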
九 JAVA程序签发数字证书
(1)从密钥库中读取CA的证书
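FileInputStream in = new FileInputStream(".keystore");
KeyStore ks = KeyStore.getInstance("JKS");
try {
    ks.load(in, storepass.toCharArray());
} finally {
    in.close();
}
// The CA's own certificate, stored under alias "caroot"; null if the alias is absent.
java.security.cert.Certificate c1 = ks.getCertificate("caroot");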
(2)从密钥库中读取CA的私钥
// The CA's signing key. getKey() returns the general Key type, so it is cast to PrivateKey;
// cakeypass is the entry's key password, which may differ from the store password.
// Presumably alias is "caroot" as in step (1) — the page leaves it as a free variable.
Key caKey = ks.getKey(alias, cakeypass.toCharArray());
PrivateKey caprk = (PrivateKey) caKey;
(3)从CA的证书中提取签发者的信息
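byte[] encod1 = c1.getEncoded(); // DER encoding of the CA certificate (original: undefined cgetEncoded())
// X509CertImpl / X509CertInfo are internal JDK classes (sun.security.x509) that expose the
// certificate fields by name; the key strings are "<outer>.<inner>" paths.
X509CertImpl cimp1 = new X509CertImpl(encod1);
X509CertInfo cinfo1 = (X509CertInfo) cimp1.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
// The CA certificate's subject name becomes the issuer name of every certificate it signs.
X500Name issuer = (X500Name) cinfo1.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME);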
(4)获取待签发的证书
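CertificateFactory cf = CertificateFactory.getInstance("X.509");
// Despite the ".csr" name this file must hold an X.509 certificate (e.g. the requester's
// self-signed export); CertificateFactory does not parse PKCS#10 requests.
FileInputStream in2 = new FileInputStream("user.csr");
java.security.cert.Certificate c2;
try {
    c2 = cf.generateCertificate(in2); // the original read from the already-consumed stream `in`
} finally {
    in2.close();
}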
(5)从待签发的证书中提取证书信息
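byte[] encod2 = c2.getEncoded(); // DER encoding of the certificate to be (re-)issued (original: undefined cgetEncoded())
X509CertImpl cimp2 = new X509CertImpl(encod2);
// Mutable view of the to-be-signed body. Every field that the following steps do not overwrite —
// subject, public key and, importantly, any extensions such as BasicConstraints or KeyUsage — is
// carried over verbatim from the requester-supplied c2, so a real CA must vet or rebuild them.
X509CertInfo cinfo2 = (X509CertInfo) cimp2.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);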
(6)设置新证书有效期
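Date begindate = new Date(); // notBefore = now
// notAfter = 3000 days later; the L suffix keeps the final multiplication in long arithmetic.
// 3000 days is far longer than public CAs permit; choose a lifetime that fits the key's use.
Date enddate = new Date(begindate.getTime() + 3000 * 24 * 60 * 60 * 1000L);
CertificateValidity cv = new CertificateValidity(begindate, enddate);
cinfo2.set(X509CertInfo.VALIDITY, cv); // cinfo2: the X509CertInfo extracted in step (5) (original: undefined cinfoset)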
(7)设置新证书序列号
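// A serial number must be unique per issuer (RFC 5280). Deriving it from the issuance second
// collides for certificates issued within the same second and the int cast overflows in 2038.
// Draw at least 64 bits from a CSPRNG instead; the +1 keeps the value strictly positive.
BigInteger sn = new BigInteger(64, new SecureRandom()).add(BigInteger.ONE);
CertificateSerialNumber csn = new CertificateSerialNumber(sn);
cinfo2.set(X509CertInfo.SERIAL_NUMBER, csn); // original: undefined cinfoset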
(8)设置新证书签发者
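// Issuer of the new certificate = subject of the CA certificate, i.e. the X500Name obtained in step (3).
cinfo2.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer); // original: undefined cinfoset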
(9)设置新证书签名算法信息
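// NOTE(review): MD5withRSA is cryptographically broken (chosen-prefix collisions) and MD5 is listed
// in jdk.certpath.disabledAlgorithms on current JDKs, so certificates signed with it fail path
// validation. Use AlgorithmId.sha256WithRSAEncryption_oid for anything beyond this exercise.
AlgorithmId algorithm = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
cinfo2.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algorithm); // original: undefined cinfoset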
(10)创建证书并使用CA的私钥对其签名
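X509CertImpl newcert = new X509CertImpl(cinfo2); // unsigned certificate built from the body assembled in steps (5)-(9)
// Signs with the CA private key. "MD5WithRSA" is obsolete and rejected by modern validators;
// "SHA256withRSA" is the minimum for real use.
newcert.sign(caprk, "MD5WithRSA");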
(11)将新证书写入密钥库
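// Adds the signed certificate as a trusted-certificate entry (no private key) to the keystore loaded in step (1).
ks.setCertificateEntry("lf_signed", newcert);
FileOutputStream out = new FileOutputStream("newstore");
try {
    // Writes a new keystore file under a new (tutorial) password; section 七 shows adding to an existing store.
    ks.store(out, "newpass".toCharArray());
} finally {
    out.close(); // the original never closed the stream
}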
十 数字证书的检验
(1)验证证书的有效期
(a)获取X509Certificate类型对象
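CertificateFactory cf = CertificateFactory.getInstance("X.509");
FileInputStream in1 = new FileInputStream("aa.crt");
java.security.cert.Certificate c1;
try {
    c1 = cf.generateCertificate(in1);
} finally {
    in1.close(); // the original called the undefined inclose()
}
// checkValidity() and the other X.509 accessors are declared on X509Certificate, hence the cast.
X509Certificate t = (X509Certificate) c1;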
(b)获取日期
// Reference instant for the validity check; identical to new Date().
Date TimeNow = new Date(System.currentTimeMillis());
(c)检验有效性
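try {
    // Throws if TimeNow lies outside [notBefore, notAfter]. Passing this check says nothing about
    // trust: the signature and chain still have to be verified (section 十(2)).
    t.checkValidity(TimeNow);
    System.out.println("OK");
} catch (CertificateExpiredException e) { // TimeNow is after notAfter
    System.out.println("Expired");
    System.out.println(e.getMessage());
} catch (CertificateNotYetValidException e) { // TimeNow is before notBefore (original had a stray '(')
    System.out.println("Too early");
    System.out.println(e.getMessage());
}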
(2)验证证书签名的有效性
(a)获取CA证书
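CertificateFactory cf = CertificateFactory.getInstance("X.509");
FileInputStream in2 = new FileInputStream("caroot.crt");
java.security.cert.Certificate cac; // the CA certificate whose key will verify c1
try {
    cac = cf.generateCertificate(in2);
} finally {
    in2.close(); // the original called the undefined inclose()
}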
(b)获取CA的公钥
// Public half of the CA key pair, read from the CA certificate; used to check signatures the CA produced.
PublicKey pbk;
pbk = cac.getPublicKey();
(c)获取待检验的证书(上一步(1)(a)已经获取了,就是c1)
(d)检验证书
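boolean pass = false;
try {
    // verify() only proves that c1's signature was made with the private key matching pbk. It does
    // not check validity dates, revocation, name constraints, or that pbk belongs to a trusted
    // anchor; real validation runs CertPathValidator (PKIX) over the whole chain.
    c1.verify(pbk); // original: undefined cverify()
    pass = true;
} catch (GeneralSecurityException e) {
    // CertificateException, InvalidKeyException, SignatureException, NoSuchAlgorithmException and
    // NoSuchProviderException all derive from it; catching Exception would also hide programming errors.
    pass = false;
    System.out.println(e);
}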