| |
一:需要包含的包
import java.security.*;
import java.io.*;
import java.util.*;
import java.security.*;
import java.security.cert.*;
import sun.security.x509.*
import java.security.cert.certificate;
import java.security.cert.certificatefactory;
二:从文件中读取证书
用keytool将.keystore中的证书写入文件中,然后从该文件中读取证书信息
certificatefactory cf=certificatefactory.getinstance("x.509");
fileinputstream in=new fileinputstream("out.csr");
certificate c=cf.generatecertificate(in);
string s=c.tostring();
三:从密钥库中直接读取证书
string pass="123456";
fileinputstream in=new fileinputstream(".keystore");
keystore ks=keystore.getinstance("jks");
ks.load(in,pass.tochararray());
java.security.cert.certificate c=ks.getcertificate(alias);//alias为条目的别名
四:java程序中显示证书指定信息
system.out.println("输出证书信息:/n"+c.tostring());
system.out.println("版本号:"+t.getversion());
system.out.println("序列号:"+t.getserialnumber().tostring(16));
system.out.println("主体名:"+t.getsubjectdn());
system.out.println("签发者:"+t.getissuerdn());
system.out.println("有效期:"+t.getnotbefore());
system.out.println("签名算法:"+t.getsigalgname());
byte [] sig=t.getsignature();//签名值
publickey pk=t.getpublickey();
byte [] pkenc=pk.getencoded();
system.out.println("公钥");
for(int i=0;i<pkenc.length;i++)system.out.print(pkenc[i]+",");
五:java程序列出密钥库所有条目
string pass="123456";
fileinputstream in=new fileinputstream(".keystore");
keystore ks=keystore.getinstance("jks");
ks.load(in,pass.tochararray());
enumeration e=ks.aliases();
while(e.hasmoreelements())
java.security.cert.certificate c=ks.getcertificate((string)e.nextelement());
六:java程序修改密钥库口令
string oldpass="123456";
string newpass="654321";
fileinputstream in=new fileinputstream(".keystore");
keystore ks=keystore.getinstance("jks");
ks.load(in,oldpass.tochararray());
in.close();
fileoutputstream output=new fileoutputstream(".keystore");
ks.store(output,newpass.tochararray());
output.close();
七:java程序修改密钥库条目的口令及添加条目
fileinputstream in=new fileinputstream(".keystore");
keystore ks=keystore.getinstance("jks");
ks.load(in,storepass.tochararray());
certificate [] cchain=ks.getcertificate(alias);获取别名对应条目的证书链
privatekey pk=(privatekey)ks.getkey(alias,oldkeypass.tochararray());获取别名对应条目的私钥
ks.setkeyentry(alias,pk,newkeypass.tochararray(),cchain);向密钥库中添加条目
第一个参数指定所添加条目的别名,假如使用已存在别名将覆盖已存在条目,使用新别名将增加一个新条目,第二个参数为条目的私钥,第三个为设置的新口令,第四个为该私钥的公钥的证书链
fileoutputstream output=new fileoutputstream("another");
ks.store(output,storepass.tochararray())将keystore对象内容写入新文件
八:java程序检验别名和删除条目
fileinputstream in=new fileinputstream(".keystore");
keystore ks=keystore.getinstance("jks");
ks.load(in,storepass.tochararray());
ks.containsalias("sage");检验条目是否在密钥库中,存在返回true
ks.deleteentry("sage");删除别名对应的条目
fileoutputstream output=new fileoutputstream(".keystore");
ks.store(output,storepass.tochararray())将keystore对象内容写入文件,条目删除成功
九:java程序签发数字证书
(1)从密钥库中读取ca的证书
fileinputstream in=new fileinputstream(".keystore");
keystore ks=keystore.getinstance("jks");
ks.load(in,storepass.tochararray());
java.security.cert.certificate c1=ks.getcertificate("caroot");
(2)从密钥库中读取ca的私钥
privatekey caprk=(privatekey)ks.getkey(alias,cakeypass.tochararray());
(3)从ca的证书中提取签发者的信息
byte[] encod1=c1.getencoded();提取ca证书的编码
x509certimpl cimp1=new x509certimpl(encod1); 用该编码创建x509certimpl类型对象
x509certinfo cinfo1=(x509certinfo)cimp1.get(x509certimpl.name+"."+x509certimpl.info); 获取x509certinfo对象
x500name issuer=(x500name)cinfo1.get(x509certinfo.subject+"."+certificateissuername.dn_name); 获取x509name类型的签发者信息
(4)获取待签发的证书
certificatefactory cf=certificatefactory.getinstance("x.509");
fileinputstream in2=new fileinputstream("user.csr");
java.security.cert.certificate c2=cf.generatecertificate(in);
(5)从待签发的证书中提取证书信息
byte [] encod2=c2.getencoded();
x509certimpl cimp2=new x509certimpl(encod2); 用该编码创建x509certimpl类型对象
x509certinfo cinfo2=(x509certinfo)cimp2.get(x509certimpl.name+"."+x509certimpl.info); 获取x509certinfo对象
(6)设置新证书有效期
date begindate=new date(); 获取当前时间
date enddate=new date(begindate.gettime()+3000*24*60*60*1000l); 有效期为3000天
certificatevalidity cv=new certificatevalidity(begindate,enddate); 创建对象
cinfo2.set(x509certinfo.validity,cv); 设置有效期
(7)设置新证书序列号
int sn=(int)(begindate.gettime()/1000);以当前时间为序列号
certificateserialnumber csn=new certificateserialnumber(sn);
cinfo2.set(x509certinfo.serial_number,csn);
(8)设置新证书签发者
cinfo2.set(x509certinfo.issuer+"."+certificateissuername.dn_name,issuer);应用第三步的结果
(9)设置新证书签名算法信息
algorithmid algorithm=new algorithmid(algorithmid.md5withrsaencryption_oid);
cinfo2.set(certificatealgorithmid.name+"."+certificatealgorithmid.algorithm,algorithm);
(10)创建证书并使用ca的私钥对其签名
x509certimpl newcert=new x509certimpl(cinfo2);
newcert.sign(caprk,"md5withrsa"); 使用ca私钥对其签名
(11)将新证书写入密钥库
ks.setcertificateentry("lf_signed",newcert);
fileoutputstream out=new fileoutputstream("newstore");
ks.store(out,"newpass".tochararray()); 这里是写入了新的密钥库,也可以使用第七条来增加条目
十:数字证书的检验
(1)验证证书的有效期
(a)获取x509certificate类型对象
certificatefactory cf=certificatefactory.getinstance("x.509");
fileinputstream in1=new fileinputstream("aa.crt");
java.security.cert.certificate c1=cf.generatecertificate(in1);
x509certificate t=(x509certificate)c1;
in2.close();
(b)获取日期
date timenow=new date();
(c)检验有效性
try{
t.checkvalidity(timenow);
system.out.println("ok");
}catch(certificateexpiredexception e){ //过期
system.out.println("expired");
system.out.println(e.getmessage());
}catch((certificatenotyetvalidexception e){ //尚未生效
system.out.println("too early");
system.out.println(e.getmessage());}
(2)验证证书签名的有效性
(a)获取ca证书
certificatefactory cf=certificatefactory.getinstance("x.509");
fileinputstream in2=new fileinputstream("caroot.crt");
java.security.cert.certificate cac=cf.generatecertificate(in2);
in2.close();
(c)获取ca的公钥
publickey pbk=cac.getpublickey();
(b)获取待检验的证书(上步已经获取了,就是c1)
(c)检验证书
boolean pass=false;
try{
c1.verify(pbk);
pass=true;
}catch(exception e){
pass=false;
system.out.println(e);
}
|
|
