本文介绍了如何利用密码机和BouncyCastle(BC)组件生成基于国密SM2算法的证书。虽然BC支持SM3,但不直接支持SM2。通过解析OID(对象标识符),如SM3withSM2的OID为1.2.156.10197.1.501,扩展JcaContentSignerBuilder以支持SM3withSM2,并解决了BC库与sun签名的冲突问题。最后,要在自定义的提供者中实现签名操作。
密码机:硬件加密模块、HSM,支持国密的SM3WITHSM2算法
BC:BouncyCastle,开源第三方安全组件,支持SM3摘要,尚不支持sm2
OIDS:
SM3withSM2 OID 为1.2.156.10197.1.501。
SM2的公钥参数OID为1.2.156.10197.1.301
<QQ:22066821>
正常的SHA1withRSA证书是这样的:
重点是new JcaContentSignerBuilder(alg),把SHA1withRSA更换成SM3withSM2,查看区别,
打开JcaContentSignerBuilder:
BC:BouncyCastle,开源第三方安全组件,支持SM3摘要,尚不支持sm2
OIDS:
SM3withSM2 OID 为1.2.156.10197.1.501。
SM2的公钥参数OID为1.2.156.10197.1.301
<QQ:22066821>
正常的SHA1withRSA证书是这样的:
X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(issuer),
serial, notBefore,notAfter, new X500Name(subject), publicKey);
// "SHA1withRSA"
ContentSigner sigGen = new JcaContentSignerBuilder(alg).setProvider("BC").build(privKey);
X509CertificateHolder holder = builder.build(sigGen);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream is1 = new ByteArrayInputStream(holder.toASN1Structure().getEncoded());
X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
is1.close();重点是new JcaContentSignerBuilder(alg),把SHA1withRSA更换成SM3withSM2,查看区别,
打开JcaContentSignerBuilder:
最低0.47元/天 解锁文章
扫一扫
4606
到【灌水乐园】发言
