java生成证书

本文介绍了一个用于生成客户端证书的Java类。该类使用根证书和密钥文件来创建客户端密钥对,并为客户端生成签名证书。它还包含了将证书和密钥保存到PKCS12格式文件的功能。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >




import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
import java.util.Hashtable;
import java.util.Vector;

import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DERInputStream;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.provider.JDKPKCS12KeyStore;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import org.springframework.core.io.Resource;

import steel.share.clientcert.ClientCert;


public class ClientCertGenerator {

private Resource rootCertFilePath;

private Resource rootKeyFilePath;

private int serialNumber;

public void genClientCert(ClientCert clientCert, OutputStream fileOutputStream) {
try {

X509Certificate rootCert = loadRootCertificate();

PrivateKey rootPrivateKey = loadRootPrivateKeyByKeyFile();

KeyPair clientKeyPair = genClientKeyPair();

X509Certificate signedCert = signCert(rootCert.getPublicKey(), rootPrivateKey, rootCert, clientKeyPair,
clientCert);


PKCS12BagAttributeCarrier bagAttributeCarrier = (PKCS12BagAttributeCarrier) signedCert;
bagAttributeCarrier.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(
clientCert.getCommonName() + "'s key"));
bagAttributeCarrier.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
new SubjectKeyIdentifierStructure(clientKeyPair.getPublic()));


Certificate[] certChain = new Certificate[1];
certChain[0] = signedCert;

JDKPKCS12KeyStore ks = new JDKPKCS12KeyStore.BCPKCS12KeyStore();
ks.engineSetKeyEntry(clientCert.getCommonName(), clientKeyPair.getPrivate(), clientCert.getPassword()
.toCharArray(), certChain);
ks.engineStore(fileOutputStream, clientCert.getPassword().toCharArray());

} catch (Exception e) {
throw new RuntimeException(e.getMessage(), e);
}
}


private X509Certificate loadRootCertificate() {
InputStream certIn = null;
try {

CertificateFactory fac = CertificateFactory.getInstance("X.509");

return (X509Certificate) fac.generateCertificate(rootCertFilePath.getInputStream());
} catch (Exception e) {
throw new RuntimeException(e.getMessage(), e);
} finally {
if (certIn != null) {
try {
certIn.close();
} catch (IOException ie) {
}
}
}
}


private PrivateKey loadRootPrivateKeyByKeyFile() {
BufferedInputStream privateIn = null;
ByteArrayOutputStream privateByteOut = null;
try {

privateIn = (BufferedInputStream) rootKeyFilePath.getInputStream();
privateByteOut = new ByteArrayOutputStream();
int len = 0;
while ((len = privateIn.read()) != -1) {
privateByteOut.write(len);
}
byte[] privateBytes = privateByteOut.toByteArray();

PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PrivateKey rootPrivateKey = keyFactory.generatePrivate(keySpec);

return rootPrivateKey;
} catch (Exception e) {
throw new RuntimeException(e.getMessage(), e);
} finally {
if (privateIn != null) {
try {
privateIn.close();
} catch (IOException ie) {
}
}
if (privateByteOut != null) {
try {
privateByteOut.close();
} catch (IOException ie) {
}
}
}
}


private KeyPair genClientKeyPair() {
try {

KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
generator.initialize(2048);

return generator.generateKeyPair();
} catch (Exception e) {
throw new RuntimeException(e.getMessage(), e);
}
}


@SuppressWarnings("unchecked")
private X509Certificate signCert(PublicKey rootPublicKey, PrivateKey rootPrivateKey, X509Certificate certificate,
KeyPair clientKeyPair, ClientCert clientCert) throws Exception {

Security.addProvider(new BouncyCastleProvider());


Hashtable attrs = new Hashtable();
Vector order = new Vector();

attrs.put(X509Principal.C, clientCert.getCountryCode());
attrs.put(X509Principal.O, clientCert.getOrganizationCode());
attrs.put(X509Principal.OU, clientCert.getOrganizationalName());
attrs.put(X509Principal.CN, clientCert.getCommonName());
attrs.put(X509Principal.L, clientCert.getCityName());
attrs.put(X509Principal.ST, clientCert.getProvinceName());

order.addElement(X509Principal.CN);
order.addElement(X509Principal.OU);
order.addElement(X509Principal.O);
order.addElement(X509Principal.L);
order.addElement(X509Principal.ST);
order.addElement(X509Principal.C);

X509V3CertificateGenerator _v3CertGenerator = new X509V3CertificateGenerator();

_v3CertGenerator.reset();

Date beginDate = new Date();

_v3CertGenerator.setSerialNumber(BigInteger.valueOf(serialNumber));

_v3CertGenerator.setIssuerDN(certificate.getIssuerX500Principal());

_v3CertGenerator.setNotBefore(new Date());

_v3CertGenerator.setNotAfter(new Date(beginDate.getTime() + 730 * 24 * 60 * 60 * 1000L));

_v3CertGenerator.setSubjectDN(new X509Principal(order, attrs));
_v3CertGenerator.setPublicKey(clientKeyPair.getPublic());
_v3CertGenerator.setSignatureAlgorithm("SHA1withRSA");


_v3CertGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false,
createSubjectKeyIdentifier(clientKeyPair.getPublic()));

_v3CertGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
createAuthorityKeyIdentifier(rootPublicKey));
_v3CertGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false));


X509Certificate cert = _v3CertGenerator.generate(rootPrivateKey, "BC");


cert.checkValidity(new Date());
cert.verify(rootPublicKey);

return cert;
}


@SuppressWarnings("deprecation")
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey rootPublicKey) {
try {
ByteArrayInputStream bIn = new ByteArrayInputStream(rootPublicKey.getEncoded());
SubjectPublicKeyInfo info = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(bIn).readObject());
return new AuthorityKeyIdentifier(info);
} catch (Exception e) {
throw new RuntimeException(e.getMessage(), e);
}
}


@SuppressWarnings("deprecation")
public SubjectKeyIdentifier createSubjectKeyIdentifier(PublicKey clientPublicKey) {
try {
ByteArrayInputStream bIn = new ByteArrayInputStream(clientPublicKey.getEncoded());
SubjectPublicKeyInfo info = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(bIn).readObject());
return new SubjectKeyIdentifier(info);
} catch (Exception e) {
throw new RuntimeException(e.getMessage(), e);
}
}

public Resource getRootCertFilePath() {
return rootCertFilePath;
}

public void setRootCertFilePath(Resource rootCertFilePath) {
this.rootCertFilePath = rootCertFilePath;
}

public Resource getRootKeyFilePath() {
return rootKeyFilePath;
}

public void setRootKeyFilePath(Resource rootKeyFilePath) {
this.rootKeyFilePath = rootKeyFilePath;
}

public int getSerialNumber() {
return serialNumber;
}

public void setSerialNumber(int serialNumber) {
this.serialNumber = serialNumber;
}

}

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值