是否可以在不使用 Bouncy CastleX509V*CertificateGenerator类的情况下在 Java 代码中创建 X509 证书?
问问题
56397 次
5 回答
86
是的,但不是公开记录的课程。我已在本文中记录了该过程。
import sun.security.x509.*;
import java.security.cert.*;
import java.security.*;
import java.math.BigInteger;
import java.util.Date;
import java.io.IOException
/**
* Create a self-signed X.509 Certificate
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Certificate is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
*/
X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
throws GeneralSecurityException, IOException
{
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
编辑 2021 - 不幸的是,这种方法在 Java 17 下不起作用,因为sun.*无法访问层次结构。所以它回到了 BouncyCastle 或滚动你自己的 ASN.1 序列化程序。
于 2011-03-30T16:08:15.893 回答
21
签署证书的能力不是标准 Java 库或扩展的一部分。
很多需要自己做的代码是核心的一部分。有一些类可以编码和解码 X.500 名称、X.509 证书扩展、各种算法的公钥,当然还有实际执行数字签名的类。
自己实现这一点并非易事,但这绝对是可行的——我第一次制作证书签名的工作原型时可能花了 4 到 5 天。这对我来说是一个很棒的学习练习,但是当有免费的可用库时,很难证明这笔费用是合理的。
于 2009-10-23T21:26:29.197 回答
12
import sun.security.x509.*;
import java.security.cert.*;
import java.security.*;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.util.Date;
import java.io.IOException;
public class Example {
/**
* Create a self-signed X.509 Example
*
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Example is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
*/
public X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
throws GeneralSecurityException, IOException {
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, owner);
info.set(X509CertInfo.ISSUER, owner);
info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
public static void main (String[] argv) throws Exception {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyPairGenerator.generateKeyPair();
Example example = new Example();
String distinguishedName = "CN=Test, L=London, C=GB";
Certificate certificate = example.generateCertificateOriginal(distinguishedName, keyPair, 365, "SHA256withRSA");
System.out.println("it worked!");
}
}
我喜欢 vbence 的回答,但我不断收到以下异常:
java.security.cert.CertificateException:主题类类型无效。
经过大量尝试找出有效的主题类后,我发现 X509CerInfo 想要一个 X500Name 的实例。
1 info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
2 info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
3 info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
4 info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
所以需要将第 2 行和第 3 行更改为
2 info.set(X509CertInfo.SUBJECT, owner);
3 info.set(X509CertInfo.ISSUER, owner);
于 2017-06-24T15:36:56.703 回答
4
JRE 中提供了制作自签名证书的所有基本组件(签名、X509 编码等)。与 BC 不同,Sun 的 JCE 不提供任何公开调用来签署证书。但是,所有功能都在 Keytool 中可用。您可以简单地从 keytool 复制代码来执行此操作。您需要复制的方法是doSelfCert().
于 2009-10-23T22:05:30.873 回答
1
取决于您到底想做什么(可能还有您对“Sanely”的定义)。正如 ZZ Coder 指出的,您可以通过复制keytool直接创建自签名证书。但我不相信您可以使用标准 JCE 创建 PKCS10 证书请求对象,如果您想创建标准 CA 签名的 EEC,您可能需要这样做。
于 2010-01-10T16:43:07.493 回答