java 怎么验证文件为数字签名认证文件

Python018

java 怎么验证文件为数字签名认证文件,第1张

1)从密钥库中读取CA的证书

FileInputStream in=new FileInputStream(".keystore")

KeyStore ks=KeyStore.getInstance("JKS")

ks.load(in,storepass.toCharArray())

java.security.cert.Certificate c1=ks.getCertificate("caroot")

(2)从密钥库中读取CA的私钥

PrivateKey caprk=(PrivateKey)ks.getKey(alias,cakeypass.toCharArray())

(3)从CA的证书中提取签发者的信息

byte[] encod1=c1.getEncoded() 提取CA证书的编码

X509CertImpl cimp1=new X509CertImpl(encod1)用该编码创建X509CertImpl类型对象

X509CertInfo cinfo1=(X509CertInfo)cimp1.get(X509CertImpl.NAME+"."+X509CertImpl.INFO)获取X509CertInfo对象

X500Name issuer=(X500Name)cinfo1.get(X509CertInfo.SUBJECT+"."+CertificateIssuerName.DN_NAME)获取X509Name类型的签发者信息

(4)获取待签发的证书

CertificateFactory cf=CertificateFactory.getInstance("X.509")

FileInputStream in2=new FileInputStream("user.csr")

java.security.cert.Certificate c2=cf.generateCertificate(in)

(5)从待签发的证书中提取证书信息

byte [] encod2=c2.getEncoded()

X509CertImpl cimp2=new X509CertImpl(encod2)用该编码创建X509CertImpl类型对象

X509CertInfo cinfo2=(X509CertInfo)cimp2.get(X509CertImpl.NAME+"."+X509CertImpl.INFO)获取X509CertInfo对象

(6)设置新证书有效期

Date begindate=new Date()获取当前时间

Date enddate=new Date(begindate.getTime()+3000*24*60*60*1000L)有效期为3000天

CertificateValidity cv=new CertificateValidity(begindate,enddate)创建对象

cinfo2.set(X509CertInfo.VALIDITY,cv)设置有效期

(7)设置新证书序列号

int sn=(int)(begindate.getTime()/1000) 以当前时间为序列号

CertificateSerialNumber csn=new CertificateSerialNumber(sn)

cinfo2.set(X509CertInfo.SERIAL_NUMBER,csn)

(8)设置新证书签发者

cinfo2.set(X509CertInfo.ISSUER+"."+CertificateIssuerName.DN_NAME,issuer)应用第三步的结果

(9)设置新证书签名算法信息

AlgorithmId algorithm=new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid)

cinfo2.set(CertificateAlgorithmId.NAME+"."+CertificateAlgorithmId.ALGORITHM,algorithm)

(10)创建证书并使用CA的私钥对其签名

X509CertImpl newcert=new X509CertImpl(cinfo2)

newcert.sign(caprk,"MD5WithRSA")使用CA私钥对其签名

(11)将新证书写入密钥库

ks.setCertificateEntry("lf_signed",newcert)

FileOutputStream out=new FileOutputStream("newstore")

ks.store(out,"newpass".toCharArray())这里是写入了新的密钥库,也可以使用第七条来增加条目

签名一般是使用公私密钥对。自己使用私钥加密,其他人可以任意获取到公钥用来解密,既然解出来了,就说明是私钥加密的。 用私钥加密的过程叫做签名。

当然实际过程没这么简单,还包括,找个合适的第三方再次签名公钥已证明公钥的安全性等。不过只要知道上面的东西基本就可以了。

import java.security.InvalidKeyException

import java.security.Key

import java.security.KeyPair

import java.security.KeyPairGenerator

import java.security.NoSuchAlgorithmException

import java.security.PrivateKey

import java.security.PublicKey

import java.security.SecureRandom

import java.security.Signature

import java.security.SignatureException

import java.util.logging.Level

import java.util.logging.Logger

/**

 * ECDSA 160bit 签名及签名验证例子

 */

public class ECDSASignature {

    public static void main(String argv[]) {

        signatureTest()

    }

    public static void signatureTest() {

        /**

         * 密钥对生成

         */

        KeyPairGenerator keyPairGenerator = null

        try {

            keyPairGenerator = KeyPairGenerator.getInstance("EC")

        } catch (NoSuchAlgorithmException ex) {

            return

        }

        SecureRandom secureRandom = new SecureRandom()

        keyPairGenerator.initialize(160, secureRandom)

        KeyPair pair = keyPairGenerator.generateKeyPair()

        Key publicKey = pair.getPublic()

        Key privateKey = pair.getPrivate()

        // 字符串

        String hako = "test"

        /**

         * 私钥签名(ECDSA 160bit)

         */

        byte[] sign = null

        try {

            Signature signatureSign = null

            signatureSign = Signature.getInstance("NONEwithECDSA")

            signatureSign.initSign((PrivateKey) privateKey, secureRandom)

            signatureSign.update(hako.getBytes())

            sign = signatureSign.sign()

            System.out.println("sign: " + new String(sign))

        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException ex) {

            Logger.getLogger(ECDSASignature.class.getName()).log(Level.SEVERE, null, ex)

        }

        /**

         * 用公钥进行签名验证

         */

        Signature signatureVerify = null

        try {

            signatureVerify = Signature.getInstance("NONEwithECDSA")

            signatureVerify.initVerify((PublicKey) publicKey)

            signatureVerify.update(hako.getBytes())

            boolean verifyResult = signatureVerify.verify(sign)

            System.out.println(verifyResult ? "签名OK" : "签名NG")

        } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {

            Logger.getLogger(ECDSASignature.class.getName()).log(Level.SEVERE, null, e)

        }

    }

}

http://www.huuinn.com/java-%E7%94%B5%E5%AD%90%E7%AD%BE%E5%90%8D%E8%8C%83%E4%BE%8B%E4%BB%A3%E7%A0%81/