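// (1) Open the existing keystore and read the CA's certificate from it.
// NOTE: storepass, alias and cakeypass are not defined in this snippet; they are
// expected to come from the surrounding program (arguments, console prompt or
// config), not from literals in source.
KeyStore ks = KeyStore.getInstance("JKS");
try (FileInputStream in = new FileInputStream(".keystore")) {
    ks.load(in, storepass.toCharArray());
}
java.security.cert.Certificate c1 = ks.getCertificate("caroot");

// (2) Read the CA's private key from the keystore.
// `alias` is presumably the same entry as "caroot" above — confirm against the caller.
PrivateKey caprk = (PrivateKey) ks.getKey(alias, cakeypass.toCharArray());

// (3) Extract the issuer name (the CA certificate's subject) from the CA certificate.
// X509CertImpl / X509CertInfo / X500Name are sun.security.x509 internal classes;
// they are not a supported API and need --add-exports on JDK 9+.
byte[] encod1 = c1.getEncoded();                                  // DER encoding of the CA certificate
X509CertImpl cimp1 = new X509CertImpl(encod1);                    // wrap it in the internal impl type
X509CertInfo cinfo1 = (X509CertInfo) cimp1.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
X500Name issuer = (X500Name) cinfo1.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME);

// (4) Load the certificate that is to be signed.
// The original parsed from `in` here — the keystore stream that ks.load() had
// already consumed — so the second file was never read; it must use `in2`.
// CertificateFactory.generateCertificate parses an X.509 certificate, so despite
// the ".csr" file name this file must contain a certificate (e.g. a self-signed
// one exported from the user's keystore), not a PKCS#10 request.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
java.security.cert.Certificate c2;
try (FileInputStream in2 = new FileInputStream("user.csr")) {
    c2 = cf.generateCertificate(in2);
}

// (5) Extract the to-be-signed info from that certificate.
byte[] encod2 = c2.getEncoded();
X509CertImpl cimp2 = new X509CertImpl(encod2);
X509CertInfo cinfo2 = (X509CertInfo) cimp2.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);

// (6) Validity period of the new certificate: from now for 3000 days.
Date begindate = new Date();
Date enddate = new Date(begindate.getTime() + 3000L * 24 * 60 * 60 * 1000);
CertificateValidity cv = new CertificateValidity(begindate, enddate);
cinfo2.set(X509CertInfo.VALIDITY, cv);

// (7) Serial number of the new certificate: seconds since the epoch, truncated to int.
// NOTE: this is neither unique (two certificates signed in the same second
// collide) nor unpredictable, and the int cast overflows in 2038.  RFC 5280
// requires a serial that is unique per issuer; a real CA should use a random
// or monotonically increasing value via CertificateSerialNumber(BigInteger).
int sn = (int) (begindate.getTime() / 1000);
CertificateSerialNumber csn = new CertificateSerialNumber(sn);
cinfo2.set(X509CertInfo.SERIAL_NUMBER, csn);

// (8) Issuer of the new certificate: the CA name obtained in step (3).
cinfo2.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer);

// (9) Signature algorithm recorded inside the to-be-signed structure.
// NOTE: MD5withRSA is broken (practical collisions) and is disabled for
// certificate-path validation in current JDKs, so a certificate signed this way
// will be rejected by modern clients.  Replace it with SHA256withRSA here and in
// the sign() call of step (10) — the two must agree, or the certificate is invalid.
AlgorithmId algorithm = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
cinfo2.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algorithm);

// (10) Build the certificate and sign it with the CA's private key.
X509CertImpl newcert = new X509CertImpl(cinfo2);
newcert.sign(caprk, "MD5WithRSA");

// (11) Add the signed certificate to the keystore and write it to a new store file.
// The original never closed the output stream; try-with-resources closes it after store().
// The page's note: instead of writing a new store, the entry could also be added to the
// existing one.  The new store password is a literal here — keep it out of source in real code.
ks.setCertificateEntry("lf_signed", newcert);
try (FileOutputStream out = new FileOutputStream("newstore")) {
    ks.store(out, "newpass".toCharArray());
}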
签名一般是使用公私密钥对。自己使用私钥加密,其他人可以任意获取到公钥用来解密,既然解出来了,就说明是私钥加密的。用私钥加密的过程叫做签名。当然实际过程没这么简单,还包括找个合适的第三方再次签名公钥以证明公钥的安全性等。不过只要知道上面的东西基本就可以了。
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;
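/**
 * ECDSA sign / verify example using the JDK's built-in EC provider.
 *
 * <p>The original sample requested a 160-bit key and "NONEwithECDSA".  Recent JDKs
 * no longer accept a 160-bit EC key size (and it is far below today's minimum), and
 * NONEwithECDSA signs the input bytes directly as if they were a digest, so the
 * caller would have to hash the message first.  This version uses a 256-bit key
 * and SHA256withECDSA, which hashes the message internally.
 */
public class ECDSASignature {

    /** EC key size in bits (NIST P-256). */
    static final int KEY_SIZE = 256;

    /** Signature algorithm: SHA-256 digest followed by ECDSA. */
    static final String SIGNATURE_ALGORITHM = "SHA256withECDSA";

    private static final Logger LOG = Logger.getLogger(ECDSASignature.class.getName());

    public static void main(String[] argv) {
        signatureTest();
    }

    /**
     * Generates a key pair, signs a fixed test string with the private key and
     * verifies the signature with the public key, printing each step.
     *
     * @return {@code true} if the signature verified; {@code false} if key generation,
     *     signing or verification failed (the failure is logged at SEVERE)
     */
    public static boolean signatureTest() {
        SecureRandom secureRandom = new SecureRandom();

        // Key pair generation.
        KeyPair pair;
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
            keyPairGenerator.initialize(KEY_SIZE, secureRandom);
            pair = keyPairGenerator.generateKeyPair();
        } catch (NoSuchAlgorithmException ex) {
            // The original returned silently here; log so a missing provider is visible.
            LOG.log(Level.SEVERE, "EC key pair generation is not available", ex);
            return false;
        }

        // Explicit charset: getBytes() without one depends on the platform default.
        byte[] message = "test".getBytes(StandardCharsets.UTF_8);

        // Sign with the private key.
        byte[] sign;
        try {
            sign = sign(pair.getPrivate(), message, secureRandom);
            // Signature bytes are binary; the original printed them through
            // new String(), which mangles them.  Base64 keeps the output readable.
            System.out.println("sign: " + Base64.getEncoder().encodeToString(sign));
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException ex) {
            LOG.log(Level.SEVERE, "signing failed", ex);
            // The original fell through and passed a null signature to verify().
            return false;
        }

        // Verify with the public key.
        try {
            boolean verifyResult = verify(pair.getPublic(), message, sign);
            System.out.println(verifyResult ? "签名OK" : "签名NG");
            return verifyResult;
        } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
            LOG.log(Level.SEVERE, "verification failed", e);
            return false;
        }
    }

    /**
     * Signs {@code message} with {@code privateKey} using {@link #SIGNATURE_ALGORITHM}.
     *
     * @param privateKey the EC private key
     * @param message the bytes to sign
     * @param random randomness source for the ECDSA nonce
     * @return the DER-encoded signature
     * @throws NoSuchAlgorithmException if no provider offers the algorithm
     * @throws InvalidKeyException if the key does not fit the algorithm
     * @throws SignatureException if signing fails
     */
    private static byte[] sign(PrivateKey privateKey, byte[] message, SecureRandom random)
            throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        Signature signer = Signature.getInstance(SIGNATURE_ALGORITHM);
        signer.initSign(privateKey, random);
        signer.update(message);
        return signer.sign();
    }

    /**
     * Verifies {@code sign} over {@code message} with {@code publicKey}.
     *
     * @param publicKey the EC public key matching the signing key
     * @param message the bytes that were signed
     * @param sign the signature produced by {@link #sign}
     * @return {@code true} if the signature is valid for the message and key
     * @throws NoSuchAlgorithmException if no provider offers the algorithm
     * @throws InvalidKeyException if the key does not fit the algorithm
     * @throws SignatureException if the signature is malformed
     */
    private static boolean verify(PublicKey publicKey, byte[] message, byte[] sign)
            throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        Signature verifier = Signature.getInstance(SIGNATURE_ALGORITHM);
        verifier.initVerify(publicKey);
        verifier.update(message);
        return verifier.verify(sign);
    }
}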
http://www.huuinn.com/java-%E7%94%B5%E5%AD%90%E7%AD%BE%E5%90%8D%E8%8C%83%E4%BE%8B%E4%BB%A3%E7%A0%81/