java生成证书
来源:互联网 发布:windows字体文件 编辑:程序博客网 时间:2024/06/05 04:47
- import java.io.BufferedInputStream;
- import java.io.ByteArrayInputStream;
- import java.io.ByteArrayOutputStream;
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
- import java.math.BigInteger;
- import java.security.KeyFactory;
- import java.security.KeyPair;
- import java.security.KeyPairGenerator;
- import java.security.PrivateKey;
- import java.security.PublicKey;
- import java.security.Security;
- import java.security.cert.Certificate;
- import java.security.cert.CertificateFactory;
- import java.security.cert.X509Certificate;
- import java.security.spec.PKCS8EncodedKeySpec;
- import java.util.Date;
- import java.util.Hashtable;
- import java.util.Vector;
-
- import org.bouncycastle.asn1.ASN1Sequence;
- import org.bouncycastle.asn1.DERBMPString;
- import org.bouncycastle.asn1.DERInputStream;
- import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
- import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
- import org.bouncycastle.asn1.x509.BasicConstraints;
- import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
- import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
- import org.bouncycastle.asn1.x509.X509Extensions;
- import org.bouncycastle.jce.X509Principal;
- import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
- import org.bouncycastle.jce.provider.BouncyCastleProvider;
- import org.bouncycastle.jce.provider.JDKPKCS12KeyStore;
- import org.bouncycastle.x509.X509V3CertificateGenerator;
- import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
- import org.springframework.core.io.Resource;
-
- import steel.share.clientcert.ClientCert;
-
-
- public class ClientCertGenerator {
-
- private Resource rootCertFilePath;
-
- private Resource rootKeyFilePath;
-
- private int serialNumber;
-
- public void genClientCert(ClientCert clientCert, OutputStream fileOutputStream) {
- try {
-
- X509Certificate rootCert = loadRootCertificate();
-
- PrivateKey rootPrivateKey = loadRootPrivateKeyByKeyFile();
-
- KeyPair clientKeyPair = genClientKeyPair();
-
- X509Certificate signedCert = signCert(rootCert.getPublicKey(), rootPrivateKey, rootCert, clientKeyPair,
- clientCert);
-
-
- PKCS12BagAttributeCarrier bagAttributeCarrier = (PKCS12BagAttributeCarrier) signedCert;
- bagAttributeCarrier.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(
- clientCert.getCommonName() + "'s key"));
- bagAttributeCarrier.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
- new SubjectKeyIdentifierStructure(clientKeyPair.getPublic()));
-
-
- Certificate[] certChain = new Certificate[1];
- certChain[0] = signedCert;
-
- JDKPKCS12KeyStore ks = new JDKPKCS12KeyStore.BCPKCS12KeyStore();
- ks.engineSetKeyEntry(clientCert.getCommonName(), clientKeyPair.getPrivate(), clientCert.getPassword()
- .toCharArray(), certChain);
- ks.engineStore(fileOutputStream, clientCert.getPassword().toCharArray());
-
- } catch (Exception e) {
- throw new RuntimeException(e.getMessage(), e);
- }
- }
-
-
- private X509Certificate loadRootCertificate() {
- InputStream certIn = null;
- try {
-
- CertificateFactory fac = CertificateFactory.getInstance("X.509");
-
- return (X509Certificate) fac.generateCertificate(rootCertFilePath.getInputStream());
- } catch (Exception e) {
- throw new RuntimeException(e.getMessage(), e);
- } finally {
- if (certIn != null) {
- try {
- certIn.close();
- } catch (IOException ie) {
- }
- }
- }
- }
-
-
- private PrivateKey loadRootPrivateKeyByKeyFile() {
- BufferedInputStream privateIn = null;
- ByteArrayOutputStream privateByteOut = null;
- try {
-
- privateIn = (BufferedInputStream) rootKeyFilePath.getInputStream();
- privateByteOut = new ByteArrayOutputStream();
- int len = 0;
- while ((len = privateIn.read()) != -1) {
- privateByteOut.write(len);
- }
- byte[] privateBytes = privateByteOut.toByteArray();
-
- PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateBytes);
- KeyFactory keyFactory = KeyFactory.getInstance("RSA");
- PrivateKey rootPrivateKey = keyFactory.generatePrivate(keySpec);
-
- return rootPrivateKey;
- } catch (Exception e) {
- throw new RuntimeException(e.getMessage(), e);
- } finally {
- if (privateIn != null) {
- try {
- privateIn.close();
- } catch (IOException ie) {
- }
- }
- if (privateByteOut != null) {
- try {
- privateByteOut.close();
- } catch (IOException ie) {
- }
- }
- }
- }
-
-
- private KeyPair genClientKeyPair() {
- try {
-
- KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
- generator.initialize(2048);
-
- return generator.generateKeyPair();
- } catch (Exception e) {
- throw new RuntimeException(e.getMessage(), e);
- }
- }
-
-
- @SuppressWarnings("unchecked")
- private X509Certificate signCert(PublicKey rootPublicKey, PrivateKey rootPrivateKey, X509Certificate certificate,
- KeyPair clientKeyPair, ClientCert clientCert) throws Exception {
-
- Security.addProvider(new BouncyCastleProvider());
-
-
- Hashtable attrs = new Hashtable();
- Vector order = new Vector();
-
- attrs.put(X509Principal.C, clientCert.getCountryCode());
- attrs.put(X509Principal.O, clientCert.getOrganizationCode());
- attrs.put(X509Principal.OU, clientCert.getOrganizationalName());
- attrs.put(X509Principal.CN, clientCert.getCommonName());
- attrs.put(X509Principal.L, clientCert.getCityName());
- attrs.put(X509Principal.ST, clientCert.getProvinceName());
-
- order.addElement(X509Principal.CN);
- order.addElement(X509Principal.OU);
- order.addElement(X509Principal.O);
- order.addElement(X509Principal.L);
- order.addElement(X509Principal.ST);
- order.addElement(X509Principal.C);
-
- X509V3CertificateGenerator _v3CertGenerator = new X509V3CertificateGenerator();
-
- _v3CertGenerator.reset();
-
- Date beginDate = new Date();
-
- _v3CertGenerator.setSerialNumber(BigInteger.valueOf(serialNumber));
-
- _v3CertGenerator.setIssuerDN(certificate.getIssuerX500Principal());
-
- _v3CertGenerator.setNotBefore(new Date());
-
- _v3CertGenerator.setNotAfter(new Date(beginDate.getTime() + 730 * 24 * 60 * 60 * 1000L));
-
- _v3CertGenerator.setSubjectDN(new X509Principal(order, attrs));
- _v3CertGenerator.setPublicKey(clientKeyPair.getPublic());
- _v3CertGenerator.setSignatureAlgorithm("SHA1withRSA");
-
-
- _v3CertGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false,
- createSubjectKeyIdentifier(clientKeyPair.getPublic()));
-
- _v3CertGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
- createAuthorityKeyIdentifier(rootPublicKey));
- _v3CertGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false));
-
-
- X509Certificate cert = _v3CertGenerator.generate(rootPrivateKey, "BC");
-
-
- cert.checkValidity(new Date());
- cert.verify(rootPublicKey);
-
- return cert;
- }
-
-
- @SuppressWarnings("deprecation")
- public AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey rootPublicKey) {
- try {
- ByteArrayInputStream bIn = new ByteArrayInputStream(rootPublicKey.getEncoded());
- SubjectPublicKeyInfo info = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(bIn).readObject());
- return new AuthorityKeyIdentifier(info);
- } catch (Exception e) {
- throw new RuntimeException(e.getMessage(), e);
- }
- }
-
-
- @SuppressWarnings("deprecation")
- public SubjectKeyIdentifier createSubjectKeyIdentifier(PublicKey clientPublicKey) {
- try {
- ByteArrayInputStream bIn = new ByteArrayInputStream(clientPublicKey.getEncoded());
- SubjectPublicKeyInfo info = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(bIn).readObject());
- return new SubjectKeyIdentifier(info);
- } catch (Exception e) {
- throw new RuntimeException(e.getMessage(), e);
- }
- }
-
- public Resource getRootCertFilePath() {
- return rootCertFilePath;
- }
-
- public void setRootCertFilePath(Resource rootCertFilePath) {
- this.rootCertFilePath = rootCertFilePath;
- }
-
- public Resource getRootKeyFilePath() {
- return rootKeyFilePath;
- }
-
- public void setRootKeyFilePath(Resource rootKeyFilePath) {
- this.rootKeyFilePath = rootKeyFilePath;
- }
-
- public int getSerialNumber() {
- return serialNumber;
- }
-
- public void setSerialNumber(int serialNumber) {
- this.serialNumber = serialNumber;
- }
-
- }