BouncyCastle签名认证机制
来源:互联网 发布:unity3d 合并模型优化 编辑:程序博客网 时间:2024/06/12 22:51
BouncyCastle签名认证CA机制
package com.ideal.mdm.cert.service; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.KeyFactory; import java.security.KeyPair; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Security; import java.security.SignatureException; import java.security.cert.CertStoreException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.spec.InvalidKeySpecException; import java.security.spec.RSAPublicKeySpec; import java.util.Calendar; import java.util.Date; import java.util.GregorianCalendar; import java.util.Random; import javax.security.auth.x500.X500Principal; import org.apache.log4j.Logger; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.X500NameStyle; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.ExtendedKeyUsage; import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.KeyPurposeId; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.crypto.params.RSAKeyParameters; import org.bouncycastle.crypto.util.PublicKeyFactory; import org.bouncycastle.openssl.PEMReader; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.jscep.client.ClientException; import org.jscep.transaction.FailInfo; import org.jscep.transaction.OperationFailureException; import org.jscep.transaction.TransactionException; import com.ideal.mdm.cert.util.WinBCStyle; import sun.misc.BASE64Decoder; public class SCEPCertService { protected static final Logger logger = Logger.getLogger(SCEPCertService.class); private static PrivateKey priKey; private static PublicKey pubKey; private static X509Certificate ca; private static X500Name issuer; private static X500Name pollName; private static BigInteger caSerial; public static X509Certificate mainSignCSRProcedure(String b64DerCsr) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, NoSuchProviderException, ClientException, OperatorCreationException, TransactionException, CertificateException, CertStoreException, IOException, InvalidKeySpecException { init(); BASE64Decoder decoder = new BASE64Decoder(); byte[] derCsr; PublicKey csrPubKey; derCsr=decoder.decodeBuffer(b64DerCsr); csrPubKey = geneneratePublicKey(derCsr); X509Certificate issued=doEnrol(csrPubKey); return issued; //PemReader pemReader = null; /*try { FileReader fileReader = new FileReader(csrPath); pemReader = new PemReader(fileReader); } catch (FileNotFoundException e1) { e1.printStackTrace(); logger.debug(e1.getMessage()); }*/ /*PKCS10CertificationRequest csr = null; try { csr = new PKCS10CertificationRequest(pemReader.readPemObject() .getContent()); } catch (IOException e) { e.printStackTrace(); logger.debug(e.getMessage()); }*/ } protected static X509Certificate doEnrol(PublicKey csrPubKey) throws OperationFailureException { try { //X500Name origin_subject = X500Name.getInstance(csr.getSubject()); /*if (subject.equals(pollName)) { return Collections.emptyList(); }*/ //logger.debug(origin_subject.toString()); //new X500Name(); // PrintableString ps=new PrintableString(""); //X500Principal X500Name new_subject=new X500Name(WinBCStyle.INSTANCE,"CN=IdealMobile01"); //new_subject instanceof PrintableString; //new_subject.getRDNs()[0]. //PublicKey pubKey = CertificationRequestUtils.getPublicKey(csr); X509Certificate issued = generateCertificate(csrPubKey, new_subject, issuer, getSerial()); return issued; } catch (Exception e) { logger.debug(e.getMessage()); throw new OperationFailureException(FailInfo.badRequest); } } private static X509Certificate generateCertificate(PublicKey pubKey, X500Name subject, X500Name issuer, BigInteger serial) throws Exception { Calendar cal = GregorianCalendar.getInstance(); cal.add(Calendar.YEAR, -1); Date notBefore = cal.getTime(); cal.add(Calendar.YEAR, 2); Date notAfter = cal.getTime(); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder( issuer, serial, notBefore, notAfter, subject, pubKey); builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); // ExtendedKeyUsage anyExtendedKeyUsage = new ExtendedKeyUsage(KeyPurposeId.anyExtendedKeyUsage); // X509Extension anyExtendedKeyUsageExtension = new X509Extension(false, new DEROctetString(anyExtendedKeyUsage)); // builder.addExtension(X509Extension.extendedKeyUsage, true, anyExtendedKeyUsageExtension.getParsedValue()); ASN1EncodableVector asn1ExtKeyUsage = new ASN1EncodableVector(); // asn1ExtKeyUsage.add(KeyPurposeId.anyExtendedKeyUsage); // 任何用途 // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_serverAuth); // SSL的服务器认证 asn1ExtKeyUsage.add(KeyPurposeId.id_kp_clientAuth); // SSL的客户端认证 // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_codeSigning); // 代码签名 // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_codeSigning); // 代码签名 // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_ipsecEndSystem); // // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_ipsecTunnel); // // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_ipsecUser); // // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_timeStamping); // 时间戳 认证 // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_OCSPSigning); // ocsp证书认证 // asn1ExtKeyUsage.add(KeyPurposeId.id_kp_smartcardlogon); // asn1ExtKeyUsage.add(new GeneralName(GeneralName.dNSName,"ejbca.linyiheng.cn")); ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(new DERSequence(asn1ExtKeyUsage)); builder.addExtension(Extension.extendedKeyUsage, true, extendedKeyUsage); //builder.addExtension(Extension.subjectAlternativeName, true, arg2) KeyUsage keyUsage= new KeyUsage(KeyUsage.digitalSignature); X509Extension keyUsageExtension = new X509Extension(true, new DEROctetString(keyUsage)); builder.addExtension(X509Extension.keyUsage, true, keyUsageExtension.getParsedValue()); ContentSigner signer; try { signer = new JcaContentSignerBuilder("SHA1withRSA").build(priKey); } catch (OperatorCreationException e) { logger.debug(e.getMessage()); throw new Exception(e); } X509CertificateHolder holder = builder.build(signer); X509Certificate cert = new JcaX509CertificateConverter() .getCertificate(holder); //savePEMFile("/root/certificate/client.crt", cert); logger.debug("Cert's issuer DN is: "+cert); return cert; } // private static void savePEMFile(String path, Object obj) throws IOException { // FileWriter fw = new FileWriter(path); // PEMWriter writer = new PEMWriter(fw); // writer.writeObject(obj); // writer.close(); // } public static void init() { try { ca = loadLocalCertificate(); //BouncyCastleHelpers.toX500Name(ca.getSubjectX500Principal()); //new X500Name((ASN1Sequence) ca.getIssuerDN()); //new X500Name(); //new X500Name(ca.getSubjectX500Principal().RFC1779); // logger.debug("CA's issuer is :"+ ca.getSubjectX500Principal().getName()); // logger.debug("CA's issuer is :"+ ca.getSubjectX500Principal().getName(X500Principal.RFC1779)); // logger.debug("CA's issuer is :"+ ca.getSubjectX500Principal().getName(X500Principal.RFC2253)); // logger.debug("CA's issuer is :"+ ca.getSubjectX500Principal().getName(X500Principal.CANONICAL)); issuer = new X500Name(WinBCStyle.INSTANCE,"C=CN,ST=SH,L=SH,O=Ideal,OU=Ideal,CN=host.linyiheng.cn,emailAddress=linyiheng123@sina.com"); //pollName = new X500Name("CN=Poll2"); caSerial = BigInteger.TEN; BufferedReader br = new BufferedReader(new InputStreamReader( new SCEPCertService().getClass().getResourceAsStream("/ca.key"))); PEMReader localPEMReader=new PEMReader(br); // PEMReader localPEMReader = new PEMReader(br, new PasswordFinder() { // // public char[] getPassword() { // return "1111".toCharArray(); // } // // }); Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); priKey = ((KeyPair) localPEMReader.readObject()).getPrivate(); localPEMReader.close(); br.close(); pubKey = ca.getPublicKey(); } catch (IOException e) { logger.debug(e.getMessage()); e.printStackTrace(); } } public static X509Certificate loadLocalCertificate() { try { InputStream ica = new SCEPCertService().getClass().getResourceAsStream("/ca.crt"); CertificateFactory certFactory = CertificateFactory .getInstance("X.509"); ca = (X509Certificate) certFactory.generateCertificate(ica); } catch (Exception e) { logger.debug(e.getMessage()); e.printStackTrace(); } return ca; } private static BigInteger getSerial() { Random rnd = new Random(); return BigInteger.valueOf(Math.abs(rnd.nextLong()) + 1); } public static PublicKey geneneratePublicKey(byte[] key) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException { PKCS10CertificationRequest pkcs10CertReq=new PKCS10CertificationRequest(key); SubjectPublicKeyInfo pkInfo = pkcs10CertReq.getSubjectPublicKeyInfo(); RSAKeyParameters rsa = (RSAKeyParameters) PublicKeyFactory.createKey(pkInfo); RSAPublicKeySpec rsaSpec = new RSAPublicKeySpec(rsa.getModulus(), rsa.getExponent()); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); return keyFactory.generatePublic(rsaSpec); } }
BC Style
通过修改默认的BCStyle可以修改subject与issuer的名称类型。具体可以通过grepcode了解其中源码。
0 0
- BouncyCastle签名认证机制
- OpenSSL 签名认证机制
- RESTful接口签名认证实现机制
- .net用BouncyCastle进行签名&加解密
- C# 引用Org.BouncyCastle.Crypto 签名&解密
- 签名认证
- bouncycastle
- bouncycastle mail api实现加密和签名邮件
- 签名与认证
- 签名与认证
- 签名与认证
- 字符串 签名认证
- app Sign(签名)认证
- 接口签名认证思路
- 签名认证算法Digest
- RSA的签名认证实现
- Java代码签名与认证
- JVM 代码签名和认证
- 车辆定位
- 今天开始点滴累计
- nyoj_31 5个数求最值
- SSH服务器拒绝了密码
- 内存解析(stack,heap,static)
- BouncyCastle签名认证机制
- Java之基于S2SH与手机数据交互(二)
- Linux 如何安装 jdk
- 使用NSOperation以及NSOperationQueue
- 智能化升级服务
- emeditor14注册码
- MarkDown语法备查
- android 子线程刷新view
- 关于JMeter的CSV Data Set Config的源码改写(包括了部分界面等代码的分析)