一:需要包含的包???
import
?java.security.
*
;
????
import
?java.io.
*
;
????
import
?java.util.
*
;
????
import
?java.security.
*
;
????
import
?java.security.cert.
*
;
????
import
?sun.security.x509.
*
????
import
?java.security.cert.Certificate;
????
import
?java.security.cert.CertificateFactory;
二:從文件中讀取證書
??? 用keytool將.keystore中的證書寫入文件中,然后從該文件中讀取證書信息???
?CertificateFactory?cf
=
CertificateFactory.getInstance(
"
X.509
"
);
????FileInputStream?in
=
new
?FileInputStream(
"
out.csr
"
);
????Certificate?c
=
cf.generateCertificate(in);
????String?s
=
c.toString();
三:從密鑰庫中直接讀取證書
???
String?pass
=
"
123456
"
;
????FileInputStream?in
=
new
?FileInputStream(
"
.keystore
"
);
????KeyStore?ks
=
KeyStore.getInstance(
"
JKS
"
);
????ks.load(in,pass.toCharArray());
????java.security.cert.Certificate?c
=
ks.getCertificate(alias);
//
alias為條目的別名
四:JAVA程序中顯示證書指定信息
???
?System.out.println(
"
輸出證書信息:\n
"
+
c.toString());
????System.out.println(
"
版本號:
"
+
t.getVersion());
????System.out.println(
"
序列號:
"
+
t.getSerialNumber().toString(
16
));
????System.out.println(
"
主體名:
"
+
t.getSubjectDN());
????System.out.println(
"
簽發者:
"
+
t.getIssuerDN());
????System.out.println(
"
有效期:
"
+
t.getNotBefore());
????System.out.println(
"
簽名算法:
"
+
t.getSigAlgName());
????
byte
?[]?sig
=
t.getSignature();
//
簽名值?
????PublicKey?pk
=
t.getPublicKey();
????
byte
?[]?pkenc
=
pk.getEncoded();??
????System.out.println(
"
公鑰
"
);
????
for
(
int
?i
=
0
;i
<
pkenc.length;i
++
)System.out.print(pkenc[i]
+
"
,
"
);
五:JAVA程序列出密鑰庫所有條目
???
String?pass
=
"
123456
"
;
????FileInputStream?in
=
new
?FileInputStream(
"
.keystore
"
);
????KeyStore?ks
=
KeyStore.getInstance(
"
JKS
"
);
????ks.load(in,pass.toCharArray());
????Enumeration?e
=
ks.aliases();
????
while
(e.hasMoreElements())
????java.security.cert.Certificate?c
=
ks.getCertificate((String)e.nextElement());
六:JAVA程序修改密鑰庫口令
???
String?oldpass
=
"
123456
"
;
????String?newpass
=
"
654321
"
;
????FileInputStream?in
=
new
?FileInputStream(
"
.keystore
"
);
????KeyStore?ks
=
KeyStore.getInstance(
"
JKS
"
);
????ks.load(in,oldpass.toCharArray());
????in.close();
????FileOutputStream?output
=
new
?FileOutputStream(
"
.keystore
"
);
????ks.store(output,newpass.toCharArray());
????output.close();
七:JAVA程序修改密鑰庫條目的口令及添加條目????
FileInputStream?in
=
new
?FileInputStream(
"
.keystore
"
);
????KeyStore?ks
=
KeyStore.getInstance(
"
JKS
"
);
????ks.load(in,storepass.toCharArray());
????Certificate?[]?cchain
=
ks.getCertificate(alias);獲取別名對應條目的證書鏈
????PrivateKey?pk
=
(PrivateKey)ks.getKey(alias,oldkeypass.toCharArray());獲取別名對應條目的私鑰
????ks.setKeyEntry(alias,pk,newkeypass.toCharArray(),cchain);向密鑰庫中添加條目
??? 第一個參數指定所添加條目的別名,假如使用已存在別名將覆蓋已存在條目,使用新別名將增加一個新條目,第二個參數為條目的私鑰,第三個為設置的新口令,第四個為該私鑰的公鑰的證書鏈
??? FileOutputStream output=new FileOutputStream("another");
??? ks.store(output,storepass.toCharArray())將keystore對象內容寫入新文件
八:JAVA程序檢驗別名和刪除條目
???
?FileInputStream?in
=
new
?FileInputStream(
"
.keystore
"
);
????KeyStore?ks
=
KeyStore.getInstance(
"
JKS
"
);
????ks.load(in,storepass.toCharArray());
????ks.containsAlias(
"
sage
"
);檢驗條目是否在密鑰庫中,存在返回true
????ks.deleteEntry(
"
sage
"
);刪除別名對應的條目
????FileOutputStream?output
=
new
?FileOutputStream(
"
.keystore
"
);
????ks.store(output,storepass.toCharArray())將keystore對象內容寫入文件,條目刪除成功
九:JAVA程序簽發數字證書
???(1)從密鑰庫中讀取CA的證書??????
?FileInputStream?in
=
new
?FileInputStream(
"
.keystore
"
);
????KeyStore?ks
=
KeyStore.getInstance(
"
JKS
"
);
????ks.load(in,storepass.toCharArray());
????java.security.cert.Certificate?c1
=
ks.getCertificate(
"
caroot
"
);
(2)從密鑰庫中讀取CA的私鑰
????
PrivateKey?caprk
=
(PrivateKey)ks.getKey(alias,cakeypass.toCharArray());
?(3)從CA的證書中提取簽發者的信息???
?
byte
[]?encod1
=
c1.getEncoded();????提取CA證書的編碼
????X509CertImpl?cimp1
=
new
?X509CertImpl(encod1);??用該編碼創建X509CertImpl類型對象
????X509CertInfo?cinfo1
=
(X509CertInfo)cimp1.get(X509CertImpl.NAME
+
"
.
"
+
X509CertImpl.INFO);??獲取X509CertInfo對象
????X500Name?issuer
=
(X500Name)cinfo1.get(X509CertInfo.SUBJECT
+
"
.
"
+
CertificateIssuerName.DN_NAME);?獲取X509Name類型的簽發者信息
??? (4)獲取待簽發的證書
???
?CertificateFactory?cf
=
CertificateFactory.getInstance(
"
X.509
"
);
????FileInputStream?in2
=
new
?FileInputStream(
"
user.csr
"
);
????java.security.cert.Certificate?c2
=
cf.generateCertificate(in);
??? (5)從待簽發的證書中提取證書信息
??
??
byte
?[]?encod2
=
c2.getEncoded();
????X509CertImpl?cimp2
=
new
?X509CertImpl(encod2);??用該編碼創建X509CertImpl類型對象
????X509CertInfo?cinfo2
=
(X509CertInfo)cimp2.get(X509CertImpl.NAME
+
"
.
"
+
X509CertImpl.INFO);??獲取X509CertInfo對象
??? (6)設置新證書有效期
???
?Date?begindate
=
new
?Date();?獲取當前時間
????Date?enddate
=
new
?Date(begindate.getTime()
+
3000
*
24
*
60
*
60
*
1000L
);?有效期為3000天
????CertificateValidity?cv
=
new
?CertificateValidity(begindate,enddate);?創建對象
????cinfo2.set(X509CertInfo.VALIDITY,cv);??設置有效期
??? (7)設置新證書序列號
??
??
int
?sn
=
(
int
)(begindate.getTime()
/
1000
);????以當前時間為序列號
????CertificateSerialNumber?csn
=
new
?CertificateSerialNumber(sn);
????cinfo2.set(X509CertInfo.SERIAL_NUMBER,csn);
??? (8)設置新證書簽發者
??? cinfo2.set(X509CertInfo.ISSUER+"."+CertificateIssuerName.DN_NAME,issuer);應用第三步的結果
??? (9)設置新證書簽名算法信息
??? AlgorithmId algorithm=new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
??? cinfo2.set(CertificateAlgorithmId.NAME+"."+CertificateAlgorithmId.ALGORITHM,algorithm);
??? (10)創建證書并使用CA的私鑰對其簽名
??? X509CertImpl newcert=new X509CertImpl(cinfo2);
??? newcert.sign(caprk,"MD5WithRSA"); 使用CA私鑰對其簽名
??? (11)將新證書寫入密鑰庫?
???ks.setCertificateEntry(
"
lf_signed
"
,newcert);
????FileOutputStream?out
=
new
?FileOutputStream(
"
newstore
"
);
????ks.store(out,
"
newpass
"
.toCharArray());??這里是寫入了新的密鑰庫,也可以使用第七條來增加條目
十:數字證書的檢驗
??? (1)驗證證書的有效期
?(a)獲取X509Certificate類型對象
?
CertificateFactory?cf
=
CertificateFactory.getInstance(
"
X.509
"
);
????FileInputStream?in1
=
new
?FileInputStream(
"
aa.crt
"
);
??java.security.cert.Certificate??c1
=
cf.generateCertificate(in1);
?X509Certificate?t
=
(X509Certificate)c1;
??in2.close();
??????? (b)獲取日期
?Date TimeNow=new Date();
?(c)檢驗有效性
?
try
{
????t.checkValidity(TimeNow);
???????????System.out.println(
"
OK
"
);
?}
catch
(CertificateExpiredException?e)
{??
//
過期
????System.out.println(
"
Expired
"
);
????System.out.println(e.getMessage());
?}
catch
((CertificateNotYetValidException?e)
{?
//
尚未生效
????System.out.println(
"
Too?early
"
);
????System.out.println(e.getMessage());}
???? (2)驗證證書簽名的有效性
?(a)獲取CA證書
???????
??CertificateFactory?cf
=
CertificateFactory.getInstance(
"
X.509
"
);
?????FileInputStream?in2
=
new
?FileInputStream(
"
caroot.crt
"
);
???java.security.cert.Certificate??cac
=
cf.generateCertificate(in2);
??in2.close();
?(c)獲取CA的公鑰
? PublicKey pbk=cac.getPublicKey();
?(b)獲取待檢驗的證書(上步已經獲取了,就是C1)
?(c)檢驗證書
????????
?
boolean
?pass
=
false
;
?????????
try
{
??????c1.verify(pbk);
?????????????pass
=
true
;
?????????}
catch
(Exception?e)
{
?????????????pass
=
false
;
?????????????System.out.println(e);
??}
?