一 Packages to import

import java.security.*;
import java.io.*;
import java.util.*;
import java.security.cert.*;
import sun.security.x509.*;
import java.security.cert.Certificate;  // explicit import: avoids the clash with the deprecated java.security.Certificate
import java.security.cert.CertificateFactory;

二 Reading a certificate from a file

Use keytool to export the certificate from .keystore into a file, then read the certificate information back from that file:

CertificateFactory cf=CertificateFactory.getInstance("X.509");
FileInputStream in=new FileInputStream("out.csr");  // the file written by keytool
Certificate c=cf.generateCertificate(in);
String s=c.toString();

三 Reading a certificate directly from the keystore

String pass="123456";
FileInputStream in=new FileInputStream(".keystore");
KeyStore ks=KeyStore.getInstance("JKS");
ks.load(in,pass.toCharArray());
java.security.cert.Certificate c=ks.getCertificate(alias);  // alias: the alias of the entry to read

四 Displaying selected certificate fields from a Java program

X509Certificate t=(X509Certificate)c;  // cast to X509Certificate to reach the X.509 fields
System.out.println("輸出證書信息:\n"+c.toString());
System.out.println("版本號:"+t.getVersion());
System.out.println("序列號:"+t.getSerialNumber().toString(16));
System.out.println("主體名:"+t.getSubjectDN());
System.out.println("簽發者:"+t.getIssuerDN());
System.out.println("有效期:"+t.getNotBefore());
System.out.println("簽名算法:"+t.getSigAlgName());
byte [] sig=t.getSignature();  // the signature value
PublicKey pk=t.getPublicKey();
byte [] pkenc=pk.getEncoded();
System.out.println("公鑰");
for(int i=0;i<pkenc.length;i++)System.out.print(pkenc[i]+",");  // print each byte of the encoded public key


五 Listing all keystore entries from a Java program

String pass="123456";
FileInputStream in=new FileInputStream(".keystore");
KeyStore ks=KeyStore.getInstance("JKS");
ks.load(in,pass.toCharArray());
Enumeration<String> e=ks.aliases();
while(e.hasMoreElements()){
    String alias=e.nextElement();
    java.security.cert.Certificate c=ks.getCertificate(alias);  // for a key entry this is the first certificate of its chain
    System.out.println(alias+": "+c);
}
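The following is an added example written for this page, not code from the original; it combines sections 四 and 五. It loads the keystore, reports every entry with its type (private-key entry or trusted certificate), prints the X.509 fields the page displays, and adds the SHA-256 fingerprint of the DER encoding, which is the value you compare when checking that a certificate is the one you expect. The file name and password are assumptions taken from the page's examples.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeyStoreLister {

    // Hex-encoded SHA-256 over the DER encoding of the certificate, the same value
    // keytool prints as its "SHA256" fingerprint.
    static String fingerprint(Certificate c) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Load a JKS keystore and describe every entry in it.
    static void list(String path, char[] storePass) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);  // load() also checks the keystore integrity MAC against the password
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            boolean keyEntry = ks.isKeyEntry(alias);
            String kind = keyEntry ? "key entry" : "trusted certificate";
            Certificate c = ks.getCertificate(alias);  // first certificate of the chain for key entries
            System.out.println(alias + " (" + kind + ")");
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
                System.out.println("  serial:  " + x.getSerialNumber().toString(16));
                System.out.println("  valid:   " + x.getNotBefore() + " .. " + x.getNotAfter());
                System.out.println("  sigalg:  " + x.getSigAlgName());
            }
            if (c != null) {
                System.out.println("  SHA-256: " + fingerprint(c));
            }
            if (keyEntry) {
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("  chain length: " + chain.length);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and password, matching the page's examples.
        list(args.length > 0 ? args[0] : ".keystore", "123456".toCharArray());
    }
}
```

Printing the fingerprint next to the subject and issuer is what makes the listing useful for a review: two certificates with the same subject are told apart only by their fingerprint or serial number.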


六 Changing the keystore password from a Java program

String oldpass="123456";
String newpass="654321";
FileInputStream in=new FileInputStream(".keystore");
KeyStore ks=KeyStore.getInstance("JKS");
ks.load(in,oldpass.toCharArray());
in.close();
FileOutputStream output=new FileOutputStream(".keystore");
ks.store(output,newpass.toCharArray());
output.close();


七 Changing a key entry's password and adding entries from a Java program

// storepass, alias, oldkeypass, newkeypass: the keystore password, the entry alias, and the entry's current and new key passwords
FileInputStream in=new FileInputStream(".keystore");
KeyStore ks=KeyStore.getInstance("JKS");
ks.load(in,storepass.toCharArray());
Certificate [] cchain=ks.getCertificateChain(alias);  // get the certificate chain of the entry with this alias
PrivateKey pk=(PrivateKey)ks.getKey(alias,oldkeypass.toCharArray());  // get the private key of the entry with this alias
ks.setKeyEntry(alias,pk,newkeypass.toCharArray(),cchain);  // add the entry to the keystore


The first argument is the alias of the entry being added: using an existing alias overwrites that entry, using a new alias adds a new entry. The second argument is the entry's private key, the third the new key password, and the fourth the certificate chain for the public key that matches the private key.

FileOutputStream output=new FileOutputStream("another");
ks.store(output,storepass.toCharArray());  // write the contents of the KeyStore object to a new file
output.close();
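Sections 六 and 七 both write the modified keystore straight back to disk. The routine below is an added example written for this page, not code from the original: it re-protects a key entry with a new key password as in section 七, but stores the result to a temporary file, reloads it to prove the key opens with the new password, and only then moves it over the original, so a wrong password or a crash mid-write never leaves a truncated .keystore behind. The alias "sage" and the passwords are assumptions taken from the page.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Arrays;

public class KeyEntryRekey {

    // Re-protect the private key under 'alias' with 'newKeyPass' and save the store.
    static void rekey(Path store, char[] storePass, String alias,
                      char[] oldKeyPass, char[] newKeyPass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException(alias + " is not a key entry");
        }
        // A wrong old key password fails here (UnrecoverableKeyException), before
        // anything has been modified.
        PrivateKey key = (PrivateKey) ks.getKey(alias, oldKeyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        // Same alias, so the existing entry is replaced; a new alias would add one.
        ks.setKeyEntry(alias, key, newKeyPass, chain);

        Path tmp = Files.createTempFile(store.toAbsolutePath().getParent(), "keystore", ".tmp");
        try {
            try (OutputStream out = Files.newOutputStream(tmp)) {
                ks.store(out, storePass);
            }
            // Reload the temporary file and check the key opens with the new password
            // and is byte-for-byte the key we started from.
            KeyStore check = KeyStore.getInstance("JKS");
            try (InputStream in = Files.newInputStream(tmp)) {
                check.load(in, storePass);
            }
            PrivateKey again = (PrivateKey) check.getKey(alias, newKeyPass);
            if (!Arrays.equals(key.getEncoded(), again.getEncoded())) {
                throw new GeneralSecurityException("reloaded key does not match the original");
            }
            // Replace the original in one step where the platform supports an atomic rename.
            Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp);  // no-op after a successful move
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed alias and passwords; the file name matches the page's examples.
        rekey(Paths.get(".keystore"), "123456".toCharArray(), "sage",
              "123456".toCharArray(), "654321".toCharArray());
    }
}
```

The same write-then-verify-then-move pattern applies to the keystore password change in section 六: verify that the new store loads with the new password before it replaces the old file.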

八 Checking an alias and deleting an entry from a Java program

FileInputStream in=new FileInputStream(".keystore");
KeyStore ks=KeyStore.getInstance("JKS");
ks.load(in,storepass.toCharArray());
if(ks.containsAlias("sage")){  // check whether the entry is in the keystore; returns true if it exists
    ks.deleteEntry("sage");  // delete the entry with this alias
}
FileOutputStream output=new FileOutputStream(".keystore");
ks.store(output,storepass.toCharArray());  // write the KeyStore object back to the file; the entry is now gone
output.close();


九 Issuing a digital certificate from a Java program

(1) Read the CA certificate from the keystore

FileInputStream in=new FileInputStream(".keystore");
KeyStore ks=KeyStore.getInstance("JKS");
ks.load(in,storepass.toCharArray());
java.security.cert.Certificate c1=ks.getCertificate("caroot");

(2) Read the CA private key from the keystore

PrivateKey caprk=(PrivateKey)ks.getKey(alias,cakeypass.toCharArray());  // alias: the CA entry ("caroot" in step (1)); cakeypass: its key password

(3) Extract the issuer information from the CA certificate

byte[] encod1=c1.getEncoded();  // the encoding of the CA certificate
X509CertImpl cimp1=new X509CertImpl(encod1);  // build an X509CertImpl object from that encoding
X509CertInfo cinfo1=(X509CertInfo)cimp1.get(X509CertImpl.NAME+"."+X509CertImpl.INFO);  // get the X509CertInfo object
X500Name issuer=(X500Name)cinfo1.get(X509CertInfo.SUBJECT+"."+CertificateIssuerName.DN_NAME);  // the CA's subject name, as X500Name, becomes the issuer of the new certificate

(4) Obtain the certificate to be signed

CertificateFactory cf=CertificateFactory.getInstance("X.509");
FileInputStream in2=new FileInputStream("user.csr");
java.security.cert.Certificate c2=cf.generateCertificate(in2);

(5) Extract the certificate information from the certificate to be signed

byte [] encod2=c2.getEncoded();
X509CertImpl cimp2=new X509CertImpl(encod2);  // build an X509CertImpl object from that encoding
X509CertInfo cinfo2=(X509CertInfo)cimp2.get(X509CertImpl.NAME+"."+X509CertImpl.INFO);  // get the X509CertInfo object

(6) Set the new certificate's validity period

Date begindate=new Date();  // the current time
Date enddate=new Date(begindate.getTime()+3000*24*60*60*1000L);  // valid for 3000 days
CertificateValidity cv=new CertificateValidity(begindate,enddate);  // create the validity object
cinfo2.set(X509CertInfo.VALIDITY,cv);  // set the validity period

(7) Set the new certificate's serial number

int sn=(int)(begindate.getTime()/1000);  // use the current time as the serial number
CertificateSerialNumber csn=new CertificateSerialNumber(sn);
cinfo2.set(X509CertInfo.SERIAL_NUMBER,csn);

(8) Set the new certificate's issuer

cinfo2.set(X509CertInfo.ISSUER+"."+CertificateIssuerName.DN_NAME,issuer);  // use the result of step (3)

(9) Set the new certificate's signature algorithm

AlgorithmId algorithm=new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);  // MD5withRSA, as in the original; MD5 is no longer accepted by modern validators, SHA256withRSA is the current choice
cinfo2.set(CertificateAlgorithmId.NAME+"."+CertificateAlgorithmId.ALGORITHM,algorithm);

(10) Create the certificate and sign it with the CA private key

X509CertImpl newcert=new X509CertImpl(cinfo2);
newcert.sign(caprk,"MD5WithRSA");  // sign with the CA private key; the algorithm name must match step (9)

(11) Write the new certificate into the keystore

ks.setCertificateEntry("lf_signed",newcert);
FileOutputStream out=new FileOutputStream("newstore");
ks.store(out,"newpass".toCharArray());  // this writes a new keystore; section 七 shows how to add an entry to an existing one instead
out.close();
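The eleven steps above as one complete routine. This is an added example written for this page, not code from the original. It uses the same JDK-internal sun.security.x509 classes as the page (they work on JDK 8; JDK 9 and later need --add-exports java.base/sun.security.x509=ALL-UNNAMED, and more recent JDKs change this API). It departs from the page in two ways: the serial number is random rather than the current time, so two certificates issued in the same second cannot share a serial, and the signature algorithm is SHA256withRSA rather than MD5withRSA. Before returning, it verifies the new certificate under the CA public key and checks that the issuer name matches the CA subject. File names, aliases and passwords are assumptions taken from the page.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;

import sun.security.x509.AlgorithmId;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateIssuerName;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateSubjectName;
import sun.security.x509.CertificateValidity;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

public class CaSigner {

    // Re-issue 'toSign' under the CA: keep its subject and public key, replace the
    // issuer, serial number, validity and signature algorithm, then sign with the CA key.
    static X509Certificate sign(X509Certificate caCert, PrivateKey caKey,
                                X509Certificate toSign, int validDays) throws Exception {
        // Issuer of the new certificate = subject of the CA certificate (step 3).
        X509CertInfo caInfo = (X509CertInfo) new X509CertImpl(caCert.getEncoded())
                .get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
        X500Name issuer = (X500Name) caInfo.get(
                X509CertInfo.SUBJECT + "." + CertificateSubjectName.DN_NAME);

        // Template: the certificate to be signed, carrying its subject and key (step 5).
        X509CertInfo info = (X509CertInfo) new X509CertImpl(toSign.getEncoded())
                .get(X509CertImpl.NAME + "." + X509CertImpl.INFO);

        // Validity (step 6).
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validDays * 24L * 60 * 60 * 1000);
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));

        // Serial number (step 7): 64 random bits plus one, so it is positive and
        // neither predictable nor reused within a second.
        BigInteger serial = new BigInteger(64, new SecureRandom()).add(BigInteger.ONE);
        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serial));

        // Issuer (step 8).
        info.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer);

        // Signature algorithm (step 9): the value inside the TBS data must match
        // the algorithm used in sign() below.
        AlgorithmId algo = new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid);
        info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);

        // Build and sign (step 10).
        X509CertImpl cert = new X509CertImpl(info);
        cert.sign(caKey, "SHA256withRSA");

        // Sanity check before anything is stored.
        cert.verify(caCert.getPublicKey());
        if (!cert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new IllegalStateException("issuer does not match the CA subject");
        }
        return cert;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names, alias and passwords; adjust to your keystore.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(".keystore")) {
            ks.load(in, "123456".toCharArray());
        }
        X509Certificate caCert = (X509Certificate) ks.getCertificate("caroot");
        PrivateKey caKey = (PrivateKey) ks.getKey("caroot", "123456".toCharArray());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate user;
        try (FileInputStream in = new FileInputStream("user.csr")) {
            user = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate signed = sign(caCert, caKey, user, 365);
        System.out.println(signed);
    }
}
```

Storing the result follows step (11) unchanged: ks.setCertificateEntry(alias, signed) and ks.store(...).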
十 Verifying a digital certificate

(1) Verifying the certificate's validity period

(a) Obtain an X509Certificate object

CertificateFactory cf=CertificateFactory.getInstance("X.509");
FileInputStream in1=new FileInputStream("aa.crt");
java.security.cert.Certificate c1=cf.generateCertificate(in1);
X509Certificate t=(X509Certificate)c1;
in1.close();

(b) Get the current date

Date TimeNow=new Date();

(c) Check validity

try{
    t.checkValidity(TimeNow);
    System.out.println("OK");
}catch(CertificateExpiredException e){  // expired
    System.out.println("Expired");
    System.out.println(e.getMessage());
}catch(CertificateNotYetValidException e){  // not yet valid
    System.out.println("Too early");
    System.out.println(e.getMessage());
}

(2) Verifying the certificate signature

(a) Obtain the CA certificate

CertificateFactory cf=CertificateFactory.getInstance("X.509");
FileInputStream in2=new FileInputStream("caroot.crt");
java.security.cert.Certificate cac=cf.generateCertificate(in2);
in2.close();

(b) Obtain the CA public key

PublicKey pbk=cac.getPublicKey();

(c) Obtain the certificate to verify (already obtained in step (1); it is c1)

(d) Verify the certificate

boolean pass=false;
try{
    c1.verify(pbk);  // throws if the signature does not verify under the CA public key
    pass=true;
}catch(Exception e){
    pass=false;
    System.out.println(e);
}
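The two checks above (validity period, then signature under the CA public key) are what the standard CertPathValidator does, plus the checks they leave out: that the certificate's issuer name actually matches the CA's subject, that the CA certificate is allowed to issue (basic constraints and key usage), and that the signature algorithm is not one the platform has disabled. The following is an added example written for this page, not code from the original; it validates the page's aa.crt against caroot.crt with the PKIX validator and reports which certificate failed and why. File names are assumptions taken from the page.

```java
import java.io.FileInputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class ChainChecker {

    // Validate 'leaf' against 'ca' as of 'when'. Returns null on success, otherwise
    // a message naming the failing certificate and the reason.
    static String validate(X509Certificate leaf, X509Certificate ca, Date when) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        TrustAnchor anchor = new TrustAnchor(ca, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setDate(when);
        // No CRL or OCSP source is configured in this offline example; with revocation
        // checking left on, validation would fail for lack of revocation data.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path (0 = leaf); -1 means the anchor itself.
            String where = e.getIndex() >= 0 ? "certificate #" + e.getIndex() : "trust anchor";
            return where + ": " + e.getReason() + " (" + e.getMessage() + ")";
        }
    }

    static X509Certificate load(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // File names follow the page's example and are assumptions.
        X509Certificate leaf = load("aa.crt");
        X509Certificate ca = load("caroot.crt");
        String problem = validate(leaf, ca, new Date());
        System.out.println(problem == null ? "OK" : "REJECTED: " + problem);
    }
}
```

This is also where the algorithm chosen in section 九 step (9) matters: a certificate signed with MD5withRSA still passes c1.verify(pbk), but the PKIX validator rejects it because MD5 is in the JDK's disabled certificate-path algorithms, so the check above fails with an algorithm-constraints reason.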