在没有BouncyCastle的情况下用Java创建X509证书？

Question

在没有BouncyCastle的情况下用Java创建X509证书？

是否可以在不使用Bouncy Castle X509V*CertificateGenerator类的情况下巧妙地创建Java代码的X509证书？

Answer 1

是的,但没有公开记录的课程.我在本文中记录了这个过程.

import sun.security.x509.*;
import java.security.cert.*;
import java.security.*;
import java.math.BigInteger;
import java.util.Date;
import java.io.IOException

/** 
 * Create a self-signed X.509 Certificate
 * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
 * @param pair the KeyPair
 * @param days how many days from now the Certificate is valid for
 * @param algorithm the signing algorithm, eg "SHA1withRSA"
 */ 
X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
  throws GeneralSecurityException, IOException
{
  PrivateKey privkey = pair.getPrivate();
  X509CertInfo info = new X509CertInfo();
  Date from = new Date();
  Date to = new Date(from.getTime() + days * 86400000l);
  CertificateValidity interval = new CertificateValidity(from, to);
  BigInteger sn = new BigInteger(64, new SecureRandom());
  X500Name owner = new X500Name(dn);
 
  info.set(X509CertInfo.VALIDITY, interval);
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
  info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
  info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
  info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
 
  // Sign the cert to identify the algorithm that's used.
  X509CertImpl cert = new X509CertImpl(info);
  cert.sign(privkey, algorithm);
 
  // Update the algorith, and resign.
  algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
  info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
  cert = new X509CertImpl(info);
  cert.sign(privkey, algorithm);
  return cert;
}

Run Code Online (Sandbox Code Playgroud)

使用JDK 8,这应该是:info.set(X509CertInfo.SUBJECT,owner); info.set(X509CertInfo.ISSUER,所有者); (18认同)
有没有办法做到这一点,不涉及呼吁sun.security.x509.*？事实上,它不是你应该使用的东西. (14认同)
一个非常好的提示.保存我从导入可怕的(和心爱的)Bouncycastle lib.膨胀的人! (7认同)
提到的变更@AxelFontaine在这里描述https://bugs.openjdk.java.net/browse/JDK-7198416 (2认同)

Answer 2

eri*_*son 18

签署证书的能力不是标准Java库或扩展的一部分.

自己做的许多代码都是核心的一部分.有类编码和解码X.500名,X.509证书扩展,各种算法的公共密钥,当然,实际进行数字签名.

自己实现这个并不是微不足道的,但它绝对可行 - 我可能花了4到5天,这是我第一次为证书签名制作工作原型.这对我来说是一次非常棒的学习练习,但是当有免费的可用库时,很难证明这笔费用是合理的.

这是否仍然准确到2017年？ (3认同)
@DanielGartmann 评论者问我的答案在 2017 年是否仍然正确。我认为是；你不能开箱即用地签署证书，你必须自己构建它。所以，如果你说这是错误的，你能解释一下原因吗？但是您的第二条评论听起来更像是您在说其他答案在应用所提供的 API 的方式上是错误的（并且，我同意）。 (2认同)

Answer 3

小智 7

import sun.security.x509.*;

import java.security.cert.*;
import java.security.*;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.util.Date;
import java.io.IOException;

public class Example {
    /**
     * Create a self-signed X.509 Example
     *
     * @param dn        the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
     * @param pair      the KeyPair
     * @param days      how many days from now the Example is valid for
     * @param algorithm the signing algorithm, eg "SHA1withRSA"
     */
    public X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
            throws GeneralSecurityException, IOException {
        PrivateKey privkey = pair.getPrivate();
        X509CertInfo info = new X509CertInfo();
        Date from = new Date();
        Date to = new Date(from.getTime() + days * 86400000l);
        CertificateValidity interval = new CertificateValidity(from, to);
        BigInteger sn = new BigInteger(64, new SecureRandom());
        X500Name owner = new X500Name(dn);

        info.set(X509CertInfo.VALIDITY, interval);
        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
        info.set(X509CertInfo.SUBJECT, owner);
        info.set(X509CertInfo.ISSUER, owner);
        info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

        // Sign the cert to identify the algorithm that's used.
        X509CertImpl cert = new X509CertImpl(info);
        cert.sign(privkey, algorithm);

        // Update the algorith, and resign.
        algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
        info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
        cert = new X509CertImpl(info);
        cert.sign(privkey, algorithm);
        return cert;
    }

    public static void main (String[] argv) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        KeyPair keyPair = keyPairGenerator.generateKeyPair();
        Example example = new Example();
        String distinguishedName = "CN=Test, L=London, C=GB";
        Certificate certificate = example.generateCertificateOriginal(distinguishedName, keyPair, 365, "SHA256withRSA");
        System.out.println("it worked!");
    }
}

Run Code Online (Sandbox Code Playgroud)

我喜欢vbence的回答,但我一直得到以下异常:

java.security.cert.CertificateException:主题类类型无效.

许多试图找出后是一个有效的主题类我发现X509CerInfo想X500Name的一个实例.

1 info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
2 info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
3 info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
4 info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));

Run Code Online (Sandbox Code Playgroud)

所以第2和第3行需要改为

2 info.set(X509CertInfo.SUBJECT, owner);
3 info.set(X509CertInfo.ISSUER, owner);

Run Code Online (Sandbox Code Playgroud)

归档时间：	16 年前
查看次数：	45263 次
最近记录：	6 年，9 月前