使用Bouncy Castle Java生成X509证书

时间:2013-02-18 06:03:34

标签: java cryptography x509certificate bouncycastle

我正在寻找一个示例或教程来使用Java中的BC生成X509证书。

很多例子都使用/使用过时的API。我看了BC,但它没有显示哪个类做了什么或没有适当的文档/示例。

如果您对此有任何想法,请指出我可以使用BC生成X509证书的教程。 [生成和写入文件的公钥和私钥]

2 个答案:

答案 0 :(得分:9)

创建KeyPairGenerator:

private KeyPairGenerator createKeyPairGenerator(String algorithmIdentifier,
        int bitCount) throws NoSuchProviderException,
        NoSuchAlgorithmException {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(
            algorithmIdentifier, BouncyCastleProvider.PROVIDER_NAME);
    kpg.initialize(bitCount);
    return kpg;
}

创建keyPair:

private KeyPair createKeyPair(String encryptionType, int byteCount)
    throws NoSuchProviderException, NoSuchAlgorithmException
{
    KeyPairGenerator keyPairGenerator = createKeyPairGenerator(encryptionType, byteCount);
    KeyPair keyPair = keyPairGenerator.genKeyPair();
    return keyPair;
}

KeyPair keyPair = createKeyPair("RSA", 4096);

将东西转换为PEM(可以写入文件):

  private String convertCertificateToPEM(X509Certificate signedCertificate) throws IOException {
    StringWriter signedCertificatePEMDataStringWriter = new StringWriter();
    JcaPEMWriter pemWriter = new JcaPEMWriter(signedCertificatePEMDataStringWriter);
    pemWriter.writeObject(signedCertificate);
    pemWriter.close();
    return signedCertificatePEMDataStringWriter.toString();
  }

创建X509Certificate:

X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
    serverCertificate, new BigInteger("1"),
    new Date(System.currentTimeMillis()),
    new Date(System.currentTimeMillis() + 30L * 365L * 24L * 60L * 60L * 1000L),
    jcaPKCS10CertificationRequest.getSubject(),
    jcaPKCS10CertificationRequest.getPublicKey()
/*).addExtension(
    new ASN1ObjectIdentifier("2.5.29.35"),
    false,
    new AuthorityKeyIdentifier(keyPair.getPublic().getEncoded())*/
).addExtension(
        new ASN1ObjectIdentifier("2.5.29.19"),
        false,
        new BasicConstraints(false) // true if it is allowed to sign other certs
).addExtension(
        new ASN1ObjectIdentifier("2.5.29.15"),
        true,
        new X509KeyUsage(
            X509KeyUsage.digitalSignature |
                X509KeyUsage.nonRepudiation   |
                X509KeyUsage.keyEncipherment  |
                X509KeyUsage.dataEncipherment));

签名:

    ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").build(signingKeyPair.getPrivate());


    X509CertificateHolder x509CertificateHolder = certificateBuilder.build(sigGen);
    org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure =
      x509CertificateHolder.toASN1Structure();
    return eeX509CertificateStructure;
  }

  private X509Certificate readCertificateFromASN1Certificate(
    org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure,
    CertificateFactory certificateFactory)
    throws IOException, CertificateException { //
    // Read Certificate
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate signedCertificate =
      (X509Certificate) certificateFactory.generateCertificate(is1);
    return signedCertificate;
  }

CertificateFactory:

    certificateFactory = CertificateFactory.getInstance("X.509",
        BouncyCastleProvider.PROVIDER_NAME);

答案 1 :(得分:7)

X509v3CertificateBuilder似乎是要使用的类。有一些在bouncycastle wiki上使用新API的示例。