我有一个类,它从私有RSA密钥字符串加载一个PrivateKey对象:
X509EncodedKeySpec spec = new X509EncodedKeySpec(privKeyString.getBytes());
KeyFactory kf = KeyFactory.getInstance("RSA");
PrivateKey privateKey = kf.generatePrivate(spec);
我认为以上方法可以获得一个PrivateKey对象。但是,一旦我有一个私钥,我也想从它生成一个X509Certificate对象。这是我的一次尝试,但方法generateCertificate需要一个输入流(包含文件中的证书,我相信。),所以这不会起作用:
CertificateFactory f = CertificateFactory.getInstance("X.509");
X509Certificate cert = f.generateCertificate(privateKey); // this doesn't work.
是否有办法从PrivateKey对象或最初的私钥字符串(privKeyString变量)创建证书(理想情况下不会过期)?
谢谢,
答案 0 :(得分:5)
典型的事件流如下所示:生成密钥对,即私钥和匹配的公钥。私钥是你的,你永远不会分享它;这就是为什么它被称为私人。公钥是你给别人的。发布公钥的一种常见格式是X.509证书。此证书包含公钥和一些标识信息。此证书可以是自签名的,也可以由其他机构签名。
不幸的是,标准Oracle Java库不包含任何类来帮助您从公钥生成X.509证书。您可以使用名为keytool的Oracle JDK附带的命令行工具来完成此任务。如果必须以编程方式执行此操作,则Bouncycastle Java libraries包含一些类来完成此操作。例如,JcaX509v3CertificateBuilder可能是与JcaContentSignerBuilder类一起完成此任务的最简单方法。
以下是使用Java 7和Bouncycastle 1.50版提供程序和PKIX库的示例。
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class CertBuilder {
public static void main(String[] args) throws Exception {
// Generate a keypair
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
KeyPair kp = kpg.generateKeyPair();
// Start creating a self-signed X.509 certificate with the public key
X500Name subjName = new X500Name("C=US, ST=NY, O=Certs_R_Us, CN=notreal@example.com");
BigInteger serialNumber = new BigInteger("900");
Calendar cal = Calendar.getInstance();
cal.set(2014, 6, 7, 11, 59, 59);
Date notBefore = cal.getTime();
cal.add(Calendar.YEAR, 10); // Expires in 10 years
Date notAfter = cal.getTime();
JcaX509v3CertificateBuilder x509Builder = new JcaX509v3CertificateBuilder(subjName, serialNumber,
notBefore, notAfter, subjName, kp.getPublic());
// Create a signer to sign (self-sign) the certificate.
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WITHRSA");
ContentSigner signer = signerBuilder.build(kp.getPrivate());
// Now finish the creation of the self-signed certificate.
JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
X509Certificate mySelfSignedCert = converter.getCertificate(x509Builder.build(signer));
// Now create a KeyStore and store the private key and associated cert.
final char[] password = "password99".toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, password);
KeyStore.PrivateKeyEntry privKeyEntry = new KeyStore.PrivateKeyEntry(kp.getPrivate(),
new Certificate[] {mySelfSignedCert});
ks.setEntry("myRSAkey", privKeyEntry, new KeyStore.PasswordProtection(password));
// Now save off the KeyStore to a file.
FileOutputStream fos = null;
try {
fos = new FileOutputStream("MyKeys.jks");
ks.store(fos, password);
} finally {
if (fos != null) {
fos.close();
}
}
}
}