我有问题。 我从Windows-My密钥库中加载了所有密钥,其中一些来自计算机,另一些来自智能卡。存在包含具有不同功能的密钥的证书(别名)。有些人只能加密数据或加密密钥,但我有兴趣只过滤那些可以创建数字签名并验证数字签名以进行不可否认性的密钥。 某个证书的证书链中的哪个字段会告诉我,或者获取该信息的方式是什么,只获得具有我正在寻找的属性的证书?
感谢
答案 0 :(得分:0)
每个证书都有一个KeyUsage和ExtendedKeyUsage值。加密,签名等,Web服务器认证等都有特殊的关键用途。
答案 1 :(得分:0)
正如@Nadir所说,证书结构中有KeyUsage和可选的ExtendedKeyUsage,你可以在RFC 5280检查这一点,其中KeyUsage ASN1格式的定义如下:
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
和ExtendedKeyUsage定义为Object identifiers OIDs的SEQUENCE:
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER
可能的OID是:
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
当您要求检查与此证书相关的私钥是否通过java执行数字签名时,您可以使用班级java.security.cert.X509Certificate:
import java.security.KeyStore;
import java.security.cert.X509Certificate;
KeyStore ks = ...;
X509Certificate certificate = (X509Certificate) ks.getCertificate(alias);
boolean[] keyUsage = certificate.getKeyUsage();
// keyUsage[0] --> digitalSignature
// keyUsage[1] --> non repudiation
if(keyUsage[0] || keyUsage[1]){
// certificate is issued to perform signature
}
如果您需要,您也可以选择使用相同类别访问ExtendedKeyUsage:
X509Certificate certificate =...;
certificate .getExtendedKeyUsage();
希望这有帮助,