I am trying to create a self-signed certificate. I want to do this so that I can store a Spongy Castle KeyPair into the "AndroidKeyStore". The signature needs to be ECDSA over P-256 with a SHA-256 digest.
When I use the method genSelfSignedCert() below (taken from ProgramCreek.com):
```java
// see http://www.programcreek.com/java-api-examples/index.php?class=org.spongycastle.cert.X509v3CertificateBuilder&method=addExtension
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import org.spongycastle.asn1.ASN1Sequence;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x500.X500NameBuilder;
import org.spongycastle.asn1.x500.style.BCStyle;
import org.spongycastle.asn1.x509.SubjectPublicKeyInfo;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cert.X509v3CertificateBuilder;
import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;

X509Certificate genSelfSignedCert(KeyPair kp, String CN) {
    X509Certificate certificate = null; // stays null if the certificate cannot be built
    try {
        // The same name is used as subject and issuer: the certificate is self-signed
        X500Name x500Name = new X500NameBuilder(BCStyle.INSTANCE)
                .addRDN(BCStyle.CN, CN)
                .build();
        SecureRandom rand = new SecureRandom();
        PrivateKey privKey = kp.getPrivate();
        PublicKey pubKey = kp.getPublic();
        // Parse the X.509 (DER) encoding of the public key into a SubjectPublicKeyInfo structure
        SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(pubKey.getEncoded()));
        Date startDate = new Date(); // now
        Calendar c = Calendar.getInstance();
        c.setTime(startDate);
        c.add(Calendar.YEAR, 1);
        Date endDate = c.getTime(); // valid for one year
        X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(
                x500Name,
                new BigInteger(64, rand), // serial must be positive (RFC 5280); rand.nextLong() could be negative
                startDate, endDate,
                x500Name,
                subPubKeyInfo);
        // Sign the to-be-signed certificate with the key pair's private key: ECDSA over SHA-256
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withECDSA").build(privKey);
        X509CertificateHolder certHolder = v3CertGen.build(sigGen);
        // The converter's provider (the default one here) decides which PublicKey class the certificate exposes
        certificate = new JcaX509CertificateConverter().getCertificate(certHolder);
        mLog.debug("kp.getPublic().getAlgorithm(): \t" + kp.getPublic().getAlgorithm());
        mLog.debug("certificate.getPublicKey().getAlgorithm():\t" + certificate.getPublicKey().getAlgorithm());
    } catch (OperatorCreationException | CertificateException X) {
        mLog.debug("genSelfSignedCert() failed: " + X); // previously swallowed silently, which hid the real error
    }
    return certificate;
} // genSelfSignedCert()
```
I get:

```java
X509Certificate[] selfSignedCert = new X509Certificate[1];
selfSignedCert[0] = genSelfSignedCert(keyPair, "MyAwesomeAlias");
KeyStore.Entry privateKey = new KeyStore.PrivateKeyEntry(keyPair.getPrivate(), selfSignedCert);
```
Why does this method create a certificate whose algorithm does not match its key pair?
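An added check, not from the question or from Spongy Castle, that separates a label mismatch from a real key mismatch: it generates a P-256 key pair, builds the same kind of self-signed SHA256withECDSA certificate, then verifies the certificate's self-signature with the key pair's public key and compares the EC points, because getAlgorithm() (and even the DER bytes) depend on which JCA provider parsed the key. It assumes the org.spongycastle packages (the same classes live under org.bouncycastle on a desktop JVM) and the Spongy Castle provider name "SC".

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import org.spongycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.spongycastle.jce.provider.BouncyCastleProvider;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
public class SelfSignedCertCheck {
    // One-year self-signed SHA256withECDSA certificate for kp, same shape as the question's method.
    // 'provider' parses the certificate and so chooses the PublicKey class (and its algorithm label).
    static X509Certificate selfSign(KeyPair kp, String cn, String provider) throws Exception {
        X500Name name = new X500Name("CN=" + cn);                   // subject == issuer: self-signed
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // positive, as RFC 5280 requires
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withECDSA").build(kp.getPrivate()));
        return new JcaX509CertificateConverter().setProvider(provider).getCertificate(holder);
    }
    // True only if the certificate really belongs to kp: the self-signature verifies with kp's public
    // key and the EC point is identical. The point is provider-independent; the name string is not.
    static boolean certMatchesKeyPair(X509Certificate cert, KeyPair kp) {
        try {
            cert.verify(kp.getPublic());
        } catch (GeneralSecurityException e) {
            return false; // not signed by kp's private key (or algorithm/provider not supported)
        }
        ECPublicKey fromCert = (ECPublicKey) cert.getPublicKey();
        ECPublicKey fromPair = (ECPublicKey) kp.getPublic();
        return fromCert.getW().equals(fromPair.getW());
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());    // Spongy Castle registers as "SC" (assumed)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // P-256
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate cert = selfSign(kp, "MyAwesomeAlias", "SC");
        System.out.println("key pair says:  " + kp.getPublic().getAlgorithm());
        System.out.println("cert key says:  " + cert.getPublicKey().getAlgorithm());
        System.out.println("same key, valid self-signature: " + certMatchesKeyPair(cert, kp));
    }
}
```

Passing a different provider name to selfSign() shows how the printed label changes while certMatchesKeyPair() stays true, which is the property a key store entry should be checked against.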