如何用CA验证证书替换自签名证书

时间:2020-09-23 08:32:20

标签: android certificate keystore

我用自签名证书创建了两个密钥库(一个用于 TLS 通信,一个用于加密)。我为它们分别创建了 CSR 并发送到服务器,服务器返回了经 CA 验证的证书。如何用服务器返回的已验证证书替换原来的自签名证书?

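KeyStore keyTLS;
        byte[] CSRTLSder = new byte[0];
        try {
            // Both key pairs live in AndroidKeyStore, so the private keys never leave the
            // keystore; generateKeyPair() below attaches a self-signed placeholder certificate
            // under the alias until the CA-issued one is installed.
            keyTLS = KeyStore.getInstance(Constants.AndroidKeyStore);
            keyTLS.load(null);
            // Probe the alias once (the original probed it twice: once for the log, once for
            // the condition). getKey() returns null when the alias is absent or is not a key entry.
            boolean tlsKeyPresent = keyTLS.getKey(KEY_ALIAS_TLS, null) != null;
            Log.d(TAG, "onCreate: check if key is in mobile: " + tlsKeyPresent);
            if (!tlsKeyPresent) {
                Calendar notBefore = Calendar.getInstance();
                Calendar notAfter = Calendar.getInstance();
                notAfter.add(Calendar.YEAR, 2); // validity of the placeholder self-signed certificate

                // NOTE(review): KeyPairGeneratorSpec is deprecated since API 23 in favour of
                // KeyGenParameterSpec, which can also restrict the key to its purpose (signing for
                // TLS, decryption for the other alias). Kept as-is to avoid changing the min SDK.
                KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getApplicationContext())
                        .setAlias(KEY_ALIAS_TLS)
                        .setKeySize(2048)
                        // RDNs must be comma-separated. The original concatenation produced
                        // "O=Your Organization C=Your Coountry", which is parsed as a single O
                        // value (or rejected) instead of separate O and C attributes.
                        .setSubject(new X500Principal("CN=Your Company, O=Your Organization, C=Your Country"))
                        .setSerialNumber(BigInteger.ONE)
                        .setStartDate(notBefore.getTime())
                        .setEndDate(notAfter.getTime())
                        .build();

                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
                generator.initialize(spec);
                generator.generateKeyPair();
            }

            // CSR in PKCS#10 format for the TLS key; its DER encoding is what is sent to the CA.
            // The original created the CSR and dropped it, leaving CSRTLSder empty — presumably
            // CSRTLSder is read further down in onCreate; verify against the rest of the method.
            PKCS10CertificationRequest csrTLS = CsrHelper.generateCSRTLS(keyTLS, "AclaasTLS");
            CSRTLSder = csrTLS.getEncoded();
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException | OperatorCreationException e) {
            // Report through the app logger with the stack trace instead of printStackTrace():
            // a failure here means there is no TLS key and no CSR, which must not go unnoticed.
            Log.e(TAG, "onCreate: TLS key/CSR setup failed", e);
        }

        KeyStore keyEncrypt;
        byte[] CSREncryptder = new byte[0];
        try {
            keyEncrypt = KeyStore.getInstance(Constants.AndroidKeyStore);
            keyEncrypt.load(null);
            // Same single probe as for the TLS alias.
            boolean encryptKeyPresent = keyEncrypt.getKey(KEY_ALIAS_ENCRYPT, null) != null;
            Log.d(TAG, "onCreate: check if key is in mobile: " + encryptKeyPresent);
            if (!encryptKeyPresent) {
                Calendar notBefore = Calendar.getInstance();
                Calendar notAfter = Calendar.getInstance();
                notAfter.add(Calendar.YEAR, 2); // validity of the placeholder self-signed certificate

                // NOTE(review): see the TLS block above regarding KeyPairGeneratorSpec deprecation.
                KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(getApplicationContext())
                        .setAlias(KEY_ALIAS_ENCRYPT)
                        .setKeySize(2048)
                        // Comma-separated RDNs, as for the TLS subject.
                        .setSubject(new X500Principal("CN=Your Company, O=Your Organization, C=Your Country"))
                        .setSerialNumber(BigInteger.ONE)
                        .setStartDate(notBefore.getTime())
                        .setEndDate(notAfter.getTime())
                        .build();

                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
                generator.initialize(spec);
                generator.generateKeyPair();
            }

            // Generate CSR in PKCS#10 format encoded in DER; store the DER bytes in CSREncryptder,
            // which the original left at its empty initial value.
            PKCS10CertificationRequest csrEncrypt = CsrHelper.generateCSREncrypt(keyEncrypt, "AclaasEncrypt");
            CSREncryptder = csrEncrypt.getEncoded();

        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException | OperatorCreationException e) {
            Log.e(TAG, "onCreate: encryption key/CSR setup failed", e);
        }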

当我尝试使用时:

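 /**
  * Installs the CA-issued certificate for {@code keyAlias} in AndroidKeyStore.
  *
  * <p>When the alias already holds a private key (the one the CSR was generated from), the
  * certificate has to be attached to that key entry with {@link KeyStore#setKeyEntry}.
  * {@link KeyStore#setCertificateEntry} only creates trusted-certificate entries, and
  * AndroidKeyStore rejects it for an alias that is a key entry
  * ("Entry exists and is not a trusted certificate"). Before attaching, the certificate's
  * public key is compared with the public key of the stored key pair, so a certificate issued
  * for a different key (wrong server response, TLS/encryption aliases mixed up) is never
  * installed. Failures are logged; the method does not report them to the caller.
  *
  * @param signCertificate encoded X.509 certificate returned by the server
  * @param keyAlias        alias of the key pair the certificate was issued for
  */
 private void addSignCertificate(byte[] signCertificate, String keyAlias) {
    try (InputStream in = new ByteArrayInputStream(signCertificate)) {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // An "X.509" factory always yields X509Certificate instances.
        X509Certificate signedCertificate = (X509Certificate) cf.generateCertificate(in);
        Log.d(TAG, keyAlias + " sign certificate: subject= " + signedCertificate.getSubjectX500Principal());

        KeyStore keyStore = KeyStore.getInstance(Constants.AndroidKeyStore);
        keyStore.load(null);

        KeyStore.Entry existing = keyStore.getEntry(keyAlias, null);
        if (existing instanceof KeyStore.PrivateKeyEntry) {
            KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) existing;
            // The entry's current (self-signed) certificate carries the key pair's public key.
            byte[] storedPublicKey = keyEntry.getCertificate().getPublicKey().getEncoded();
            byte[] issuedPublicKey = signedCertificate.getPublicKey().getEncoded();
            if (!java.util.Arrays.equals(storedPublicKey, issuedPublicKey)) {
                Log.e(TAG, keyAlias + ": certificate public key does not match the stored key pair; not installed");
                return;
            }
            // Re-setting the AndroidKeyStore private key under its own alias keeps the key and
            // replaces the self-signed chain with the issued certificate. AndroidKeyStore does
            // not support entry passwords, hence null.
            keyStore.setKeyEntry(keyAlias, keyEntry.getPrivateKey(), null, new Certificate[]{signedCertificate});
        } else {
            // No key pair under this alias: store it as a plain trusted certificate.
            keyStore.setCertificateEntry(keyAlias, signedCertificate);
        }
    } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
        // Log with the stack trace instead of printStackTrace(), so the failed install is visible.
        Log.e(TAG, "failed to install certificate for " + keyAlias, e);
    }
}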

它报错: java.security.KeyStoreException: Entry exists and is not a trusted certificate(条目已存在且不是受信任的证书)

1 个答案:

答案 0 :(得分:0)

已解决

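/**
 * Installs the CA-issued certificate for {@code keyAlias} in AndroidKeyStore.
 *
 * <p>If the alias is a key entry (it holds the private key the CSR was generated from), the
 * certificate is attached to it with {@link KeyStore#setKeyEntry}; calling
 * {@link KeyStore#setCertificateEntry} on such an alias is what raises
 * "Entry exists and is not a trusted certificate". Compared with the original answer this
 * version passes the alias to {@code setKeyEntry} (its 4-argument form), uses the parsed
 * certificate instead of the undefined {@code ca}, and first checks that the certificate's
 * public key matches the stored key pair so a certificate for another key is never installed.
 * Failures are logged; nothing is reported to the caller.
 *
 * @param signCertificate encoded X.509 certificate returned by the server
 * @param keyAlias        alias of the key pair the certificate was issued for
 */
private void addSignCertificate(byte[] signCertificate, String keyAlias) {
    try (InputStream in = new ByteArrayInputStream(signCertificate)) {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signedCertificate = (X509Certificate) cf.generateCertificate(in);
        Log.d(TAG, keyAlias + " sign certificate: subject= " + signedCertificate.getSubjectX500Principal());

        KeyStore keyStore = KeyStore.getInstance(Constants.AndroidKeyStore);
        keyStore.load(null);

        if (keyStore.isKeyEntry(keyAlias)) {
            KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(keyAlias, null);
            // The entry's current (self-signed) certificate carries the key pair's public key;
            // refuse a certificate that was issued for some other key.
            byte[] storedPublicKey = keyEntry.getCertificate().getPublicKey().getEncoded();
            byte[] issuedPublicKey = signedCertificate.getPublicKey().getEncoded();
            if (!java.util.Arrays.equals(storedPublicKey, issuedPublicKey)) {
                Log.e(TAG, keyAlias + ": certificate public key does not match the stored key pair; not installed");
                return;
            }
            // Same AndroidKeyStore key, same alias: only the certificate chain is replaced.
            // AndroidKeyStore does not support entry passwords, hence null.
            keyStore.setKeyEntry(keyAlias, keyEntry.getPrivateKey(), null, new Certificate[]{signedCertificate});
        } else {
            // No key pair under this alias: store it as a plain trusted certificate.
            keyStore.setCertificateEntry(keyAlias, signedCertificate);
        }
    } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
        Log.e(TAG, "failed to install certificate for " + keyAlias, e);
    }
}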