I recently studied digital signatures and the certificates that go with them. A certificate normally has to be issued by a CA, but for testing during development there are several ways to get one: 1) obtain a test certificate from a CA, usually valid for 15-30 days; 2) generate a certificate with the keytool tool, which however cannot sign a certificate with another key; 3) use OpenSSL, which is cumbersome if you are not familiar with C; 4) use the CertGen tool shipped with WebLogic.
Of the approaches above (the middle ones would ideally be done with keytool), the first is the simplest, but in order to understand the certificate issuance process I wrote a tool that issues a certificate signed by another certificate. The code of the tool follows; it can be compiled and run directly, for your reference:
```java
package com.app;

import java.io.*;
import java.security.*;
import java.security.cert.*;
import sun.security.x509.*;
import java.util.*;

/**
 * Title: Sign certificate
 * Description: Used for issuing certificates from a root certificate
 * Copyright: Copyright (c) 2004.8.12
 * Company: SmartComm
 * @author Big-faced cat (BILDENGYJ)
 * @version 1.0
 */
public class SignCertificate
{
  private String mKeystore = "";               // keystore path
  private char[] mKeystorePass = null;         // keystore password
  private char[] mSignPrivateKeyPass = null;   // password needed to retrieve the issuer's private key
  private String mSignCertAlias = "";          // alias of the signing (issuer) certificate
  private String mSignedCert = "";             // certificate to be signed
  private String mNewCert = "";                // new certificate produced after signing
  private int mValidityDay = 3;                // validity of the new certificate (days)
  private PrivateKey mSignPrivateKey = null;   // signer's private key
  private X509CertInfo mSignCertInfo = null;   // signing certificate information
  private X509CertInfo mSignedCertInfo = null; // information of the certificate to be signed

  public static void main(String args[])
  {
    /**
     * parameter check
     */
    String vArgs0 = null;
    if (args.length == 0 || (args.length != 7 && !args[0].equals("/?")))
    {
      System.out.println("Parameter error; pass the parameter '/?' to print the usage");
      System.exit(1);
    }
    vArgs0 = args[0];
    if (vArgs0.equals("/?"))
    {
      System.out.println("Syntax: ***************************************************");
      System.out.println("java com.app.SignCertificate KeyStore KeyStorePass"
                         + " SignCertAlias SignPrivateKeyPass SignedCert NewCert Validity");
      System.out.println("Description: **********************************************");
      System.out.println("KeyStore: keystore path");
      System.out.println("KeyStorePass: password to open the keystore");
      System.out.println("SignCertAlias: alias of the signing certificate");
      System.out.println("SignPrivateKeyPass: password of the signing certificate's private key");
      System.out.println("SignedCert: full path of the certificate to be signed");
      System.out.println("NewCert: name of the new certificate saved after signing");
      System.out.println("Validity: validity of the new certificate after signing (days)");
      System.out.println("=================================================================");
      System.out.println("The signing certificate and the certificate to be signed must both be provided;"
                         + " the signed certificate (.cer) is saved to a new file");
      System.exit(1);
    }

    SignCertificate vSignCert = new SignCertificate();
    vSignCert.mKeystore = vArgs0;
    vSignCert.mKeystorePass = args[1].toCharArray();
    vSignCert.mSignCertAlias = args[2];
    vSignCert.mSignPrivateKeyPass = args[3].toCharArray();
    vSignCert.mSignedCert = args[4];
    vSignCert.mNewCert = args[5];
    vSignCert.mValidityDay = Integer.parseInt(args[6]);
    try
    {
      /**
       * certificate signing
       */
      vSignCert.getSignCertInfo();      // read the signing certificate information
      vSignCert.signCertificate();      // fill the issuer fields of the certificate to be signed
      vSignCert.createNewCertificate(); // create and save the new, signed certificate
    }
    catch (Exception e)
    {
      System.out.println("error:" + e.getMessage());
    }
  }

  /**
   * get the signing certificate information
   * @throws Exception
   */
  private void getSignCertInfo() throws Exception
  {
    FileInputStream vFin = null;
    KeyStore vKeyStore = null;
    java.security.cert.Certificate vCert = null;
    X509CertImpl vCertImpl = null;
    byte[] vCertData = null;

    // open the keystore that holds the signing certificate
    vFin = new FileInputStream(mKeystore);
    vKeyStore = KeyStore.getInstance("JKS");
    vKeyStore.load(vFin, mKeystorePass);
    // get the signing certificate
    vCert = vKeyStore.getCertificate(mSignCertAlias);
    vCertData = vCert.getEncoded();
    vCertImpl = new X509CertImpl(vCertData);
    // get the signing certificate information and the private key that signs
    mSignCertInfo = (X509CertInfo) vCertImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
    mSignPrivateKey = (PrivateKey) vKeyStore.getKey(mSignCertAlias, mSignPrivateKeyPass);
    vFin.close();
  }

  /**
   * read the certificate to be signed and fill in the fields set by the issuer
   * @throws Exception
   */
  private void signCertificate() throws Exception
  {
    FileInputStream vFin = null;
    java.security.cert.Certificate vCert = null;
    CertificateFactory vCertFactory = null;
    byte[] vCertData = null;
    X509CertImpl vCertImpl = null;

    // read the certificate waiting to be signed
    vFin = new FileInputStream(mSignedCert);
    vCertFactory = CertificateFactory.getInstance("X.509");
    vCert = vCertFactory.generateCertificate(vFin);
    vFin.close();
    vCertData = vCert.getEncoded();
    // set the fields of the certificate to be signed: validity, serial number, issuer, signature algorithm
    vCertImpl = new X509CertImpl(vCertData);
    mSignedCertInfo = (X509CertInfo) vCertImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
    mSignedCertInfo.set(X509CertInfo.VALIDITY, getCertValidity());
    mSignedCertInfo.set(X509CertInfo.SERIAL_NUMBER, getCertSerialNumber());
    // the issuer of the new certificate is the subject of the signing certificate
    mSignedCertInfo.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME,
                        mSignCertInfo.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME));
    mSignedCertInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, getAlgorithm());
  }

  /**
   * sign the certificate and save the new certificate
   * @throws Exception
   */
  private void createNewCertificate() throws Exception
  {
    FileOutputStream vOut = null;
    X509CertImpl vCertImpl = null;

    // wrap the new certificate information into a new X.509 certificate
    vCertImpl = new X509CertImpl(mSignedCertInfo);
    // generate the new signature with the issuer's private key
    vCertImpl.sign(mSignPrivateKey, "MD5withRSA");
    vOut = new FileOutputStream(mNewCert + ".cer");
    // save as a DER-encoded binary X.509 certificate
    vCertImpl.derEncode(vOut);
    vOut.close();
  }

  // auxiliary methods ==========================================================
  /**
   * get the validity period of the new certificate
   * @throws Exception
   * @return CertificateValidity
   */
  private CertificateValidity getCertValidity() throws Exception
  {
    long vValidity = (60 * 60 * 24 * 1000L) * mValidityDay;
    Calendar vCal = null;
    Date vBeginDate = null, vEndDate = null;
    vCal = Calendar.getInstance();
    vBeginDate = vCal.getTime();
    vEndDate = vCal.getTime();
    vEndDate.setTime(vBeginDate.getTime() + vValidity);
    return new CertificateValidity(vBeginDate, vEndDate);
  }

  /**
   * get the serial number of the new certificate (the signing time in seconds)
   * @return CertificateSerialNumber
   */
  private CertificateSerialNumber getCertSerialNumber()
  {
    Calendar vCal = null;
    vCal = Calendar.getInstance();
    int vSerialNum = 0;
    vSerialNum = (int) (vCal.getTimeInMillis() / 1000);
    return new CertificateSerialNumber(vSerialNum);
  }

  /**
   * get the signature algorithm of the new certificate
   * @return AlgorithmId
   */
  private AlgorithmId getAlgorithm()
  {
    AlgorithmId vAlgorithm = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    return vAlgorithm;
  }
}
```

How to use: this tool only does the signing, so a few preparations are needed before using it:
1) Generate the root certificate used for signing with the keytool tool; the keystore is serverstore: c:\> keytool -genkey -keystore ./serverstore -alias root -keyalg RSA -keysize 1024 --- keytool asks a series of questions; pay special attention to the keystore password and the private key password!!!
2) Generate the certificate to be signed with the keytool tool; the keystore is serverstore: c:\> keytool -genkey -keystore ./serverstore -alias daniel -keyalg RSA -keysize 1024 --- keytool again asks a series of questions; pay special attention to the keystore password and the private key password!!!
3) Export the certificate to be signed: c:\> keytool -export -keystore ./serverstore -alias daniel -file ./daniel.cer
4) Use the compiled tool to sign the daniel certificate with root (see step 2): java com.app.SignCertificate KeyStore KeyStorePass SignCertAlias SignPrivateKeyPass SignedCert NewCert Validity --- run "java com.app.SignCertificate /?" to print the syntax. KeyStore: keystore path; KeyStorePass: password to open the keystore; SignCertAlias: alias of the signing certificate; SignPrivateKeyPass: password of the signing certificate's private key; SignedCert: full path of the certificate to be signed; NewCert: name of the new certificate saved after signing; Validity: validity of the new certificate after signing (days).
5) When step 4 completes, the NewCert certificate you specified is generated; this certificate is signed by root.
6) Verify that the certificate is valid: first export the root certificate on Windows: c:\> keytool -export -keystore ./serverstore -alias root -file ./root.cer. Double-click root.cer to install it, then install daniel.cer, and you will see that daniel.cer is reported as valid.
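To check the result of step 6 without relying on the Windows certificate viewer, here is an added example (not part of the original tool) that loads root.cer and daniel.cer with the standard java.security.cert API, confirms that the issuer DN the tool copied into daniel.cer matches root.cer's subject, verifies the signature with the root public key, checks the validity window, and reports the signature algorithm; the file names are assumed from the steps above.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Checks that a certificate produced by the signing tool really chains to root.cer.
 * Added example, not part of the original tool. Usage: java VerifySignedCert ./root.cer ./daniel.cer
 */
public class VerifySignedCert {
    /** Load a DER-encoded X.509 certificate (the format the tool writes with derEncode). */
    static X509Certificate load(String path) throws Exception {
        FileInputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** True when child names issuer as its issuer, carries a valid signature from it, and is within its validity window. */
    static boolean chainsTo(X509Certificate child, X509Certificate issuer) {
        // The tool copies the root's subject DN into the child's issuer field; the DNs must match exactly.
        if (!child.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            System.out.println("issuer DN does not match root subject DN");
            return false;
        }
        try {
            child.verify(issuer.getPublicKey()); // recompute the signature over the TBSCertificate
            child.checkValidity();               // fails outside the window set from the Validity argument
        } catch (Exception e) {
            System.out.println("verification failed: " + e);
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = load(args[0]);
        X509Certificate child = load(args[1]);
        System.out.println("subject: " + child.getSubjectX500Principal());
        System.out.println("issuer:  " + child.getIssuerX500Principal());
        System.out.println("serial:  " + child.getSerialNumber());
        System.out.println("sig alg: " + child.getSigAlgName());
        if (child.getSigAlgName().toUpperCase().startsWith("MD5")) {
            System.out.println("note: MD5 signatures are rejected by modern TLS stacks; acceptable for a local test only");
        }
        System.out.println(chainsTo(child, root) ? "OK: chains to root" : "FAIL");
    }
}
```

The printed serial is the signing time in seconds, so two certificates signed within the same second by the tool receive the same serial number; a real CA must keep serials unique per issuer.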
How the certificate is used after signing can be found in the relevant documentation and is not covered here. The code above compiles and runs under JDK 1.4.2_05.
The key classes used are sun.security.x509.X509CertImpl and sun.security.x509.X509CertInfo. X509CertImpl inherits from java.security.cert.Certificate and mainly implements setting the X.509 certificate information; it is the implementation behind the standard java.security.cert.X509Certificate. X509CertInfo encapsulates the X.509 certificate information, for which the standard Java security library has no public class.
References: Java Security Manual / Tomcat two-way SSL configuration / WebLogic Server configuration policy / JDK API