java程序实现对证书的操作

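// ---------------------------------------------------------------------------
// 1. Reading a certificate from a certificate file
// ---------------------------------------------------------------------------
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.cert.*;

public class PrintCert {
    /**
     * Parses the X.509 certificate stored in {@code my.cer} and writes its
     * textual form to {@code tmp.txt}.
     *
     * @param args unused
     * @throws Exception if the file cannot be read or is not a valid certificate
     */
    public static void main(String args[]) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c;
        // try-with-resources closes the stream even when parsing fails.
        try (FileInputStream in = new FileInputStream("my.cer")) {
            c = cf.generateCertificate(in);
        }
        String s = c.toString();
        // Display the certificate (written to tmp.txt, with an explicit charset
        // so the output does not depend on the platform default).
        try (BufferedWriter out = new BufferedWriter(
                new OutputStreamWriter(new FileOutputStream("tmp.txt"), StandardCharsets.UTF_8))) {
            out.write(s, 0, s.length());
        }
    }
}

// ---------------------------------------------------------------------------
// 2. Reading a certificate directly from a keystore
// ---------------------------------------------------------------------------
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;

public class PrintCert2 {
    /**
     * Loads the JKS keystore {@code .keystore} and prints the certificate
     * stored under the alias {@code mykey}.
     *
     * @param args unused
     * @throws Exception if the keystore cannot be loaded or the alias has no certificate
     */
    public static void main(String args[]) throws Exception {
        // Sample password from the article. A keystore password embedded in source
        // ends up in version control and build output; real code should prompt for
        // it or fetch it from a secret store.
        char[] pass = "080302".toCharArray();
        String alias = "mykey";
        String name = ".keystore";
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(name)) {
            ks.load(in, pass);
        }
        Certificate c = ks.getCertificate(alias);
        // getCertificate returns null for an unknown alias; fail with a clear
        // message instead of a NullPointerException on toString().
        if (c == null) {
            throw new KeyStoreException("No certificate entry for alias " + alias);
        }
        System.out.println(c.toString());
    }
}

// ---------------------------------------------------------------------------
// 3. Displaying selected certificate fields (subject name, public key, signature, ...)
// ---------------------------------------------------------------------------
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.math.*;

public class ShowCertInfo {
    /**
     * Parses {@code my.cer} and prints its version, serial number, subject,
     * issuer, validity period, signature algorithm, signature and public key.
     *
     * @param args unused
     * @throws Exception if the file cannot be read or is not an X.509 certificate
     */
    public static void main(String args[]) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate t;
        try (FileInputStream in = new FileInputStream("my.cer")) {
            // Casting directly avoids the ambiguous simple name Certificate
            // (java.security.Certificate vs java.security.cert.Certificate).
            t = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("版本号 " + t.getVersion());
        System.out.println("序列号 " + t.getSerialNumber().toString(16));
        // getSubjectX500Principal/getIssuerX500Principal replace the
        // implementation-specific getSubjectDN/getIssuerDN.
        System.out.println("全名 " + t.getSubjectX500Principal());
        System.out.println("签发者全名\n" + t.getIssuerX500Principal());
        System.out.println("有效期起始日 " + t.getNotBefore());
        System.out.println("有效期截至日 " + t.getNotAfter());
        System.out.println("签名算法 " + t.getSigAlgName());
        byte[] sig = t.getSignature();
        // Signum 1 treats the signature bytes as an unsigned magnitude; without it
        // a leading 1-bit makes the hex output negative.
        System.out.println("签名\n" + new BigInteger(1, sig).toString(16));
        PublicKey pk = t.getPublicKey();
        byte[] pkenc = pk.getEncoded();
        System.out.println("公钥");
        for (byte b : pkenc) {
            System.out.print(b + ",");
        }
    }
}

// ---------------------------------------------------------------------------
// 4. Digital signature: signing a digital certificate
// ---------------------------------------------------------------------------
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.x509.*;

// Inputs: the CA keystore and its password, the CA entry to use and its password,
// the new keystore and its password, and the new entry name.
// Important: some JDK classes are specially protected (for example X509CertImpl);
// an access rule must be set before they can be used
// [Project Properties - Java Build Path - JRE System Library - Access Rules -
//  Edit - "sun/**" (Accessible)].
// NOTE(review): sun.security.x509 is JDK-internal API and differs between JDK
// releases; confirm the classes used below exist in the JDK you build against.
public class SignCert {
    /** Validity period of the re-issued certificate, in days. */
    private static final int VALIDITY_DAYS = 3000;

    /**
     * Re-issues the certificate in {@code cert/ibe-mao.cer}: sets a new validity
     * period, serial number, issuer and signature algorithm, signs it with the CA
     * private key from {@code keystore/ibe}, and stores the result in
     * {@code keystore/newstore}.
     *
     * @param args unused
     * @throws Exception on any keystore, parsing or signing failure
     */
    public static void main(String args[]) throws Exception {
        String signerName = "keystore/ibe";
        String signerAlias = "he";
        // Sample passwords from the article. The password protecting a CA private
        // key should never be compiled into the program; prompt for it or load it
        // from a secret store.
        char[] signerStorePass = "080302".toCharArray();
        char[] signerKeyPass = "080302".toCharArray();
        String CertName = "cert/ibe-mao.cer";
        String newStore = "keystore/newstore";
        String newStoreAlias = "mao";
        char[] newStorePass = "080302".toCharArray();

        // CA certificate and private key
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(signerName)) {
            ks.load(in, signerStorePass);
        }
        java.security.cert.Certificate c1 = ks.getCertificate(signerAlias);
        PrivateKey caprk = (PrivateKey) ks.getKey(signerAlias, signerKeyPass);

        // Obtain the issuer name: the CA certificate's subject becomes the new issuer.
        byte[] encod1 = c1.getEncoded();
        X509CertImpl cimp1 = new X509CertImpl(encod1);
        X509CertInfo cinfo1 =
                (X509CertInfo) cimp1.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
        X500Name issuer =
                (X500Name) cinfo1.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME);

        // Certificate to be signed
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        java.security.cert.Certificate c2;
        try (FileInputStream in2 = new FileInputStream(CertName)) {
            c2 = cf.generateCertificate(in2);
        }
        byte[] encod2 = c2.getEncoded();
        X509CertImpl cimp2 = new X509CertImpl(encod2);
        X509CertInfo cinfo2 =
                (X509CertInfo) cimp2.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);

        // Set the validity period of the new certificate. The original inline
        // comment said "60 day" while the code used 3000 days; the code's value is kept.
        Date begindate = new Date();
        Date enddate = new Date(begindate.getTime() + VALIDITY_DAYS * 24L * 60 * 60 * 1000);
        CertificateValidity cv = new CertificateValidity(begindate, enddate);
        cinfo2.set(X509CertInfo.VALIDITY, cv);

        // Set the serial number of the new certificate. A timestamp truncated to int
        // is predictable and repeats for two certificates issued in the same second;
        // draw a positive random value from a CSPRNG instead.
        BigInteger sn = new BigInteger(127, new SecureRandom()).add(BigInteger.ONE);
        CertificateSerialNumber csn = new CertificateSerialNumber(sn);
        cinfo2.set(X509CertInfo.SERIAL_NUMBER, csn);

        // Set the issuer of the new certificate
        cinfo2.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer);

        // Set the signature algorithm of the new certificate. SHA-1 is no longer
        // collision resistant, so SHA-256 with RSA is used; the name must match the
        // one passed to sign() below. Assumes the CA key is an RSA key, as the
        // original sha1WithRSA choice did.
        AlgorithmId algorithm = AlgorithmId.get("SHA256withRSA");
        cinfo2.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algorithm);

        // Create the certificate
        X509CertImpl newcert = new X509CertImpl(cinfo2);
        // Sign it
        newcert.sign(caprk, "SHA256withRSA");
        // Print to the console to check the information
        System.out.println(newcert);

        // Store into the keystore.
        // NOTE(review): ks is the CA keystore loaded above, so the file written here
        // also contains the CA private-key entry stored under signerAlias. If
        // keystore/newstore is meant to be handed out, load an empty KeyStore and
        // add only the new certificate to it.
        ks.setCertificateEntry(newStoreAlias, newcert);
        try (FileOutputStream out = new FileOutputStream(newStore)) {
            ks.store(out, newStorePass);
        }
    }
}

// Note: after that, restart and it will work.
// (Presumably this refers to the access-rule change described before SignCert.)

// ---------------------------------------------------------------------------
// 5. Validating a CertPath (certificate chain validation)
// ---------------------------------------------------------------------------
// The validate() method of the CertPathValidator class can use the ready-made
// PKIX certification path validation algorithm to validate a CertPath object
// directly. Its first argument is the CertPath object to validate; the second is
// a PKIXParameters object that supplies the parameters used during validation.
// To obtain a PKIXParameters object you must specify which CAs are most trusted.
//
// ValidateCP.java
package cert;

import java.io.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.util.*;

public class ValidateCP {
    /**
     * Builds a certificate path from the listed certificate files and validates
     * it with the PKIX algorithm against a single trust anchor.
     *
     * @param args unused
     * @throws Exception if a certificate file cannot be read or parsed
     */
    public static void main(String args[]) throws Exception {
        String[] arg = new String[]{"cert/ibe-mao-signed.cer", "cert/ibe-he.cer"};
        String trustAnchor = "cert/ibe-he.cer";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Convert the certificate list into a certificate path.
        List<Certificate> mylist = new ArrayList<>();
        for (String file : arg) {
            try (FileInputStream in = new FileInputStream(file)) {
                mylist.add(cf.generateCertificate(in));
            }
        }
        CertPath cp = cf.generateCertPath(mylist);

        // Set the trust anchor. Whoever can replace this file decides which chains
        // validate, so it must come from a trusted location.
        Certificate trust;
        try (FileInputStream in = new FileInputStream(trustAnchor)) {
            trust = cf.generateCertificate(in);
        }
        // Create TrustAnchor
        TrustAnchor anchor = new TrustAnchor((X509Certificate) trust, null);

        // Set the PKIX parameters
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        // Revocation checking is switched off, so a revoked certificate still
        // validates here. That suits a local demo without CRL or OCSP data; enable
        // it wherever the result gates a trust decision.
        params.setRevocationEnabled(false);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            System.out.println(result);
            System.out.println(result.getTrustAnchor());
        } catch (CertPathValidatorException cpve) {
            System.out.println("Validation failure, cert[" + cpve.getIndex() + "] :"
                    + cpve.getMessage());
        }
    }
}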
