/*
  Name:         X509Cert.java
  Licensing:    LGPL

  API:          Sun (http://java.sun.com) JCE 1.2.2 API (cleanroom implementation by Bouncy Castle)
  Provider:     Bouncy Castle (http://www.bouncycastle.org)

  Disclaimer:

  COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND,
  EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE
  IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE
  RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD ANY COVERED CODE
  PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR)
  ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY
  CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED
  HEREUNDER EXCEPT UNDER THIS DISCLAIMER.

  (C) Copyright 2003 Gert Van Ham
*/

package net.sourceforge.jcetaglib.lib;

import net.sourceforge.jcetaglib.exceptions.CryptoException;
import net.sourceforge.jcetaglib.tools.FileTools;
import net.sourceforge.jcetaglib.tools.KeyTools;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.misc.MiscObjectIdentifiers;
import org.bouncycastle.asn1.misc.NetscapeCertType;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.X509V2CRLGenerator;
import org.bouncycastle.jce.X509V3CertificateGenerator;
import org.bouncycastle.jce.netscape.NetscapeCertRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.*;
import java.util.Date;


/**
 * Create/Read/Manipulate X.509 certificates
 *
 * @author Gert Van Ham
 * @author hamgert@users.sourceforge.net
 * @author http://jcetaglib.sourceforge.net
 * @version $Id: X509Cert.java,v 1.3 2004/04/15 07:28:25 hamgert Exp $
 */
public class X509Cert {

    // Accepted values (compared case-insensitively) for the "netscapeextensions" argument of
    // selfsign()/sign(); each selects a fixed set of NetscapeCertType bits. Any other value
    // (including null) adds no Netscape cert-type extension at all.
    private static final String NS_CA = "ca";
    private static final String NS_SERVER = "server";
    private static final String NS_CLIENT = "client";
    private static final String NS_ALL = "all";

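    /**
     * Generates a key pair (public and private key) with the Bouncy Castle provider.
     *
     * @param keypairalgorithm keypair algorithm (e.g. "RSA")
     * @param keylength key length in bits; for RSA use at least 2048 — 1024-bit RSA keys are
     *                  no longer considered adequate
     * @param seed seed for SecureRandom (optional); handed to {@code Seed.getSecureRandom(seed)}.
     *             NOTE(review): that helper is not visible here — if it uses the seed as the sole
     *             entropy source, the generated key is fully determined by the seed. Confirm before
     *             passing anything that is not high-entropy and secret.
     * @return generated keypair
     * @throws NoSuchAlgorithmException unknown algorithm
     * @throws NoSuchProviderException unknown provider
     * @throws CryptoException cryptographic errors
     */
    public static KeyPair generateKeyPair(String keypairalgorithm
                                          , int keylength
                                          , byte[] seed) throws NoSuchAlgorithmException, NoSuchProviderException, CryptoException {

        // Register Bouncy Castle once. addProvider() is a no-op when "BC" is already installed,
        // but constructing a fresh provider instance on every call is wasted work.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        KeyPairGenerator generator = KeyPairGenerator.getInstance(keypairalgorithm, "BC");
        SecureRandom rng = Seed.getSecureRandom(seed);
        generator.initialize(keylength, rng);
        return generator.generateKeyPair();
    }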

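    /**
     * Creates a self-signed certificate (issuer == subject) and signs it with {@code privatekey}.
     *
     * @param privatekey the private key used to sign the certificate
     * @param publickey the public key embedded as subject public key; it must belong to
     *                  {@code privatekey}, otherwise the final self-verification fails
     * @param signaturealgorithm signature algorithm (e.g. "SHA256WithRSAEncryption"); avoid MD5- and
     *                           SHA-1-based algorithms, they are no longer considered secure
     * @param validity defines how long this certificate is valid (in days); must be positive
     * @param subjectdn the subject's distinguished name (also used as the issuer DN)
     * @param isca true if this certificate can be used for a Certificate Authority, false if not
     * @param netscapeextensions adds netscape certificate extensions ("ca", "server", "client", "all");
     *                           any other value adds none
     * @return X.509 certificate
     * @throws CertificateException on any failure (the underlying exception is attached as cause)
     */
    public static X509Certificate selfsign(PrivateKey privatekey
                                           , PublicKey publickey
                                           , String signaturealgorithm
                                           , long validity
                                           , String subjectdn
                                           , boolean isca
                                           , String netscapeextensions) throws CertificateException {
        try {
            // Register Bouncy Castle once; addProvider() is a no-op if "BC" is already installed.
            if (Security.getProvider("BC") == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            if (validity <= 0) {
                // Reject up front: otherwise notAfter <= notBefore and the checkValidity() below
                // fails with a far less helpful "expired" error (wrapped as CertificateException).
                throw new IllegalArgumentException("validity must be a positive number of days: " + validity);
            }

            long now = System.currentTimeMillis();
            // Backdate notBefore by ten minutes to tolerate slightly skewed clocks on verifiers.
            Date notBefore = new Date(now - 10L * 60 * 1000);
            // validity is in days; long multiplier so the product is computed in long arithmetic.
            Date notAfter = new Date(now + validity * (24L * 60 * 60 * 1000));

            // Serial numbers must be unique per issuer and unpredictable (RFC 5280 4.1.2.2; the
            // usual requirement is at least 64 bits of CSPRNG output). Do NOT seed a SHA1PRNG with
            // the clock here: seeding before the first output makes the serial a pure function of
            // the millisecond timestamp -- predictable, and colliding for two certificates issued
            // in the same millisecond. The default SecureRandom self-seeds from the platform.
            byte[] serialBytes = new byte[16];
            new SecureRandom().nextBytes(serialBytes);
            // Unsigned construction guarantees a positive value; zero is not a valid serial.
            BigInteger serial = new BigInteger(1, serialBytes);
            if (serial.signum() == 0) {
                serial = BigInteger.ONE;
            }

            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
            X509Principal dn = new X509Principal(subjectdn);

            // Basic fields: issuer and subject are the same name for a self-signed certificate.
            certGen.setSerialNumber(serial);
            certGen.setIssuerDN(dn);
            certGen.setSubjectDN(dn);
            certGen.setNotBefore(notBefore);
            certGen.setNotAfter(notAfter);
            certGen.setPublicKey(publickey);
            certGen.setSignatureAlgorithm(signaturealgorithm);

            // Extensions
            certGen.addExtension(X509Extensions.SubjectKeyIdentifier,
                    false,
                    CertTools.createSubjectKeyId(publickey));

            // RFC 5280 4.2.1.9: basicConstraints MUST be critical in CA certificates, otherwise a
            // validator is free to ignore it. End-entity certificates keep it non-critical.
            certGen.addExtension(X509Extensions.BasicConstraints,
                    isca,
                    new BasicConstraints(isca));
            // NOTE(review): no keyUsage extension is added. RFC 5280 expects keyCertSign/cRLSign
            // in CA certificates and some strict validators may reject a CA certificate without it.

            // Netscape cert-type extension (legacy; modern clients generally ignore it).
            int nsBits = 0;
            if (NS_CA.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslCA | NetscapeCertType.smimeCA | NetscapeCertType.objectSigningCA;
            } else if (NS_SERVER.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslServer;
            } else if (NS_CLIENT.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslClient | NetscapeCertType.smime | NetscapeCertType.objectSigning;
            } else if (NS_ALL.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslClient | NetscapeCertType.sslServer | NetscapeCertType.smime
                        | NetscapeCertType.objectSigning | NetscapeCertType.sslCA | NetscapeCertType.smimeCA
                        | NetscapeCertType.objectSigningCA;
            }
            if (nsBits != 0) {
                certGen.addExtension(MiscObjectIdentifiers.netscapeCertType,
                        false,
                        new NetscapeCertType(nsBits));
            }

            X509Certificate cert = certGen.generateX509Certificate(privatekey);

            // Sanity checks on the result: currently within its validity window, and the signature
            // verifies with the embedded public key (catches a private/public key mismatch).
            cert.checkValidity(new Date());
            cert.verify(publickey);

            return cert;
        } catch (Exception e) {
            // Wrap, but keep the original exception as cause so callers can diagnose the failure
            // instead of getting only a message string.
            CertificateException ce = new CertificateException(e.getMessage());
            ce.initCause(e);
            throw ce;
        }
    }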

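    /**
     * Creates a certificate for {@code publickey}/{@code subjectdn} signed by the CA identified by
     * {@code issuercertificate} and {@code issuerprivatekey}.
     * <p>
     * NOTE(review): nothing here checks that the issuer certificate is itself a CA (cA=true) or
     * currently valid, nor that {@code issuerprivatekey} matches {@code issuercertificate} beyond
     * the final signature check; the caller is responsible for passing a trusted CA key pair.
     *
     * @param publickey the public key to certify
     * @param issuerprivatekey the private key of the CA (issuer), used to sign
     * @param issuercertificate the certificate of the CA (issuer); its subject name becomes the
     *                          issuer name and its public key is used to derive the
     *                          authorityKeyIdentifier (via CertTools.createAuthorityKeyId)
     * @param signaturealgorithm signature algorithm (e.g. "SHA256WithRSAEncryption"); avoid MD5- and
     *                           SHA-1-based algorithms, they are no longer considered secure
     * @param validity defines how long this certificate is valid (in days); must be positive
     * @param subjectdn the subject's distinguished name
     * @param isca true if this certificate can be used for a Certificate Authority, false if not
     * @param crldisturi the CRL distribution URI, placed in a cRLDistributionPoints extension;
     *                   null or empty adds no such extension
     * @param netscapeextensions adds netscape certificate extensions ("ca", "server", "client", "all");
     *                           any other value adds none
     * @return X.509 certificate
     * @throws CertificateException on any failure (the underlying exception is attached as cause)
     */
    public static X509Certificate sign(PublicKey publickey
                                       , PrivateKey issuerprivatekey
                                       , X509Certificate issuercertificate
                                       , String signaturealgorithm
                                       , long validity
                                       , String subjectdn
                                       , boolean isca
                                       , String crldisturi
                                       , String netscapeextensions) throws CertificateException {
        try {
            // Register Bouncy Castle once; addProvider() is a no-op if "BC" is already installed.
            if (Security.getProvider("BC") == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            if (validity <= 0) {
                // Reject up front: otherwise notAfter <= notBefore and the checkValidity() below
                // fails with a far less helpful "expired" error (wrapped as CertificateException).
                throw new IllegalArgumentException("validity must be a positive number of days: " + validity);
            }

            long now = System.currentTimeMillis();
            // Backdate notBefore by ten minutes to tolerate slightly skewed clocks on verifiers.
            Date notBefore = new Date(now - 10L * 60 * 1000);
            // validity is in days; long multiplier so the product is computed in long arithmetic.
            Date notAfter = new Date(now + validity * (24L * 60 * 60 * 1000));

            // Serial numbers must be unique per issuer and unpredictable (RFC 5280 4.1.2.2; the
            // usual requirement is at least 64 bits of CSPRNG output). Do NOT seed a SHA1PRNG with
            // the clock here: seeding before the first output makes the serial a pure function of
            // the millisecond timestamp -- predictable, and colliding for two certificates issued
            // in the same millisecond. The default SecureRandom self-seeds from the platform.
            byte[] serialBytes = new byte[16];
            new SecureRandom().nextBytes(serialBytes);
            // Unsigned construction guarantees a positive value; zero is not a valid serial.
            BigInteger serial = new BigInteger(1, serialBytes);
            if (serial.signum() == 0) {
                serial = BigInteger.ONE;
            }

            // Take the issuer name from the CA certificate's encoded subject rather than from
            // getSubjectDN().toString(): path validation links issuer to subject by comparing
            // encoded names, and re-parsing the string form can change attribute encodings or
            // ordering so that the chain no longer links.
            X509Principal issuerDn = new X509Principal(issuercertificate.getSubjectX500Principal().getEncoded());

            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

            // Basic fields
            certGen.setSerialNumber(serial);
            certGen.setIssuerDN(issuerDn);
            certGen.setSubjectDN(new X509Principal(subjectdn));
            certGen.setNotBefore(notBefore);
            certGen.setNotAfter(notAfter);
            certGen.setPublicKey(publickey);
            certGen.setSignatureAlgorithm(signaturealgorithm);

            // Extensions
            certGen.addExtension(X509Extensions.SubjectKeyIdentifier,
                    false,
                    CertTools.createSubjectKeyId(publickey));

            certGen.addExtension(X509Extensions.AuthorityKeyIdentifier,
                    false,
                    CertTools.createAuthorityKeyId(issuercertificate.getPublicKey()));

            // RFC 5280 4.2.1.9: basicConstraints MUST be critical in CA certificates, otherwise a
            // validator is free to ignore it. End-entity certificates keep it non-critical.
            certGen.addExtension(X509Extensions.BasicConstraints,
                    isca,
                    new BasicConstraints(isca));
            // NOTE(review): no keyUsage extension is added. RFC 5280 expects keyCertSign/cRLSign
            // in CA certificates and some strict validators may reject a CA certificate without it.

            // CRL distribution point (a single full-name URI)
            if (crldisturi != null && crldisturi.length() > 0) {
                // GeneralName tag 6 = uniformResourceIdentifier
                GeneralName uri = new GeneralName(new DERIA5String(crldisturi), 6);
                GeneralNames dpNames = new GeneralNames(new DERSequence(uri));
                // DistributionPointName choice 0 = fullName
                DistributionPointName dpName = new DistributionPointName(0, dpNames);
                DistributionPoint dp = new DistributionPoint(dpName, null, null);
                // The extension value is CRLDistributionPoints ::= SEQUENCE OF DistributionPoint,
                // so the single DistributionPoint must be wrapped in a sequence. Emitting the bare
                // DistributionPoint as the value produces a malformed extension that conforming
                // parsers cannot decode.
                certGen.addExtension(X509Extensions.CRLDistributionPoints,
                        false,
                        new DERSequence(dp));
            }

            // Netscape cert-type extension (legacy; modern clients generally ignore it).
            int nsBits = 0;
            if (NS_CA.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslCA | NetscapeCertType.smimeCA | NetscapeCertType.objectSigningCA;
            } else if (NS_SERVER.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslServer;
            } else if (NS_CLIENT.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslClient | NetscapeCertType.smime | NetscapeCertType.objectSigning;
            } else if (NS_ALL.equalsIgnoreCase(netscapeextensions)) {
                nsBits = NetscapeCertType.sslClient | NetscapeCertType.sslServer | NetscapeCertType.smime
                        | NetscapeCertType.objectSigning | NetscapeCertType.sslCA | NetscapeCertType.smimeCA
                        | NetscapeCertType.objectSigningCA;
            }
            if (nsBits != 0) {
                certGen.addExtension(MiscObjectIdentifiers.netscapeCertType,
                        false,
                        new NetscapeCertType(nsBits));
            }

            X509Certificate cert = certGen.generateX509Certificate(issuerprivatekey);

            // Sanity checks on the result: currently within its validity window, and the signature
            // verifies with the issuer's public key (catches an issuer key/certificate mismatch).
            cert.checkValidity(new Date());
            cert.verify(issuercertificate.getPublicKey());

            return cert;
        } catch (Exception e) {
            // Wrap, but keep the original exception as cause so callers can diagnose the failure
            // instead of getting only a message string.
            CertificateException ce = new CertificateException(e.getMessage());
            ce.initCause(e);
            throw ce;
        }
    }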

    /**
     * Create a CRL (Certificate Revocation List)
     *
     * @param certserialnumbers array of certificate serial numbers that are revoked
     * @param crlnumber the CRL number
     * @param crlperiod how long this CRL is valid (in hours)
     * @param signaturealgorithm signature algorithm (e.g. "MD5WithRSAEncryption")
     * @param cacert the CA's certificate
     * @param caprivkey the CA's private key (to sign the CRL)
     * @return CRL
     * @throws CertificateException
     */
    public static X509CRL CreateCRL(BigInteger[] certserialnumbers
                                    , int crlnumber
                                    , long crlperiod
                                    , String signaturealgorithm
                                    , X509Certificate cacert
                                    , PrivateKey caprivkey) throws CertificateException {
        X509CRL crl = null;
        try {
            // Add Bouncy Castle provider
            Security.addProvider(new BouncyCastleProvider());
