Java bouncycastle API 创建 CSR 和签发证书

引入 API

		
            org.bouncycastle
            bcprov-jdk15on
            1.64
        

创建 CSR

CSR,即证书请求文件(Certificate Signing Request)。生成 X509 数字证书前,一般先由用户提交证书申请文件,然后由 CA 来签发证书。

        // 创建密钥对
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        PrivateKey privateKey = pair.getPrivate();
        PublicKey publicKey = pair.getPublic();

        // 创建 CSR 对象
        X500Principal subject = new X500Principal("C=CName, ST=STName, L=LName, O=OName, OU=OUName, CN=CNName, [email protected]");
        ContentSigner signGen = new JcaContentSignerBuilder("SHA256withRSA").build(privateKey);
        PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, publicKey);
        // 添加 SAN 扩展
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        GeneralNames generalNames = new GeneralNames(new GeneralName[]{new GeneralName(GeneralName.rfc822Name, "ip=6.6.6.6"), new GeneralName(GeneralName.rfc822Name, "[email protected]")});
        extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, generalNames);
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
        // build csr
        PKCS10CertificationRequest csr = builder.build(signGen);
        // 输出 PEM 格式的 CSR
        OutputStreamWriter output = new OutputStreamWriter(System.out);
        JcaPEMWriter pem = new JcaPEMWriter(output);
        pem.writeObject(csr);
        pem.close();

PEM 格式 CSR 示例如下:(PER 是对 DER 的简单包装)

-----BEGIN CERTIFICATE REQUEST-----
MIIC5DCCAcwCAQAwgZ4xIjAgBgkqhkiG9w0BCQEWE3NlbnRoYWRldkBnbWFpbC5j
b20xGjAYBgNVBAMTEXd3dy5zZW50aGFkZXYuY29tMRMwEQYDVQQLEwpJbm5vdmF0
aW9uMRIwEAYDVQQKEwlTZW50aGFkZXYxEjAQBgNVBAcTCVRyb25kaGVpbTESMBAG
A1UECBMJVHJvbmRoZWltMQswCQYDVQQGEwJOTzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMkKvsCUp52lcmM//iJEV62yHzDS/ASwm0wmlbUR+OnxESA5
vsYYzqdxX/Ie+K4LqY/FKsnHwcj+l7PqIHPqgiDryMcfYFpmln31jJG6XPFmjBib
m0kl63G9T62EyoRYo7SFZq/wcdgEE0FTw4bnTyT5OED2cYRlozBXdnI0L9jZYv6b
R6ww4LD4cAkqq1TeKNt0lH5G7S8QqTIeobs7hYUgVXkKWhfrYrW0l4lYUuXC12sN
e/zGYClHoaFoasD9pzoFrVjDS9+a3JoInp22OxpQbBVchnOJ3yJr8PRS5Hzx5QYJ
TAYqUd8dsw372FhvnNlZJnSkAsxca7cfpCiL4ZECAwEAAaAAMA0GCSqGSIb3DQEB
BQUAA4IBAQDDTj7ZJaeRftrod5TuEPoDhH8SwCx/wX8aIYG3mjR+q8tJ6rYgPwqR
Du8ODOAgIRFC8Dk43taPhbL94+T+iyw+UJH1KGlf0cdfHvaPoTh6QqfIQHRXuq5H
hkb9g+DgG/uzIS0yQsviKCTwFOZkvaWMZQSlBkAzFf61NQ9ymjLRFnzUN3IBmxMU
VBBEVVchta79XtkQaOsHWaZPpuwvDEtrvvwjk6kIEsc7IU927nN1Vws9oDFsqrKl
ycNVfwjd0cgf5WsTbPnBjQdVSSdAWvJo1wLrv3GxGVUwi44TzVU0xvREYAmZknCW
kpMkr5KBOO3Prex5d0doD5MJhMvxHcSL
-----END CERTIFICATE REQUEST-----

利用 CSR 创建证书

首先,读取、解析 CSR 文件:

        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        // 解析 PEM 格式的 CSR
        PKCS10CertificationRequest csr = null;
        ByteArrayInputStream pemStream = new ByteArrayInputStream(pem.getBytes(Charsets.UTF_8));
        Reader pemReader = new BufferedReader(new InputStreamReader(pemStream));
        PEMParser pemParser = new PEMParser(pemReader);

        Object parsedObj = pemParser.readObject();
        System.out.println("PemParser returned: " + parsedObj);
        if (parsedObj instanceof PKCS10CertificationRequest) {
            csr = (PKCS10CertificationRequest) parsedObj;
        }

利用 PKCS10CertificationRequest 枪法证书

		KeyPair rootPair = KeyUtil.generateKeyPair("RSA", 4096);
		// 私钥用来前面
        PrivateKey issuePriveteKey = rootPair.getPrivate();
        X509Certificate rootCert = // 利用公钥创建根证书,来签发用户证书

        X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(
                new X500Name(rootCert.getSubjectDN().getName()),
                BigInteger.valueOf(666666666L),
                new Date(),
                new Date(System.currentTimeMillis() + 1000 * 86400 * 365L),
                pkcs10CertificationRequest.getSubject(),
                pkcs10CertificationRequest.getSubjectPublicKeyInfo()
        );

		// 读取扩展信息
        Extensions extensions = null;
        for (Attribute attr : pkcs10CertificationRequest.getAttributes()) {
            if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
                extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
                break;
            }
        }
        if (extensions != null) {
        // 添加 SAN 扩展
         certificateBuilder.addExtension(extensions.getExtension(Extension.subjectAlternativeName));
        }

        //添加crl扩展
        GeneralName[] names = new GeneralName[1];
        names[0] = new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.ca.com/crl");
        GeneralNames gns = new GeneralNames(names);
        DistributionPointName pointName = new DistributionPointName(gns);
        GeneralNames crlIssuer = new GeneralNames(new GeneralName(new X500Name(rootCert.getSubjectDN().getName())));
        DistributionPoint[] points = new DistributionPoint[1];
        points[0] = new DistributionPoint(pointName, null, crlIssuer);
        certificateBuilder.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(points));

        //添加aia扩展
        AccessDescription[] accessDescriptions = new AccessDescription[2];
        accessDescriptions[0] = new AccessDescription(AccessDescription.id_ad_caIssuers, new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.ca.com/root.crt"));
        accessDescriptions[1] = new AccessDescription(AccessDescription.id_ad_ocsp, new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.com/"));
        certificateBuilder.addExtension(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(accessDescriptions));

        ContentSigner signer = new JcaContentSignerBuilder(HostCertificateConf.CERTIFICATE_SIGNATURE_ALGORITHM)
                .setProvider(Security.getProvider("BC")).build(issuePriveteKey);
        X509CertificateHolder holder = certificateBuilder.build(signer);
        X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider(Security.getProvider( "BC")).getCertificate(holder);

你可能感兴趣的:(Java,安全)