Common JAVA operations on digital certificates

Source: Internet
Author: User
Common JAVA operations on digital certificates-general Linux technology-Linux programming and kernel information. For more information, see the following. 1. packages to be included
Import java. security .*;
Import java. io .*;
Import java. util .*;
Import java. security .*;
Import java. security. cert .*;
Import sun. security. x509 .*
Import java. security. cert. Certificate;
Import java. security. cert. CertificateFactory;

Ii. Read the certificate from the file
Use keytool to write certificates in. keystore to a file, and then read certificate information from the file.
CertificateFactory cf = CertificateFactory. getInstance ("X.509 ");
FileInputStream in = new FileInputStream ("out. csr ");
Certificate c = cf. generateCertificate (in );

String s = c. toString ();
3. Directly read the certificate from the keystore
String pass = "123456 ";
FileInputStream in = new FileInputStream (". keystore ");
KeyStore ks = KeyStore. getInstance ("JKS ");
Ks. load (in, pass. toCharArray ());
Java. security. cert. Certificate c = ks. getCertificate (alias); // alias is the alias of the Entry

4. The specified certificate information is displayed in the JAVA program.
System. out. println ("output Certificate Information: \ n" + c. toString ());
System. out. println ("version:" + t. getVersion ());
System. out. println ("serial number:" + t. getSerialNumber (). toString (16 ));
System. out. println ("Subject name:" + t. getSubjectDN ());
System. out. println ("issuer:" + t. getIssuerDN ());
System. out. println ("validity period:" + t. getNotBefore ());
System. out. println ("signature algorithm:" + t. getSigAlgName ());
Byte [] sig = t. getSignature (); // signature Value
PublicKey pk = t. getPublicKey ();
Byte [] pkenc = pk. getEncoded ();
System. out. println ("Public Key ");
For (int I = 0; I + ",");

V. JAVA program listing all entries in the keystore
String pass = "123456 ";
FileInputStream in = new FileInputStream (". keystore ");
KeyStore ks = KeyStore. getInstance ("JKS ");
Ks. load (in, pass. toCharArray ());
Enumeration e = ks. aliases ();
While (e. hasMoreElements ())
Java. security. cert. Certificate c = ks. getCertificate (String) e. nextElement ());

6. the JAVA program modifies the keystore password.
String oldpass = "123456 ";
String newpass = "654321 ";
FileInputStream in = new FileInputStream (". keystore ");
KeyStore ks = KeyStore. getInstance ("JKS ");
Ks. load (in, oldpass. toCharArray ());
In. close ();
FileOutputStream output = new FileOutputStream (". keystore ");
Ks. store (output, newpass. toCharArray ());
Output. close ();

7. the JAVA program modifies the password of the keystore entry and adds the entry.
FileInputStream in = new FileInputStream (". keystore ");
KeyStore ks = KeyStore. getInstance ("JKS ");
Ks. load (in, storepass. toCharArray ());
Certificate [] cchain = ks. getCertificate (alias); obtain the Certificate chain of the corresponding alias
PrivateKey pk = (PrivateKey) ks. getKey (alias, oldkeypass. toCharArray (); obtain the private key of the corresponding entry of the alias
Ks. setKeyEntry (alias, pk, newkeypass. toCharArray (), cchain); add entries to the keystore
The first parameter specifies the alias of the added entry. If an existing alias is used, it overwrites the existing one. If a new alias is used, a new entry is added. The second parameter is the private key of the entry, the third is the set new password, and the fourth is the certificate chain of the public key of the private key.
FileOutputStream output = new FileOutputStream ("another ");
Ks. store (output, storepass. toCharArray () writes the content of the keystore object to a new file.

8. JAVA program checks aliases and deletes entries.
FileInputStream in = new FileInputStream (". keystore ");
KeyStore ks = KeyStore. getInstance ("JKS ");
Ks. load (in, storepass. toCharArray ());
Ks. containsAlias ("sage"); checks whether entries exist in the keystore and returns true
Ks. deleteEntry ("sage"); Delete the entry corresponding to the alias
FileOutputStream output = new FileOutputStream (". keystore ");
Ks. store (output, storepass. toCharArray () writes the content of the keystore object to the file. The entry is deleted successfully.

9: the JAVA program issues a digital certificate
(1) read the CA certificate from the keystore
FileInputStream in = new FileInputStream (". keystore ");
KeyStore ks = KeyStore. getInstance ("JKS ");
Ks. load (in, storepass. toCharArray ());
Java. security. cert. Certificate c1 = ks. getCertificate ("caroot ");
(2) read the private key of the CA from the keystore
PrivateKey caprk = (PrivateKey) ks. getKey (alias, cakeypass. toCharArray ());
(3) extract issuer information from CA certificates
Byte [] encod1 = c1.getEncoded (); extract the encoding of the CA certificate
X509CertImpl cimp1 = new X509CertImpl (encod1); Use this encoding to create an X509CertImpl object
X509CertInfo cinfo1 = (X509CertInfo) cimp1.get (X509CertImpl. NAME + "." + X509CertImpl. INFO); get the X509CertInfo object
X500Name issuer = (X500Name) cinfo1.get (X509CertInfo. SUBJECT + "." + CertificateIssuerName. DN_NAME); get issuer information of X509Name type
(4) obtain the certificate to be issued
CertificateFactory cf = CertificateFactory. getInstance ("X.509 ");
FileInputStream in2 = new FileInputStream ("user. csr ");
Java. security. cert. Certificate c2 = cf. generateCertificate (in );
(5) extract certificate information from the certificate to be issued
Byte [] encod2 = c2.getEncoded ();
X509CertImpl cimp2 = new X509CertImpl (encod2); Use this encoding to create an X509CertImpl object
X509CertInfo cinfo2 = (X509CertInfo) cimp2.get (X509CertImpl. NAME + "." + X509CertImpl. INFO); get the X509CertInfo object
(6) set the validity period of the new certificate
Date begindate = new Date (); get the current time
Date enddate = new Date (begindate. getTime () + 3000*24*60*60 * 1000L); valid for 3000 days
CertificateValidity cv = new CertificateValidity (begindate, enddate); create an object
Cinfo2.set (X509CertInfo. VALIDITY, cv); set the VALIDITY period
(7) set the serial number of the new certificate
Int sn = (int) (begindate. getTime ()/1000); with the current time as the serial number
CertificateSerialNumber csn = new CertificateSerialNumber (sn );
Cinfo2.set (X509CertInfo. SERIAL_NUMBER, csn );
(8) set a new certificate issuer
Cinfo2.set (X509CertInfo. ISSUER + "." + CertificateIssuerName. DN_NAME, issuer); apply the result of step 3
(9) set the new certificate signature algorithm Information
AlgorithmId algorithm = new AlgorithmId (AlgorithmId. md5WithRSAEncryption_oid );
Cinfo2.set (CertificateAlgorithmId. NAME + "." + CertificateAlgorithmId. ALGORITHM, algorithm );
(10) create a certificate and sign it with the CA's private key
X509CertImpl newcert = new X509CertImpl (cinfo2 );
Newcert. sign (caprk, "MD5WithRSA"); Use the CA private key to sign it.
(11) write the new certificate to the keystore
Ks. setCertificateEntry ("lf_signed", newcert );
FileOutputStream out = new FileOutputStream ("newstore ");
Ks. store (out, "newpass". toCharArray (); a new keystore is written here. You can also use Article 7 to add entries.

10: digital certificate inspection
(1) verify the validity period of the certificate
(A) Get the X509Certificate type object
CertificateFactory cf = CertificateFactory. getInstance ("X.509 ");
FileInputStream in1 = new FileInputStream ("aa. crt ");
Java. security. cert. Certificate c1 = cf. generateCertificate (in1 );
X509Certificate t = (X509Certificate) c1;
In2.close ();
(B) Date of Acquisition
Date TimeNow = new Date ();
(C) test effectiveness
Try {
T. checkValidity (TimeNow );
System. out. println ("OK ");
} Catch (CertificateExpiredException e) {// expiration
System. out. println ("Expired ");
System. out. println (e. getMessage ());
} Catch (CertificateNotYetValidException e) {// not activated
System. out. println ("Too early ");
System. out. println (e. getMessage ());}
(2) verify the validity of the Certificate Signature
(A) Obtain the CA certificate
CertificateFactory cf = CertificateFactory. getInstance ("X.509 ");
FileInputStream in2 = new FileInputStream ("caroot. crt ");
Java. security. cert. Certificate cac = cf. generateCertificate (in2 );
In2.close ();
(C) obtain the CA Public Key
PublicKey pbk = cac. getPublicKey ();
(B) obtain the certificate to be verified (C1 is obtained in the previous step)
(C) certificate inspection
Boolean pass = false;
Try {
C1.verify (pbk );
Pass = true;
} Catch (Exception e ){
Pass = false;
System. out. println (e );
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.