Cryptography research-Certificate

Source: Internet
Author: User

Introduction:

The certificate is a very important concept in cryptography. I will not go into detail here: certificates are generally based on the X.509 specification, and interested readers can see the corresponding introduction at http://en.wikipedia.org/wiki/X509


Practice:

In fact, certificates are everywhere. Browsers hold a number of certificates; some are added automatically and some can be added manually. For example, in Chrome on my own machine, open chrome://settings/advanced

Under HTTPS/SSL, click the "Manage Certificates..." button, and the list of managed certificates is displayed.


Select a certificate, such as the one for Alibaba.com, and export it to the local computer. Then use the certificate classes provided by Java to analyze it.


To analyze the certificate, we wrote a utility class:

    package com.charles.certificatestudy;

    import java.io.FileInputStream;
    import java.math.BigInteger;
    import java.security.PublicKey;
    import java.security.cert.CRL;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Base64;
    import java.util.Date;

    import javax.security.auth.x500.X500Principal;

    /**
     * Description: this utility class provides general certificate operations.
     *
     * @author charles.wang
     * @created Oct 29, 2013 2:57:58 PM
     */
    public class CertificateUtil {

        // java.util.Base64 replaces the internal, unsupported sun.misc.BASE64Encoder
        private static final Base64.Encoder BASE64 = Base64.getEncoder();

        /**
         * Load an X.509 certificate from a file.
         * @param certificateName the path name of the certificate file
         * @throws Exception
         */
        public static X509Certificate getX509certFromCertificatePath(String certificateName) throws Exception {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            // open the certificate file; try-with-resources closes the stream even if parsing fails
            try (FileInputStream in = new FileInputStream(certificateName)) {
                // obtain the certificate
                Certificate certificate = certificateFactory.generateCertificate(in);
                // certificate type
                String certType = certificate.getType();
                System.out.println("certificate type: " + certType);
                return (X509Certificate) certificate;
            }
        }

        /**
         * Analyze the certificate.
         * @param x509cert the certificate to analyze
         * @throws Exception
         */
        public static void parseX509Certificate(X509Certificate x509cert) throws Exception {
            // use the certificate API to extract the relevant information

            // read the certificate version number; it identifies the X.509 standard version used
            // for the certificate, which affects what information the certificate can carry.
            // So far, three versions have been defined.
            int version = x509cert.getVersion();
            System.out.println("\ncertificate version: " + version);

            // read the certificate serial number
            BigInteger serialNumber = x509cert.getSerialNumber();
            System.out.println("\ncertificate serial number: " + BASE64.encodeToString(serialNumber.toByteArray()));

            // read the name of the signature algorithm the CA used to sign the certificate
            String algName = x509cert.getSigAlgName();
            System.out.println("\ncertificate signature algorithm name: " + algName);

            // the issuer of the certificate; its name follows the X.500 standard.
            // The issuer is usually a CA, and using this certificate means trusting the entity that signed it.
            X500Principal issuerPrincipal = x509cert.getIssuerX500Principal();
            System.out.println("\ncertificate issuer: " + issuerPrincipal.getName());

            // read the certificate validity period
            Date notAfter = x509cert.getNotAfter();
            Date notBefore = x509cert.getNotBefore();
            System.out.println("\ncertificate validity period: " + notBefore + " to " + notAfter);

            // the subject of the certificate: the entity the public key belongs to; its name also uses the X.500 standard
            X500Principal subjectPrincipal = x509cert.getSubjectX500Principal();
            System.out.println("certificate subject: " + subjectPrincipal.getName());

            // read the certificate's public key
            PublicKey publicKey = x509cert.getPublicKey();
            System.out.println("\npublic key information of the certificate");
            System.out.println("public key algorithm: " + publicKey.getAlgorithm());
            System.out.println("public key format: " + publicKey.getFormat());
            // get the encoded key as a byte array
            byte[] publicKeyBytes = publicKey.getEncoded();
            System.out.println("public key: " + BASE64.encodeToString(publicKeyBytes));

            // read the basic constraints: the path length constraint for a CA certificate, -1 if the subject is not a CA
            System.out.println("\ncertificate path length: " + x509cert.getBasicConstraints());

            // functions or services supported by the public key contained in the certificate
            // KeyUsage ::= BIT STRING {
            //     digitalSignature (0), nonRepudiation (1), keyEncipherment (2),
            //     dataEncipherment (3), keyAgreement (4), keyCertSign (5),
            //     cRLSign (6), encipherOnly (7), decipherOnly (8) }
            boolean[] keyUsages = x509cert.getKeyUsage();
            // getKeyUsage() returns null when the certificate has no KeyUsage extension
            if (keyUsages != null) {
                if (keyUsages[0]) System.out.println("the public key of this certificate can be used for digital signatures");
                if (keyUsages[1]) System.out.println("the public key of this certificate can be used for non-repudiation");
                if (keyUsages[2]) System.out.println("the public key of this certificate can be used to encrypt keys");
                if (keyUsages[3]) System.out.println("the public key of this certificate can be used to encrypt user data");
                if (keyUsages[4]) System.out.println("the public key of this certificate can be used for key agreement");
                if (keyUsages[5]) System.out.println("the public key of this certificate can be used to verify signatures on certificates");
                if (keyUsages[6]) System.out.println("the public key of this certificate can be used to verify signatures on revocation lists");
                if (keyUsages[7]) System.out.println("the public key of this certificate can only be used to encrypt during key agreement");
                if (keyUsages[8]) System.out.println("the public key of this certificate can only be used to decrypt during key agreement");
            }

            // read the OID string of the certificate's signature algorithm
            String algOIDString = x509cert.getSigAlgOID();
            System.out.println("\ncertificate signature algorithm OID string: " + algOIDString);
            x509cert.getSigAlgParams(); // signature algorithm parameters (result not used here)

            // read the certificate signature value
            byte[] certSignature = x509cert.getSignature();
            System.out.println("\ncertificate signature value: " + BASE64.encodeToString(certSignature));
            x509cert.getSubjectAlternativeNames(); // subject alternative names (result not used here)

            // read the DER-encoded binary certificate information (the TBSCertificate)
            byte[] tbsCertificate = x509cert.getTBSCertificate();
            System.out.println("\ncertificate DER-encoded binary certificate information: " + BASE64.encodeToString(tbsCertificate));
        }

        /**
         * Obtain the certificate revocation list.
         * @param certificateName the path name of the file to read; generateCRL() expects it to contain a CRL
         * @return the parsed CRL
         * @throws Exception
         */
        public static CRL getCRLForCertifate(String certificateName) throws Exception {
            // instantiate the factory and specify the type as X.509
            CertificateFactory certifateFactory = CertificateFactory.getInstance("X.509");
            // open the input stream and parse the certificate revocation list
            try (FileInputStream in = new FileInputStream(certificateName)) {
                CRL crl = certifateFactory.generateCRL(in);
                return crl;
            }
        }
    }



Then we write a test class to exercise these methods. It first reads the certificate file and then extracts the information:

    package com.charles.certificatestudy;

    import java.security.cert.X509Certificate;

    /**
     * Description: this class demonstrates the general usage of certificates.
     *
     * @author charles.wang
     * @created Oct 29, 2013 12:03:51 PM
     */
    public class CertificateDemo {

        /**
         * @param args
         */
        public static void main(String[] args) throws Exception {
            String certificateFilePath = "alibaba.cer";
            // obtain the certificate object
            X509Certificate x509cert = CertificateUtil.getX509certFromCertificatePath(certificateFilePath);
            // analyze the certificate
            CertificateUtil.parseX509Certificate(x509cert);
        }
    }



Running the test class prints the information of the specified certificate.


We then compare this output with the certificate file we selected.


We can see that this information is exactly the same as the information we read using the API.
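The comparison above is made by eye, field by field. The following added example, which is not part of the original article, shows checks one would typically run on the same X509Certificate object: the SHA-256 fingerprint to match against the one shown in a certificate viewer, a validity check, and a null-safe decoding of the key usage bits. The class and method names are illustrative, and when no file path is given it assumes the JVM's default trust store holds at least one root certificate.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example (not the article's code); CertificateChecks and its method names are illustrative.
public class CertificateChecks {
    static final String[] KEY_USAGE_NAMES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
        "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};
    /** SHA-256 over the whole DER-encoded certificate, as colon-separated hex. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringJoiner hex = new StringJoiner(":");
        for (byte b : digest) hex.add(String.format("%02X", b));
        return hex.toString();
    }
    /** Asserted KeyUsage bits by name; empty when the extension is absent (getKeyUsage() returns null). */
    static List<String> keyUsageNames(X509Certificate cert) {
        List<String> names = new ArrayList<>();
        boolean[] bits = cert.getKeyUsage();
        for (int i = 0; bits != null && i < KEY_USAGE_NAMES.length && i < bits.length; i++)
            if (bits[i]) names.add(KEY_USAGE_NAMES[i]);
        return names;
    }
    /** Whether the given instant falls inside the notBefore..notAfter window. */
    static String validityAt(X509Certificate cert, Date when) {
        try { cert.checkValidity(when); return "valid"; }
        catch (CertificateExpiredException e) { return "expired"; }
        catch (CertificateNotYetValidException e) { return "not yet valid"; }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        if (args.length > 0) { // path to an exported certificate such as alibaba.cer
            try (InputStream in = new FileInputStream(args[0])) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
        } else { // assumption: the JVM's default trust store holds at least one root certificate
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            cert = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];
        }
        System.out.println("Subject:   " + cert.getSubjectX500Principal().getName());
        System.out.println("SHA-256:   " + sha256Fingerprint(cert));
        System.out.println("Validity:  " + validityAt(cert, new Date()));
        System.out.println("Key usage: " + keyUsageNames(cert));
    }
}
```

A matching fingerprint confirms that the parsed file and the certificate shown in the viewer are byte-for-byte the same; it says nothing about whether the certificate chains to a trusted issuer.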


This article comes from the "parallel line cohesion" blog; please be sure to keep this source: http://supercharles888.blog.51cto.com/609344/1316841
