Java Encryption decryption

Source: Internet
Author: User
Tags base64 dname openssl x509 pkcs12 rfc sha1 asymmetric encryption cipher suite

One:
1.Keymanagerfactory Class (Key Management factory, used to manage keys):
Building a KeyStore management factory as in the following example:
System.setproperty ("Javax.net.ssl.keyStore", "D:\\server.keystore");
System.setproperty ("Javax.net.ssl.keyStorePassword", "123456");
2.Trustmanagerfactory Class (Manager factory for managing trust materials)
Building a Truststore management factory as in the following example:
System.setproperty ("Javax.net.ssl.trustStore", "D:\\server.keystore");
System.setproperty ("Javax.net.ssl.trustStorePassword", "123456");
3.The Sslcontext class (used to represent a secure socket context, for the implementation of a Secure sockets protocol, to act as a secure sockets factory or a factory for Sslengine): Initializes this class with a set of keys and trust managers and security random bytes
4.Httpsurlconnection Class (Build HTTPS connection)
5.SSLsession interface (for maintaining SSL protocol network Interactive session state, you can obtain encryption suite Ciphersuite, digital certificate).
6.Sslsocketfactory class (for creating sslsocket and obtaining the appropriate cipher suite)
7.Sslsocket Class (SSL protocol-based socket for setting cryptographic suites, handling handshake end events, and managing SSLsession)
8.Sslserversocketfactory class (like the Sslsocketfactory class, just build the socket is the Sslserversocket class)
9.Sslserversocket Class (Sslsocket, which is dedicated to the server side, is a subclass of ServerSocket)

Two: Digital certificate concept Description:
1. digital certificates are the carrier of cryptographic algorithms and public keys.
1.1 Certificate Issuance Process: Digital signature for the public key of the application digital certificate
1.2 Certificate validation Process: A verification signature for the public key of the digital certificate, including certificate validity period validation.
2. The digital certificate uses the public Key Infrastructure (PKI), contains: Asymmetric encryption algorithm, the digital signature algorithm, the Message digest algorithm:
2.1 Asymmetric Encryption algorithm: used to encrypt/decrypt data to ensure data confidentiality
2.2 Digital Signature algorithm: for signing/validating data to ensure data integrity and anti-repudiation
2.3 Message digest algorithm: Used to digest the digital certificate itself, to ensure the integrity of digital certificate (some are called: fingerprint algorithm)
3. digital certificate file Encoding format: CER (variable length), DER (fixed length)
4. There are currently mainly JKS and PEM two encoding format files:
4.1 Jks:java Native KeyStore/truststore file
4.2 PEM (Privacy enhanced mail): Internet e-mail that uses multiple encryption methods to provide confidentiality, authentication, and information integrity, the most common KeyStore file in OpenSSL.
5. typically use the BASE64 encoding format as the digital certificate file storage format
6.Keytool Digital certificate management: for digital certificate applications, import, export and revocation operations. Associated with the local keystore, the private key is stored in the KeyStore, and the public key is exported as a digital certificate. Keytool in the%jdk_home%\bin directory

III: Use Keytool for certificate management:
1.Build a self-signed certificate (you issue a digital certificate for yourself without CA certification)
1.1 Generate a key pair, placed in the generated digital certificate (based on a public private key of an asymmetric encryption algorithm): "Www.zlex.org" is an alias, RSA is an encryption algorithm, the key length is 2048 bits, SHA1WITHRSA is a digital signature algorithm, issued valid for 36,000 days
Example: Keytool-genkeypair-keyalg rsa-keysize 2048-sigalg sha1withrsa-validity 36000-alias www.zlex.org-keystore Zlex.key Store
-dname "cn=www.zlex.org, Ou=zlex, O=zlex, L=BJ, ST=BJ, C=CN"
Command Description:
-genkeypair generating a key pair
-KEYALG Specifies the key algorithm, here is the RSA algorithm
-KEYSIZE Specifies the key length, which is 1024 bits by default and is specified here as 2048 bits
-SIGALG specifies the digital Signature algorithm, here is the Sha1withrsa
-validity Specify the certificate validity period, here is 36,000 days
-ALIAS Specifies the alias, here is www.zlex.org
-keystore Specifies the KeyStore storage location, here is Zlex.keystore (the newly formed key pair is inside)
-dname Specify user information (avoid hand loss when creating digital certificates)
-storepass Specify password (avoid hand loss when creating digital certificates)
1.2 Exporting a digital certificate
Example: Keytool-exportcert-alias www.zlex.org-keystore zlex.keystore-file zlex.cer-rfc-storepass 123456
-exportcert Certificate Export operation
-ALIAS Specifies the alias, here is www.zlex.org
-keystore Specifies the KeyStore file, here is Zlex.keystore
-file Specify the export file path, here is Zlex.cer (this is a digital certificate)
-rfc specifying output in BASE64 encoded format
-storepass Specify the password when exporting, here is 123456
1.3 Print out the contents of the digital certificate (print out the contents of the Zlex.cer)
Example: Keytool-printcert-file zlex.cer
2.Build a CA-issued certificate
1. To obtain a CA agency certified certificate, a digital certificate issuance request (CSR) will be generated, certified and issued by the CA authority, and the certificate is imported into the local KeyStore and Truststore
Example: Keytool-certreq-alias www.zlex.org-keystore zlex.keystore-file zlex.csr-v-storepass 123456
-certreq Generating a digital certificate issuance request operation
-ALIAS Specifies the alias, here is www.zlex.org
-keystore Specifies the KeyStore file, here is Zlex.keystore
-file Specify the export file path, here is ZLEX.CSR
-V Detailed information
-storepass Specify the password when exporting, here is 123456
2.Import a digital certificate
Example: Keytool-importcert-trustcacerts-alias www.zlex.org-file zlex.cer-keystore zlex.keystore-storepass 123456
-importcert Importing Digital certificates
-trustcacerts Importing a digital certificate into the Trust library
-ALIAS Specifies the alias, here is www.zlex.org
-FILE specifies the path to import the digital certificate file, here is Zlex.cer
-keystore Specifies the KeyStore file, here is Zlex.keystore
-STOREPASS Specifies the password that is set when importing, here is 123456
3.List entries in the KeyStore
Example: Keytool-list-alias www.zlex.org-keystore zlex.keystore-storepass 123456
-list listing entries in the KeyStore
-ALIAS Specifies the alias, here is www.zlex.org
-keystore Specifies the KeyStore file, here is Zlex.keystore
-storepass the password to be entered when the output is specified, here is 123456

Four: OpenSSL certificate management
1.Features far more than Keytool, can be used for root certificates, server certificates, client certificate management.
2.Environment variables must be configured before you download OpenSSL
2.1 Variable Name: Openssl_home C:\OpenSSL (Installation directory)
2.2 Adding variables to the system variable path:%openssl_home%\bin;
3.Building the root certificate
3.1 Build a random number file (. rand) before building the root certificate
Example: OpenSSL rand-out Private/.rand 1000
Rand Random number command
-out output file path, where the random number file is output to the private directory
1000 generation of Pseudo-random bytes
4.Build the root certificate private key (typically the private key is saved in PEM encoded format) (where the private key is used in 5)
Example: OpenSSL genrsa-aes256-out private/ca.key.pem 2048 (after executing this command, you have to set the root certificate password: 123456)
Genrsa Generate RSA Key command
The-aes256 uses the AES algorithm (256-bit key) to encrypt the resulting private key. Optional algorithms include DES, desede, Idea, and AES
Out output path, here refers to PRIVATE/CA.KEY.PEM (generated root certificate private key)
2048 refers to the RSA key length bits, the default length is 512 bits
5.After the key is built, you also have to generate the root certificate signing request file (CA.CSR) (after you execute the following command, enter the root certificate password: 123456)
Example: OpenSSL req-new-key private/ca.key.pem-out private/ca.csr-subj "/c=cn/st=bj/l=bj/o=zlex/ou=zlex/cn=*.zlex.org"
Req Generate certificate Issuance request order
-new represents a new request
-key key, here is the Private/ca.key.pem file (root certificate private key)
-out output path, here is the PRIVATE/CA.CSR file (root certificate request file)
-SUBJ Specify user information, use the generic domain name "*.zlex.org" as the user name
6.After obtaining the root certificate issuance request file, the root certificate is issued (typically, CA.CSR is issued to the CA institution, which is issued on its own.) You will also need to enter the root certificate key after executing the following command: 123456)
Example: OpenSSL x509-req-days 10000-shal-extensions v3_ca-signkey private/ca.key.pem-in private/ca.csr-out certs/ca.cer
X509 issuing the certificate of the Order
-req Certificate Input Request
-days Certificate Valid days, here is 10,000 days
-shal Certificate Digest algorithm, here is the SHA1 algorithm
-extensions adding extensions by the OpenSSL profile V3_ca item
-signkey self-signed key, here is Private/ca.key.pem (Root certificate private key)
-in input file, here is PRIVATE/CA.CSR (Root certificate request file)
-out output file, here is Certs/ca.cer (generated root certificate)
7.Root certificate conversion: After the issuance of a digital certificate (root certificate), in the Java environment is not directly used, need to convert to PKCS#12 encoding format. (You will also need to enter the root certificate key after executing the following command: 123456)
Example: OpenSSL pkcs12-export-cacerts-inkey private/ca.key.pem-in certs/ca.cer-out certs/ca.p12
PKCS12 PKCS#12 encoded Format Certificate command
-export Exporting certificates
-cacerts Export CA certificates only
-inkey Enter the key, here is Private/ca.key.pem (Root certificate key)
-in input file, here is Certs/ca.cer (original root certificate)
-out output file, here is CERTS/CA.P12 (transcoded root certificate)
8.Use Keytool to view the personal Information Exchange file (PKCS#12), which can be used as a keystore or Truststore. (Below as KeyStore file, view keystore information)
Example: Keytool-list-keystore certs/ca.p12-storetype pkcs12-v-storepass 123456
Note: After the build root certificate (ca.cer) succeeds, the server certificate and the client certificate can be issued according to the root certificate

9.Build the key for the server certificate (after you execute the following command, enter the server certificate password: 123456)
Example: OpenSSL genrsa-aes256-out Private/server.key.pem 2048
Genrsa Generate RSA Key command
The-aes256 uses the AES algorithm (256-bit key) to encrypt the resulting private key. Optional algorithms include DES, desede, Idea, and AES
Out output path, here refers to PRIVATE/SERVER.KEY.PEM (generated server certificate private key)
2048 refers to the RSA key length bits, the default length is 512 bits
.After the server certificate key is successfully built, you need to generate the server certificate signing request file (after executing the following command, enter the server certificate password: 123456)
Example: OpenSSL req-new-key private/server.key.pem-out private/server.csr-subj "/c=cn/st=bj/l=bj/o=zlex/cn=www.zlex.org "
Req Generate certificate Issuance request File command
-new New Request
-key key, here is PRIVATE/SERVER.KEY.PEM (the server certificate key generated for 9)
-out output path, here is PRIVATE/SERVER.CSR (generated certificate issued request file)
-SUBJ Specify user information, where the domain name "www.zlex.org" is used as the user name
One by one .The server certificate is issued according to the root certificate, and the server certificate is generated (after you execute the following command, set the server certificate password: 123456)
Example: OpenSSL x509-req-days 3650-shal-extensions v3_req-ca certs/ca.cer-cakey private/ca.key.pem-caserial CA.SRL-CACR Eateserial-in Private/server.csr-out Certs/server.cer
X509 issuing the certificate of the Order
-req Certificate Input Request
-days effective days, here is 3,650 days
-SHA1 Certificate Digest algorithm, here is the SHA1 algorithm
-extensions adding extensions by the OpenSSL profile V3_req item
-ca CA certificate, here is Certs/ca.cer (Root certificate)
-cakey CA Certificate Key, here is Private/ca.key.pem
-caserial CA Certificate Serial Number file, here is CA.SRL
-cacreateserial Creating a CA certificate serial number
-in input file, here is PRIVATE/SERVER.CSR (Server certificate issue request file)
-out output file, here is Certs/server.cer (server certificate)
.The generated server certificate cannot be used directly, you need to convert the certificate to pkcs#12 format (after executing the following command, enter the server certificate password: 123456)
Example: OpenSSL pkcs12-export-clcerts-inkey private/server.key.pem-in certs/server.cer-out certs/server.p12
PKCS12 PKCS#12 encoded Format Certificate command
-export Exporting certificates
-clcerts Export only Client certificates
-inkey Enter the key file path, here is PRIVATE/SERVER.KEY.PEM (the server certificate key generated for 9)
-in input file path, here is Certs/server.cer (Original certificate file)
-out output file path, here is CERTS/SERVER.P12 (transcoded certificate file)
Note :This indicates that the build server certificate is successful and can be used to build a one-way authentication-based network interaction platform.

.Build a client certificate, build the customer's private key first (similar to building a service certificate, after you execute the following command, set the client certificate password: 123456)
Example: OpenSSL genrsa-aes256-out Private/client.key.pem 2048
Genrsa Generate RSA Key command
The-aes256 uses the AES algorithm (256-bit key) to encrypt the resulting private key. Optional algorithms include DES, desede, Idea, and AES
Out output path, here refers to PRIVATE/CLIENT.KEY.PEM (generated client certificate private key)
2048 refers to the RSA key length bits, the default length is 512 bits
.After the client certificate key request is successful, a client certificate issuance request file must be generated (after executing the following command, enter the client certificate password: 123456)
Example: OpenSSL req-new-key private/client.key.pem-out private/client.csr-subj "/c=cn/st=bj/l=bj/o=zlex/cn=zlex"
Req Generate certificate Issuance request File command
-new New Request
-key key, here is PRIVATE/CLIENT.KEY.PEM (the server certificate key generated for 9)
-out output path, here is PRIVATE/CLIENT.CSR (generated certificate issued request file)
-SUBJ Specify user information, where the domain name "Zlex" is used as the user name
A .Generate a client certificate based on the root certificate and the client certificate (after executing the following command, enter the client certificate password: 123456, and agree to issue the certificate)
Example: OpenSSL ca-days 3650-in private/client.csr-out certs/client.cer-cert certs/ca.cer-keyfile Private/ca.key.pem
CA Issue Certificate Command
-days certificate validity period, here is 3,650 days
-in input file, here is PRIVATE/CLIENT.CSR (client certificate issue request file)
-out output file, here is certs/server.cer (client certificate file)
-cert Root certificate file, here is Certs/ca.cer
-keyfile Root certificate key file, here is Private/ca.key.pem
.The generated client certificate cannot be used directly, PKCS#12 encoding conversion is required (after executing the following command, enter the client certificate password: 123456)
Example: OpenSSL pkcs12-export-clcerts-inkey private/client.key.pem-in certs/client.cer-out certs/client.p12
PKCS12 PKCS#12 encoded Format Certificate command
-export Exporting certificates
-clcerts Export only Client certificates
-inkey Enter the key, this is PRIVATE/CLIENT.KEY.PEM
-in input file, here is Certs/client.cer (original client certificate file)
-out output file, here is CERTS/CLIENT.P12 (transcoding post certificate file)
Note:When you arrive here, the server and client certificates have been generated, and two-way authentication is possible at this time.

Java Encryption decryption

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.