Front-end (support app) RSA encryption Communication Certificate generation method compilation

In a recent project, security considerations require that the front and back end need to encrypt communications using security credentials, involving ios/android-background interaction. There is no formal CA certificate in the test environment, which is developed using the self-visa book.

Below will generate 4 sets of environment for the self-visa book process mark, if necessary, can refer to:

The execution environment for the following commands is Windows-cmd interface (if you need to install JDK, use the JDK's own Keytool tool)

1, generate JKS, CSR certificate (these two certificates temporarily useless):

Keytool-genkey-alias *.test.com-sigalg sha1withrsa-keyalg rsa-keysize 2048-keystore D:/Citificate/testKey/test.jks- Dname "c=cn,st= Zhuhai, l= Zhuhai, o= test sample company, ou= Research and Development department, cn=*.test.com" && keytool-certreq-alias *.test.com-file d:/ Citificate/testkey/test.csr-keystore D:/citificate/testkey/test.jks && echo Your certificate signing request  File is D:/CITIFICATE/TESTKEY/TEST.CSR.  Your keystore file is D:/citificate/testkey/test.jks. Thanks for using the Asian integrity Trustasia keytool CSR Helper.

2. Generate KeyStore KeyStore:

Keytool-genkey-alias *.test.com-keypass password-keyalg rsa-keysize 2048-validity 730-keystore D:/Citificate/testKe Y/test.keystore-dname "c=cn,st= Zhuhai, l= Zhuhai, o= test sample company, ou= Research and Development department, cn=*.test.com"-storepass password

3. Export CER, CRT public key certificate from KeyStore:

Keytool-export-alias *.test.com-keystore d:/citificate/testkey/test.keystore-storepass password-rfc-file D:/ Citificate/testkey/test.cer

CRT public key certificate can directly take the CER certificate generated in this step to modify the file suffix name to get

4. Export the certificate using the Java Tool Class key

Package Test;import Java.io.fileinputstream;import Java.security.keystore;import java.security.privatekey;import Sun.misc.BASE64Encoder, @SuppressWarnings ("Restriction") public class Sslkey {public static KeyStore Getkeystore (        String Keystorepath, String password) throws Exception {FileInputStream is = new FileInputStream (Keystorepath);        KeyStore KS = keystore.getinstance ("JKS");        Ks.load (IS, Password.tochararray ());        Is.close ();    return KS;            } public static Privatekey Getprivatekey () {try {Base64encoder encoder = new Base64encoder ();            KeyStore KS = Getkeystore ("D:/citificate/testkey/test.keystore", "password");            Privatekey key = (Privatekey) ks.getkey ("*.test.com", "Password". ToCharArray ());            String encoded = Encoder.encode (key.getencoded ());            SYSTEM.OUT.PRINTLN ("-----BEGIN RSA PRIVATE KEY-----");            SYSTEM.OUT.PRINTLN (encoded); SYSTEM.OUT.PRINTLN ("-----END RSA PRIVATEKEY-----");        Return key;        } catch (Exception e) {return null;    }} public static void Main (string[] args) {getprivatekey (); }}

After executing the method, copy the result into the new suffix named:. Key text Document

5. Use OpenSSL to make the. key file that you generated in the previous step. unsecure file output (Nginx use, use. Key.unsecure you can avoid using the. key file to enter a password every time you access the file, and the front and back end of this package to encrypt the files are not used)-If you first install the OpenSSL plugin, otherwise cm D will report the OpenSSL command error

OpenSSL rsa-in d:/citificate/testkey/test.key-out d:/citificate/testkey/test.key.unsecure

6. Use the Java Tools class to export the PFX private key from the KeyStore:

Package Test;import Java.io.fileinputstream;import Java.io.fileoutputstream;import java.io.ioexception;import Java.security.key;import Java.security.keystore;import Java.security.cert.certificate;import     Java.util.enumeration;public class Createpfx {/** * convert KeyStore to PFX * * @param keystorefile generated file name and path * @param pfxpsw Password * @param pfxfile original file path and name */public static void Covertopfx () throws Exception {Stri        ng keystorefile = "D:/citificate/testkey/test.keystore";        String PFXPSW = "password";        String pfxfile = "d:/citificate/testkey/test.pfx";        KeyStore inputkeystore = null;        FileInputStream input = null;        FileOutputStream output = null;        String Keyalias = "";            try {inputkeystore = keystore.getinstance ("JKS");            input = new FileInputStream (keystorefile);            char[] Password = null;        if (PFXPSW = = null) | | Pfxpsw.trim (). Equals ("")) {password = null;    } else {password = Pfxpsw.tochararray ();            } inputkeystore.load (input, password);            KeyStore Outputkeystore = keystore.getinstance ("PKCS12");            Outputkeystore.load (NULL, Pfxpsw.tochararray ());            Enumeration enums = Inputkeystore.aliases ();                while (Enums.hasmoreelements ()) {Keyalias = (String) enums.nextelement ();                System.out.println ("alias=[" + Keyalias + "]");                    if (Inputkeystore.iskeyentry (Keyalias)) {Key key = Inputkeystore.getkey (Keyalias, password);                    certificate[] Certchain = Inputkeystore.getcertificatechain (Keyalias);                Outputkeystore.setkeyentry (Keyalias, Key, Pfxpsw.tochararray (), certchain);            }} output = new FileOutputStream (pfxfile);        Outputkeystore.store (output, password);       } catch (Exception e) {System.out.println (E.getmessage ()); } finally {if (input! = null) {try {input.close ();                } catch (IOException e) {System.out.println (E.getmessage ());                }} if (output! = null) {try {output.close ();                } catch (IOException e) {System.out.println (E.getmessage ()); }            }        }    }}

　

The above certificate can be adapted to Android-background encrypted communication

Scheme:

1) Use CER or CRT public key encryption on Android side, use KeyStore decryption in background

2) Use KeyStore signature in the background, use CER or CRT public key to check the Android side

iOS also requires Der and PEM certificate support

7. Use OpenSSL to convert the CER-type public key to the DER-type public key that iOS can use:

OpenSSL x509-outform der-in d:/citificate/testkey/test.cer-out D:/citificate/testkey/test.der

8. Use OpenSSL to generate the Pem file required for iOS end-of-life verification:

OpenSSL rsa-in d:/citificate/testkey/test.key-pubout-out D:/citificate/testkey/test.pem

Detailed encryption and decryption and verification program see:

Front-end (support app) RSA encryption Communication Certificate generation method compilation