这些代码首先加载CA证书,然后分别用CA给Alice和Bob签发一个证书并保存到resource/目录下面,用jks格式存储。

CA证书也是用java编程方式制作的,制作过程请看我的上一篇博客。


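    /**
     * Entry point: loads the CA key store ("resource/atlas-ca.jks", alias
     * "atlas"), then issues one CA-signed certificate each for Alice and Bob
     * via {@link #gen}, which writes them to "resource/atlas-alice.jks" and
     * "resource/atlas-bob.jks".
     *
     * @param args unused
     * @throws KeyStoreException if the JKS key store cannot be created/read
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws CertificateException if a certificate in the store cannot be parsed
     * @throws IOException if the key store file cannot be read or the password is wrong
     * @throws UnrecoverableEntryException if alias "atlas" is missing or is not
     *         a private-key entry
     */
    public static void main(String[] args) throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException,
            FileNotFoundException, IOException, UnrecoverableEntryException {
        // Demo credentials: store and key password are literals here; a
        // deployment would obtain them from configuration rather than source.
        char[] caStorePassword = "atlas".toCharArray();
        char[] caKeyPassword = "atlas".toCharArray();

        // Read the CA's JKS file; try-with-resources closes the stream, which
        // the original version left open.
        KeyStore store = KeyStore.getInstance("JKS");
        File file = new File("resource/atlas-ca.jks");
        try (InputStream in = new FileInputStream(file)) {
            store.load(in, caStorePassword);
        }

        // getEntry returns null for an unknown alias and a different Entry
        // subtype for trusted-cert entries; fail early with a clear message
        // instead of an NPE/ClassCastException further down.
        KeyStore.Entry entry = store.getEntry("atlas",
                new PasswordProtection(caKeyPassword));
        if (!(entry instanceof PrivateKeyEntry)) {
            throw new UnrecoverableEntryException(
                    "alias \"atlas\" is not a private-key entry in " + file);
        }
        PrivateKeyEntry ke = (PrivateKeyEntry) entry;

        // Issue Alice's certificate and save it as resource/atlas-alice.jks
        String subject = "C=CN,ST=GuangDong,L=Shenzhen,O=Skybility,OU=Cloudbility,CN=Alice,E=alice@163.com";
        gen(ke, subject, "alice");

        // Issue Bob's certificate and save it as resource/atlas-bob.jks
        subject = "C=CN,ST=GuangDong,L=Shenzhen,O=Skybility,OU=Cloudbility,CN=Bob,E=Bob@gmail.com";
        gen(ke, subject, "bob");
    }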

  18.   

  19.     //用KeyEntry形式存储一个私钥以及对应的证书,并把CA证书加入到它的信任证书列表里面。  

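    /**
     * Saves a private key together with its certificate chain as a key entry
     * in a new JKS key store at "resource/atlas-&lt;name&gt;.jks".
     *
     * The chain stored is {@code [cert, caCert]}, i.e. the end-entity
     * certificate followed by the CA that signed it. The key entry is
     * protected with {@code name} and the store file with {@code "_" + name}
     * (two different passwords, kept as in the original; anyone opening the
     * file needs both). Like the rest of this listing, the store type is the
     * legacy "JKS" format because {@code main} reads it back with "JKS".
     *
     * @param key    private key to store
     * @param cert   certificate for {@code key}
     * @param caCert certificate of the issuing CA
     * @param name   entry alias and file-name suffix
     * @throws KeyStoreException if the JKS store cannot be created or the entry rejected
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws CertificateException if a certificate in the chain cannot be encoded
     * @throws IOException if the file cannot be written
     */
    public static void store(PrivateKey key, Certificate cert,
            Certificate caCert, String name) throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null); // initialise an empty store (no backing stream)
        store.setKeyEntry(name, key, name.toCharArray(),
                new Certificate[] { cert, caCert });

        // FileOutputStream creates or truncates the file itself, so the
        // exists()/createNewFile() check is not needed; try-with-resources
        // closes the stream on every path (the original leaked it).
        File file = new File("resource/atlas-" + name + ".jks");
        try (FileOutputStream out = new FileOutputStream(file)) {
            store.store(out, ("_" + name).toCharArray());
        }
    }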

  32.   

  33.     //用ke所代表的CA给subject签发证书,并存储到名称为name的jks文件里面。  

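    /**
     * Issues a certificate for {@code subject}, signed by the CA held in
     * {@code ke}, over a freshly generated 2048-bit RSA key pair, and saves
     * key and chain through {@link #store} under {@code name}.
     *
     * Validity runs from one day in the past to 32 years ahead, as in the
     * original listing.
     *
     * @param ke      the CA's private key and certificate
     * @param subject DN string for the new certificate's subject
     * @param name    alias / file-name suffix passed to {@link #store}
     * @throws IllegalStateException if any step fails; the underlying
     *         exception is attached as the cause (the original only printed
     *         the stack trace and returned normally)
     */
    public static void gen(PrivateKeyEntry ke, String subject, String name) {
        try {
            X509Certificate caCert = (X509Certificate) ke.getCertificate();
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair keyPair = kpg.generateKeyPair();

            // The issuer of the new certificate is the CA's *subject* name.
            // The original used caCert.getIssuerDN(), which coincides with
            // the subject only when the CA certificate is self-signed.
            String issuer = caCert.getSubjectX500Principal().getName();

            // Serial numbers must be positive and unique per issuer; the
            // original gave every certificate BigInteger.ZERO. 127 random
            // bits from a CSPRNG keep the value positive and unpredictable.
            BigInteger serial = new BigInteger(127, new java.security.SecureRandom());

            long now = System.currentTimeMillis();
            Date notBefore = new Date(now - 1000L * 60 * 60 * 24);
            Date notAfter = new Date(now + 1000L * 60 * 60 * 24 * 365 * 32);

            Certificate cert = generateV3(issuer, subject, serial, notBefore,
                    notAfter,
                    keyPair.getPublic(),  // key being certified
                    ke.getPrivateKey(),   // CA's signing key
                    null);
            store(keyPair.getPrivate(), cert, caCert, name);
        } catch (Exception e) {
            throw new IllegalStateException(
                    "failed to issue certificate for " + name, e);
        }
    }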

  56.       

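    /**
     * Builds an X.509 v3 certificate with Bouncy Castle and signs it with
     * {@code privKey}.
     *
     * Because {@code privKey} is the CA's key and {@code publicKey} is the
     * key being certified, the result is a CA-signed certificate. The
     * signature algorithm is SHA256withRSA; the original used SHA1withRSA,
     * which current JDKs and TLS stacks reject for certificate validation.
     *
     * @param issuer     issuer DN string (the CA's subject name)
     * @param subject    subject DN string
     * @param serial     serial number; must be positive and unique per issuer
     * @param notBefore  start of the validity period
     * @param notAfter   end of the validity period
     * @param publicKey  public key to be certified
     * @param privKey    CA private key used to sign
     * @param extensions extensions to add, or {@code null} for none
     * @return the certificate, re-parsed through the JCA "X.509" factory
     * @throws OperatorCreationException if the signer cannot be created
     *         (e.g. the "BC" provider is not registered)
     * @throws CertificateException if the encoded certificate cannot be parsed
     * @throws IOException if an extension value cannot be decoded or the
     *         holder cannot be encoded
     */
    public static Certificate generateV3(String issuer, String subject,
            BigInteger serial, Date notBefore, Date notAfter,
            PublicKey publicKey, PrivateKey privKey, List<Extension> extensions)
            throws OperatorCreationException, CertificateException, IOException {
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), serial, notBefore, notAfter,
                new X500Name(subject), publicKey);
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BC").build(privKey);
        if (extensions != null) {
            for (Extension ext : extensions) {
                builder.addExtension(new ASN1ObjectIdentifier(ext.getOid()),
                        ext.isCritical(),
                        ASN1Primitive.fromByteArray(ext.getValue()));
            }
        }
        X509CertificateHolder holder = builder.build(sigGen);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Round-trip through the JCA factory so callers get a plain
        // java.security.cert.X509Certificate; the stream is closed on all
        // paths (the original skipped close() on exception).
        try (InputStream is1 = new ByteArrayInputStream(
                holder.toASN1Structure().getEncoded())) {
            return cf.generateCertificate(is1);
        }
    }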