Java/Security/Certificate
Contents
- 1 Adding a Certificate to a Key Store
- 2 Creating a Certification Path
- 3 Getting the Subject and Issuer Distinguished Names of an X509 Certificate
- 4 Importing a Certificate from a File
- 5 Listing the Most-Trusted Certificate Authorities (CA) in a Key Store
- 6 Retrieving a Certificate from a Key Store
- 7 Retrieving the Certification Path of an SSL Server
- 8 Signature Test
- 9 Specify the keystore of certificates using the javax.net.ssl.keyStore system property:
- 10 Validating a Certification Path using the most-trusted CAs in the JDK's cacerts file.
Adding a Certificate to a Key Store
<source lang="java">
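import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;

/**
 * Adds a certificate to a key store as a trusted-certificate entry and saves the store.
 *
 * <p>The store is loaded once with its integrity password, the certificate held under
 * {@code alias} is fetched, re-registered with {@link KeyStore#setCertificateEntry} and the
 * store is written back. (Loading the same file a second time with a different password, as
 * the classic listing did, can only fail: a key store has one integrity password.)
 *
 * <p>Security note: a trusted-certificate entry becomes a trust anchor for anything that
 * uses this file as its trust store. Only add certificates whose origin and fingerprint you
 * have verified out-of-band -- never one taken from the connection you are about to trust.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        File keystoreFile = new File("your.keystore");
        // A password lives in a char[] so it can be wiped; the literal is a placeholder --
        // real code reads it from a prompt or a protected configuration source.
        char[] password = "my-keystore-password".toCharArray();
        String alias = "myalias";
        try {
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            // Load the keystore contents; try-with-resources closes the stream.
            try (FileInputStream in = new FileInputStream(keystoreFile)) {
                keystore.load(in, password);
            }
            // getCertificate() returns null for an unknown alias; fail with a clear message
            // instead of letting setCertificateEntry() trip over the null.
            Certificate cert = keystore.getCertificate(alias);
            if (cert == null) {
                throw new IllegalStateException("no certificate found under alias '" + alias + "'");
            }
            // Add the certificate as a trusted-certificate entry. This throws KeyStoreException
            // if the alias already holds a private-key entry, which cannot be overwritten this way.
            keystore.setCertificateEntry(alias, cert);
            // Write to a temporary file first: opening the real file with FileOutputStream
            // truncates it immediately, so a failure inside store() would destroy the key store.
            File tmp = new File(keystoreFile.getPath() + ".tmp");
            try (FileOutputStream out = new FileOutputStream(tmp)) {
                keystore.store(out, password);
            }
            Files.move(tmp.toPath(), keystoreFile.toPath(),
                    StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            // Wipe the password from memory whether or not the save succeeded.
            Arrays.fill(password, '\0');
        }
    }
}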
</source>
Creating a Certification Path
<source lang="java">
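import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;

/**
 * Builds a {@link CertPath} from a certificate stored in a key store.
 *
 * <p>An X.509 CertPath is ordered from the target (end-entity) certificate towards the
 * issuer and does not contain the trust anchor itself. The one-element path built here is
 * therefore only complete if that certificate was issued directly by a trust anchor; any
 * intermediates would have to be appended after it.
 *
 * <p>Creating a path performs no checks whatsoever -- validate it with
 * {@code CertPathValidator} before relying on it.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        String alias = "myalias";
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources closes the stream even when load() throws.
        try (FileInputStream in = new FileInputStream("your.keystore")) {
            keystore.load(in, "my-keystore-password".toCharArray());
        }
        Certificate cert = keystore.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate found under alias '" + alias + "'");
        }
        CertificateFactory certFact = CertificateFactory.getInstance("X.509");
        // generateCertPath() takes any List<? extends Certificate>; no array wrapper needed.
        CertPath path = certFact.generateCertPath(Arrays.asList(cert));
        System.out.println(path.getType() + " path with "
                + path.getCertificates().size() + " certificate(s)");
    }
}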
</source>
Getting the Subject and Issuer Distinguished Names of an X509 Certificate
<source lang="java">
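import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/**
 * Prints the subject and issuer distinguished names of every X.509 certificate in a key store.
 *
 * <p>Uses {@link X509Certificate#getSubjectX500Principal()} and
 * {@code getIssuerX500Principal()} instead of {@code getSubjectDN()} / {@code getIssuerDN()}:
 * the latter return a provider-specific {@code Principal} whose string form is not
 * standardized (and are deprecated since JDK 16), whereas {@link X500Principal#getName()}
 * yields the RFC 2253 form -- the one to use when names are compared.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources closes the stream even when load() throws.
        try (FileInputStream in = new FileInputStream("your.keystore")) {
            keystore.load(in, "my-keystore-password".toCharArray());
        }
        // KeyStore.aliases() is a typed Enumeration<String>: no raw types, no casts.
        Enumeration<String> aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Covers trusted-certificate entries and the leaf of a key entry's chain;
            // null for entries without a certificate (e.g. secret keys).
            Certificate cert = keystore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509cert = (X509Certificate) cert;
            X500Principal subject = x509cert.getSubjectX500Principal();
            X500Principal issuer = x509cert.getIssuerX500Principal();
            System.out.println(alias + ": subject=" + subject.getName()
                    + " issuer=" + issuer.getName());
        }
    }
}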
</source>
Importing a Certificate from a File
<source lang="java">
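import java.io.File;
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Parses an X.509 certificate (DER, or PEM "-----BEGIN CERTIFICATE-----" form) from a file.
 *
 * <p>Parsing is not validation: {@code generateCertificate} only checks that the bytes
 * decode. It checks neither the validity period, nor the signature, nor a chain to a trust
 * anchor. Before importing the certificate into a trust store, compare the SHA-256
 * fingerprint printed here with one obtained out-of-band from the certificate's owner.
 *
 * <p>Usage: {@code java Main [certificate-file]} (defaults to the file "your").
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        String path = argv.length > 0 ? argv[0] : "your";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert;
        // try-with-resources closes the stream even when parsing fails.
        try (FileInputStream is = new FileInputStream(new File(path))) {
            cert = cf.generateCertificate(is);
        }
        if (cert instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) cert;
            // Throws CertificateExpiredException / CertificateNotYetValidException;
            // an unusable certificate should not be imported.
            x509.checkValidity();
            System.out.println("subject: " + x509.getSubjectX500Principal().getName());
        }
        // The fingerprint is the digest of the DER encoding -- the value the owner can
        // publish for out-of-band comparison.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        System.out.println("SHA-256 fingerprint: " + hex(digest));
    }

    /** Formats bytes as colon-separated upper-case hex, the usual fingerprint layout. */
    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int i = 0; i < bytes.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", bytes[i]));
        }
        return sb.toString();
    }
}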
</source>
Listing the Most-Trusted Certificate Authorities (CA) in a Key Store
<source lang="java">
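import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;

/**
 * Lists the trust anchors (most-trusted CAs) in the JDK's cacerts key store.
 *
 * <p>{@code new PKIXParameters(KeyStore)} turns every trusted-certificate entry of the
 * store into a {@link TrustAnchor}; private-key entries are ignored.
 *
 * <p>Path note: the classic {@code "/lib/security/cacerts".replace("/", File.separatorChar)}
 * mixes a String and a char argument and does not compile; {@link Paths#get} builds the
 * path with the platform separator directly.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        // "changeit" is the password the JDK ships cacerts with. load() uses it to verify the
        // store's integrity and throws IOException on a mismatch; passing null instead skips
        // the integrity check entirely, which is acceptable only for a file you already trust.
        try (InputStream in = Files.newInputStream(cacerts)) {
            keystore.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(keystore);
        for (TrustAnchor ta : params.getTrustAnchors()) {
            X509Certificate cert = ta.getTrustedCert();
            System.out.println(cert.getSubjectX500Principal().getName()
                    + "  [" + cert.getSigAlgName() + "]");
        }
    }
}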
</source>
Retrieving a Certificate from a Key Store
<source lang="java">
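import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

/**
 * Retrieves the certificate stored under an alias in a key store.
 *
 * <p>{@link KeyStore#getCertificate} returns the certificate of a trusted-certificate
 * entry, the first (end-entity) certificate of a private-key entry's chain, and
 * {@code null} when the alias does not exist or has no certificate -- so the result must
 * be null-checked before use.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        String alias = "myalias";
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources closes the stream even when load() throws.
        try (FileInputStream in = new FileInputStream("your.keystore")) {
            keystore.load(in, "my-keystore-password".toCharArray());
        }
        // Get certificate
        Certificate cert = keystore.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate found under alias '" + alias + "'");
        }
        System.out.println(cert.getType() + " certificate found under alias '" + alias + "'");
    }
}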
</source>
Retrieving the Certification Path of an SSL Server
<source lang="java">
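import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Connects to a TLS server and retrieves the certificate chain it presented.
 *
 * <p>The default socket factory validates the chain against the default trust store during
 * {@code startHandshake()}, but a bare {@link SSLSocket} does NOT check that the certificate
 * matches the host name unless endpoint identification is enabled -- without it, a valid
 * certificate for any other site would be accepted. {@code getPeerCertificates()} throws
 * {@code SSLPeerUnverifiedException} if the peer was not authenticated.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        int port = 443;
        String hostname = "hostname";
        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        // createSocket(host, port) connects immediately; try-with-resources closes it.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(hostname, port)) {
            // Turn on host-name verification (HTTPS rules) for this handshake.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            // Retrieve the server's certificate chain as presented: leaf first, then issuers.
            Certificate[] serverCerts = socket.getSession().getPeerCertificates();
            for (Certificate cert : serverCerts) {
                if (cert instanceof X509Certificate) {
                    System.out.println(((X509Certificate) cert).getSubjectX500Principal().getName());
                }
            }
        }
    }
}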
</source>
Signature Test
<source lang="java">
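import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

/**
 * Signs a message and verifies the signature with the matching and with an unrelated public key.
 *
 * <p>Differences from the classic listing: 2048-bit DSA with SHA256withDSA replaces 512-bit
 * DSA with SHA-1 (a 512-bit DSA key offers no practical security and SHA-1 signatures are
 * rejected by current policy), the message is encoded as UTF-8 rather than in the platform
 * charset, and failures propagate instead of being printed and swallowed. For new designs
 * prefer ECDSA, EdDSA or RSA-PSS over DSA.
 *
 * <p>Expected output: "signed with private key 1" and "not signed with private key 2".
 */
public class SignatureTest {
    /** Key size in bits; the historical example value of 512 is far below current guidance. */
    private static final int KEY_BITS = 2048;
    private static final String KEY_ALGORITHM = "DSA";
    private static final String SIGNATURE_ALGORITHM = "SHA256withDSA";

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator keygen = KeyPairGenerator.getInstance(KEY_ALGORITHM);
        keygen.initialize(KEY_BITS, new SecureRandom());
        KeyPair keys1 = keygen.generateKeyPair();
        KeyPair keys2 = keygen.generateKeyPair();

        byte[] message = "Pay authors a bonus of $20,000.".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(keys1.getPrivate(), message);

        report(verify(keys1.getPublic(), message, signature), 1);
        // The same signature checked against an unrelated key must fail.
        report(verify(keys2.getPublic(), message, signature), 2);
    }

    /** Signs {@code message} with {@code key} using SHA256withDSA. */
    private static byte[] sign(PrivateKey key, byte[] message) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(SIGNATURE_ALGORITHM);
        signer.initSign(key);
        signer.update(message);
        return signer.sign();
    }

    /**
     * Verifies {@code signature} over {@code message} with {@code key}.
     *
     * @return true if the signature is valid; false for a wrong key or altered message
     *     (a malformed signature may instead raise {@code SignatureException})
     */
    private static boolean verify(PublicKey key, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(SIGNATURE_ALGORITHM);
        verifier.initVerify(key);
        verifier.update(message);
        return verifier.verify(signature);
    }

    /** Prints the same line as the original listing: "[not ]signed with private key N". */
    private static void report(boolean verified, int keyNumber) {
        System.out.println((verified ? "" : "not ") + "signed with private key " + keyNumber);
    }
}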
</source>
Specify the keystore of certificates using the javax.net.ssl.keyStore system property:
<source lang="bash">
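# Starts MyServer with its key store selected through the JSSE system properties.
#
# Security note: a password typed into the command line ends up in the shell history, and
# anything passed as a -D option stays visible to other users on the host through `ps` /
# /proc for as long as the JVM runs. Reading it from an environment variable (as below)
# keeps it out of the history only. To keep it out of the process list as well, set the
# property from inside the program (System.setProperty after reading a protected file or
# prompting), or put the -D options into a JDK 9+ @argfile with mode 0600.
java -Djavax.net.ssl.keyStore=mySrvKeystore -Djavax.net.ssl.keyStorePassword="${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD}" MyServer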
</source>
Validating a Certification Path using the most-trusted CAs in the JDK's cacerts file.
<source lang="java">
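import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Validates a certification path against the trust anchors in the JDK's cacerts file.
 *
 * <p>Usage: {@code java Main <chain-file>} where the file holds the end-entity certificate
 * first, followed by its intermediates (PEM bundle or DER). The trust anchor itself is not
 * part of the path; it is supplied by cacerts. (The classic listing validated a {@code null}
 * path, which can only throw, and built the cacerts path with a {@code replace(String, char)}
 * call that does not compile.)
 *
 * <p>Revocation checking is disabled below to keep the example offline. A validator that
 * protects anything real must leave it enabled -- and give it OCSP/CRL access, e.g. via the
 * {@code ocsp.enable} security property or {@code com.sun.security.enableCRLDP}, or add a
 * configured {@code PKIXRevocationChecker} with {@code params.addCertPathChecker} --
 * otherwise a revoked but unexpired certificate validates successfully.
 */
public class Main {
    public static void main(String[] argv) throws Exception {
        if (argv.length != 1) {
            System.err.println("usage: java Main <certificate-chain-file>");
            System.exit(2);
        }
        // Build the path from the file. generateCertificates() reads a DER or PEM bundle in
        // file order, so the file must list the leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath;
        try (InputStream in = Files.newInputStream(Paths.get(argv[0]))) {
            List<Certificate> chain = new ArrayList<Certificate>(cf.generateCertificates(in));
            if (chain.isEmpty()) {
                throw new IllegalArgumentException("no certificates found in " + argv[0]);
            }
            certPath = cf.generateCertPath(chain);
        }

        // Trust anchors: every trusted-certificate entry in the JDK's cacerts store.
        // "changeit" is the documented default password; load() checks the store's
        // integrity with it (null would skip that check).
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            keystore.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(keystore);
        // Demo only -- see the class comment before copying this line.
        params.setRevocationEnabled(false);

        CertPathValidator certPathValidator =
                CertPathValidator.getInstance(CertPathValidator.getDefaultType());
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, params);
            TrustAnchor ta = result.getTrustAnchor();
            X509Certificate cert = ta.getTrustedCert();
            System.out.println("valid; anchored at " + cert.getSubjectX500Principal().getName());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the offending certificate in the path (-1 if none),
            // getReason() the PKIX reason code -- both are what a caller needs to diagnose it.
            System.err.println("invalid: " + e.getMessage()
                    + " (reason " + e.getReason() + ", certificate index " + e.getIndex() + ")");
            System.exit(1);
        }
    }
}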
</source>