在没有BouncyCastle的情况下在Java中创建X509证书？

Question

是否有可能在不使用Bouncy Castle X509V * CertificateGenerator类的情况下正确创建Java代码中的X509证书？

Answer 1

签名证书的能力不是标准Java库或扩展的一部分。

很多需要自己做的代码都是核心的一部分。有些类可以对X.500名称，X.509证书扩展名，各种算法的公钥进行编码和解码，当然也可以用于实际执行数字签名。

自己实现这个并不是微不足道的，但它绝对是可行的—我第一次为证书签名制作了一个工作原型，可能会花费4或5天的时间。这对我来说是一个梦幻般的学习练习，但是当有可用的免费库时，很难证明这个花费是合理的。

Answer 2

JRE中提供了所有用于制作自签名证书（签名，X509编码等）的基本组件。与BC不同，Sun的JCE不提供任何公共电话来签署证书。但是，所有功能都可以在Keytool中使用。您可以简单地复制keytool中的代码来执行此操作。您需要复制的方法是doSelfCert()。

Answer 3

取决于你想要做什么（也可能是你对“Sanely”的定义）。正如ZZ Coder指出的那样，您可以通过复制keytool直接创建自签名证书。但我不相信你可以用标准的JCE创建一个PKCS10证书请求对象，如果你想创建标准的CA签名的EEC，你可能需要这样做。

Answer 4

是的，但没有公开记录的类。我已经记录了过程in this article。

import sun.security.x509.*; 
import java.security.cert.*; 
import java.security.*; 
import java.math.BigInteger; 
import java.util.Date; 
import java.io.IOException 

/**  
 * Create a self-signed X.509 Certificate 
 * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB" 
 * @param pair the KeyPair 
 * @param days how many days from now the Certificate is valid for 
 * @param algorithm the signing algorithm, eg "SHA1withRSA" 
 */  
X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) 
  throws GeneralSecurityException, IOException 
{ 
  PrivateKey privkey = pair.getPrivate(); 
  X509CertInfo info = new X509CertInfo(); 
  Date from = new Date(); 
  Date to = new Date(from.getTime() + days * 86400000l); 
  CertificateValidity interval = new CertificateValidity(from, to); 
  BigInteger sn = new BigInteger(64, new SecureRandom()); 
  X500Name owner = new X500Name(dn); 
  
  info.set(X509CertInfo.VALIDITY, interval); 
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); 
  info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner)); 
  info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner)); 
  info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); 
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); 
  AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid); 
  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo)); 
  
  // Sign the cert to identify the algorithm that's used. 
  X509CertImpl cert = new X509CertImpl(info); 
  cert.sign(privkey, algorithm); 
  
  // Update the algorith, and resign. 
  algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG); 
  info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo); 
  cert = new X509CertImpl(info); 
  cert.sign(privkey, algorithm); 
  return cert; 
}    

Answer 5

import sun.security.x509.*; 

import java.security.cert.*; 
import java.security.*; 
import java.math.BigInteger; 
import java.security.cert.Certificate; 
import java.util.Date; 
import java.io.IOException; 

public class Example { 
    /** 
    * Create a self-signed X.509 Example 
    * 
    * @param dn  the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB" 
    * @param pair  the KeyPair 
    * @param days  how many days from now the Example is valid for 
    * @param algorithm the signing algorithm, eg "SHA1withRSA" 
    */ 
    public X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) 
      throws GeneralSecurityException, IOException { 
     PrivateKey privkey = pair.getPrivate(); 
     X509CertInfo info = new X509CertInfo(); 
     Date from = new Date(); 
     Date to = new Date(from.getTime() + days * 86400000l); 
     CertificateValidity interval = new CertificateValidity(from, to); 
     BigInteger sn = new BigInteger(64, new SecureRandom()); 
     X500Name owner = new X500Name(dn); 

     info.set(X509CertInfo.VALIDITY, interval); 
     info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); 
     info.set(X509CertInfo.SUBJECT, owner); 
     info.set(X509CertInfo.ISSUER, owner); 
     info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); 
     info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); 
     AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid); 
     info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo)); 

     // Sign the cert to identify the algorithm that's used. 
     X509CertImpl cert = new X509CertImpl(info); 
     cert.sign(privkey, algorithm); 

     // Update the algorith, and resign. 
     algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG); 
     info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo); 
     cert = new X509CertImpl(info); 
     cert.sign(privkey, algorithm); 
     return cert; 
    } 

    public static void main (String[] argv) throws Exception { 
     KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); 
     KeyPair keyPair = keyPairGenerator.generateKeyPair(); 
     Example example = new Example(); 
     String distinguishedName = "CN=Test, L=London, C=GB"; 
     Certificate certificate = example.generateCertificateOriginal(distinguishedName, keyPair, 365, "SHA256withRSA"); 
     System.out.println("it worked!"); 
    } 
} 

我喜欢vbence的答案，但我一直得到以下异常：

java.security.cert.CertificateException：主题类类型无效。

很多尝试找出为一个有效的主题类我发现X509CerInfo想X500Name的实例后。

1 info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); 
2 info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner)); 
3 info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner)); 
4 info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); 

所以线2 & 3需要改变到

2 info.set(X509CertInfo.SUBJECT, owner); 
3 info.set(X509CertInfo.ISSUER, owner);