JAVA API創建密鑰庫並向其附加CSR和密鑰對

Question

我需要將現有的csr和密鑰對附加到密鑰庫。 下面給出的是一個使用GUI（java swing）從用戶那里獲取輸入的實現，例如密鑰庫名稱，別名，通用名稱，組織等。

我嘗試使用keystore.setkeyentry（...）將csr鏈接到密鑰庫，但是密鑰庫仍然為空。

我在下面附加了我的代碼，任何幫助將非常有用：

下面的代碼用於創建一個csr

            public String getCSR(String cn, String ou, String o, String l,String s) throws Exception {
            byte[] csr = generatePKCS10(cn, ou, o, l,s,"US");

            return new String(csr);
        }


private static byte[] generatePKCS10(String CN, String OU, String O,
                String L, String S, String C) throws Exception {
            // generate PKCS10 certificate request
            String sigAlg = "MD5WithRSA";
            PKCS10 pkcs10 = new PKCS10(publicKey);
            Signature signature = Signature.getInstance(sigAlg);
            signature.initSign(privateKey);
            // common, orgUnit, org, locality, state, country
            X500Principal principal = new X500Principal( "CN=Ole Nordmann, OU=ACME, O=Sales, C=NO");

       //     pkcs10CertificationRequest kpGen = new PKCS10CertificationRequest(sigAlg, principal, publicKey, null, privateKey);  
         //   byte[] c = kpGen.getEncoded();  
            X500Name x500name=null;
            x500name= new X500Name(principal.getEncoded());
          pkcs10.encodeAndSign(x500name, signature);
            ByteArrayOutputStream bs = new ByteArrayOutputStream();
            PrintStream ps = new PrintStream(bs);
            pkcs10.print(ps);
            byte[] c = bs.toByteArray();
            try {
                if (ps != null)
                    ps.close();
                if (bs != null)
                    bs.close();
            } catch (Throwable th) {
            }
            return c;
        }


        public static X509Certificate generateX509Certificate(String certEntry) throws IOException {

            InputStream in = null;
            X509Certificate cert = null;
            try {
                byte[] certEntryBytes = certEntry.getBytes();
                in = new ByteArrayInputStream(certEntryBytes);
                CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

                cert = (X509Certificate) certFactory.generateCertificate(in);
            } catch (CertificateException ex) {

            } finally {
                if (in != null) {
                        in.close();
                }
            }
            return cert;
        }

在main方法中，我執行以下操作來創建密鑰庫並將其附加到csr

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());


                        char[] pass = password.toCharArray();
                        ks.load(null, pass);

                        ks.store(fos, pass);
                        fos.close();
                         GenerateCSR gcsr = GenerateCSR.getInstance();

                    System.out.println("Public Key:\n"+gcsr.getPublicKey().toString());

                    System.out.println("Private Key:\n"+gcsr.getPrivateKey().toString());

                    String csr = gcsr.getCSR(CN,OU,O,L,S);

                    System.out.println("CSR Request Generated!!");
                    System.out.println(csr);


                    X509Certificate[] certChain = new X509Certificate[1];
                 //   certChain[0]= gcsr.generateX509Certificate(csr);
                    X509Certificate myCert = (X509Certificate) CertificateFactory
                                                 .getInstance("X509")
                                                 .generateCertificate(
                                                    // string encoded with default charset
                                                    new ByteArrayInputStream(csr.getBytes())
                                                 ); 
                    certChain[0]= myCert;
                    ks.setKeyEntry("alias", (Key)gcsr.getPrivateKey(), pass, certChain);

當我檢查密鑰庫的內容時，它為空。 任何建議將被認真考慮

謝謝！！！

Answer 1

您有兩個主要錯誤 ：

• 證書簽名請求（也稱為CSR或PKCS10）不是證書 。 CertificateFactory.generateCertificate將僅讀取證書，而不讀取CSR，並且當您向其提供CSR時，它將引發異常，您的代碼會巧妙地抑制該異常，而不會向任何人表明存在嚴重問題。 您在早期版本中使用的注釋掉的代碼更接近於生成證書所需的代碼。

• （如果您確實創建/擁有有效的證書） KeyStore.set*僅設置內存KeyStore對象中的條目。 如果要在程序退出后將密鑰庫的內容保存在文件中的某個位置，則必須在執行“設置”之后store其store 。

這是您對代碼進行了足夠的修改，可以像我所希望的那樣工作。 除瑣碎的格式化和腳手架外，我更改的位置用//--標記，表示刪除， //**標記，表示添加。 即使如此，我也不建議這樣做，因為：

• 我將繼續使用不受支持的sun.security類，即使您使用的是BC，並且它也支持PKCS10和相關位的類，並且僅當您想從CA申請證書時才需要CSR。 自己生成證書只是直接生成證書更容易

• （不太嚴重）在最新版本的BC pkix中已拆分為單獨的jar，並且現在不推薦使用X509V3CertificateGenerator而推薦使用X509v3CertificateBuilder

---

//nopackage
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.*;

import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.x509.X509V3CertificateGenerator;

//--import sun.security.pkcs.PKCS10; -- Java7
import sun.security.pkcs10.PKCS10; //** Java8
import sun.security.x509.X500Name;

public class SO40350607GenerateCertIntoKeystoreFile8 {
    public static void main (String[] args) throws Exception {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        //**dummy value for test
        KeyPairGenerator kpgen = KeyPairGenerator.getInstance("RSA"); 
        kpgen.initialize(1024); keyPair = kpgen.generateKeyPair();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] pass = "password".toCharArray();
        ks.load(null, pass);
        //--ks.store(fos, pass);    useless here
        //--fos.close();

        String csr = new String(generatePKCS10("CommonName","OrgUnit","Org","Locality","State", "US"));
        System.out.println("CSR Request Generated!!");
        System.out.println(csr);

        //--X509Certificate myCert = (X509Certificate) CertificateFactory.getInstance("X509")
        //--    .generateCertificate(new ByteArrayInputStream(csr.getBytes()) ); // string encoded with default charset*/
        X509Certificate myCert = generateCertificate2 (csr); //**
        X509Certificate[] certChain = new X509Certificate[]{myCert};
        ks.setKeyEntry("alias", keyPair.getPrivate(), pass, certChain);
        FileOutputStream fos = new FileOutputStream ("newksfile");
        ks.store(fos,pass); fos.close(); //** NOW store to file
    }
    private static KeyPair keyPair;

    private static byte[] generatePKCS10(String CN, String OU, String O,
            String L, String S, String C) throws Exception {
        // generate PKCS10 certificate request
        String sigAlg = "SHA1WithRSA"; //** don't use "MD5WithRSA" even for CSR 
        PKCS10 pkcs10 = new PKCS10(keyPair.getPublic());
        Signature signature = Signature.getInstance(sigAlg);
        signature.initSign(keyPair.getPrivate());
        // common, orgUnit, org, locality, state, country
        //--X500Principal principal = new X500Principal( "CN=Ole Nordmann, OU=ACME, O=Sales, C=NO");
        //--X500Name x500name= new X500Name(principal.getEncoded());
        //** can do this directly (and better)
        X500Name x500name = new X500Name ("CN="+CN+",OU="+OU+",O="+O+",L="+L+",S="+S+",C="+C);
        pkcs10.encodeAndSign(x500name, signature);
        ByteArrayOutputStream bs = new ByteArrayOutputStream();
        PrintStream ps = new PrintStream(bs);
        pkcs10.print(ps);
        byte[] c = bs.toByteArray();
        ps.close(); //** bs,ps are never null, ps.close automatically closes underlying bs,
        //** and anyway BAOS doesn't need to be closed (although most streams do)
        return c;
    }

    //** (whole) routine to generate an actual (though selfsigned) certificate 
    public static X509Certificate generateCertificate2 (String csrpem) throws Exception {  
        String csrtrim = csrpem.replaceAll("-----[^\\n]*\\n","").replaceAll("\\r?\\n","");
        //--PKCS10 pkcs10 = new PKCS10 (Base64.decode (csrtrim.toCharArray())); --Java7
        PKCS10 pkcs10 = new PKCS10 (Base64.getDecoder().decode (csrtrim.getBytes())); //Java8
        // or use the one we had before encoding it -- or the input data directly?? 

        // X509V3CertificateGenerator is deprecated but stay with it for now
        X509V3CertificateGenerator cert = new X509V3CertificateGenerator();   
        cert.setSerialNumber(BigInteger.valueOf(1));   //or generate a random number  
        cert.setSubjectDN(pkcs10.getSubjectName().asX500Principal());  
        cert.setIssuerDN(pkcs10.getSubjectName().asX500Principal()); //same since it is self-signed  
        cert.setPublicKey(pkcs10.getSubjectPublicKeyInfo());  
        Date now = new Date(); cert.setNotBefore(now);  
        now.setYear(now.getYear()+1); cert.setNotAfter(now);  
        cert.setSignatureAlgorithm("SHA1WithRSA");   
        PrivateKey signingKey = keyPair.getPrivate();    
        return cert.generate(signingKey, "BC");  
    }

}