在Java中创建PKI(Public Key Infrastructure)通常涉及到使用Java内置的加密库,如Bouncy Castle库。以下是一个简单的例子,演示如何在Java中创建PKI:
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.68</version>
</dependency><dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.68</version>
</dependency>
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
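/**
 * Builds a minimal demonstration PKI: a self-signed CA, an end-entity key pair, a CSR for that
 * key pair, and a CA-signed end-entity certificate, then prints both certificates to standard
 * output.
 *
 * <p>Demonstration only: every subject is the fixed name {@code CN=localhost}, no key usage or
 * key identifier extensions are added, and both private keys are held in memory without any
 * protection.
 *
 * @throws IllegalStateException if key generation, request building or signing fails; the
 *     underlying exception is kept as the cause instead of only being printed, so callers (and
 *     the exit status of {@code main}) observe the failure
 */
public static void generatePKI() {
    try {
        // Registers Bouncy Castle so "BC" can be named in getInstance()/setProvider(); the JDK
        // leaves an already-installed provider untouched, so repeated calls are harmless.
        Security.addProvider(new BouncyCastleProvider());

        // 1. Self-signed CA: its own key pair signs its certificate.
        KeyPair caKeyPair = generateKeyPair();
        X509Certificate caCertificate = generateCertificate(caKeyPair, true);

        // 2. End entity: a fresh key pair, proven via a CSR signed with its private key.
        KeyPair userKeyPair = generateKeyPair();
        PKCS10CertificationRequest csr = generateCertificationRequest(userKeyPair);

        // 3. The CA issues the end-entity certificate from the CSR.
        X509Certificate userCertificate = signCertificate(csr, caKeyPair, caCertificate);

        System.out.println("CA Certificate: " + caCertificate);
        System.out.println("User Certificate: " + userCertificate);
    } catch (Exception e) {
        // Never swallow a failure in a signing path: preserve the cause and fail loudly.
        throw new IllegalStateException("PKI generation failed", e);
    }
}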
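/**
 * Generates a 2048-bit RSA key pair using the Bouncy Castle provider.
 *
 * @return a fresh RSA key pair
 * @throws Exception if the RSA algorithm or the "BC" provider is unavailable
 */
private static KeyPair generateKeyPair() throws Exception {
    return generateKeyPair(2048);
}

/**
 * Generates an RSA key pair of the requested modulus size using the Bouncy Castle provider.
 *
 * @param keySizeBits modulus length in bits; must be at least 2048, the smallest size still
 *     regarded as adequate for certificate signing keys
 * @return a fresh RSA key pair
 * @throws IllegalArgumentException if {@code keySizeBits} is below 2048
 * @throws Exception if the RSA algorithm or the "BC" provider is unavailable
 */
private static KeyPair generateKeyPair(int keySizeBits) throws Exception {
    if (keySizeBits < 2048) {
        throw new IllegalArgumentException(
                "RSA key size must be at least 2048 bits, got " + keySizeBits);
    }
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
    generator.initialize(keySizeBits);
    return generator.generateKeyPair();
}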
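/**
 * Creates a self-signed X.509 v3 certificate for {@code keyPair}: subject and issuer are both
 * {@code CN=localhost}, validity is 365 days from now, and the signature is SHA-256 with RSA.
 *
 * @param keyPair the key pair whose public key is certified and whose private key signs
 * @param isCA when {@code true} a critical {@code basicConstraints cA=TRUE} extension is added so
 *     the certificate may issue others; otherwise a critical {@code cA=FALSE} is added
 * @return the self-signed certificate, converted through the "BC" provider
 * @throws Exception on encoding or signing failure
 */
private static X509Certificate generateCertificate(KeyPair keyPair, boolean isCA) throws Exception {
    X500Name subject = new X500Name("CN=localhost");
    // RFC 5280 requires a positive, non-zero serial of at most 20 octets. A long taken from a
    // UUID can be negative; 159 random bits with bit 0 set is always positive and non-zero and
    // encodes in at most 20 bytes.
    BigInteger serial = new BigInteger(159, new SecureRandom()).setBit(0);
    Date notBefore = new Date();
    Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(365));
    // The Jca builder accepts the JCA PublicKey directly; no manual SubjectPublicKeyInfo needed.
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            subject, serial, notBefore, notAfter, subject, keyPair.getPublic());
    // Extension OIDs live on org.bouncycastle.asn1.x509.Extension, not on the builder class.
    // basicConstraints is marked critical, as RFC 5280 expects for CA certificates.
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCA));
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .setProvider("BC")
            .build(keyPair.getPrivate());
    X509CertificateHolder holder = builder.build(signer);
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
}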
/**
 * Builds a PKCS#10 certification request for {@code CN=localhost} carrying the public key of
 * {@code keyPair}, signed with SHA-256/RSA by the matching private key (the proof of possession
 * a CA checks before issuing).
 *
 * @param keyPair the end-entity key pair
 * @return the signed CSR
 * @throws Exception on signing failure
 */
private static PKCS10CertificationRequest generateCertificationRequest(KeyPair keyPair) throws Exception {
    PrivateKey signingKey = keyPair.getPrivate();
    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");
    ContentSigner signer = signerBuilder.build(signingKey);
    X500Name requestedSubject = new X500Name("CN=localhost");
    return new JcaPKCS10CertificationRequestBuilder(requestedSubject, keyPair.getPublic()).build(signer);
}
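/**
 * Issues an end-entity certificate from a CSR, signed with the CA private key and chained to
 * {@code caCertificate} (whose subject becomes the issuer name).
 *
 * <p>The CSR's self-signature is verified first so the CA only certifies a public key whose
 * holder demonstrated possession of the matching private key. The issued certificate carries a
 * critical {@code basicConstraints cA=FALSE} and its validity is clamped so it does not outlive
 * the CA certificate. The subject name is copied from the CSR unchanged; a real CA would validate
 * it against its policy before issuing.
 *
 * @param csr the certification request supplying the subject name and public key
 * @param caKeyPair the CA key pair; only its private key is used, for signing
 * @param caCertificate the CA certificate supplying the issuer name and the validity bound
 * @return the issued certificate, converted through the "BC" provider
 * @throws IllegalArgumentException if the CSR's signature does not verify
 * @throws Exception on encoding or signing failure
 */
private static X509Certificate signCertificate(PKCS10CertificationRequest csr, KeyPair caKeyPair, X509Certificate caCertificate) throws Exception {
    boolean proofOfPossession = csr.isSignatureValid(
            new JcaContentVerifierProviderBuilder().setProvider("BC").build(csr.getSubjectPublicKeyInfo()));
    if (!proofOfPossession) {
        throw new IllegalArgumentException("CSR signature is invalid; refusing to issue a certificate");
    }
    // JcaX509CertificateConverter has no holder accessor; rebuild the holder from the DER encoding.
    X509CertificateHolder caHolder = new X509CertificateHolder(caCertificate.getEncoded());
    // Positive, non-zero, at most 20 octets, as RFC 5280 requires for serial numbers.
    BigInteger serial = new BigInteger(159, new SecureRandom()).setBit(0);
    Date notBefore = new Date();
    long requestedNotAfter = notBefore.getTime() + TimeUnit.DAYS.toMillis(365);
    // An end-entity certificate must not be valid beyond its issuer.
    Date notAfter = new Date(Math.min(requestedNotAfter, caCertificate.getNotAfter().getTime()));
    X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
            caHolder.getSubject(), serial, notBefore, notAfter, csr.getSubject(), csr.getSubjectPublicKeyInfo());
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .setProvider("BC")
            .build(caKeyPair.getPrivate());
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(signer));
}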
在main方法中调用generatePKI()方法来生成PKI:
public static void main(String[] args) {
generatePKI();
}
这个例子演示了如何在Java中创建PKI。请注意,这个例子仅用于演示目的,实际应用中可能需要更多的安全措施和配置。