How do I generate a digital signature using an X.509 certificate?

How do we obtain the X509Data and X509Certificate tags and attach them to the XML generated by the following code?

    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.*;
    import java.util.Collections;
    import javax.xml.crypto.XMLStructure;
    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.keyinfo.*;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.transform.*;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import org.w3c.dom.Document;

    // Provider lookup as in the Oracle JSR 105 sample code
    String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
            (Provider) Class.forName(providerName).newInstance());

    // Reference to the whole document (URI "") with an enveloped transform and a SHA-1 digest
    Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (XMLStructure) null)),
            null, null);
    SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (XMLStructure) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
            Collections.singletonList(ref));

    // Throw-away RSA key pair (512 bits is far below current minimums; kept as in the original)
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(512);
    KeyPair kp = kpg.generateKeyPair();

    // KeyInfo currently carries only a KeyValue (the raw public key) and no X509Data
    KeyInfoFactory kif = fac.getKeyInfoFactory();
    KeyValue kv = kif.newKeyValue(kp.getPublic());
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));

    // Parse the document to sign; XMLDSig requires a namespace-aware parser
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder()
            .parse(new FileInputStream("C:/Documents and Settings/sbtho/Desktop/downloads/samp.xml"));

    // Sign: the Signature element is appended as a child of the root element
    DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
    XMLSignature signature = fac.newXMLSignature(si, ki);
    signature.sign(dsc);

    // Serialise the signed document
    TransformerFactory tf = TransformerFactory.newInstance();
    Transformer trans = tf.newTransformer();
    trans.transform(new DOMSource(doc),
            new StreamResult(new FileOutputStream("C:/Documents and Settings/sbtho/Desktop/downloads/signedsamp.xml")));

The output of the code above looks like this; I want to insert the X509 tags inside the KeyInfo tag.

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>Kjgj/nVt41Q8gfDwSdfTGW42FQ8=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>nhdbvODcXYvc5w65todyDBkVJJW/VgN3sxMjILO+qavIln0np57qSYvC6CjavLEdD5KZ0uLoD7r/
    o07X9k3I5Q==</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>qc/XQnBZ2/waPw+wUmdFiYUEY8RDLpaDn+Xmm56WoHn9jKKB0BCrYxz33q+z4O7VwQdv1eAdv9cK
    eTHEEpJpIQ==</Modulus>
            <Exponent>AQAB</Exponent>
          </RSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>

How is the X509Certificate created?

I know the question has been around for a while, but I had the same problem and solved it, so I want to share the solution. It uses a keystore obtained from a security token with the IAIK PKCS tools:

The trick is to replace the singletonList in

 KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv)); 

with a list containing the certificate and the KeyValue.

The code for the whole magic (hope it helps someone):

    import java.security.*;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import java.util.*;
    import javax.xml.crypto.*;
    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.keyinfo.*;
    import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
    import javax.xml.crypto.dsig.spec.TransformParameterSpec;
    import org.w3c.dom.Document;
    // IAIK PKCS#11 provider types used in the signature (package names assumed from the IAIK wrapper)
    import iaik.pkcs.pkcs11.TokenException;
    import iaik.pkcs.pkcs11.provider.IAIKPkcs11;

    public void generateSignatureforResumen(String originalXmlFilePath, String destnSignedXmlFilePath,
            IAIKPkcs11 pkcs11Provider_, KeyStore tokenKeyStore, String pin)
            throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException,
            GeneralSecurityException, TokenException {
        // Get the XML Document object (getXmlDocument is a helper of the poster's class, not shown)
        Document doc = getXmlDocument(originalXmlFilePath);

        // Pick the first RSA private key on the token whose certificate allows signing
        PrivateKey signatureKey_ = null;
        PublicKey pubKey_ = null;
        X509Certificate signingCertificate_ = null;
        Enumeration<String> aliases = tokenKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyAlias = aliases.nextElement();
            Key key = tokenKeyStore.getKey(keyAlias, pin.toCharArray());
            if (key instanceof java.security.interfaces.RSAPrivateKey) {
                Certificate[] certificateChain = tokenKeyStore.getCertificateChain(keyAlias);
                X509Certificate signerCertificate = (X509Certificate) certificateChain[0];
                boolean[] keyUsage = signerCertificate.getKeyUsage();
                // check for digital signature or non-repudiation,
                // but also accept if none is set
                if ((keyUsage == null) || keyUsage[0] || keyUsage[1]) {
                    signatureKey_ = (PrivateKey) key;
                    signingCertificate_ = signerCertificate;
                    pubKey_ = signerCertificate.getPublicKey();
                    break;
                }
            }
        }
        if (signatureKey_ == null) {
            throw new GeneralSecurityException("Found no signature key. Ensure that a valid card is inserted.");
        }

        // Create XML Signature Factory and the SignedInfo (NoSuchAlgorithmException is already declared)
        XMLSignatureFactory xmlSigFactory = XMLSignatureFactory.getInstance("DOM");
        Reference ref = xmlSigFactory.newReference("",
                xmlSigFactory.newDigestMethod(DigestMethod.SHA1, null),
                Collections.singletonList(xmlSigFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo signedInfo = xmlSigFactory.newSignedInfo(
                xmlSigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                xmlSigFactory.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                Collections.singletonList(ref));

        // KeyInfo with both the KeyValue and an X509Data holding the signer certificate
        KeyInfoFactory kif = xmlSigFactory.getKeyInfoFactory();
        X509Data x509data = kif.newX509Data(Collections.nCopies(1, signingCertificate_));
        KeyValue kval = kif.newKeyValue(pubKey_);
        List<XMLStructure> keyInfoItems = new ArrayList<XMLStructure>();
        keyInfoItems.add(kval);
        keyInfoItems.add(x509data);
        KeyInfo keyInfo = kif.newKeyInfo(keyInfoItems);

        // Create a new XML Signature and sign the document with the token key
        XMLSignature xmlSignature = xmlSigFactory.newXMLSignature(signedInfo, keyInfo);
        DOMSignContext domSignCtx = new DOMSignContext((Key) signatureKey_, doc.getDocumentElement());
        try {
            xmlSignature.sign(domSignCtx);
        } catch (MarshalException ex) {
            // Rethrow instead of swallowing: otherwise an unsigned document would be stored below
            throw new GeneralSecurityException("Signing failed", ex);
        }

        // Store the digitally signed document in a location (storeSignedDoc is the poster's helper, not shown)
        storeSignedDoc(doc, destnSignedXmlFilePath);
    }

This link may help: https://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java or http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html

// Henrik
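As an added example (not part of the question or of Henrik's answer), the verifying side of the same KeyInfo layout: a KeySelector that takes its key only from an X509Certificate inside X509Data, ignores the unauthenticated KeyValue, accepts only a pinned signer certificate, and validates the enveloped signature with secure validation switched on. The class name, the `trustedSigners` set and the `verify` helper are my own choices.

```java
import java.io.File;
import java.security.cert.*;
import java.util.Set;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Picks the verification key from KeyInfo/X509Data, accepting only a pinned signer certificate. */
public final class X509KeySelector extends KeySelector {
    private final Set<X509Certificate> trustedSigners; // assumed to come from the verifier's own trust store

    public X509KeySelector(Set<X509Certificate> trustedSigners) { this.trustedSigners = trustedSigners; }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Signature carries no KeyInfo");
        for (Object item : keyInfo.getContent()) {            // raw List on older JDKs, hence Object
            if (!(item instanceof X509Data)) continue;          // a bare KeyValue proves nothing about who signed
            for (Object entry : ((X509Data) item).getContent()) {
                if (!(entry instanceof X509Certificate)) continue;
                X509Certificate cert = (X509Certificate) entry;
                boolean[] ku = cert.getKeyUsage();
                if (ku != null && !ku[0] && !ku[1]) continue;   // needs digitalSignature or nonRepudiation
                if (!trustedSigners.contains(cert)) continue;   // the embedded cert is untrusted input until matched
                try { cert.checkValidity(); } catch (CertificateException e) { throw new KeySelectorException(e); }
                return cert::getPublicKey;
            }
        }
        throw new KeySelectorException("No trusted X509Certificate found in KeyInfo");
    }

    /** Validates the enveloped signature in signedXml against the pinned signers. */
    public static boolean verify(File signedXml, Set<X509Certificate> trustedSigners) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                           // otherwise the ds:Signature element is not found
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document doc = dbf.newDocumentBuilder().parse(signedXml);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) throw new IllegalStateException("Expected exactly one Signature element");
        DOMValidateContext ctx = new DOMValidateContext(new X509KeySelector(trustedSigners), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // e.g. rejects XSLT transforms
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);                              // checks SignatureValue and each Reference digest
    }
}
```

On recent JDKs secure validation also rejects the rsa-sha1 SignatureMethod used in both posts above, so a signer that still emits it will fail here until it moves to a SHA-2 signature method.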