Java基于BC生成X509v3证书，以及部分扩展Extension的使用

package com.liwl.cert; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.DERIA5String; import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; import org.bouncycastle.asn1.x509.*; import org.bouncycastle.cert.X509ExtensionUtils; import org.bouncycastle.jce.X509KeyUsage; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.bc.BcDigestCalculatorProvider; import java.io.IOException; import java.security.PublicKey; /** * 扩展 * * @author Liwl */ public class ExtensionUtils { /** * 基本约束 * * @return 基本约束 Extension */ public static Extension getBasicConstraintsExtension(boolean isCAPublicKey) throws IOException { // Other used this // Extension extension; // if (isCAPublicKey) { // extension = new Extension( // Extension.basicConstraints, true, new BasicConstraints(3).toASN1Primitive().getEncoded()); // } else { // extension = new Extension( // Extension.basicConstraints, false, new BasicConstraints(0).toASN1Primitive().getEncoded()); // } // CI used this Extension extension = new Extension( Extension.basicConstraints, true, new BasicConstraints(isCAPublicKey).toASN1Primitive().getEncoded()); return extension; } /** * 密钥用法 default digitalSignature * * @return 密钥用法 Extension * @see ExtensionUtils getKeyUsage() */ public static Extension getKeyUsageExtension() throws IOException { Extension extension = new Extension( Extension.keyUsage, true, // new KeyUsage(KeyUsage.digitalSignature).toASN1Primitive().getEncoded() new X509KeyUsage( X509KeyUsage.digitalSignature).toASN1Primitive().getEncoded()); return extension; } /** * 增强密钥用法 * * @return 增强密钥用法 Extension */ public static Extension getExtendedKeyUsageExtension() throws IOException { KeyPurposeId[] keyPurposeIds = new KeyPurposeId[2]; keyPurposeIds[0] = KeyPurposeId.id_kp_serverAuth; keyPurposeIds[1] = KeyPurposeId.id_kp_clientAuth; // keyPurposeIds[2] = KeyPurposeId.id_kp_eapOverLAN; ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(keyPurposeIds); Extension extension = new Extension( Extension.extendedKeyUsage, true, extendedKeyUsage.toASN1Primitive().getEncoded()); return extension; } /** * 添加CRL分布点 * * @return CRL分布点 */ public static Extension getCRLDIstPointExtension(String[] names) throws IOException { // 建议格式: SERVER_BASE_REST_PKI_URL + issuerName + CRL_URL // e.g. String SERVER_BASE_REST_PKI_URL = "http://localhost:8080/rest/pki/"; // String issuerName = "issuer"; // String CRL_URL = "/crl"; DistributionPoint[] distributionPoints = new DistributionPoint[names.length]; int index = 0; for (String name : names) { DistributionPointName distributionPoint = new DistributionPointName( new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, name))); distributionPoints[index] = new DistributionPoint(distributionPoint, null, null); index++; } CRLDistPoint crlDistPoint = new CRLDistPoint(distributionPoints); Extension extension = new Extension( Extension.cRLDistributionPoints, false, crlDistPoint.toASN1Primitive().getEncoded()); return extension; } /** * 证书策略 * * @return Policies 证书策略 */ public static Extension getCertificatePoliciesExtension() throws IOException { CertificatePolicies certificatePolicies = new CertificatePolicies( new PolicyInformation(new ASN1ObjectIdentifier("1.2.3.4.3.2.1"))); Extension extension = new Extension( Extension.certificatePolicies, true, certificatePolicies.toASN1Primitive().getEncoded()); return extension; } /** * 证书策略映射 * * @return Policies 证书策略映射 */ public static Extension getPolicyMappingsExtension() throws IOException { // Test Data CertPolicyId iCertPolicyId = CertPolicyId.getInstance(new ASN1ObjectIdentifier("1.2.3.4.5.6.7.8.9.0.1")); CertPolicyId sCertPolicyId = CertPolicyId.getInstance(new ASN1ObjectIdentifier("1.2.3.4.5.6.7.8.9.0.2")); CertPolicyId[] issuerCertPolicyIds = new CertPolicyId[2]; CertPolicyId[] subjectCertPolicyIds = new CertPolicyId[2]; issuerCertPolicyIds[0] = iCertPolicyId; subjectCertPolicyIds[0] = sCertPolicyId; issuerCertPolicyIds[1] = iCertPolicyId; subjectCertPolicyIds[1] = sCertPolicyId; // 单组 // PolicyMappings policyMappings = new PolicyMappings(iCertPolicyId, sCertPolicyId); // 多组 PolicyMappings policyMappings = new PolicyMappings(issuerCertPolicyIds, subjectCertPolicyIds); Extension extension = new Extension( Extension.policyMappings, true, policyMappings.toASN1Primitive().getEncoded()); return extension; } /** * 权限信息访问 * * @return Extension 权限信息访问 */ public static Extension getAuthorityInfoAccessExtension(String issuerName) throws IOException { // 建议格式: SERVER_BASE_REST_PKI_URL + issuerName + AIA_URL // e.g. String SERVER_BASE_REST_PKI_URL = "http://localhost:8080/rest/pki/"; // String issuerName = issuerName; // String AIA_URL = "/cert"; AccessDescription caIssuers = new AccessDescription( AccessDescription.id_ad_caIssuers, new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String("http://www.baidu.com/rest/pki/issuer/cert"))); ASN1EncodableVector aia_ASN = new ASN1EncodableVector(); aia_ASN.add(caIssuers); Extension extension = new Extension( Extension.authorityInfoAccess, false, caIssuers.toASN1Primitive().getEncoded()); return extension; } /** * 颁发者密钥标识 * * @param publicKey 颁发者公钥 * @return 颁发者密钥标识 */ public static Extension getAuthorityKeyIdentifierExtension(PublicKey publicKey) throws OperatorCreationException, IOException { SubjectPublicKeyInfo subjectPublicKeyInfo = BcKeyUtil.createSubjectPublicKeyInfo(publicKey); DigestCalculator calculator = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); X509ExtensionUtils extensionUtils = new X509ExtensionUtils(calculator); Extension extension = new Extension( Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo).toASN1Primitive().getEncoded()); return extension; } /** * 使用者密钥标识 * * @param publicKey 使用者公钥 * @return 使用者密钥标识 */ public static Extension getSubjectKeyIdentifierExtension(PublicKey publicKey) throws OperatorCreationException, IOException {