Java 對 PDF 文件進行電子簽章 如何生成PKCS12證書

記錄世界，記住你。侵權請聯繫博主刪除。

轉自：https://blog.csdn.net/qq_30336433/article/details/83819572

相關代碼，親測可用：

public class Extension {
	 
    private String oid;
    private boolean critical;
    private byte[] value;

    public String getOid() {
        return oid;
    }
    public byte[] getValue() {
        return value;
    }
    public boolean isCritical() {
        return critical;
    }

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ItextUtil {

	private static KeyPair getKey() throws NoSuchAlgorithmException {
		// 密鑰對 生成器，RSA算法 生成的  提供者是 BouncyCastle
		KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA",  new BouncyCastleProvider());
		generator.initialize(1024);  // 密鑰長度 1024
		// 證書中的密鑰 公鑰和私鑰
		KeyPair keyPair = generator.generateKeyPair();
		return keyPair;
	}

	/**
	 * @param password  密碼   
	 * @param issuerStr 頒發機構信息
	 * @param subjectStr 使用者信息
	 * @param certificateCRL 頒發地址
	 * @return
	 */
	public static Map<String, byte[]> createCert(String password, String issuerStr, String subjectStr, String certificateCRL) {

		Map<String, byte[]> result = new HashMap<String, byte[]>();
		ByteArrayOutputStream out = null;
		try {
			//  生成JKS證書
			//  KeyStore keyStore = KeyStore.getInstance("JKS");
			//  標誌生成PKCS12證書
			KeyStore keyStore = KeyStore.getInstance("PKCS12",  new BouncyCastleProvider());
			keyStore.load(null, null);
			KeyPair keyPair = getKey();
			//  issuer與 subject相同的證書就是CA證書
			Certificate cert = generateCertificateV3(issuerStr, subjectStr,  keyPair, result, certificateCRL, null);
			// cretkey隨便寫，標識別名
			keyStore.setKeyEntry("cretkey",  keyPair.getPrivate(),  password.toCharArray(),  new Certificate[] { cert });
			out = new ByteArrayOutputStream();
			cert.verify(keyPair.getPublic());
			keyStore.store(out, password.toCharArray());
			byte[] keyStoreData = out.toByteArray();
			result.put("keyStoreData", keyStoreData);
			return result;
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (out != null) {
				try {
					out.close();
				} catch (IOException e) {
				}
			}
		}
		return result;
	}

	/**
	 * @param issuerStr
	 * @param subjectStr
	 * @param keyPair
	 * @param result
	 * @param certificateCRL
	 * @param extensions
	 * @return
	 */
	public static Certificate generateCertificateV3(String issuerStr, String subjectStr, KeyPair keyPair, Map<String, byte[]> result,
			String certificateCRL, List<Extension> extensions) {

		ByteArrayInputStream bout = null;
		X509Certificate cert = null;
		try {
			PublicKey publicKey = keyPair.getPublic();
			PrivateKey privateKey = keyPair.getPrivate();
			Date notBefore = new Date();
			Calendar rightNow = Calendar.getInstance();
			rightNow.setTime(notBefore);
			// 日期加1年
			rightNow.add(Calendar.YEAR, 1);
			Date notAfter = rightNow.getTime();
			// 證書序列號
			BigInteger serial = BigInteger.probablePrime(256, new Random());
			X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
					new X500Name(issuerStr), serial, notBefore, notAfter,new X500Name(subjectStr), publicKey);
			JcaContentSignerBuilder jBuilder = new JcaContentSignerBuilder( "SHA1withRSA");
			SecureRandom secureRandom = new SecureRandom();
			jBuilder.setSecureRandom(secureRandom);
			ContentSigner singer = jBuilder.setProvider(  new BouncyCastleProvider()).build(privateKey);
			// 分發點
			ASN1ObjectIdentifier cRLDistributionPoints = new ASN1ObjectIdentifier( "2.5.29.31");
			GeneralName generalName = new GeneralName( GeneralName.uniformResourceIdentifier, certificateCRL);
			GeneralNames seneralNames = new GeneralNames(generalName);
			DistributionPointName distributionPoint = new DistributionPointName( seneralNames);
			DistributionPoint[] points = new DistributionPoint[1];
			points[0] = new DistributionPoint(distributionPoint, null, null);
			CRLDistPoint cRLDistPoint = new CRLDistPoint(points);
			builder.addExtension(cRLDistributionPoints, true, cRLDistPoint);
			// 用途
			ASN1ObjectIdentifier keyUsage = new ASN1ObjectIdentifier( "2.5.29.15");
			// | KeyUsage.nonRepudiation | KeyUsage.keyCertSign
			builder.addExtension(keyUsage, true, new KeyUsage( KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
			// 基本限制 X509Extension.java
			ASN1ObjectIdentifier basicConstraints = new ASN1ObjectIdentifier("2.5.29.19");
			builder.addExtension(basicConstraints, true, new BasicConstraints(true));
			// privKey:使用自己的私鑰進行簽名，CA證書
			if (extensions != null){
				for (Extension ext : extensions) {
					builder.addExtension(
							new ASN1ObjectIdentifier(ext.getOid()),
							ext.isCritical(),
							ASN1Primitive.fromByteArray(ext.getValue()));
				}
			}
			X509CertificateHolder holder = builder.build(singer);
			CertificateFactory cf = CertificateFactory.getInstance("X.509");
			bout = new ByteArrayInputStream(holder.toASN1Structure() .getEncoded());
			cert = (X509Certificate) cf.generateCertificate(bout);
			byte[] certBuf = holder.getEncoded();
			SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd");
			// 證書數據
			result.put("certificateData", certBuf);
			//公鑰
			result.put("publicKey", publicKey.getEncoded());
			//私鑰
			result.put("privateKey", privateKey.getEncoded());
			//證書有效開始時間
			result.put("notBefore", format.format(notBefore).getBytes("utf-8"));
			//證書有效結束時間
			result.put("notAfter", format.format(notAfter).getBytes("utf-8"));
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (bout != null) {
				try {
					bout.close();
				} catch (IOException e) {
				}
			}
		}
		return cert;
	}

	public static void main(String[] args) throws Exception{
		// CN: 名字與姓氏    OU : 組織單位名稱
		// O ：組織名稱  L : 城市或區域名稱  E : 電子郵件
		// ST: 州或省份名稱  C: 單位的兩字母國家代碼 
		String issuerStr = "CN=天天憑證,OU=研發部,O=gitbook有限公司,C=CN,[email protected],L=北京,ST=北京";
		String subjectStr = "CN=huangjinjin,OU=用戶,O=借款人,C=CN,[email protected],L=北京,ST=北京";
		String certificateCRL  = "https://gitbook.cn";
		Map<String, byte[]> result = createCert("123456", issuerStr, subjectStr, certificateCRL);

//		FileOutputStream outPutStream = new FileOutputStream("C:/pdf/keystore.p12"); // 生成.p12
//		outPutStream.write(result.get("keyStoreData"));
//		outPutStream.close();
		FileOutputStream fos = new FileOutputStream(new File("C:/pdf/zheng.cer"));//生成.p12頒發給用戶的證書
		fos.write(result.get("certificateData"));
		fos.flush();
		fos.close();
	}