package java.security.cert 包下的X509Certificate.java 是X.509證書的抽象類。這提供了一個標準訪問X.509證書所有屬性的方法。
使用ASN.1語言描述,我們可以將X509Certificate抽象爲以下結構:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
即基本證書域、簽名算法、簽名值。
其中TBSCertificate的結構爲:
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version must be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version must be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version must be v3
}
即版本、序列號、簽名算法、頒發者、有效期、使用者、主體公鑰信息、擴展項。
主體公鑰信息:
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
算法標識符:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
package java.security包下Key.java的一段註釋:
* The Key interface is the top-level interface for all keys. It * defines the functionality shared by all key objects. All keys * have three characteristics: * * <UL> * * <LI>An Algorithm * * <P>This is the key algorithm for that key. The key algorithm is usually * an encryption or asymmetric operation algorithm (such as DSA or * RSA), which will work with those algorithms and with related * algorithms (such as MD5 with RSA, SHA-1 with RSA, Raw DSA, etc.) * The name of the algorithm of a key is obtained using the * {@link #getAlgorithm() getAlgorithm} method.
可知祕鑰具有的三個特徵,其一爲Algorithm,通過getAlgorithm()獲取。所以獲取祕鑰算法的方法爲cert.getAlgorithm();
另一常用方法:獲取簽名算法
/**
* Gets the signature algorithm name for the certificate
* signature algorithm. An example is the string "SHA256withRSA".
* The ASN.1 definition for this is:
* <pre>
* signatureAlgorithm AlgorithmIdentifier
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* -- contains a value of the type
* -- registered for use with the
* -- algorithm object identifier value
* </pre>
*
* <p>The algorithm name is determined from the {@code algorithm}
* OID string.
*
* @return the signature algorithm name.
*/
public abstract String getSigAlgName();