java 安全（二）

在前一篇文章  “java 安全（一）” 中講述瞭如何通過 java 自帶的工具進行密鑰庫和證書 的生成以及對要傳輸的文件進行簽名和校驗的過程，這裏繼續闡述一下如何通過jdk的接口來進行程序上的簽名和驗證工作。 這裏仍然以Susan 和 Ray 兩人爲例,並使用了 keytool來生成密鑰庫。

1： 生成密鑰庫文件

keytool -genkey -alias signFiles -keypass kpi135 -keystore susanstore -storepass ab987c

 

2： Susan 編寫程序生成 證書，並對要傳輸的文件進行簽名

import java.io.BufferedInputStream; import java.io.FileInputStream; import java.io.FileOutputStream; import java.security.KeyStore; import java.security.PrivateKey; import java.security.Signature; class GenSig { public static void main(String[] args) { /* Generate a DSA signature */ if (args.length != 5) { System.out.println("Usage: GenSig KeyStoreName StorePassword keyAlias keyPassword datafile"); } else try { /* Generate a Private Key from keystore */ KeyStore ks = KeyStore.getInstance("JKS"); FileInputStream ksfis = new FileInputStream(args[0]); BufferedInputStream ksbufin = new BufferedInputStream(ksfis); ks.load(ksbufin, args[1].toCharArray()); PrivateKey priv = (PrivateKey) ks.getKey(args[2], args[3].toCharArray()); java.security.cert.Certificate cert = ks.getCertificate(args[2]); byte[] encodedCert = cert.getEncoded(); /* save the certificate in a file named "suecert" */ FileOutputStream certfos = new FileOutputStream("suecert"); certfos.write(encodedCert); certfos.close(); /* * Create a Signature object and initialize it with the private * key */ Signature dsa = Signature.getInstance("SHA1withDSA", "SUN"); dsa.initSign(priv); /* Update and sign the data */ FileInputStream fis = new FileInputStream(args[4]); BufferedInputStream bufin = new BufferedInputStream(fis); byte[] buffer = new byte[1024]; int len; while (bufin.available() != 0) { len = bufin.read(buffer); dsa.update(buffer, 0, len); } bufin.close(); /* * Now that all the data to be signed has been read in, generate * a signature for it */ byte[] realSig = dsa.sign(); /* Save the signature in a file */ FileOutputStream sigfos = new FileOutputStream("sig"); sigfos.write(realSig); sigfos.close(); } catch (Exception e) { System.err.println("Caught exception " + e.toString()); } } }

編譯執行程序，

D:/study/security/demo_3/susan>javac GenSig.java

D:/study/security/demo_3/susan>java GenSig susanstore ab987c signFiles kpi135 data

 

即 生成證書文件。這裏可以通過 D:/study/security/demo_3/susan>keytool -list -v -keystore susanstore 命令來查看密鑰庫信息比如證書類型（Keystore 類型： JKS），和證書指紋等信息。

 

 

 

3： 接受方Ray 接受到 發送方 Susan 傳輸過來的 簽名文件，證書，數據文件編寫驗證程序進行校驗

 

import java.io.BufferedInputStream; import java.io.FileInputStream; import java.security.PublicKey; import java.security.Signature; class VerSig { public static void main(String[] args) { /* Verify a DSA signature */ if (args.length != 3) { //EG: java VerSig suecert sig data System.out.println("Usage: VerSig certName signaturefile datafile"); } else try { FileInputStream certfis = new FileInputStream(args[0]); java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509"); java.security.cert.Certificate cert = cf.generateCertificate(certfis); PublicKey pubKey = cert.getPublicKey(); /* input the signature bytes */ FileInputStream sigfis = new FileInputStream(args[1]); byte[] sigToVerify = new byte[sigfis.available()]; sigfis.read(sigToVerify); sigfis.close(); /* * create a Signature object and initialize it with the public * key */ Signature sig = Signature.getInstance("SHA1withDSA", "SUN"); sig.initVerify(pubKey); /* Update and verify the data */ FileInputStream datafis = new FileInputStream(args[2]); BufferedInputStream bufin = new BufferedInputStream(datafis); byte[] buffer = new byte[1024]; int len; while (bufin.available() != 0) { len = bufin.read(buffer); sig.update(buffer, 0, len); } bufin.close(); boolean verifies = sig.verify(sigToVerify); System.out.println("signature verifies: " + verifies); } catch (Exception e) { System.err.println("Caught exception " + e.toString()); } } }

編譯執行程序，

D:/study/security/demo_3/ray>javac VerSig.java

D:/study/security/demo_3/ray>java VerSig suecert sig data
signature verifies: true

即可看到驗證是否通過結果