java 安全（二）

在前一篇文章  “java 安全（一）” 中讲述了如何通过 java 自带的工具进行密钥库和证书 的生成以及对要传输的文件进行签名和校验的过程，这里继续阐述一下如何通过jdk的接口来进行程序上的签名和验证工作。 这里仍然以Susan 和 Ray 两人为例,并使用了 keytool来生成密钥库。

1： 生成密钥库文件

keytool -genkey -alias signFiles -keypass kpi135 -keystore susanstore -storepass ab987c

 

2： Susan 编写程序生成 证书，并对要传输的文件进行签名

import java.io.BufferedInputStream; import java.io.FileInputStream; import java.io.FileOutputStream; import java.security.KeyStore; import java.security.PrivateKey; import java.security.Signature; class GenSig { public static void main(String[] args) { /* Generate a DSA signature */ if (args.length != 5) { System.out.println("Usage: GenSig KeyStoreName StorePassword keyAlias keyPassword datafile"); } else try { /* Generate a Private Key from keystore */ KeyStore ks = KeyStore.getInstance("JKS"); FileInputStream ksfis = new FileInputStream(args[0]); BufferedInputStream ksbufin = new BufferedInputStream(ksfis); ks.load(ksbufin, args[1].toCharArray()); PrivateKey priv = (PrivateKey) ks.getKey(args[2], args[3].toCharArray()); java.security.cert.Certificate cert = ks.getCertificate(args[2]); byte[] encodedCert = cert.getEncoded(); /* save the certificate in a file named "suecert" */ FileOutputStream certfos = new FileOutputStream("suecert"); certfos.write(encodedCert); certfos.close(); /* * Create a Signature object and initialize it with the private * key */ Signature dsa = Signature.getInstance("SHA1withDSA", "SUN"); dsa.initSign(priv); /* Update and sign the data */ FileInputStream fis = new FileInputStream(args[4]); BufferedInputStream bufin = new BufferedInputStream(fis); byte[] buffer = new byte[1024]; int len; while (bufin.available() != 0) { len = bufin.read(buffer); dsa.update(buffer, 0, len); } bufin.close(); /* * Now that all the data to be signed has been read in, generate * a signature for it */ byte[] realSig = dsa.sign(); /* Save the signature in a file */ FileOutputStream sigfos = new FileOutputStream("sig"); sigfos.write(realSig); sigfos.close(); } catch (Exception e) { System.err.println("Caught exception " + e.toString()); } } }

编译执行程序，

D:/study/security/demo_3/susan>javac GenSig.java

D:/study/security/demo_3/susan>java GenSig susanstore ab987c signFiles kpi135 data

 

即 生成证书文件。这里可以通过 D:/study/security/demo_3/susan>keytool -list -v -keystore susanstore 命令来查看密钥库信息比如证书类型（Keystore 类型： JKS），和证书指纹等信息。

 

 

 

3： 接受方Ray 接受到 发送方 Susan 传输过来的 签名文件，证书，数据文件编写验证程序进行校验

 

import java.io.BufferedInputStream; import java.io.FileInputStream; import java.security.PublicKey; import java.security.Signature; class VerSig { public static void main(String[] args) { /* Verify a DSA signature */ if (args.length != 3) { //EG: java VerSig suecert sig data System.out.println("Usage: VerSig certName signaturefile datafile"); } else try { FileInputStream certfis = new FileInputStream(args[0]); java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509"); java.security.cert.Certificate cert = cf.generateCertificate(certfis); PublicKey pubKey = cert.getPublicKey(); /* input the signature bytes */ FileInputStream sigfis = new FileInputStream(args[1]); byte[] sigToVerify = new byte[sigfis.available()]; sigfis.read(sigToVerify); sigfis.close(); /* * create a Signature object and initialize it with the public * key */ Signature sig = Signature.getInstance("SHA1withDSA", "SUN"); sig.initVerify(pubKey); /* Update and verify the data */ FileInputStream datafis = new FileInputStream(args[2]); BufferedInputStream bufin = new BufferedInputStream(datafis); byte[] buffer = new byte[1024]; int len; while (bufin.available() != 0) { len = bufin.read(buffer); sig.update(buffer, 0, len); } bufin.close(); boolean verifies = sig.verify(sigToVerify); System.out.println("signature verifies: " + verifies); } catch (Exception e) { System.err.println("Caught exception " + e.toString()); } } }

编译执行程序，

D:/study/security/demo_3/ray>javac VerSig.java

D:/study/security/demo_3/ray>java VerSig suecert sig data
signature verifies: true

即可看到验证是否通过结果