Generating an SM2 certificate with gmssl on Windows + signing and verifying with the Java BC library
Generating the SM2 certificate with openssl (here gmssl)
1. Generate the key
gmssl ecparam -genkey -name sm2p256v1 -text -out xxx.key
2. Generate the certificate request
gmssl req -config "C:\Program Files\Common Files\SSL\f" -new -key xxx.key -out xxx.req
or point -config at an f file in a location of your choice.
To find where the f file lives: openssl version -d
Alternatively, set
set OPENSSL_CONF=C:\Program Files\Common Files\SSL\f
and the warning "WARNING: can't open config file: /usr/local/ssl/f" no longer appears.
Parse the certificate request:
gmssl req -in xxx.req -text
3. Generate the certificate
Self-signed certificate:
gmssl x509 -req -in xxx.req -signkey xxx.key -out aaa.cer -days 10000
If you have a CA certificate:
gmssl x509 -req -in xxx.req -CA CA证书.cer -CAkey CAAkey.key -out xxxxx.cer -sm3 -CAcreateserial -days 10000
4. Generate the pfx
If needed, bundle the private key and the certificate into a single pfx file:
gmssl pkcs12 -export -out xxx.pfx -inkey xxx.key -in xxx.cer
View the contents of the pfx:
gmssl pkcs12 -in xxx.pfx
Java signing and verification
Libraries
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.70</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.70</version>
</dependency>
Signing
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.util.Enumeration;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * SM2 signing.
 *
 * @param data     data to be signed
 * @param pfxFile  path of the pfx file
 * @param password pfx file password
 * @return signature value
 */
public byte[] sign(String data, String pfxFile, String password) throws Exception {
    String algorithm = "SM3withSM2";
    Security.addProvider(new BouncyCastleProvider());
    KeyStore ks2 = KeyStore.getInstance("PKCS12", "BC");
    // load the pfx produced by "gmssl pkcs12 -export"; close the stream afterwards
    try (FileInputStream fis = new FileInputStream(pfxFile)) {
        ks2.load(fis, password.toCharArray());
    }
    // take the first (normally the only) alias in the pfx
    Enumeration<String> enum1 = ks2.aliases();
    String keyAlias = null;
    if (enum1.hasMoreElements()) {
        keyAlias = enum1.nextElement();
    }
    Signature sig = Signature.getInstance(algorithm, "BC");
    // the key entry in a pfx is protected with the same password as the file itself
    sig.initSign((PrivateKey) ks2.getKey(keyAlias, password.toCharArray()), new SecureRandom());
    sig.update(data.getBytes(StandardCharsets.UTF_8));
    return sig.sign();
}
Verification
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * SM2 verification of signed data.
 *
 * @param signValue signature value produced by signing
 * @param cert      certificate (Base64, without the PEM header and footer)
 * @param data      original text that was signed
 * @return true or false
 */
public boolean verify(byte[] signValue, String cert, String data) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    // java.security.cert.CertificateFactory has no public constructor; obtain BC's X.509 factory through JCA
    CertificateFactory factory = CertificateFactory.getInstance("X.509", "BC");
    X509Certificate certificate = (X509Certificate) factory.generateCertificate(
            new ByteArrayInputStream(Base64.getDecoder().decode(cert)));
    // use the algorithm the certificate itself was signed with (SM3withSM2 for a gmssl SM2 certificate)
    Signature signature = Signature.getInstance(certificate.getSigAlgName(), "BC");
    signature.initVerify(certificate);
    signature.update(data.getBytes(StandardCharsets.UTF_8));
    return signature.verify(signValue);
}
Here, String cert is the Base64-encoded certificate string (it starts with M). The "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines must be removed, as must every \r and \n.
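As an added end-to-end example (not code from the original post), the whole flow above carried out in-process with BouncyCastle 1.70: an sm2p256v1 key pair (step 1), a self-signed SM3withSM2 certificate (steps 2 and 3), a PKCS#12 bundle (step 4), the sign/verify pair, and the PEM stripping the note describes. The class name Sm2RoundTrip, the password, the alias and the subject DN are constructed for the demo. It goes one step beyond the page's verify(): before trusting the certificate's public key it checks the validity period and the issuer signature, which for a CA-issued certificate (the -CA variant of step 3) means passing the CA's public key instead of the certificate's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class Sm2RoundTrip {   // hypothetical class name, not from the page
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Step 1: SM2 key pair on sm2p256v1, the curve "gmssl ecparam -name sm2p256v1" uses
    static KeyPair generateSm2KeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(new ECGenParameterSpec("sm2p256v1"), new SecureRandom());
        return kpg.generateKeyPair();
    }

    // Steps 2-3: self-signed SM3withSM2 certificate (what "gmssl x509 -req -signkey" produces)
    static X509Certificate selfSign(KeyPair kp, String dn) throws Exception {
        X500Name name = new X500Name(dn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        // serial from the clock is enough for a demo; a CA would use a random serial
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, name, kp.getPublic());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                b.build(new JcaContentSignerBuilder("SM3withSM2").setProvider("BC").build(kp.getPrivate())));
    }

    // Step 4: private key + certificate as PKCS#12 bytes ("gmssl pkcs12 -export")
    static byte[] toPfx(KeyPair kp, X509Certificate cert, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(null, null);
        ks.setKeyEntry("sm2", kp.getPrivate(), password, new java.security.cert.Certificate[] { cert });
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Signing as on the page, reading the pfx from bytes instead of a file path
    static byte[] sign(String data, byte[] pfx, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(new ByteArrayInputStream(pfx), password);
        String alias = ks.aliases().nextElement();
        Signature sig = Signature.getInstance("SM3withSM2", "BC");
        sig.initSign((PrivateKey) ks.getKey(alias, password), new SecureRandom());
        sig.update(data.getBytes(StandardCharsets.UTF_8));
        return sig.sign();
    }

    // Strip the PEM armour and every \r and \n, leaving the bare Base64 body the page's verify() expects
    static String pemToBase64(String pem) {
        return pem.replace("-----BEGIN CERTIFICATE-----", "")
                  .replace("-----END CERTIFICATE-----", "")
                  .replaceAll("\\s", "");
    }

    // Verification: vet the certificate before trusting its key, then check the signature over the data
    static boolean verify(byte[] signature, String certBase64, String data, PublicKey issuerKey) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(Base64.getDecoder().decode(certBase64)));
        cert.checkValidity();          // throws outside the notBefore/notAfter window
        cert.verify(issuerKey, "BC");  // throws unless signed by the expected issuer (itself here, the CA's key for the -CA case)
        Signature sig = Signature.getInstance(cert.getSigAlgName(), "BC");
        sig.initVerify(cert);
        sig.update(data.getBytes(StandardCharsets.UTF_8));
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                 // constructed demo password
        KeyPair kp = generateSm2KeyPair();
        X509Certificate cert = selfSign(kp, "CN=sm2-demo");  // constructed subject
        byte[] pfx = toPfx(kp, cert, pw);
        // PEM text in the shape gmssl x509 writes it: 64-character lines with CRLF on Windows
        String pem = "-----BEGIN CERTIFICATE-----\r\n"
                + Base64.getMimeEncoder(64, "\r\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(cert.getEncoded())
                + "\r\n-----END CERTIFICATE-----\r\n";
        String msg = "hello sm2";
        byte[] sig = sign(msg, pfx, pw);
        System.out.println("original message verifies: " + verify(sig, pemToBase64(pem), msg, cert.getPublicKey()));
        System.out.println("tampered message verifies: " + verify(sig, pemToBase64(pem), msg + "!", cert.getPublicKey()));
    }
}
```

Compile and run it with bcprov-jdk15on and bcpkix-jdk15on on the classpath. The second verify() call exercises the tampered-message path; to use a certificate and pfx produced by the gmssl commands above instead, read the .cer text into pemToBase64() and the .pfx bytes into sign(), and pass the CA certificate's public key as issuerKey when the certificate was issued with -CA.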