Windows gmssl生成SM2证书 + java bc库签名验签

Windows gmssl生成SM2证书 + java bc库签名验签

openssl生成SM2证书

1 生成密钥

gmssl ecparam -genkey -name sm2p256v1 -text -out xxx.key

2 生成证书请求

gmssl req -config "C:\Program Files\Common Files\SSL\f" -new -key xxx.key -out xxx.req

或自定义位置的f

查找f文件的位置：openssl version -d

或

set OPENSSL_CONF=C:\Program Files\Common Files\SSL\f

就不会报 WARNING: can’t open config file: /usr/local/ssl/f

解析证书请求

gmssl req -in xxx.req -text

3 生成证书

自签证书：

gmssl x509 -req -in xxx.req -signkey xxx.key -out aaa.cer -days 10000

如果有CA证书的话：

gmssl x509 -req -in xxx.req -CA CA证书.cer -CAkey CAAkey.key -out xxxxx.cer -sm3 -CAcreateserial -days 10000

4 生成pfx

如果有需要的话，把私钥和证书生成一个pfx文件

gmssl pkcs12 -export -out xxx.pfx -inkey xxx.key -in xxx.cer

查看pfx证书内容

gmssl pkcs12 -in xxx.pfx

java签名验签

库

<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk15on</artifactId><version>1.70</version></dependency><dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15on</artifactId><version>1.70</version></dependency>

签名

/*** sm2 签名* * @param data待签名数据* @param pfxFile pfx文件的路径* @param password pfx文件密码* @return 签名结果*/public byte[] sign(String data, String pfxFile, String pasword) throws Exception {String algorithm = "SM3withSM2";Security.addProvider(new BouncyCastleProvider());FileInputStream fis = new FileInputStream(pfxFile);KeyStore ks2 = KeyStore.getInstance("PKCS12", "BC");ks2.load(fis, password.toCharArray());Enumeration<String> enum1 = ks2.aliases();String keyAlias = null;if (enum1.hasMoreElements()) {keyAlias = enum1.nextElement();}Signature sig = Signature.getInstance(algorithm, "BC");sig.initSign((PrivateKey) ks2.getKey(keyAlias, null), new SecureRandom());sig.update(data.getBytes());return sig.sign();}

验签

/*** sm2 对签名后的数据进行验签** @param signValue 签名产生签名值* @param cert证书* @param data签名原文* @return false or true*/public boolean verify(byte[] signValue, String cert, String data) throws Exception {CertificateFactory factory = new CertificateFactory();X509Certificate certificate = (X509Certificate) factory.engineGenerateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(cert)));Signature signature = Signature.getInstance(certificate.getSigAlgName(), new BouncyCastleProvider());signature.initVerify(certificate);signature.update(data.getBytes());return signature.verify(signValue);}

其中，String cert是Base64编码的证书字符串(以M开头)，需要去掉"-----BEGIN CERTIFICATE-----“和”-----END CERTIFICATE-----"，也需要去掉所有的\r和\n

如果觉得《Windows gmssl生成SM2证书 + java bc库签名验签》对你有帮助，请点赞、收藏，并留下你的观点哦！