https代理服务器（四）java动态签发【失败】

https://zhuanlan.zhihu.com/p/355241710?utm_id=0

http://t.zoukankan.com/xiaxj-p-8961131.html

https://www.cnblogs.com/cwjcsu/archive/2012/10/05/8433078.html

https://www.iteye.com/blog/zhuyuehua-1102143

https://www.cnblogs.com/cwjcsu/archive/2012/10/05/8433079.html

 

 sslcontxt

https://www.codenong.com/11143360/

https://blog.csdn.net/shuxiaohua/article/details/118463065

 

始终搞不定，算了，用mkcert，因为这一块Security本身就是jdk jre强相关，可移植性可部署性也没比mkcert强到哪里：

package com.jds.test.httpproxy.miniserver;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.InputAEADDecryptor;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;


import java.io.*;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

/**
 * Created by mac on 2022/12/19.
 */
public class CAServer {
    public static void main(String[] args) throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException,
            FileNotFoundException, IOException, UnrecoverableEntryException {
        //读取CA证书的JKS文件
        KeyStore store = KeyStore.getInstance("PKCS12");
//        File file = new File("/Users/mac/Downloads/rootCA.txt");
        InputStream inputStream = CAServer.class.getClassLoader().getResourceAsStream("rootCA.p12");
        store.load(inputStream, "hhh123".toCharArray());

        KeyStore.PrivateKeyEntry ke = (KeyStore.PrivateKeyEntry) store.getEntry("1",
                new KeyStore.PasswordProtection("hhh123".toCharArray()));
        String subject = "C=cn,ST=sh,L=sh,O=mkcert development certificate,OU=mac@macdeMacBook.local,CN=myhost.com,E=sh";
        //给alice签发证书并存为xxx-alice.jks的文件
        gen(ke, subject, "myhost.com");

    }

    //用KeyEntry形式存储一个私钥以及对应的证书，并把CA证书加入到它的信任证书列表里面。
    public static void store(PrivateKey key, Certificate cert,
                             Certificate caCert, String name) throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null);
        store.setKeyEntry(name, key, "".toCharArray(), new Certificate[] {
                cert, caCert });
        File file = new File("/Users/mac/Downloads/jdk.jks");
        if (file.exists() || file.createNewFile()) {
            store.store(new FileOutputStream(file), ("_"+name).toCharArray());
        }
    }

    //用ke所代表的CA给subject签发证书，并存储到名称为name的jks文件里面。
    public static void gen(KeyStore.PrivateKeyEntry ke, String subject, String name) {
        try {
            X509Certificate caCert = (X509Certificate) ke.getCertificate();
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair keyPair = kpg.generateKeyPair();

            KeyStore store = KeyStore.getInstance("JKS");
            store.load(null, null);
            String issuer = caCert.getIssuerDN().toString();
            Certificate cert = generateV3(issuer, subject,
                    BigInteger.valueOf(System.currentTimeMillis()), new Date(System.currentTimeMillis() - 1000
                            * 60 * 60 * 24),
                    new Date(System.currentTimeMillis() + 1000L * 60 * 60 * 24
                            * 365 * 2), keyPair.getPublic(),//待签名的公钥
                    ke.getPrivateKey()//CA的私钥
                    , null);
            store(keyPair.getPrivate(), cert, ke.getCertificate(), name);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static Certificate generateV3(String issuer, String subject,
                                         BigInteger serial, Date notBefore, Date notAfter,
                                         PublicKey publicKey, PrivateKey privKey, List<Extension> extensions)
            throws OperatorCreationException, CertificateException, IOException {

        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), serial, notBefore, notAfter,
                new X500Name(subject), publicKey);
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
                .setProvider("BC").build(privKey);
        //privKey是CA的私钥，publicKey是待签名的公钥，那么生成的证书就是被CA签名的证书。
        GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.dNSName, "myhost.com"));
        builder.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
        X509CertificateHolder holder = builder.build(sigGen);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream is1 = new ByteArrayInputStream(holder.toASN1Structure()
                .getEncoded());
        X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
        is1.close();
        return theCert;
    }
}