What is the best way to generate Certificate Signing Request using AndroidKeyStoreProvider?

大憨熊 posted on 2020-07-30 05:37:28

Question


I read this article.

It says how to generate a KeyPair, however it doesn't specify how to generate a Certificate Signing Request based on the generated keys.

From my research, to generate a CSR in Java, the samples from the web usually use the package sun.* or the BouncyCastle library. It seems like there isn't a way to generate a CSR with the standard java.security API. I read this and it seems to say the same thing.

Do I have no choice but to use BouncyCastle? It is hard to imagine that Android Developers don't consider this kind of usage.

By the way, the article also mentions that:

Generating a new PrivateKey requires that you also specify the initial X.509 attributes that the self-signed certificate will have. You can replace the certificate at a later time with a certificate signed by a Certificate Authority

Suppose I finally get a certificate signed by a Certificate Authority. What exactly should I do to "replace the certificate at a later time"?


Answer 1:


Regarding generating a CSR (certificate signing request) on the Android phone, I think it is rather straightforward to use SpongyCastle instead. It is an Android port of BouncyCastle.

Suppose I finally get a certificate signed by a Certificate Authority. What exactly should I do to "replace the certificate at a later time"?

Once you have the actual signed certificate which you are supposed to get from the CA (Certificate Authority), you no longer need your CSR; you should just store the signed certificate on the phone. Where to save them - I guess you can get help here.




Answer 2:


The best way to create a CSR on Android is to use SpongyCastle, which is an implementation of BouncyCastle for Android. SpongyCastle already does a lot of the heavy-lifting for you so it will make your life much easier.


My implementation is heavily based on the answer found here, but uses the Android KeyStore for security and SpongyCastle's JcaContentSignerBuilder() instead of the custom ContentSigner.

Add SpongyCastle to your build.gradle file:

compile 'com.madgag.spongycastle:core:1.51.0.0'
compile 'com.madgag.spongycastle:pkix:1.51.0.0'

Create the KeyPair in the Android KeyStore:

import android.security.keystore.KeyGenParameterSpec; // API 23+
import android.security.keystore.KeyProperties;
import java.security.KeyPair;
import java.security.KeyPairGenerator;

KeyPairGenerator keyGen = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); // store the key in the Android KeyStore for security purposes
keyGen.initialize(new KeyGenParameterSpec.Builder(
                  "key1",                      // alias the entry is looked up by later
                  KeyProperties.PURPOSE_SIGN)  // the CSR (and later TLS/auth) only needs signing
                  .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                  .setDigests(KeyProperties.DIGEST_SHA256,
                                KeyProperties.DIGEST_SHA384,
                                KeyProperties.DIGEST_SHA512)
                  .build()); // defaults to RSA 2048
KeyPair keyPair = keyGen.generateKeyPair(); // private key material stays inside the keystore

Create the CSR using said KeyPair:

import java.io.IOException;
import java.security.KeyPair;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x509.BasicConstraints;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.ExtensionsGenerator;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

private final static String CN_PATTERN = "CN=%s, O=Aralink, OU=OrgUnit";
// Not defined in the original post; SHA256withRSA matches the PKCS#1 padding and SHA-256 digest the key was created with
private final static String DEFAULT_RSA_SIGNATURE_ALGORITHM = "SHA256withRSA";

//Create the certificate signing request (CSR) from private and public keys
public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String cn) throws IOException, OperatorCreationException {
    String principal = String.format(CN_PATTERN, cn);

    // The private key is an AndroidKeyStore handle: the signature is computed by the
    // keystore provider, so the key material never leaves the keystore
    ContentSigner signer = new JcaContentSignerBuilder(DEFAULT_RSA_SIGNATURE_ALGORITHM).build(keyPair.getPrivate());

    PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
            new X500Name(principal), keyPair.getPublic());
    // Requested extensions travel in the PKCS#9 extensionRequest attribute; the CA is free to honour or ignore them
    ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
            extensionsGenerator.generate());
    // build() signs the request with the private key, which proves possession of it to the CA
    return csrBuilder.build(signer);
}

And that's it: now you have a PKCS10CertificationRequest that you can send to your server.
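The second half of the question ("replace the certificate at a later time") is only answered in outline above. As an added example, not code from either answer or from the linked article, this is how the CA-issued chain is installed over the self-signed certificate that AndroidKeyStore attached to the key, using only the standard java.security API. The class name, the assumption that the server returns the chain as PEM with the leaf certificate first, and the reuse of Answer 2's alias "key1" are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public final class KeyStoreCertInstaller {

    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";

    /**
     * Replaces the self-signed certificate under {@code alias} (e.g. "key1")
     * with the CA-issued chain. {@code pemChain} holds the leaf certificate
     * first, followed by the issuing CA certificate(s).
     */
    public static X509Certificate installIssuedChain(String alias, byte[] pemChain)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEY_STORE);
        ks.load(null);

        // Hardware-backed handle only; the private key material is never exported.
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, null);
        if (privateKey == null) {
            throw new IllegalStateException("no key under alias " + alias);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate[] chain = cf.generateCertificates(new ByteArrayInputStream(pemChain))
                .toArray(new Certificate[0]);
        if (chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        X509Certificate leaf = (X509Certificate) chain[0];

        // Sanity check before overwriting anything: the leaf must certify the
        // public key already stored under this alias, otherwise the CA signed
        // some other key (or the wrong CSR) and installing it would strand the entry.
        Certificate current = ks.getCertificate(alias);
        if (!Arrays.equals(current.getPublicKey().getEncoded(), leaf.getPublicKey().getEncoded())) {
            throw new IllegalArgumentException("issued certificate does not match key " + alias);
        }
        leaf.checkValidity();

        // Same alias, same AndroidKeyStore key object, new chain: the keystore
        // keeps the key material and swaps in the certificates.
        ks.setKeyEntry(alias, privateKey, null, chain);
        return leaf;
    }
}
```

After this call, ks.getCertificateChain("key1") returns the CA-issued chain and TLS client-auth or signing code that looks the entry up by alias picks it up without any change to the key.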



Source: https://stackoverflow.com/questions/25907326/what-is-the-best-way-to-generate-certificate-signing-request-using-androidkeysto
