一般用户证书和加密数据是一起发放到客户端的,但是使用用户证书的公钥解密数据前需要验证用户证书是否可信,即从源头来说是否由根证书签发的,按证书链去认证。使用根证书验证用户证书可信并解密的Java实现如下:
1.读取根证书文件初始化根证书对象,并获取根证书中的公钥
1
2
3
| CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Certificate rootCert = certificateFactory.generateCertificate(new FileInputStream(rootCertPath));
PublicKey rootCertPublicKey = rootCert.getPublicKey();
|
2.使用用户证书byte数组数据初始化用户证书对象
1
2
| X509Certificate userCert = (X509Certificate)certificateFactory.generateCertificate(
new ByteArrayInputStream(userCertByteArray));
|
3.使用用户证书验证根证书的公钥,如果验证通过(即不抛出Exception)说明这个用户证书是这个根证书签发的,同时检查用户证书是否有效
1
2
3
4
5
6
7
8
| try {
userCert.verify(rootCertPublicKey);
userCert.checkValidity();
Log.d(TAG,"------------- 工作证书验证成功 -----------");
}catch (Exception e) {
Log.d(TAG,"------------- 工作证书验证失败 -----------");
}
|
4.最后使用用户证书的公钥进行解密
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| try {
Cipher cipher = Cipher.getInstance("RSA/ECB/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, userCert);
byte[] output = cipher.doFinal(cipherData);
return output;
} catch (NoSuchAlgorithmException e) {
throw new Exception("无此解密算法");
} catch (NoSuchPaddingException e) {
e.printStackTrace();
return null;
} catch (InvalidKeyException e) {
throw new Exception("解密公钥非法,请检查");
} catch (IllegalBlockSizeException e) {
throw new Exception("密文长度非法");
} catch (BadPaddingException e) {
throw new Exception("密文数据已损坏");
}
|
