美文网首页密码学
国密SM2双证书申请

国密SM2双证书申请

作者: jockie911 | 来源:发表于2021-08-16 14:02 被阅读0次

    最近在处理国密SM2双证书申请,网上查了很多资料零零散散,所以自己写下一点总结

    1.本次需求是移动端App上申请双证书(加密证书 + 签名证书),加密证书用于数据加密,签名证书用于签名。我们只需要生成请求证书的pkcs10 的 csr,让后端去CA申请双证书

    2.前期准备:引入BC库(版本1.6.0)生成公私钥对,公钥是椭圆曲线上的点(x,y)

    public static KeyPairgenerateBCKeyaPair()throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC",new BouncyCastleProvider());
    keyGen.initialize(new ECNamedCurveGenParameterSpec(AIG_NAME));
    KeyPair keyPair = keyGen.generateKeyPair();
    return keyPair;
}

    3.生成申请pkcs10的CSR事例,先设置DN项

    public static String createP10(CertInitBean applyInfo, KeyPair keypair)throws Exception {
    String dnFormat ="CN=%s,C=%s,O=%s";
    String c = applyInfo.getTenantName() +"@" + applyInfo.getCardNo();
    String o = !applyInfo.isPersonal() ? applyInfo.getTenantName() :"";
    String dn = String.format(dnFormat,c,applyInfo.getCountry(),o);

    //1. 创建签名
    ContentSigner signer =new JcaContentSignerBuilder("SM3WITHSM2")
        .setProvider(new BouncyCastleProvider()).build(keypair.getPrivate());
    //2. 创建证书请求
    PKCS10CertificationRequestBuilder pkcs10CertificationRequestBuilder =new JcaPKCS10CertificationRequestBuilder(new X500Name(dn),keypair.getPublic());
    PKCS10CertificationRequest pkcs10CertificationRequest = pkcs10CertificationRequestBuilder.build(signer);
    return Base64Utils.encode(pkcs10CertificationRequest.getEncoded());
}

    4.请求CA申请证书事例以及返回数据格式

    image image

    5.我们需要主要拿到三个数据(加密证书/签名证书/加密证书的私钥),加密证书的私钥是经过签名证书私钥加密的对称密钥加密过的,所以接下来需要解密数字信封 获取加密证书的私钥

    处理encPrivateKey_shecaSM2    
public static String decryptECB(CertDBEntity certDBEntity) {
    String enc_envelope = certDBEntity.getEncEnvelope();
    //签名证书私钥
    PrivateKey sign_privateKey = GmUtil.getPrivatekeyFromD(new BigInteger(certDBEntity.getD()));

    byte[] decode = Base64Utils.decode(enc_envelope);
    System.out.println(Arrays.toString(decode));
    System.out.println(decode.length);
    byte[] version = new byte[4];
    byte[] ulSymmAlgID = new byte[4];
    byte[] ulBits = new byte[4];
    byte[] encryptedPriKey = new byte[64];
    byte[] pubKey = new byte[132];
    byte[] pairCipher = new byte[180];

    System.arraycopy(decode, 0, version, 0, version.length);
    System.arraycopy(decode, version.length, ulSymmAlgID, 0, ulSymmAlgID.length);
    System.arraycopy(decode, version.length+ulSymmAlgID.length, ulBits, 0, ulBits.length);
    System.arraycopy(decode, version.length+ulSymmAlgID.length+ulBits.length, encryptedPriKey, 0, encryptedPriKey.length);
    System.arraycopy(decode, version.length+ulSymmAlgID.length+ulBits.length+encryptedPriKey.length, pubKey, 0, pubKey.length);
    System.arraycopy(decode, version.length+ulSymmAlgID.length+ulBits.length+encryptedPriKey.length+pubKey.length, pairCipher, 0, pairCipher.length);
    byte[] priBytes = new byte[32];
    System.arraycopy(encryptedPriKey, 64-priBytes.length, priBytes, 0, priBytes.length);

    //转换公钥密文
    byte[] encDataToDer = encDataToDer(pairCipher);
    //获取公钥加密的对称密钥
    //uu7X9qbPO+UTqmWchIZfxw==
    byte[] sm4Key = GmUtil.sm2Decrypt(encDataToDer, sign_privateKey);

    String decryptECB = SM4.decryptECB(Base64Utils.encode(priBytes), Base64Utils.encode(sm4Key));
    return decryptECB;
}

    private static byte[] encDataToDer(byte[] encryptData){
    byte[] XCoordinate = new byte[32];
    System.arraycopy(encryptData, 32, XCoordinate, 0, 32);
    byte[] YCoordinate = new byte[32];
    System.arraycopy(encryptData, 96, YCoordinate, 0, 32);
    byte[] C3_hash = new byte[32];
    System.arraycopy(encryptData, 128, C3_hash, 0, 32);
    byte[] C2_cipher = new byte[encryptData.length - 4 - 32 - 128];
    System.arraycopy(encryptData, 4 + 32 + 128, C2_cipher, 0, C2_cipher.length);
    encryptData = new byte[1 + XCoordinate.length + YCoordinate.length + C3_hash.length + C2_cipher.length];
    System.arraycopy(XCoordinate, 0, encryptData, 1, XCoordinate.length);
    System.arraycopy(YCoordinate, 0, encryptData, 1 + XCoordinate.length, YCoordinate.length);
    System.arraycopy(C3_hash, 0, encryptData, 1 + XCoordinate.length + YCoordinate.length, C3_hash.length);
    System.arraycopy(C2_cipher, 0, encryptData, 1 + XCoordinate.length + YCoordinate.length + C3_hash.length, C2_cipher.length);

    Sm2CipherParser sm2Cipher = new Sm2CipherParser(encryptData);
    return sm2Cipher.decode();
}

    6.得到加密证书的私钥就可以用来加解密了

    公钥加密

    public static byte[] encode(PublicKey publicKey, byte[] encodeData) {
    return changeC1C2C3ToC1C3C2(sm2EncryptOld(encodeData, publicKey));
}

private static byte[] changeC1C2C3ToC1C3C2(byte[] c1c2c3) {
    final int c1Len = (x9ECParameters.getCurve().getFieldSize() + 7) / 8 * 2 + 1; //sm2p256v1的这个固定65。可看GMNamedCurves、ECCurve代码。
    final int c3Len = 32; //new SM3Digest().getDigestSize();
    byte[] result = new byte[c1c2c3.length];
    System.arraycopy(c1c2c3, 0, result, 0, c1Len); //c1
    System.arraycopy(c1c2c3, c1c2c3.length - c3Len, result, c1Len, c3Len); //c3
    System.arraycopy(c1c2c3, c1Len, result, c1Len + c3Len, c1c2c3.length - c1Len - c3Len); //c2
    return result;
}

    私钥解密

    public static byte[] decode(PrivateKey privateKey, byte[] decodeData) {
    return sm2DecryptOld(changeC1C3C2ToC1C2C3(decodeData), privateKey);
}

private static byte[] changeC1C3C2ToC1C2C3(byte[] c1c3c2) {
    final int c1Len = (x9ECParameters.getCurve().getFieldSize() + 7) / 8 * 2 + 1; //sm2p256v1的这个固定65。可看GMNamedCurves、ECCurve代码。
    final int c3Len = 32; //new SM3Digest().getDigestSize();
    byte[] result = new byte[c1c3c2.length];
    System.arraycopy(c1c3c2, 0, result, 0, c1Len); //c1: 0->65
    System.arraycopy(c1c3c2, c1Len + c3Len, result, c1Len, c1c3c2.length - c1Len - c3Len); //c2
    System.arraycopy(c1c3c2, c1Len, result, c1c3c2.length - c3Len, c3Len); //c3
    return result;
}

    7.使用签名证书签名,公钥验签

    签名

    public static byte[] sign(PrivateKey privateKey, byte[] signData) throws Exception {
    byte[] result = null;
    try {
        Signature signature = Signature.getInstance(GMObjectIdentifiers.sm2sign_with_sm3.toString(),new BouncyCastleProvider());
        signature.initSign(privateKey);
        signature.update(signData);
        result = signature.sign();
    }catch (Exception e) {
        throw new Exception("签名失败:"+e.getMessage());
    }
    return result;
}

    验签

    public static boolean verify(PublicKey publicKey, byte[] srcData, byte[] signedData) throws Exception {
    Boolean result = null;
    try {
        Signature signature = Signature.getInstance(GMObjectIdentifiers.sm2sign_with_sm3.toString(),new BouncyCastleProvider());
        signature.initVerify(publicKey);
        signature.update(srcData);
        result = signature.verify(signedData);
    }catch (Exception e) {
        throw new Exception("签名失败:"+e.getMessage());
    }
    return result;
}

    8.以上是基础用法,可以使用EC SM2进行PDF签名,以及验签,后续再补充

    相关文章

      网友评论

        本文标题:国密SM2双证书申请

        本文链接:https://www.haomeiwen.com/subject/efembltx.html

        延伸阅读

        深度阅读

        • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

        栏目导航

        热点阅读

        密码学

        关于我们|服务条款|联系我们|国密SM2双证书申请|投稿指南|网站地图|RSS订阅|排版工具|手机版

        提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

        Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

        备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

        本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

        所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!