import RSA keyPair to KeyStore
Question
For my specific situation, I have to generate an RSA key pair (in my Android application) using the following code:
// "RSA/ECB/PKCS1Padding" is a Cipher transformation, not a key-pair algorithm;
// KeyPairGenerator only accepts the algorithm name "RSA"
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
generator.initialize(1024, new SecureRandom()); // 1024-bit RSA is below current minimum recommendations
KeyPair keyPair = generator.generateKeyPair();
How can I import the keyPair into the Android keyStore? I have been searching on the Internet for some time and did not get how I can create the self-signed certificate for the RSA public key for import to the keystore.
Appreciate any hints or even sample code.
Answer
I'm assuming you explicitly need to generate keys outside of the AndroidKeyStore and import them into the AndroidKeyStore. In Android, the recommended way to generate keys is generating keys into the AndroidKeyStore.
Importing keys to the AndroidKeyStore is quite easy. But the tricky part is generating a self-signed certificate, because there is no built-in X509Certificate generator in either the Android SDK or Java itself.
You can generate and import keys with this code snippet:
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
generator.initialize(2048, new SecureRandom());
KeyPair keyPair = generator.generateKeyPair();
Certificate selfSignedCertificate = generateSelfSignedCertificate(keyPair);
Certificate[] certificateChain = new Certificate[]{selfSignedCertificate};
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null); // AndroidKeyStore has no backing file or password
// Entry password is null: AndroidKeyStore does not use per-entry passwords
keyStore.setKeyEntry("meaningful_key_alias", keyPair.getPrivate(), null, certificateChain);
The tricky part, generating the X509 certificate:
Because there is no provided way to generate an X509Certificate in Android, I think the best way to generate a certificate is using some trustworthy crypto library. BouncyCastle is one of the famous ones and bouncycastle-bcpkix supports certificate generation.
Add the dependency in your app's build.gradle file:
implementation 'org.bouncycastle:bcpkix-jdk15on:1.64' // check for updated version
Implement the generateSelfSignedCertificate method for your requirement, something like:
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

private X509Certificate generateSelfSignedCertificate(KeyPair keyPair) throws IOException, OperatorCreationException, CertificateException {
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA"); // don't use SHA1withRSA. It's not secure anymore.
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    // Lightweight-API private key parameters, built from the PKCS#8 encoding of the JCA key
    AsymmetricKeyParameter keyParam = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded());
    SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    // Self-signed: the certificate is signed with the same key pair's private key
    ContentSigner signer = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(keyParam);
    X500Name issuer = new X500Name("CN=Tolga Okur CA, L=Istanbul");
    X500Name subject = new X500Name("CN=MyBeautifulApp, L=Istanbul");
    BigInteger serial = BigInteger.valueOf(1); // Update with unique one if it will be used to identify this certificate
    Calendar notBefore = Calendar.getInstance();
    Calendar notAfter = Calendar.getInstance();
    notAfter.add(Calendar.YEAR, 20); // This certificate is valid for 20 years.
    X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(issuer,
            serial,
            notBefore.getTime(),
            notAfter.getTime(),
            subject,
            spki);
    X509CertificateHolder certificateHolder = v3CertGen.build(signer);
    // Convert the BouncyCastle holder into a JCA X509Certificate usable with KeyStore
    return new JcaX509CertificateConverter().getCertificate(certificateHolder);
}
Alternative:
If you will generate keys on the server and want to import them securely into the hardware-backed keystore, on Android 9 (API level 28) and higher, which shipped with Keymaster 4 or higher, you can import keys using WrappedKeyEntry:
https://developer.android.com/training/articles/keystore#ImportingEncryptedKeys
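As an added example (not part of the answer above), a post-import self-check that a practitioner would typically run: it loads the entry under the alias used in the answer's snippet, does a sign/verify round trip through the keystore provider against the imported self-signed certificate, and asks the provider whether the key material ended up in secure hardware. It assumes the alias "meaningful_key_alias" from the snippet and Android API level 23 or higher for android.security.keystore.KeyInfo; the class and method names are my own.

```java
import android.security.keystore.KeyInfo;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.spec.InvalidKeySpecException;

public final class ImportedKeyCheck {
    /** Outcome of checking one AndroidKeyStore entry (hypothetical helper type). */
    public static final class Result {
        public final boolean signatureVerifies, insideSecureHardware;
        Result(boolean v, boolean h) { signatureVerifies = v; insideSecureHardware = h; }
    }

    /** Sign/verify round trip with the entry under alias, plus a hardware-backing check. */
    public static Result check(String alias) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        KeyStore.Entry entry = keyStore.getEntry(alias, null);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalStateException("no private key entry under alias " + alias);
        }
        KeyStore.PrivateKeyEntry pk = (KeyStore.PrivateKeyEntry) entry;
        PrivateKey privateKey = pk.getPrivateKey();
        Certificate cert = pk.getCertificate(); // leaf of the chain given to setKeyEntry
        // Constructed sample payload; its content does not matter for the round trip.
        byte[] payload = "keystore import self-test".getBytes(StandardCharsets.UTF_8);
        // Sign through the keystore provider: the private key bytes are not exported.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(payload);
        byte[] sig = signer.sign();
        // Verify with the public key taken from the imported self-signed certificate.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(payload);
        boolean verifies = verifier.verify(sig);
        // KeyInfo (API 23+) reports whether the key material sits in secure hardware.
        boolean hardware;
        try {
            KeyFactory kf = KeyFactory.getInstance(privateKey.getAlgorithm(), "AndroidKeyStore");
            hardware = kf.getKeySpec(privateKey, KeyInfo.class).isInsideSecureHardware();
        } catch (InvalidKeySpecException e) {
            hardware = false; // key is not managed by the AndroidKeyStore provider
        }
        return new Result(verifies, hardware);
    }
}
```

Call ImportedKeyCheck.check("meaningful_key_alias") right after the setKeyEntry call; a false insideSecureHardware means the imported key is only software-protected on that device, which is the trade-off of importing versus generating inside the AndroidKeyStore.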