Import RSA keyPair to KeyStore


Problem description


For my specific situation, I have to generate an RSA key pair (in my Android application) using the following code:

import java.security.*;

// "RSA/ECB/PKCS1Padding" is a Cipher transformation, not a KeyPairGenerator algorithm name; use "RSA".
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
generator.initialize(1024, new SecureRandom()); // 1024-bit RSA is below today's 2048-bit minimum
KeyPair keyPair = generator.generateKeyPair();


How can I import the keyPair into the Android keyStore? I have been searching on the Internet for some time and did not find out how I can create the self-signed certificate for the RSA public key for import into the keystore.


Appreciate any hints or even sample code.

Recommended answer


I'm assuming you explicitly need to generate keys outside of the AndroidKeyStore and import them into the AndroidKeyStore. In Android, the recommended way to generate keys is to generate them directly in the AndroidKeyStore.


Importing keys into the AndroidKeyStore is quite easy. But the tricky part is generating the self-signed certificate, because there is no built-in X509Certificate generator in either the Android SDK or Java itself.


You can generate and import keys with this code snippet:

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;

// Generated outside the keystore: the private key material exists in app memory until it is imported.
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
generator.initialize(2048, new SecureRandom());
KeyPair keyPair = generator.generateKeyPair();

// AndroidKeyStore refuses a private key entry without a certificate chain, hence the self-signed cert.
Certificate selfSignedCertificate = generateSelfSignedCertificate(keyPair);
Certificate[] certificateChain = new Certificate[]{selfSignedCertificate};

KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null); // AndroidKeyStore takes no input stream and no password
// null protection parameter: no password, and no KeyProtection restricting purposes or digests.
keyStore.setKeyEntry("meaningful_key_alias", keyPair.getPrivate(), null, certificateChain);

The tricky part, generating the X509 certificate:


Because there is no provided way to generate an X509Certificate in Android, I think the best way to generate a certificate is to use some trustworthy crypto library. BouncyCastle is one of the famous ones, and bouncycastle-bcpkix supports certificate generation.


Add the dependency in your app's build.gradle file:

implementation 'org.bouncycastle:bcpkix-jdk15on:1.64' // check for updated version


Implement the generateSelfSignedCertificate method for your requirements, something like:

import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

private X509Certificate generateSelfSignedCertificate(KeyPair keyPair) throws IOException, OperatorCreationException, CertificateException {
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA"); // don't use SHA1withRSA. It's not secure anymore.
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    // Lightweight-API private key parameters, built from the PKCS#8 encoding of the JCA key
    AsymmetricKeyParameter keyParam = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded());
    SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    ContentSigner signer = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(keyParam);
    X500Name issuer = new X500Name("CN=Tolga Okur CA, L=Istanbul");
    X500Name subject = new X500Name("CN=MyBeautifulApp, L=Istanbul");
    BigInteger serial = BigInteger.valueOf(1); // Update with a unique one if it will be used to identify this certificate
    Calendar notBefore = Calendar.getInstance();
    Calendar notAfter = Calendar.getInstance();
    notAfter.add(Calendar.YEAR, 20); // This certificate is valid for 20 years.

    X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(issuer,
            serial,
            notBefore.getTime(),
            notAfter.getTime(),
            subject,
            spki);
    X509CertificateHolder certificateHolder = v3CertGen.build(signer); // self-signed: same key signs and is certified

    return new JcaX509CertificateConverter().getCertificate(certificateHolder);
}

Alternative:


If you will generate keys on the server and want to import them securely into the hardware-backed keystore, on Android 9 (API level 28) and higher, which shipped with Keymaster 4 or higher, you can import keys using WrappedKeyEntry:

https://developer.android.com/training/articles/keystore#ImportingEncryptedKeys
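The answer above imports with a null protection parameter and stops there. As an added example (not part of the original answer or the questioner's code), the class below does the import with a KeyProtection that limits the key to SHA-256 / PKCS#1 v1.5 signing, then performs the checks a practitioner wants after importing: reads the entry back, confirms the private key material is no longer exportable, asks Keymaster via KeyInfo whether the key landed in secure hardware, and runs a sign/verify round trip against the stored certificate. The alias, the sample message and the class name are made up for this example; the caller is expected to supply the certificate from the answer's generateSelfSignedCertificate method.

```java
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;

import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.spec.InvalidKeySpecException;

public final class ImportedKeyCheck {

    // Hypothetical alias chosen for this example.
    private static final String ALIAS = "imported_rsa_signing_key";

    /** Outcome of the post-import checks. */
    public static final class Result {
        public final boolean hardwareBacked;
        public final boolean signatureValid;
        Result(boolean hardwareBacked, boolean signatureValid) {
            this.hardwareBacked = hardwareBacked;
            this.signatureValid = signatureValid;
        }
    }

    /**
     * Import with a KeyProtection instead of the null protection parameter, so Keymaster
     * only permits SHA-256 / PKCS#1 v1.5 signatures with this key (no decryption, no other digests).
     */
    static void importRestricted(KeyStore keyStore, KeyPair keyPair, Certificate selfSigned)
            throws Exception {
        KeyProtection protection = new KeyProtection.Builder(
                        KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .build();
        keyStore.setEntry(ALIAS,
                new KeyStore.PrivateKeyEntry(keyPair.getPrivate(), new Certificate[]{selfSigned}),
                protection);
    }

    /** Ask Keymaster where the key lives: true for TEE/StrongBox, false for the software keystore. */
    static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        try {
            KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
            // On API 31+ prefer info.getSecurityLevel(); isInsideSecureHardware() is deprecated there.
            return info.isInsideSecureHardware();
        } catch (InvalidKeySpecException e) {
            return false; // not an AndroidKeyStore key at all
        }
    }

    /** Sign with the keystore-backed private key, verify with the stored certificate's public key. */
    static boolean signVerifyRoundTrip(KeyStore keyStore, byte[] message) throws Exception {
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(ALIAS, null);
        PrivateKey priv = entry.getPrivateKey();
        if (priv.getEncoded() != null) {
            // AndroidKeyStore private keys return null here: the material stays inside Keymaster.
            throw new IllegalStateException("private key material is exportable; not a keystore key");
        }
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv); // the AndroidKeyStore provider is selected by the key type
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(entry.getCertificate()); // public key from the self-signed cert
        verifier.update(message);
        return verifier.verify(sig);
    }

    /** End to end: import a pair generated outside the keystore, then check the result. */
    public static Result importAndCheck(KeyPair keyPair, Certificate selfSigned) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        importRestricted(keyStore, keyPair, selfSigned);

        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(ALIAS, null);
        boolean hardware = isHardwareBacked(entry.getPrivateKey());
        byte[] message = "attest me".getBytes(StandardCharsets.UTF_8); // constructed sample input
        boolean ok = signVerifyRoundTrip(keyStore, message);
        return new Result(hardware, ok);
    }
}
```

Call it as ImportedKeyCheck.importAndCheck(keyPair, generateSelfSignedCertificate(keyPair)) after generating the pair as in the answer. signatureValid should be true on any device; hardwareBacked is false on emulators and devices without a Keymaster TEE, which is worth knowing before relying on the key. Even when it is true, the private key existed in plain form in app memory before the import, so a key that must never leave hardware should be generated inside the AndroidKeyStore or imported through the WrappedKeyEntry path linked above.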
