Java BouncyCastle ECC Keys and Self Signed Certificates


Problem description


I've been scouring the internet for hours looking for a Java example for creating Elliptic Curve (EC) keys and self signed certificates. So far I've only found snippets and examples, many of which do not work.

Update:


I've made some progress here, here's my code for anybody that might find it useful! Just need to work out how to self sign it now!

 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.jce.ECNamedCurveTable;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.jce.spec.ECParameterSpec;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

 import java.io.StringWriter;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.*;

 /**
  * A simple example showing generation and verification of a PKCS#10 request.
  */
 public class genECKeyExample {
     private static final String BC = BouncyCastleProvider.PROVIDER_NAME;

     public static void main(String[] args) throws Exception {
         Security.addProvider(new BouncyCastleProvider());

         // Create an elliptic curve key pair on the named curve prime192v1 (secp192r1)
         ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime192v1");
         KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", BC);
         g.initialize(ecSpec, new SecureRandom());
         KeyPair pair = g.generateKeyPair();
         System.out.println(toPem(pair.getPrivate()));
         System.out.println(toPem(pair.getPublic()));

         // Signer that will sign the certification request with the new private key
         ContentSigner signer = new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(pair.getPrivate());

         PKCS10CertificationRequestBuilder reqBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=XXX"), pair.getPublic());
         PKCS10CertificationRequest req = reqBuilder.build(signer);

         // Re-parse the encoded request and verify its self-signature against the embedded public key
         ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().setProvider(BC).build(pair.getPublic());
         req = new PKCS10CertificationRequest(req.getEncoded());
         System.out.println("CSR signature valid: " + req.isSignatureValid(verifier));

         System.out.println(toPem(req));
         toFile("csr.pem", toPem(req));
         toFile("pkey.pem", toPem(pair.getPrivate()));
     }

     // Minimal stand-ins for the author's pemUtils helper, which is not shown on this page
     static String toPem(Object obj) throws Exception {
         StringWriter sw = new StringWriter();
         try (JcaPEMWriter pw = new JcaPEMWriter(sw)) {
             pw.writeObject(obj);
         }
         return sw.toString();
     }

     static void toFile(String path, String pem) throws Exception {
         Files.write(Paths.get(path), pem.getBytes(StandardCharsets.US_ASCII));
     }
 }


This is the closest I've got but does not create the CSR or certificate. Also, it doesn't appear to allow different key sizes (I think they are curves) to be selected. Does anybody have some working examples they can share?

 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.util.encoders.Hex;

 import java.io.StringWriter;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.spec.ECGenParameterSpec;

 import javax.crypto.KeyAgreement;

 public class X509CertificateGenerator {
     public static void main(String[] args) throws Exception {
         Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

         // Select the curve by name instead of typing its parameters in by hand. The hand-entered
         // parameters in the original repeated the value of a for b, the base point and the order,
         // which does not describe a valid curve. Other key sizes are simply other named curves,
         // e.g. "secp256r1", "secp384r1" or "secp521r1".
         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("ECDH", "BC");
         keyGen.initialize(new ECGenParameterSpec("secp192r1"), new SecureRandom());

         // What follows is an ECDH key agreement between two fresh key pairs; it produces a shared
         // secret, not a CSR or a certificate.
         KeyAgreement aKeyAgree = KeyAgreement.getInstance("ECDH", "BC");
         KeyPair aPair = keyGen.generateKeyPair();
         KeyAgreement bKeyAgree = KeyAgreement.getInstance("ECDH", "BC");
         KeyPair bPair = keyGen.generateKeyPair();

         aKeyAgree.init(aPair.getPrivate());
         bKeyAgree.init(bPair.getPrivate());

         aKeyAgree.doPhase(bPair.getPublic(), true);
         bKeyAgree.doPhase(aPair.getPublic(), true);

         // Both sides derive the same secret; print its hash hex-encoded rather than as raw bytes
         MessageDigest hash = MessageDigest.getInstance("SHA1", "BC");
         System.out.println(Hex.toHexString(hash.digest(aKeyAgree.generateSecret())));
         System.out.println(Hex.toHexString(hash.digest(bKeyAgree.generateSecret())));
         System.out.println(aPair.getPrivate());

         System.out.println(toPem(aPair.getPublic()));
         System.out.println(toPem(aPair.getPrivate()));
     }

     // PEM-encode a key; PEMWriter is deprecated and JcaPEMWriter is its replacement
     static String toPem(Object obj) throws Exception {
         StringWriter sw = new StringWriter();
         try (JcaPEMWriter pw = new JcaPEMWriter(sw)) {
             pw.writeObject(obj);
         }
         return sw.toString();
     }
 }


Recommended answer


I've managed to create a CSR programmatically following these steps (assuming you have an X509 certificate stored in a keystore):

import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;

import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

// getKeystore() and the alias/password are the answerer's own; the certificate and its private
// key must be stored under the same alias, so one variable is used for both lookups
String alias = "alias";
X509Certificate generatedCertificate = (X509Certificate) getKeystore().getCertificate(alias);
PrivateKey      privateRequestKey    = (PrivateKey) getKeystore().getKey(alias, "password".toCharArray());
Signature       signature            = Signature.getInstance("MD5WithRSA");

// Not used further below: the PKCS10CertificationRequest constructor signs the request itself
signature.initSign(privateRequestKey);

X500NameBuilder x500NameBld = new X500NameBuilder(BCStyle.INSTANCE);

// possibly less or more of these, depending on your needs
x500NameBld.addRDN(BCStyle.C, "country");
x500NameBld.addRDN(BCStyle.O, "ORG");
x500NameBld.addRDN(BCStyle.E, "email");
x500NameBld.addRDN(BCStyle.CN, "SubjectName");
x500NameBld.addRDN(BCStyle.SN, "12345678");

X500Name subject = x500NameBld.build();

// Older (deprecated) org.bouncycastle.jce constructor; the question's code uses the current
// JcaPKCS10CertificationRequestBuilder API from bcpkix
PKCS10CertificationRequest req = new PKCS10CertificationRequest("MD5WithRSA", X509Name.getInstance(subject),
        generatedCertificate.getPublicKey(), new DERSet(), privateRequestKey);


Please note that this code works for "regular" keypairs but should work for all public/private keypairs.
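The self-signing step the question was still missing, as an added example that is not code from the question or from this answer: it generates an EC key pair on a named curve (which is how the "key size" is chosen) and wraps the public key in a self-signed X.509 v3 certificate with the current bcpkix builder API, signed with SHA256withECDSA and verified afterwards. The class name and the DN are invented for the example.

```java
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;

// Added example (not the question's or answer's code): EC key pair plus self-signed X.509 v3 certificate
public class SelfSignedEcCert {
    private static final String BC = BouncyCastleProvider.PROVIDER_NAME;
    // The curve name is how the key "size" is chosen: secp256r1, secp384r1, secp521r1, ...
    static KeyPair generateKeyPair(String curveName) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC", BC);
        g.initialize(new ECGenParameterSpec(curveName), new SecureRandom());
        return g.generateKeyPair();
    }

    // Self-signed means issuer == subject and the certificate is signed with the key pair's own private key
    static X509Certificate selfSign(KeyPair pair, String dn, int days) throws Exception {
        X500Name name = new X500Name(dn);
        long now = System.currentTimeMillis();
        // Serial numbers must be positive and non-zero; use a random one rather than a constant
        BigInteger serial = new BigInteger(63, new SecureRandom()).add(BigInteger.ONE);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, new Date(now), new Date(now + days * 86_400_000L), name, pair.getPublic());
        // Mark it as an end-entity certificate so it cannot be used to issue further certificates
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA")
                .setProvider(BC).build(pair.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider(BC).getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPair pair = generateKeyPair("secp256r1");
        X509Certificate cert = selfSign(pair, "CN=Test, O=ExampleOrg", 365); // constructed DN
        cert.verify(pair.getPublic()); // throws if the signature does not verify with the embedded key
        cert.checkValidity();
        System.out.println(cert.getSubjectX500Principal() + " signed with " + cert.getSigAlgName());
    }
}
```

The resulting certificate can be written out in PEM with the same JcaPEMWriter used for the keys above.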
