Generate GOST 34.10-2001 keypair and save it to some keystore
Question
Currently I need to generate a keypair for the GOST 34.10-2001 signature algorithm. It was pleasant to discover that the Bouncy Castle provider already supports this algorithm, but I cannot generate a keypair and save it to any keystore of any type. Currently I tried this command (this command works great if keyalg is DSA and sigalg is SHA1withDSA):
keytool -genkey -alias test1 -keyalg ECGOST3410 -keysize 512 -sigalg GOST3411withECGOST3410 \
-keypass test_1 -validity 1000 -storetype JKS -keystore test1.jks -storepass test_1 -v \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-1.46.jar"
But I get an error:
keytool error: java.lang.IllegalArgumentException: unknown key size.
java.lang.IllegalArgumentException: unknown key size.
at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
I see exactly the same error when I try to manipulate keysize or remove the keysize option from the command. But there is one special case. When I set keysize to 256 I get another error:
keytool error: java.lang.IllegalArgumentException: key size not configurable.
java.lang.IllegalArgumentException: key size not configurable.
at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Currently I have no idea how to generate a keypair and how to save it to a keystore. Also I've got some Java code that can generate a key pair for the GOST 34.10-2001 algorithm:
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECGOST3410", "BC");
kpg.initialize(new ECGenParameterSpec("GostR3410-2001-CryptoPro-A"));
KeyPair kp = kpg.generateKeyPair();
This code sample uses the ECGenParameterSpec class to initialize a key pair generator, so maybe I should provide it somehow to the keytool (-providerArg provider_arg or -Jjavaoption)?
P.S. I think that I should provide the curve name as some parameter, but I cannot determine what parameter I should use.
Answer
You will not be able to use keytool and BC to create a keystore with GOST3410 keys. The sun.security.x509.CertAndKeyGen class used by the keytool does not provide an option to initialize the key generator with parameters, while the BC GOST3410 key generator requires initialization with an ECParameterSpec.
You can create the keypair+certificate and place them into the keystore programmatically:
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;
import java.util.concurrent.TimeUnit;

Security.addProvider( new org.bouncycastle.jce.provider.BouncyCastleProvider() );

// Key pair on the CryptoPro-A curve; this is the initialization keytool cannot perform
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( "ECGOST3410", "BC" );
keyPairGenerator.initialize( new ECGenParameterSpec( "GostR3410-2001-CryptoPro-A" ) );
KeyPair keyPair = keyPairGenerator.generateKeyPair();

// Self-signed certificate for the public key
org.bouncycastle.asn1.x500.X500Name subject = new org.bouncycastle.asn1.x500.X500Name( "CN=Me" );
org.bouncycastle.asn1.x500.X500Name issuer = subject; // self-signed
BigInteger serial = BigInteger.ONE; // serial number for self-signed does not matter a lot
Date notBefore = new Date();
Date notAfter = new Date( notBefore.getTime() + TimeUnit.DAYS.toMillis( 365 ) );
org.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder = new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
        issuer, serial,
        notBefore, notAfter,
        subject, keyPair.getPublic()
);
org.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
        new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder( "GOST3411withECGOST3410" )
                .build( keyPair.getPrivate() )
);
org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter = new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
X509Certificate certificate = certificateConverter.getCertificate( certificateHolder );

// Store private key + certificate chain in a fresh JKS keystore
KeyStore keyStore = KeyStore.getInstance( "JKS" );
keyStore.load( null, null ); // initialize new keystore
keyStore.setEntry(
        "alias",
        new KeyStore.PrivateKeyEntry(
                keyPair.getPrivate(),
                new Certificate[] { certificate }
        ),
        new KeyStore.PasswordProtection( "entryPassword".toCharArray() )
);
FileOutputStream out = new FileOutputStream( "test.jks" );
try {
    keyStore.store( out, "keystorePassword".toCharArray() );
} finally {
    out.close();
}
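The answer shows how to write the keystore but not how to confirm that what was written is usable, which is the check a practitioner wants before trusting a JKS file with a non-JDK key type. The following is an added example, not code from the original answer: it reloads the keystore, recovers the private key, and runs a GOST3411withECGOST3410 sign/verify round trip. The file name test.jks, the alias "alias" and the two passwords are assumed to match the answer's code above; the re-encoding of the public key through BC's ECGOST3410 KeyFactory is there because the JKS loader hands back the JDK's own certificate object, whose key object BC does not necessarily recognise.

```java
import java.io.FileInputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added check, not part of the original post: reload test.jks as written by the
// answer's code and prove the stored GOST 34.10-2001 key actually works.
public class GostKeyStoreCheck {

    // All four values are assumptions taken from the answer's code.
    private static final String KEYSTORE_FILE = "test.jks";
    private static final String ALIAS = "alias";
    private static final char[] STORE_PASSWORD = "keystorePassword".toCharArray();
    private static final char[] ENTRY_PASSWORD = "entryPassword".toCharArray();
    private static final String SIG_ALG = "GOST3411withECGOST3410";

    public static void main(String[] args) throws Exception {
        // BC must be registered before load(): JKS re-decodes the PKCS#8 private key
        // through a KeyFactory looked up by the key's algorithm OID, which only BC provides.
        Security.addProvider(new BouncyCastleProvider());

        KeyStore keyStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(KEYSTORE_FILE);
        try {
            keyStore.load(in, STORE_PASSWORD);
        } finally {
            in.close();
        }

        PrivateKey privateKey = (PrivateKey) keyStore.getKey(ALIAS, ENTRY_PASSWORD);
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate(ALIAS);

        // Re-encode the SubjectPublicKeyInfo into a BC key object so the BC signature
        // engine accepts it regardless of which provider parsed the certificate.
        PublicKey publicKey = KeyFactory.getInstance("ECGOST3410", "BC")
                .generatePublic(new X509EncodedKeySpec(certificate.getPublicKey().getEncoded()));

        System.out.println("private key algorithm: " + privateKey.getAlgorithm());
        System.out.println("certificate sigAlg OID: " + certificate.getSigAlgOID());

        // 1. The self-signed certificate must verify under its own public key.
        certificate.verify(publicKey, "BC");

        // 2. A signature made with the recovered private key must verify (constructed sample message).
        byte[] message = "constructed sample message".getBytes("UTF-8");
        byte[] signature = sign(privateKey, message);
        if (!verify(publicKey, message, signature)) {
            throw new IllegalStateException("valid signature rejected");
        }

        // 3. A one-bit change to the message must be rejected.
        byte[] tampered = message.clone();
        tampered[0] ^= 0x01;
        if (verify(publicKey, tampered, signature)) {
            throw new IllegalStateException("tampered message accepted");
        }

        System.out.println(SIG_ALG + " round trip through " + KEYSTORE_FILE + " OK");
    }

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature signer = Signature.getInstance(SIG_ALG, "BC");
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] signature) throws Exception {
        Signature verifier = Signature.getInstance(SIG_ALG, "BC");
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(signature);
    }
}
```

Compile and run it with the Bouncy Castle provider jar on the classpath, after the answer's code has produced test.jks. If getKey() fails with an "algorithm not available" style error, the provider was not registered before load(); if the certificate verifies but the sign/verify step fails, the private key was recovered under a different algorithm than the certificate's public key.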