Generate GOST 34.10-2001 keypair and save it to some keystore


Question

Currently I need to generate a keypair for the GOST 34.10-2001 signature algorithm. It was pleasant to discover that the bouncy castle provider already supports this algorithm, but I cannot generate a keypair and save it to any keystore of any type. Currently I tried this command (this command works great if keyalg is DSA and sigalg is SHA1withDSA):

keytool -genkey -alias test1 -keyalg ECGOST3410 -keysize 512  -sigalg GOST3411withECGOST3410 \
-keypass test_1 -validity 1000 -storetype JKS -keystore test1.jks -storepass test_1 -v \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-1.46.jar"

But I get an error:

keytool error: java.lang.IllegalArgumentException: unknown key size.
java.lang.IllegalArgumentException: unknown key size.
        at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

I see exactly the same error when I try to manipulate the keysize or remove the keysize option from the command. But there is one special case. When I set keysize to 256 I get another error:

keytool error: java.lang.IllegalArgumentException: key size not configurable.
java.lang.IllegalArgumentException: key size not configurable.
        at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

Currently I have no idea how to generate a keypair and how to save it to a keystore. I also have some Java code that can generate a key pair for the GOST 34.10-2001 algorithm:

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

// ECGOST3410 keys are generated on a named GOST curve, selected via ECGenParameterSpec
KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECGOST3410", "BC");
kpg.initialize(new ECGenParameterSpec("GostR3410-2001-CryptoPro-A"));

KeyPair kp = kpg.generateKeyPair();

This code sample uses the ECGenParameterSpec class to initialize a key pair generator, so maybe I should provide it somehow to the keytool (-providerArg provider_arg or -Jjavaoption)?

P.S. I think that I should provide the curve name as some parameter, but I cannot determine what parameter I should use.

Answer

You will not be able to use keytool and BC to create a keystore with GOST3410 keys.

The sun.security.x509.CertAndKeyGen class used by the keytool does not provide an option to initialize the key generator with parameters, while the BC GOST3410 key generator requires initialization with an ECParameterSpec.

You can create the keypair + certificate and place them into the keystore programmatically:

import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;
import java.util.concurrent.TimeUnit;

Security.addProvider( new org.bouncycastle.jce.provider.BouncyCastleProvider() );

// generate the GOST key pair on a named curve (this is what keytool cannot do)
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( "ECGOST3410", "BC" );
keyPairGenerator.initialize( new ECGenParameterSpec( "GostR3410-2001-CryptoPro-A" ) );
KeyPair keyPair = keyPairGenerator.generateKeyPair();

// a private-key entry needs a certificate chain, so build a self-signed certificate
org.bouncycastle.asn1.x500.X500Name subject = new org.bouncycastle.asn1.x500.X500Name( "CN=Me" );
org.bouncycastle.asn1.x500.X500Name issuer = subject; // self-signed
BigInteger serial = BigInteger.ONE; // serial number for self-signed does not matter a lot
Date notBefore = new Date();
Date notAfter = new Date( notBefore.getTime() + TimeUnit.DAYS.toMillis( 365 ) );

org.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder = new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
        issuer, serial,
        notBefore, notAfter,
        subject, keyPair.getPublic()
);
// sign the certificate with the GOST private key itself
org.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
        new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder( "GOST3411withECGOST3410" )
                .build( keyPair.getPrivate() )
);
org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter = new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
X509Certificate certificate = certificateConverter.getCertificate( certificateHolder );

KeyStore keyStore = KeyStore.getInstance( "JKS" );
keyStore.load( null, null ); // initialize new keystore
keyStore.setEntry(
        "alias",
        new KeyStore.PrivateKeyEntry(
                keyPair.getPrivate(),
                new Certificate[] { certificate }
        ),
        new KeyStore.PasswordProtection( "entryPassword".toCharArray() )
);
// try-with-resources closes the stream even if store() throws
try ( FileOutputStream out = new FileOutputStream( "test.jks" ) ) {
    keyStore.store( out, "keystorePassword".toCharArray() );
}
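Added example, not part of the question or the answer: it reopens the keystore the answer's code writes (assuming the same file name "test.jks", alias "alias" and passwords), verifies the certificate's self-signature, and runs a GOST3411withECGOST3410 sign/verify round trip to confirm the stored entry is actually usable.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class GostKeystoreCheck {
    public static void main(String[] args) throws Exception {
        // BC must be registered before load(): the JKS private-key entry is decoded
        // through a KeyFactory for the key's algorithm, which only BC provides here.
        Security.addProvider(new BouncyCastleProvider());

        // file name, alias and passwords are assumed to match the answer's code
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("test.jks")) {
            keyStore.load(in, "keystorePassword".toCharArray());
        }
        PrivateKey privateKey = (PrivateKey) keyStore.getKey("alias", "entryPassword".toCharArray());
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate("alias");

        System.out.println("private key algorithm: " + privateKey.getAlgorithm()); // BC reports ECGOST3410
        System.out.println("certificate signature: " + certificate.getSigAlgName());

        // the certificate is self-signed, so its own public key must verify it
        certificate.verify(certificate.getPublicKey(), "BC");
        certificate.checkValidity();

        // sign/verify round trip over a constructed message with the stored key pair
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("GOST3411withECGOST3410", "BC");
        signer.initSign(privateKey);
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("GOST3411withECGOST3410", "BC");
        verifier.initVerify(certificate.getPublicKey());
        verifier.update(message);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("GOST signature did not verify");
        }
        System.out.println("keystore entry is usable: GOST signature verified (" + sig.length + " bytes)");
    }
}
```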
