在Java Security中使用openssh公钥(ecdsa-sha2-nistp256) [英] Using openssh public key (ecdsa-sha2-nistp256) with Java Security
问题描述
是否有一个Java库/示例可以读取Java中JCE PublicKey
的openssh格式ecdsa公钥?我想对 JWT 使用EC.
我尝试读取的格式是按照authorized_keys或Github API(例如 https ://api.github.com/users/davidcarboni/keys ):ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK8hPtB72/sfYgNw1WTska2DNOJFx+QhUxuV6OLINSD2ty+6gxcM8yZrvMqWdMePGRb2cGh8L/0bGOk+64IQ/pM=
我找到了这个答案,这对于RSA和DSS来说很好:
使用具有Java安全性的authorized_keys中的公钥,以及关于ECDSA的openssh格式的讨论: ECPublicKeySpec
.它需要ECPoint
,EllipticCurve
,ECParameterSpec
,ECField
. openssh格式仅包含两个整数,这对于ECPoint
是有意义的,但我不知道如何设置其余部分.
我一直在闲逛一堆库,包括 jsch , sshj , Bouncycastle .我最近的是:
com.jcraft.jsch.KeyPair load = com.jcraft.jsch.KeyPair.load(jsch, null, bytes[openSshKey]);
可以很好地加载密钥,但不能让我进入JCE PublicKey
-只是byte[] getPublicKeyBlob()
方法.
我缺少明显的东西吗?
为完整起见,这是我使用的代码.它是几乎纯的JCE,在帮助器方法中散布了Bouncycastle(这会更新 Is there a Java library/example to read an openssh format ecdsa public key to a JCE The format I'm trying to read is as per authorized_keys, or Github API (e.g. https://api.github.com/users/davidcarboni/keys): I've found this answer, which is fine for RSA and DSS:
Using public key from authorized_keys with Java security, and this discussion of the openssh format for ECDSA: https://security.stackexchange.com/questions/129910/ecdsa-why-do-ssh-keygen-and-java-generated-public-keys-have-different-sizes However I'm getting lost trying to adapt the RSS/DSA code for ECDSA - I'm not sure how to set up an I've been poking around a bunch of libraries, including jsch, sshj, ssh-tools and good old Bouncycastle. The closest I have is: Which loads the key fine, but doesn't get me to a JCE Am I missing something obvious? For completeness, here's the code I've gone with. It's nearly-pure JCE, with a sprinkling of Bouncycastle inside helper methods (this updates the example code in Using public key from authorized_keys with Java security):
这篇关于在Java Security中使用openssh公钥(ecdsa-sha2-nistp256)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!PublicKey
in Java? I want to use EC for JWT .ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK8hPtB72/sfYgNw1WTska2DNOJFx+QhUxuV6OLINSD2ty+6gxcM8yZrvMqWdMePGRb2cGh8L/0bGOk+64IQ/pM=
ECPublicKeySpec
. It needs ECPoint
, EllipticCurve
, ECParameterSpec
, ECField
. The openssh format only contains two integers, which makes sense for ECPoint
, but I don't know how to set up the rest.com.jcraft.jsch.KeyPair load = com.jcraft.jsch.KeyPair.load(jsch, null, bytes[openSshKey]);
PublicKey
- just a byte[] getPublicKeyBlob()
method....
} else if (type.startsWith("ecdsa-sha2-") &&
(type.endsWith("nistp256") || type.endsWith("nistp384") || type.endsWith("nistp521"))) {
// Based on RFC 5656, section 3.1 (https://tools.ietf.org/html/rfc5656#section-3.1)
String identifier = decodeType();
BigInteger q = decodeBigInt();
ECPoint ecPoint = getECPoint(q, identifier);
ECParameterSpec ecParameterSpec = getECParameterSpec(identifier);
ECPublicKeySpec spec = new ECPublicKeySpec(ecPoint, ecParameterSpec);
return KeyFactory.getInstance("EC").generatePublic(spec);
} ...
/**
* Provides a means to get from a parsed Q value to the X and Y point values.
* that can be used to create and ECPoint compatible with ECPublicKeySpec.
*
* @param q According to RFC 5656:
* "Q is the public key encoded from an elliptic curve point into an octet string"
* @param identifier According to RFC 5656:
* "The string [identifier] is the identifier of the elliptic curve domain parameters."
* @return An ECPoint suitable for creating a JCE ECPublicKeySpec.
*/
ECPoint getECPoint(BigInteger q, String identifier) {
String name = identifier.replace("nist", "sec") + "r1";
ECNamedCurveParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec(name);
org.bouncycastle.math.ec.ECPoint point = ecSpec.getCurve().decodePoint(q.toByteArray());
BigInteger x = point.getAffineXCoord().toBigInteger();
BigInteger y = point.getAffineYCoord().toBigInteger();
System.out.println("BC x = " + x);
System.out.println("BC y = " + y);
return new ECPoint(x, y);
}
/**
* Gets the curve parameters for the given key type identifier.
*
* @param identifier According to RFC 5656:
* "The string [identifier] is the identifier of the elliptic curve domain parameters."
* @return An ECParameterSpec suitable for creating a JCE ECPublicKeySpec.
*/
ECParameterSpec getECParameterSpec(String identifier) {
try {
// http://www.bouncycastle.org/wiki/pages/viewpage.action?pageId=362269#SupportedCurves(ECDSAandECGOST)-NIST(aliasesforSECcurves)
String name = identifier.replace("nist", "sec") + "r1";
AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC");
parameters.init(new ECGenParameterSpec(name));
return parameters.getParameterSpec(ECParameterSpec.class);
} catch (InvalidParameterSpecException | NoSuchAlgorithmException e) {
throw new IllegalArgumentException("Unable to get parameter spec for identifier " + identifier, e);
}
}