I have the following way of generating a self signed certificate using the class CertandKeyGen.
CertandKeyGen cert = new CertandKeyGen("RSA", "SHA256withRSA);
cert.generate(size);
..
X509Certificate certificate = cert.getSelfCertificate(name, validity);
Since these are internal APIs from keytool, I am looking at a similar approach using java.security.* APIs.
I want to know if this is possible currently. If yes, what are those APIs? I dug around but I am unable to find anything about it. I am aware of bouncy castle APIs (X509V3CertificateGenerator) but I do not want to use third party APIs.
Thanks.
At present, I do not believe that the generation/signing mechanisms that are used in keytool are part of the public API for Java.
I have implemented a very simple CA/Signing mechanism utilizing BouncyCastle for testing purposes.
I don't think you're going to be able to do this without a 3rd party api or implementing a very significant amount of code on your own.
Related
I have a case where I need to encrypt some files using OpenPGP. I am using Bouncy Castle to do so.
As I understand it Bouncy Castle encryption can be used in java in two ways:
I add Bouncy Castle as a provider and continue to use the standard Java libraries.
I use the classes specified in the Bouncy Castle library directly.
I wanted to know the pros and cons of both the ways and which method is recommended.
Also if I am using the second approach then why do I still have to add Bouncy Castle as a security provider. If I do not do so then I get a "No Such Provider" exception when I execute the following line:
PGPEncryptedDataGenerator encGen =
new PGPEncryptedDataGenerator(
new JcePGPDataEncryptorBuilder(PGPEncryptedData.CAST5).setWithIntegrityPacket(withIntegrityCheck).setSecureRandom(
new SecureRandom())
.setProvider("BC"));
As I understand it Bouncy Castle encryption can be used in java in two ways:
I add Bouncy Castle as a provider and continue to use the standard Java libraries.
I use the classes specified in the Bouncy Castle library directly.
I wanted to know the pros and cons of both the ways and which method is recommended.
The Java JCA is a better designed and certainly better documented API. It has better defined exception handling, more up to date parameter handling (ByteBuffer).
Furthermore, through the use of the provider abstraction, it can be enhanced not just with software based providers such as Bouncy Castle, but also with platform functionality and hardware providers. So if you program against the JCA you'll be rewarded with a more flexible runtime.
On the other hand the lightweight crypto API is a relatively low level API that provides a lot more functionality in a relatively well structured fashion. If you use it you're basically choosing Bouncy Castle as your sole provider of functionality. Bouncy Castle contains specific implementations in Java code only, which means that you won't get (much) hardware support.
Bouncy Castle's lightweight API doesn't have jurisdictional restrictions (such as 128 bit AES keys). So you can use it for your own protocol if you want to work around those restrictions (don't get me started on the reason why these restrictions are there in the first place if you can download an equivalent library without issue).
Also if I am using the second approach then why do I still have to add Bouncy Castle as a security provider. If I do not do so then I get a "No Such Provider" exception (...) ?
The Bouncy Castle PGP functionality is actually build upon the JCA; it's that simple. If it wasn't you could not use Java keys or other (platform or hardware) cryptographic functionality.
A lot of other software components also assume the JCA to be used. You cannot simply plug the lightweight API into an existing protocol implementation.
Is it possible that a file signed by GPG https://gpgtools.org/ can be verified using some other tool say BouncyCastle or GnuPG https://www.gnupg.org/? In my opinion it should not be because key providers are different. Am I right? I need some knowledge in this context. Please help.
Is it possible that a file signed by GPG https://gpgtools.org/ can be verified using some other tool say BountyCastle or GnuPG https://www.gnupg.org/?
Yes, of course! Both GnuPG and BouncyCastle implement the common standard OpenPGP. GPGTools just ships GnuPG as binary distribution and adds some tools.
In my opinion it should not be because key providers are different. Am I right?
There is no central trust entity like a certificate authority in OpenPGP, with other words no trusted keys are preconfigured.
To verify signatures, you need to fetch the matching public key. This will tell you, whether the signatures was issued by the matching private key and whether the file was tampered or not. It does not say anything on the validty of the key and signature; you have to verify the key on some other way. This might be by comparing the fingerprints manually, or using the OpenPGP web of trust to find a trust path from a trust anchor like your own key.
I need some knowledge in this context.
It looks you're still very new to those technologies. Covering them in depth is far beyond an answer on Stack Exchange. I'd strongly recommend to read up on the following topics, to get a feeling for the topics:
Public-key cryptography
PGP and OpenPGP
Public key infrastructure, especially the Web of trust in contrast to the Certificate authority system
Is there a way to create a pkcs10 CSR using native java library?
Hello there, i am looking for a way to generate a PKCS10 CSR within an java application.
I prefer native java librarys. Absolutely obsolet are commandline tools. I know it is possible by using BouncyCastle, but currently i am looking for a alternative way to do that.
The library itself should be free to use for commertial belongings.
Have a look into answer number 2 on Building a Certificate Authority architecture. There seems to be no way to do what you want with JSSE directly.
I have determined, after some research, that in order to generate and sign certificates programmatically in java I need the bouncycastle library.
Unfortunately it appears that the library has gone through a major overhaul sometime fairly recently. A great deal of their classes are now deprecated and all of the tutorials and code samples I can find that are simple enough to understand are deprecated along with them.
I am reasonably new to cryptography. Armed with only basic knowledge and fuzzy idea of what I'm actually trying to accomplish, I've fumbled through the out of date tutorials and the assumed-knowledge Bouncycastle documentation, and its been an arduous experience.
Are there any simple to understand, up to date Bouncycastle tutorials, or alternative libraries I should look at? Or should I grit my teeth, ignore the deprecation warnings and hope for the best?
It is a little hard to find, but the bouncycastle wiki has some short but sweet documention. In particular this first example at this page entitled A Simple Operator Example should get you started.
Another perfectly fine alternative is to just use version 1.46 of the library, the last version to use the old api.
Do you really need to use Bouncycastle directly or can't you use it as a Cryptographic Service Provider? So you do not need to use BCs API. See the JCA Reference Guide. I use for some encryption these lines:
static {
Security.addProvider(new BouncyCastleProvider());
}
public void someMethod() {
KeyFactory fact = KeyFactory.getInstance("RSA", "BC");
Key key = fact.generatePublic(PUB_KEY_SPEC);
// do stuff
}
You might take a closer look at the CertificateFactory.
I want create certificates to be stored on a database and i dont have any idea about how to do it, if exits an API or library help me do it
Thanks
A public key infrastructure is far more than a database of signed public keys. For instance one of the most important parts of the PKI is the ability to revoke certificates using the OCSP protocol.
In short everything needed to build a PKI in java has been built for you and is open source, you should use EJBCA.
Here is the Java PKI programming guide from Sun.
Have you seen http://www.mozilla.org/projects/security/pki/?