In my java app I have a JKS keystore with a self-signed cert/key. I need to load them and convert them to BouncyCastle types.
I am using java.security.KeyStore to load the cert/key which gives me java.security.cert.Certificate and java.security.Key.
How do I then convert these to a format that BouncyCastle uses (org.bouncycastle.asn1.x509.Certificate etc.)
If I use Security.addProvider(new BouncyCastleProvider()); will that make the KeyStore return different types???
Or does BC have it's own KeyStore API (note: the keystore is in JKS/SUN format).
Thanks
I figured it out, here is some pseudo code.
To convert certs:
byte data[] = java.security.cert.Certificate.getEncoded();
org.bouncycastle.asn1.x509.Certificate.getInstance(data);
To convert keys:
byte data[] = java.securty.Key.getEncoded();
if (isRSA) {
RSAPrivateKey rsa = RSAPrivateKey.getInstance(data);
return new RSAPrivateCrtKeyParameters(rsa.getModulus(), rsa.getPublicExponent(),
rsa.getPrivateExponent(), rsa.getPrime1(), rsa.getPrime2(), rsa.getExponent1(),
rsa.getExponent2(), rsa.getCoefficient());
} else {
return PrivateKeyFactory.createKey(data);
}
Related
Would like to know if JWT implementation (generating token) in Java is only possible only via .jks file in keystore of we can do it using a .pem (certificate and key) file as well ?
I would like to store the .jks file in a secured location offered by the PaaS provider on which my application is running and this service does not allow a physical file to be stored but rather the encoded format of the binary contents can be stored in key value pair which we have to refer by decoding. However when i do so , I get a Invalid keystore error.Hence i would like to know if .jks is a mandate for JWT token generation ?
As per your requirement, you don't want to use the Keystore & instead of that you directly wants to read the private & public keys (or public certificate), you can easily achieve it by the following. I've added the apache codec library dependency import org.apache.commons.codec.binary.Base64; for the Base64 decoding purpose.
public static RSAPrivateKey readPrivateKey(File file) throws Exception {
String key = new String(Files.readAllBytes(file.toPath()), Charset.defaultCharset());
String privateKeyPEM = key.replace("-----BEGIN PRIVATE KEY-----", "")
.replaceAll(System.lineSeparator(), "").replace("-----END PRIVATE KEY-----", "");
byte[] encoded = Base64.decodeBase64(privateKeyPEM);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
}
// to call above code
// private.key in PEM format
File file = new File("private.key");
PrivateKey key = readPrivateKey(file);
Similar things can be done for reading the public key and public certificate as per the requirement.
I'am trying to generate signatures from files, in order to verify them by clients using OpenSSL, so to implement the corresponding openSSL command in Java using Bouncy Castle :
openssl.exe dgst -sha256 -sign privateKey.pem -out \data.txt.sig \data.txt
using bouncy castle 1.57 and java, we get bytes array signature from file, which i could verify it in the code. Private, public and certificate are generated from openSSL.
so to generate certificates :
read the private key from the pem private key file:
PEMParser pemParser = new PEMParser(new FileReader(PRIVATE_FILE_PATH));
PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) pemParser.readObject();
JceOpenSSLPKCS8DecryptorProviderBuilder jce = new JceOpenSSLPKCS8DecryptorProviderBuilder();
jce.setProvider("BC");
InputDecryptorProvider decProv = jce.build(password.toCharArray());
PrivateKeyInfo info = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(decProv);
JcaPEMKeyConverter pemKeyConverter = new JcaPEMKeyConverter();
PrivateKey pk = pemKeyConverter.getPrivateKey(info);
and generate the RSA SHA 256 signature and write the result in the signature file:
byte[] data = Files.readAllBytes(Paths.get(txtFileToSignPath));
Signature sig = Signature.getInstance("SHA256withRSA");
sig.initSign(pk);
sig.update(data);
byte[] signature = sig.sign();
FileOutputStream dfis = new FileOutputStream(SignaturefilePath);
dfis.write(bytesToWrite);
dfis.close();
programmatically i could verify signatures generated from the code above as well as from open SSL:
Signature verifySignature = Signature.getInstance("SHA256withRSA");
byte[] signatureBytes =
Files.readAllBytes(Paths.get(SignaturefilePath);
verifySignature.initVerify(getPublicKeyFromCertFile(CERT_PEM));
verifySignature.update(data);
verifySignature.verify(signatureBytes);
on the other hand openSSL is getting always "verification failure" by verifiying signatures generated from code.
is OpenSSL able to verify array of bytes signatures directly, or am I missing anything ?
code above works fine, was verifying the signature against another file. Question maitained for learning purpose.
i am trying to decrypt a pkcs8 encrypted private key using bouncy castle library. I parsed the file containing the private key using PEMParser provided by bouncy castle. I got PKCS8EncryptedPrivateKeyInfo object. I am unable to get the PrivateKeyInfo object from this.
I am getting the following exception while trying to decrypt.
org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: 1.2.840.113549.1.5.13 not available: No such provider: 1.2.840.113549.1.5.13
here is the code which I used
PEMParser parser = new PEMParser(br);
PKCS8EncryptedPrivateKeyInfo pair = (PKCS8EncryptedPrivateKeyInfo)parser.readObject();
JceOpenSSLPKCS8DecryptorProviderBuilder jce = new JceOpenSSLPKCS8DecryptorProviderBuilder();
jce.setProvider("1.2.840.113549.1.5.13");
InputDecryptorProvider decProv = jce.build(password.toCharArray());
PrivateKeyInfo info = pair.decryptPrivateKeyInfo(decProv);
Have you tried with jce.setProvider("BC"); instead of jce.setProvider("1.2.840.113549.1.5.13");
Edit to add solution provided by #PeterDettman :
In addition to use jce.setProvider("BC"); also install the BC provider bouncycastle.org/wiki/display/JA1/Provider+Installation
Security.addProvider(new BouncyCastleProvider());
thats whats missing
I am trying to do the AES encryption/decryption in java
I generated the secretkey using KeyGenerator. I stored the key using java keystore.
Key myKey = KeyGenerator.getInstance("AES").generateKey();
KeyStore.ProtectionParameter protParam =
new KeyStore.PasswordProtection("secretpass".toCharArray());
//For writing the secret Key
KeyStore.SecretKeyEntry skEntry =
new KeyStore.SecretKeyEntry((SecretKey)myKey);
FileOutputStream fout = new FileOutputStream("test.ks");
KeyStore ksout = KeyStore.getInstance("JCEKS");
ksout.load(null,"changeit".toCharArray());
ksout.setEntry("secretalias", skEntry, protParam);
I wanted to get this secretkey from this file using openssl programatically. Is it possible? If so, please give me some suggestions on how do I proceed.
Thank you in advance.
This is not possible as the default keystore (jks) is a proprietary format used by Java.
To exchange the key you would need something portable like PKCS#11 (which is a supported KeyStore format at least in Java 8).
I obtain a randomly generated RSA certificate and private key as strings from another service, and I would like to use those strings to create a Java KeyStore. All of the examples I see involve saving these strings to files, using the openssl and keytool command line tools to create the keystore on disk, and then loading the resulting KeyStore into memory (like here). However, it makes more sense for my purposes to create the KeyStore entirely in memory.
To that end, I am trying to use the Java Security API. I am able to convert the certificate string into an instance of the java.security.cert.Certificate class, but I am unable to convert the private key into an instance of java.security.PrivateKey. Here's method I am trying to create:
private PrivateKey generatePrivateKey (String newKey)
throws NoSuchAlgorithmException,
InvalidKeySpecException, IOException {
//Configuring the KeyFactory to use RSA
KeyFactory kf = KeyFactory.getInstance("RSA");
//Convert the key string to a byte array
byte[] keyBytes = newKey.getBytes();
KeySpec ks = new PKCS8EncodedKeySpec(keyBytes);
PrivateKey key = kf.generatePrivate(ks);
return key;
}
Where the value of newKey is something like "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...gNK3x\n-----END RSA PRIVATE KEY-----".
When I run the code, I receive the following exception:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
... 30 more
Caused by: java.security.InvalidKeyException: invalid key format
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:341)
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:367)
at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
... 32 more
This particular error is very similar to this stackoverflow question, and I would be grateful if that question were resolved, but I also want to know if my higher level goal (creating a JKS programmatically and solely in memory using Java) is feasible, and if so, whether I am on the right path.
you need to decode base64 if your key is in the base64 representation:
KeySpec ks = new PKCS8EncodedKeySpec(Base64.decodeBase64(newKey));
you can use org.apache.commons.codec.binary.Base64 to do this.
if you want to generate keyPair you can you this code:
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.genKeyPair();
// extract the encoded private key, this is an unencrypted PKCS#8 private key
byte[] encodedprivkey = keyPair.getPrivate().getEncoded();
System.out.println(Base64.encodeBase64String(encodedprivkey));