I have a X509 Certificate and I want to store it in a MySQL DB instead of saving the file. Therefore, I thought it is better to convert the certificate to base64 and store it. I have done the forward and reverse of this conversion however, I did not get true results.
I'm using javax.security.cert.X509Certificate and import org.apache.commons.codec.binary.Base64 as follows:
X509Certificate cert = X509Certificate.getInstance(new FileInputStream(certFile));
System.out.println("Vigencia: "+cert.getNotAfter());
System.out.println("Inicio: "+cert.getNotBefore());
String cert64 = bytes2String(Base64.encodeBase64(cert.toString().getBytes("UTF-8")));
System.out.println("Cert 64: "+ cert64);
String certRegreso = bytes2String(Base64.decodeBase64(cert64.getBytes()));
System.out.println("Cert Regreso: "+ certRegreso);
X509Certificate certNuevo = X509Certificate.getInstance(certRegreso.getBytes());
According to the javadocs X509Certificate implements Serializable so why not use the much simpler solution and store it as a byte array? Something like:
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutput out = new ObjectOutputStream(bos);
out.writeObject(certificate);
byte[] data = bos.toByteArray();
bos.close();
And now just store the byte array as a blob. To recreate it you can just use:
ByteArrayIntputSream bis = new ByteArrayInputStream(byteData);
ObjectInput in = new ObjectInputStream(bis);
X509Certificate cert = (X509Certificate) in.readObject();
bis.close();
Related
I would like to convert an OpenSSH ecdsa public key string(.pub file) to a BCECPublicKey instance.
What I want to achieve it the reverse of this code:
BCECPublicKey publicKey = ...;
byte[] point = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(publicKey.getEncoded())).getPublicKeyData().getOctets();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
dataOutputStream.writeInt("ecdsa-sha2-nistp256".getBytes().length);
dataOutputStream.write("ecdsa-sha2-nistp256".getBytes());
dataOutputStream.writeInt("nistp256".getBytes().length);
dataOutputStream.write("nistp256".getBytes());
dataOutputStream.writeInt(point.length);
dataOutputStream.write(point);
String base64 = Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray());
This is what I've tried:
// Valid ecdsa-sha2-nistp256 public key string from a .pub file.
String base64 = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG93uDMAjwxpPFXgLFFs7FzWZXrQRaXnBMqmHaRN/5JRzljuqYAUAkW98HvFxGKrnb2JdW3X785AxLNzVhiiw+4=";
byte[] bytes = Base64.getDecoder().decode(base64);
ECNamedCurveParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
// java.lang.IllegalArgumentException: Incorrect length for infinity encoding
ECPoint point = ecSpec.getCurve().decodePoint(bytes);
ECPublicKeySpec publicKeySpec = new ECPublicKeySpec(point, ecSpec);
KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", "BC");
PublicKey pk = keyFactory.generatePublic(publicKeySpec);
But this doesn't seem to work.
Is there an easy way to do this with bouncy castle?
You know you created the blob by concatenating six things, only the sixth of which was the actual point encoding, so how on Earth could you imagine that using all of the blob as a point encoding would be correct?
The clean and robust way is to parse the blob back into its pieces and extract the point encoding; the dirty way is to just assume the blob is, as expected, for ecdsa-sha2-nistp256 (and uncompressed) so the last 65 bytes are the point encoding:
String base64 = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG93uDMAjwxpPFXgLFFs7FzWZXrQRaXnBMqmHaRN/5JRzljuqYAUAkW98HvFxGKrnb2JdW3X785AxLNzVhiiw+4=";
byte[] bytes = Base64.getDecoder().decode(base64), temp;
if( clean ){
DataInputStream instr = new DataInputStream (new ByteArrayInputStream (bytes));
temp = new byte[instr.readInt()]; instr.read(temp);
if( !Arrays.equals(temp,"ecdsa-sha2-nistp256".getBytes())) throw new Exception ("bad key");
temp = new byte[instr.readInt()]; instr.read(temp);
if( !Arrays.equals(temp,"nistp256".getBytes())) throw new Exception ("bad key");
temp = new byte[instr.readInt()]; instr.read (temp);
}else{
temp = Arrays.copyOfRange(bytes, bytes.length-65, bytes.length);
}
ECNamedCurveParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec ("secp256r1");
org.bouncycastle.math.ec.ECPoint point = ecSpec.getCurve().decodePoint (temp);
KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", "BC");
PublicKey pk = keyFactory.generatePublic(new org.bouncycastle.jce.spec.ECPublicKeySpec(point, ecSpec));
I would like to create a detached signature in a PDF file using a PKCS7 container. The data (hash) is being signed beforehand on a different device with the private key. I want to create a PKCS7 containing the signed data along with the certificate with the public key. I can't seem to create the PKCS7 with bouncy castle without supplying the private key and having the library signing the data. This doesn't seem to work:
InputStream inStream = new FileInputStream("1_public.pem");
BufferedInputStream bis = new BufferedInputStream( inStream );
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<Certificate> certList = new ArrayList<Certificate>();
Certificate certificate = cf.generateCertificate(bis);
certList.add(certificate);
Store certs = new JcaCertStore(certList);
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
gen.addCertificates( certs );
CMSProcessableInputStream msg = new CMSProcessableInputStream( new ByteArrayInputStream( "signedhash".getBytes() ) );
CMSSignedData signedData = gen.generate(msg, false);
byte[] pkcs7 = signedData.getEncoded() ) );
I managed to do this by providing a ContentSigner that doesn't sign, actually quite simple:
InputStream inStream = new FileInputStream("1_public.pem");
BufferedInputStream bis = new BufferedInputStream( inStream );
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<Certificate> certList = new ArrayList<Certificate>();
Certificate certificate = cf.generateCertificate(bis);
certList.add(certificate);
Store certs = new JcaCertStore(certList);
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
gen.addCertificates( certs );
final byte[] signedHash = "signedhash".getBytes();
ContentSigner nonSigner = new ContentSigner() {
#Override
public byte[] getSignature() {
return signedHash;
}
#Override
public OutputStream getOutputStream() {
return new ByteArrayOutputStream();
}
#Override
public AlgorithmIdentifier getAlgorithmIdentifier() {
return new DefaultSignatureAlgorithmIdentifierFinder().find( "SHA256WithRSA" );
}
};
org.bouncycastle.asn1.x509.Certificate cert = org.bouncycastle.asn1.x509.Certificate.getInstance(ASN1Primitive.fromByteArray(certificate.getEncoded()));
JcaSignerInfoGeneratorBuilder sigb = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());
sigb.setDirectSignature( true );
gen.addSignerInfoGenerator(sigb.build(nonSigner, new X509CertificateHolder(cert)));
CMSProcessableInputStream msg = new CMSProcessableInputStream( new ByteArrayInputStream( "not used".getBytes() ) );
CMSSignedData signedData = gen.generate(msg, false);
byte[] pkcs7 = signedData.getEncoded();
In case the "external signature" is performed by a hardware device it is possible that it also contains "signed attributes". In this case the code must also contain:
AttributeTable signedAttributes = signer.getSignedAttributes();
signerInfoBuilder.setSignedAttributeGenerator(new SimpleAttributeTableGenerator(signedAttributes));
signatureGenerator.addSignerInfoGenerator(signerInfoBuilder.build(nonSigner, signCertificate));
you should also remove the
signatureGenerator.setDirectSignature(true)
a complete example can be found here https://www.len.ro/work/attach-payload-into-detached-pkcs7-signature/. Since I spend a lot of time searching for a solution and this post provided a vital clue I thought I should complete with the information I still missed in an article. Thanks.
I take this code from YouTube video.From this code I encrypt image correctly but could not decrypt that image..
Can anyone help me???
Encrypt code
FileInputStream file = new FileInputStream("src/image/A.jpg");
FileOutputStream output = new FileOutputStream("src/image/AA.jpg");
byte j[]="12345678".getBytes();
SecretKeySpec kye = new SecretKeySpec(j,"DES");
System.out.println(kye);
Cipher enc = Cipher.getInstance("DES");
enc.init(Cipher.ENCRYPT_MODE,kye);
CipherOutputStream cos = new CipherOutputStream(output, enc);
byte[] buf = new byte[1024];
int read;
while((read=file.read(buf))!=-1){
cos.write(buf,0,read);
}
file.close();
output.flush();
cos.close();
Decrypt code
FileInputStream file = new FileInputStream("src/image/AA.jpg");
FileOutputStream output = new FileOutputStream("src/image/AAA.jpg");
byte j[]="12345678".getBytes();
SecretKeySpec kye = new SecretKeySpec(j,"DES");
System.out.println(kye);
Cipher enc = Cipher.getInstance("DES");
enc.init(Cipher.DECRYPT_MODE,kye);
CipherOutputStream cos = new CipherOutputStream(output, enc);
byte[] buf = new byte[1024];
int read;
while((read=file.read(buf))!=-1){
cos.write(buf,0,read);
}
file.close();
output.flush();
cos.close();
thank you
It is a relativly old post but I think I can help.
First, you should encode the Image into a ASCII representation. I would recommend Base64. It is much easier and less error attached when encrypting Base64. (Maybe not as strong but that depends on your needs)
The benefit of Base64 is the Alphabet it is using. No weird symbols at all.
1) Convert the image into a ByteArrayOutputStream by writing it with the ImageIO Class into one.
2) Encode the byte array into a Base64 String
3) Encrypt like you did above (Do not forget the flush).
4) Save bytes to new File. Delete old one.
Decrypt accordingly .....
Be aware, encoding into Base64 will blow up your memory and the file will be much bigger because of the Base64 AND the Encryption overhead.
Hope that helps !
I have certificate created using java class CertAndKeyGen and X500Name and I am able to generate the certificate which is in byte array. Now I want the private key I used in certificate and convert it into readable format. Below is the code I used to create the certificate,
CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
X500Name x500Name = new X500Name(commonName, organizationalUnit, organization, city, state, country);
keypair.generate(keysize);
PrivateKey privKey = keypair.getPrivateKey();
PKCS10 certReq = keypair.getCertRequest(x500Name);
X509Certificate[] chain = new X509Certificate[1];
chain[0] = keypair.getSelfCertificate(x500Name, new Date(), (long) validity * 24 * 60 * 60);
keyStore.setKeyEntry(alias, privKey, keyStorePassword.toCharArray(), chain);
ByteArrayOutputStream bs = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(bs);
certReq.print(ps);
byte[] certReqPrintable = bs.toByteArray();
I have got no clues, please help me to go in right direction to get private key and convert it into readable format. Thanks in advance.
If you want to save the private key to a file use
byte[] privateKeyBytes = privKey.getEncoded();
This returns the key in DER encoded (binary) format.
In case you want just to display the contained values on the console just print it using toString():
System.out.println(privKey);
BouncyCastle has the useful PEMWriter class that you can use to write the private key to a file in PEM format (this is what tools like OpenSSH and curl expect).
PEMWriter privatepemWriter = new PEMWriter(new FileWriter(filename)));
privatepemWriter.writeObject(privKey);
privatepemWriter.close();
Otherwise you can just save the byte array from the private key which is the DER format also used by many tools.
Finally you can write it to a JKS keystore used by other java programs using this:
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null);
keyStore.setKeyEntry("some alias", privKey, somePassword.toCharArray(), chain[0]));
FileOutputStream fos = new FileOutputStream(filename);
keyStore.store(fos, somePassword.toCharArray());
fos.close();
I want to read certificate from eToken when it plugged-in, when I store that certificate on local machine I can read it through my java application but, I don't know how to read it from eToken.
RSAPublicKey pub;
String fileName = "C:\\myCert.cer";
InputStream inStream = new FileInputStream(fileName);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert =
(X509Certificate)cf.generateCertificate(inStream);
inStream.close();
pub = (RSAPublicKey) cert.getPublicKey();
System.out.println(cert.getIssuerDN());
System.out.println(cert.getSubjectDN());
System.out.println(cert.getSubjectAlternativeNames());
byte [] tempPub = pub.getEncoded();
String sPub = new String( tempPub );
One way to do this is by using the PKCS#11 provider. It comes with examples, too.