I'm a certificate noob. I've been trying to import certificates for the past couple of hours and the more I dig into security stuff, the more it feels impossible to understand.
Here is what I'm trying to achieve in Java:
the user can upload any kind of formatted certificate with an optional passphrase
I need to convert the certificate to a non-binary PEM format
Extract the private and public keys to store in a database; throw an error if one of the two is missing
So far I've been able to parse some certificates using java.security's X509Certificate, but I can't get the private key. I've also tried Bouncy Castle, but no success there either.
Thanks for your help
An X509Certificate only contains a public key.
Private keys are usually encoded using PKCS#8. Try KeyFactory with a PKCS8EncodedKeySpec.
Combined public key certificates with private keys are usually encoded using PKCS#12 (.pfx, .p12). Try a KeyStore of "PKCS12" type (with Bouncy Castle as provider).
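The PKCS#12 route from the answer above, carried through to what the question asked for (both halves extracted, an error if one is missing, PEM output). This is an added example, not code from the asker or the answerer; it assumes the upload is a PKCS#12 file and uses only the JDK's built-in PKCS12 KeyStore.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;

// Added example (not the asker's or answerer's code). Loads an uploaded PKCS#12 (.pfx/.p12) blob,
// insists on both halves, checks that they belong together, and returns them as PEM text.
// The PKCS12 KeyStore type is built into the JDK; no Bouncy Castle provider is required for it.
public class Pkcs12ToPem {
    private static final Base64.Encoder B64 = Base64.getMimeEncoder(64, "\n".getBytes());

    static String pem(String type, byte[] der) {
        return "-----BEGIN " + type + "-----\n" + B64.encodeToString(der) + "\n-----END " + type + "-----\n";
    }

    /** Returns {certificatePem, privateKeyPem}; throws if either half is missing or they do not match. */
    static String[] convert(byte[] p12, char[] passphrase) throws Exception {
        char[] pw = passphrase == null ? new char[0] : passphrase;   // unprotected stores use an empty password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), pw);                  // also verifies the store's MAC
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;                     // trusted-cert entries carry no private key
            PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (key == null || cert == null)
                throw new IllegalArgumentException("entry '" + alias + "' lacks a private key or a certificate");
            // Prove the halves belong together before persisting: sign a probe with the private key,
            // verify it with the certificate's public key. A mismatch here usually means a wrong upload.
            byte[] probe = "pairing-check".getBytes("UTF-8");
            Signature sig = Signature.getInstance("EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA");
            sig.initSign(key); sig.update(probe);
            byte[] s = sig.sign();
            sig.initVerify(cert.getPublicKey()); sig.update(probe);
            if (!sig.verify(s)) throw new IllegalArgumentException("private key does not match certificate");
            // A JDK PrivateKey encodes as PKCS#8 DER; a certificate encodes as X.509 DER. The PEM labels
            // below are the ones openssl expects. Keep the key PEM encrypted at rest rather than in clear text.
            return new String[] { pem("CERTIFICATE", cert.getEncoded()), pem("PRIVATE KEY", key.getEncoded()) };
        }
        throw new IllegalArgumentException("PKCS#12 store contains no private key entry");
    }
}
```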
I'm building an XML document signature API backed by Azure Key Vault (AKV).
I have an asymmetric certificate imported into AKV, which is stored as [Key, Secret and Certificate].
I've managed to sign the document, but I think that I'm not getting the right key.
The Java XML Digital Signature API needs a key pair (private/public) to get some info.
I've modified a provider that I found here, and now the signature process is called from AKV instead of the Java implementation.
The thing is, when I get a Key from AKV, only the public key is coming.
The private key is stored as a Secret, and I run into trouble when I try to convert the value into an instance of PrivateKey.
How can I convert the SecretBundle value into an instance of java.security.PrivateKey?
Thanks in advance.
Below is how I had converted the Secret into a certificate file. You might be able to convert that into Java.
# Fetch the certificate's secret: its value is the base64-encoded PKCS#12 (PFX) blob
$kvSecret = Get-AzureKeyVaultSecret -VaultName 'VaultFromCode' -Name 'TestCertificate'
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
# Import the PFX (no password) with the private key marked exportable
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Re-export as a PFX protected with the password 'test' and write it to disk
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'test')
$pfxPath = 'C:\cert\test.pfx'
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)
You can find more details in my post - Manage Certificates in Azure Key Vault. You can also find some details on Exportable and Non-Exportable certificates in Key Vault and how those can be used to sign a PDF file.
Hope that helps
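The Java counterpart of the PowerShell above, as an added example that is not the asker's provider code or the answerer's. It assumes the Key Vault certificate uses the default contentType application/x-pkcs12 (so the Secret's value is a base64 PFX with an empty password) and that the caller already knows the thumbprint Key Vault reports for the certificate, which it uses to confirm the "right key" concern from the question.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;

// Added example, not the asker's provider code. Assumes the Key Vault certificate was created with the
// default contentType application/x-pkcs12, so the Secret's value is a base64 PFX with an empty password,
// and that the caller already has the certificate's thumbprint from the Key Vault certificate object.
public class KeyVaultSecretToPrivateKey {

    /** secretValue: the SecretBundle's value; expectedThumbprintHex: SHA-1 thumbprint Key Vault shows for the cert. */
    static PrivateKey fromSecret(String secretValue, String expectedThumbprintHex) throws Exception {
        byte[] pfx = Base64.getDecoder().decode(secretValue);
        char[] noPassword = new char[0];                     // Key Vault exports the PFX unprotected
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(pfx), noPassword);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String thumbprint = hex(MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()));
            // "Am I getting the right key?" is answered by pinning the PFX's certificate to the one
            // Key Vault reports; a mismatch means a different version or a different secret was fetched.
            if (!thumbprint.equalsIgnoreCase(expectedThumbprintHex))
                throw new IllegalStateException("PFX holds " + thumbprint + ", expected " + expectedThumbprintHex);
            return (PrivateKey) ks.getKey(alias, noPassword);   // usable directly by the XML signature API
        }
        throw new IllegalStateException("no private key in secret: the certificate policy is probably non-exportable");
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```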
I wanted to create a .jks file using a certificate and a private key from an eToken programmatically.
I could access the eToken using the password but could not read the certificate or the private key.
In an earlier question I had asked whether the private key could be extracted from the eToken, for which I was told it was not possible.
So, my question is whether I could get the reference of the private key using PKCS#11.
Thank you.
You can get the reference (object handle) of the PrivateKey using PKCS11. You can even get the public components of the PrivateKey. But you cannot extract the sensitive data that comprises the key.
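What the answer describes, shown with the JDK's SunPKCS11 provider. This is an added example, not the asker's code; it assumes Java 9+ (for Provider.configure) and uses a placeholder path for the vendor's PKCS#11 library. The key comes back as a handle you can sign with, but its material cannot be read, which is why no .jks copy can be built from it.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example, not the asker's code. Assumes Java 9+ (Provider.configure) and a PKCS#11 library path
// that is a placeholder for the vendor's .so/.dll. It shows what the answer says: the key comes back as
// a handle you can sign with, but its material is not readable, so no .jks copy can ever be built from it.
public class TokenKeyHandle {
    // Inline SunPKCS11 configuration ("--" prefix); the library line is the placeholder to replace.
    private static final String CONFIG = "--name=eToken\nlibrary=/path/to/vendor-pkcs11.so\n";

    static void signWithToken(char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(CONFIG);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        try {
            ks.load(null, pin);                                   // logs in to the token; nothing is read from disk
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) continue;
                PrivateKey handle = (PrivateKey) ks.getKey(alias, pin);   // object handle bound to the session
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                // getEncoded() is null for a sensitive, non-extractable token key: there is nothing to copy.
                System.out.println(alias + " encoded=" + Arrays.toString(handle.getEncoded()));
                // Ask the PKCS#11 provider for the Signature so the token performs the private operation.
                String alg = "EC".equals(handle.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
                byte[] probe = "probe".getBytes("UTF-8");
                Signature s = Signature.getInstance(alg, p);
                s.initSign(handle); s.update(probe);
                byte[] sig = s.sign();
                // Verification needs only the certificate, so it can run with any provider.
                Signature v = Signature.getInstance(alg);
                v.initVerify(cert.getPublicKey()); v.update(probe);
                System.out.println(alias + " token signature verifies: " + v.verify(sig));
            }
        } finally {
            Arrays.fill(pin, '\0');                               // do not keep the PIN around
        }
    }
}
```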
I am very new to Bouncy Castle. I want to know whether there is any way, using the Bouncy Castle API, that I can get the original content if I only have the signature, using an X509Certificate with a public key. I am not finding any way, as we have only the public key. We don't have the private key which was used to sign the message.
If one has created a detached signature and you have only that signature (and no original data), then you are out of luck.
If the signature is wrapping, then surely you can get the original data back. Signed data doesn't require a private key to be verified and extracted. The public key (actually the certificate with the key) can be included in the wrapping signature, in which case you don't even need the certificate separately.
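The wrapping-versus-detached distinction from the answer, in Bouncy Castle CMS code. This is an added example, not the asker's or answerer's; it assumes the signature is CMS/PKCS#7 SignedData (the format Bouncy Castle's CMSSignedData reads) and that bcpkix is on the classpath.

```java
import java.security.Security;
import java.util.Collection;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Store;

// Added example, not the asker's code. Recovers the content of a wrapping (attached) CMS/PKCS#7
// SignedData and verifies it with the certificate embedded in the signature; for a detached
// signature the caller must supply the original bytes, exactly as the answer says.
public class CmsContentRecovery {
    static { Security.addProvider(new BouncyCastleProvider()); }

    /** detachedContent may be null for a wrapping signature. Returns the signed bytes only if every signer verifies. */
    static byte[] recover(byte[] cmsDer, byte[] detachedContent) throws Exception {
        CMSSignedData sd = detachedContent == null
                ? new CMSSignedData(cmsDer)                                        // content travels inside the blob
                : new CMSSignedData(new CMSProcessableByteArray(detachedContent), cmsDer);
        if (sd.getSignedContent() == null)
            throw new IllegalArgumentException("detached signature without its original data: nothing to recover");
        Store<X509CertificateHolder> certs = sd.getCertificates();               // certificates carried in the SignedData
        for (SignerInformation signer : sd.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
            if (matches.isEmpty())
                throw new IllegalArgumentException("no embedded certificate for signer " + signer.getSID());
            X509CertificateHolder holder = matches.iterator().next();
            // Verifying against the embedded certificate proves integrity only; whether that certificate
            // should be trusted (chain, validity period, revocation) is a separate check.
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(holder)))
                throw new SecurityException("signature does not verify for " + holder.getSubject());
        }
        return (byte[]) sd.getSignedContent().getContent();                      // the original data
    }
}
```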
I am using the Bouncy Castle library in Java for reading a CSR. I need to extract the public key information from the CSR. I can see that openssl is able to extract the required information from a CSR.
I can't find any way to do this in Bouncy Castle. I have been able to read a PKCS10CertificationRequest object from the CSR. I have seen examples using SubjectPublicKeyInfo for extracting the public key. But the code relies on the fact that the algorithm of the public key is already known. I can do an "instanceof" operation for various algorithm parameters and match, but I think there would be something better. I want to derive the algorithm from the CSR itself. I tried to find this information but couldn't find anything related to this.
Thanks for help.
The solution is to create a new wrapper around the PKCS10CertificationRequest like this:
JcaPKCS10CertificationRequest jcaCertRequest =
new JcaPKCS10CertificationRequest(pkcs10CertRequest.getEncoded()).setProvider("BC");
This class has the getPublicKey() method.
PublicKey publicKey = jcaCertRequest.getPublicKey();
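The answer's wrapper, extended into the check a CA-side consumer of a CSR would want. This is an added example, not the answerer's code: it reads the algorithm from the CSR's own SubjectPublicKeyInfo (no instanceof chain) and verifies the CSR's self-signature before the key is used. It assumes a PEM-encoded CSR string and the "BC" provider registered.

```java
import java.io.StringReader;
import java.security.PublicKey;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;

// Added example extending the answer above (not the asker's code): reads a PEM CSR, reports the
// key algorithm from the CSR's own SubjectPublicKeyInfo rather than by instanceof checks, and
// confirms the CSR's self-signature (proof that the requester holds the matching private key).
// Assumes the BC provider is already registered with Security.addProvider.
public class CsrInspector {
    static PublicKey inspect(String csrPem) throws Exception {
        try (PEMParser parser = new PEMParser(new StringReader(csrPem))) {
            PKCS10CertificationRequest csr = (PKCS10CertificationRequest) parser.readObject();
            SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo();
            // The algorithm OID is in the CSR itself, e.g. 1.2.840.113549.1.1.1 (rsaEncryption)
            // or 1.2.840.10045.2.1 (ecPublicKey); no prior knowledge of the key type is needed.
            System.out.println("key algorithm OID: " + spki.getAlgorithm().getAlgorithm().getId());
            JcaPKCS10CertificationRequest jca = new JcaPKCS10CertificationRequest(csr).setProvider("BC");
            PublicKey pub = jca.getPublicKey();                       // BC maps the OID to the JCA key type
            System.out.println("JCA algorithm: " + pub.getAlgorithm()); // "RSA", "EC", ...
            // A CSR whose signature does not verify with its own key must not be issued a certificate.
            boolean proofOfPossession = csr.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(pub));
            if (!proofOfPossession)
                throw new SecurityException("CSR signature invalid: requester did not prove key possession");
            return pub;
        }
    }
}
```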
I have a password-protected private key file (I have the password).
I need to put it in java.security.PrivateKey format. Can anyone tell me what is the most secure way to do it?
If the key (with the certificates) is stored in PKCS#12, you can use the KeyStore from Java.
Otherwise Bouncy Castle could help you (I've no experience with Bouncy Castle).
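For the case the answer leaves open (a stand-alone password-protected key file rather than a PKCS#12 store), this added example, not the answerer's code, loads a PEM "ENCRYPTED PRIVATE KEY" with the JDK alone; it is also the PKCS8EncodedKeySpec route named in the first answer on this page. It assumes the file is PKCS#8 as written by "openssl pkcs8 -topk8"; legacy OpenSSL files with "Proc-Type: 4,ENCRYPTED" headers are a different format and need Bouncy Castle's PEMParser.

```java
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the answer above. Loads a PEM "ENCRYPTED PRIVATE KEY" (PKCS#8 wrapped with a
// password-based scheme, what "openssl pkcs8 -topk8" writes) using only the JDK. Legacy OpenSSL files
// with "Proc-Type: 4,ENCRYPTED" headers are not PKCS#8 and need Bouncy Castle's PEMParser instead.
public class EncryptedPkcs8Loader {
    static PrivateKey load(String pem, char[] password) throws Exception {
        if (!pem.contains("-----BEGIN ENCRYPTED PRIVATE KEY-----"))
            throw new IllegalArgumentException("expected a PKCS#8 ENCRYPTED PRIVATE KEY block");
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(Base64.getDecoder().decode(b64));
        // getAlgName() is the PBE scheme recorded in the file, so nothing is hard-coded here. Whether a
        // PBES2/AES scheme is accepted depends on the JDK version; PKCS#5 v1.5 names work on all of them.
        PBEKeySpec pbeSpec = new PBEKeySpec(password);
        try {
            SecretKey pbeKey = SecretKeyFactory.getInstance(epki.getAlgName()).generateSecret(pbeSpec);
            PKCS8EncodedKeySpec keySpec = epki.getKeySpec(pbeKey);   // decrypts to plain PKCS#8 DER
            // Plain PKCS#8 names the key algorithm by OID; KeyFactory rejects the wrong type, so try each.
            for (String alg : new String[] { "RSA", "EC" }) {
                try { return KeyFactory.getInstance(alg).generatePrivate(keySpec); }
                catch (InvalidKeySpecException notThisType) { /* try the next algorithm */ }
            }
            throw new IllegalArgumentException("key algorithm is neither RSA nor EC");
        } finally {
            pbeSpec.clearPassword();          // keep password and decrypted material in memory no longer than needed
            Arrays.fill(password, '\0');      // the caller's copy is cleared too; pass a fresh char[] per call
        }
    }
}
```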