How to create a PKI in Java - java

I want create certificates to be stored on a database and i dont have any idea about how to do it, if exits an API or library help me do it
Thanks

A public key infrastructure is far more than a database of signed public keys. For instance one of the most important parts of the PKI is the ability to revoke certificates using the OCSP protocol.
In short everything needed to build a PKI in java has been built for you and is open source, you should use EJBCA.

Here is the Java PKI programming guide from Sun.

Have you seen http://www.mozilla.org/projects/security/pki/?

Related

Alternative to CertandKeygen for self signed certificate generation in java

I have the following way of generating a self signed certificate using the class CertandKeyGen.
CertandKeyGen cert = new CertandKeyGen("RSA", "SHA256withRSA);
cert.generate(size);
..
X509Certificate certificate = cert.getSelfCertificate(name, validity);
Since these are internal APIs from keytool, I am looking at a similar approach using java.security.* APIs.
I want to know if this is possible currently. If yes, what are those APIs? I dug around but I am unable to find anything about it. I am aware of bouncy castle APIs (X509V3CertificateGenerator) but I do not want to use third party APIs.
Thanks.
At present, I do not believe that the generation/signing mechanisms that are used in keytool are part of the public API for Java.
I have implemented a very simple CA/Signing mechanism utilizing BouncyCastle for testing purposes.
I don't think you're going to be able to do this without a 3rd party api or implementing a very significant amount of code on your own.

How to create a Certificate sign request using native Java

Is there a way to create a pkcs10 CSR using native java library?
Hello there, i am looking for a way to generate a PKCS10 CSR within an java application.
I prefer native java librarys. Absolutely obsolet are commandline tools. I know it is possible by using BouncyCastle, but currently i am looking for a alternative way to do that.
The library itself should be free to use for commertial belongings.
Have a look into answer number 2 on Building a Certificate Authority architecture. There seems to be no way to do what you want with JSSE directly.

‘pgp_sym_encrypt’ and ‘pgp_sym_decrypt’ mechanism with HSM (hardware security module)

I want to replace PostgreSQL encryption function ‘pgp_sym_encrypt’ and ‘pgp_sym_decrypt’ mechanism with HSM (hardware security module). Can i implement it to replace existing algorithm with HSM.
If your client is paying you to find this out, it'd be nice if you would do some research and work on it, not just ask Stack Overflow.
The pgp_sym_ functions are in contrib/pgcrypto/pgp-pgsql.c. They're wrappers for decrypt_internal, and in turn around the functions exposed in pgp.h and implemented in the pgp*.c files.
You'll see that pgcrypto has its own OpenPGP implementation. That means it's not using GnuPG as a library, and therefore cannot simply use GnuPG's support for hardware security modules directly.
If you want support for HSMs, you will need to implement it yourself in the pgcrypto extension. You may be able to use libgcrypt and GPGME functions to help you out, and/or functionality in OpenSSL. It depends on what HSM you're using; it might just a client library that does most of what you want.
It may be simpler, if your HSM has a client library that has functionality you want, to wrap that with PostgreSQL user-defined functions and expose it to SQL as a new contrib module.
Either way, you will have to do a lot of reading and a lot of research. You will need to know the C programming language and be comfortable working with it. You will need to understand how user-defined functions in PostgreSQL work. If you can't manage any of that, you'll need to subcontract the work to somebody who does, give them access to a sample of the HSM in question, and pay them for their time. (No, I'm not fishing for work, I already have too much).
Many HSM's can be programmed some of them will undoubtedly be both Turing complete and have enough memory to perform your encryption function (whatever that may be). So the answer is "yes".

What's the best way to secure data between an PHP webservice and a Android/Java application

And by that i don't mean using HTTPS, but data encryption.
Is there a nice encryption method that i can use in PHP to encrypt the data and decrypt in Java?
Thanks in advance.
AES-256 is the same in both Java as PHP: the algorithm itself is naturally language agnostic, so you can just pick one. That said, if you were to use HTTPS, the data would be encrypted either way, so perhaps you're overcomplicating things? Is the data that important and privacy-sensitive?
HTTPS does data encryption. If you're planning to negotiate the encryption without any pre-shared keys then HTTPS is probably one of your best options. It's not trivial to get encryption done in a proper way, so it's usually best to leverage existing implementations.
If you are planning on using a shared key that the client and server each know about, then you do likely want to use AES. For the Java side see an example here. You'll have to search around for the PHP side. Be sure to follow all of the best practices if you're aiming for security.

Using Java keystore in PHP

I'm looking to port a small Java security library to PHP. The Java implementation makes use of a keystore for signing some stuff and I'm wondering how to go about recreating this functionality in PHP. Of course the original Java implementation must still work with the same key pair/keystore.
I have very little experience with PHP and havn't tried to do anything portable with Java keystores before.
I expect there is some way to export the private key to a format that can be used by PHP.
Does anyone know exactly what I need to do in this situation?
If you aren't absolutely set on porting your code to php, you can use the php-java bridge to make calls to it from php. If your java code is proven, there's no reason to discard it out of hand.
http://phpkeystore.org/ may be of use.
EDIT: As implied by Mihir below, that site appears to be gone.
The last "good" archive of it is available at https://web.archive.org/web/20170607151254/http://phpkeystore.org/

Categories

Resources