In my job I was assigned a task in which I have to programmatically load private and public keys from files and then store them in a .jks file. The private key was generated using OpenSSL; it's an RSA DES-encrypted key in DER format. I have no problem loading the public key; however, I haven't found a way to load the private key in its original form. The only way I found consists of decrypting the key and then converting it to a pk8 file. Is there any other way to do it without decrypting the private key?
OpenSSL's standard way to save keys is to use PEM format (PEM header and footer with the base64-encoded DER key inside). The private key is additionally encrypted (the encryption algorithm is specified in the header). JKS doesn't use DER for encryption of the private key, so you can't just take the encrypted DER sequence and put it into a JKS. To add the key pair to a JKS you need to get both the public and private key in DER format, and the private key must be decrypted.
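The answer above says the key must be decrypted before it can go into a JKS; what it does not say is that the decryption can happen in memory, so the plaintext key never has to be written to disk. The following is an added example, not code from the question or the answer. It assumes the key was first wrapped as an encrypted PKCS#8 DER file (`openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -inform DER -outform DER -in key.der -out key.p8.der`; the `-v1 PBE-SHA1-3DES` choice makes the algorithm name inside the blob one that SunJCE knows directly), that a matching X.509 certificate exists in `cert.der` (a JKS key entry needs a certificate chain, not a bare public key), and that the file names, alias `mykey`, and the two passwords passed on the command line are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Import an OpenSSL-encrypted PKCS#8 RSA key into a JKS without writing the plaintext key to disk. */
public class ImportEncryptedKey {

    /** Decrypts an encrypted PKCS#8 DER blob in memory using the PBE scheme named inside it. */
    static PrivateKey decryptPkcs8(byte[] encryptedDer, char[] password) throws Exception {
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(encryptedDer);
        // For "-v1 PBE-SHA1-3DES" output this is "PBEWithSHA1AndDESede", a SunJCE algorithm name.
        String pbeAlg = epki.getAlgName();
        SecretKey pbeKey = SecretKeyFactory.getInstance(pbeAlg)
                .generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(pbeAlg);
        cipher.init(Cipher.DECRYPT_MODE, pbeKey, epki.getAlgParameters());
        PKCS8EncodedKeySpec plainSpec = epki.getKeySpec(cipher); // a wrong password fails here
        return KeyFactory.getInstance("RSA").generatePrivate(plainSpec);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: args[0] is the key password, args[1] the keystore password.
        char[] keyPassword = args[0].toCharArray();
        char[] storePassword = args[1].toCharArray();
        PrivateKey priv = decryptPkcs8(Files.readAllBytes(Paths.get("key.p8.der")), keyPassword);
        Arrays.fill(keyPassword, '\0'); // don't keep the PBE password around longer than needed

        Certificate cert;
        try (FileInputStream in = new FileInputStream("cert.der")) { // DER or PEM both parse
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Sanity check before storing: the certificate must belong to this private key.
        if (!((RSAPublicKey) cert.getPublicKey()).getModulus()
                .equals(((RSAPrivateKey) priv).getModulus())) {
            throw new IllegalStateException("certificate does not match the private key");
        }

        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null); // start with an empty store
        jks.setKeyEntry("mykey", priv, storePassword, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream("keystore.jks")) {
            jks.store(out, storePassword);
        }
        System.out.println("stored " + priv.getAlgorithm() + " key under alias 'mykey'");
    }
}
```

The modulus comparison is the check worth keeping: a JKS will happily accept a key entry whose certificate belongs to some other key, and the mismatch only surfaces later as an opaque TLS or signature failure.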
Related
I have a certificate (public key) in the standardized X.509 format (without a private key) and I want to convert it into JKS or PKCS12 format, as only these formats are supported by my application.
Is it possible to convert it without the private key?
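A certificate without its private key fits in both store types as a trusted-certificate entry (`setCertificateEntry`), which is how CA and peer certificates are normally kept. The example below is added here and is not from the question; the certificate path given on the command line, the alias `trusted-server` and the password `changeit` are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/** Put a certificate with no private key into a JKS or PKCS12 store as a trustedCertEntry. */
public class ImportCertOnly {

    static KeyStore storeTrustedCert(String type, String alias, Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                 // empty store of the requested type
        ks.setCertificateEntry(alias, cert); // no key, no chain: a trusted-certificate entry
        return ks;
    }

    /** Serialises and reloads the store, then confirms the alias came back as a certificate entry. */
    static boolean roundTrip(KeyStore ks, String alias, char[] pw) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ks.store(bytes, pw);
        KeyStore reloaded = KeyStore.getInstance(ks.getType());
        reloaded.load(new ByteArrayInputStream(bytes.toByteArray()), pw);
        return reloaded.isCertificateEntry(alias) && !reloaded.isKeyEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        Certificate cert;
        try (FileInputStream in = new FileInputStream(args[0])) { // e.g. server.crt, PEM or DER
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        char[] pw = "changeit".toCharArray(); // constructed demo password
        for (String type : new String[] { "JKS", "PKCS12" }) {
            KeyStore ks = storeTrustedCert(type, "trusted-server", cert);
            System.out.println(type + " round trip ok: " + roundTrip(ks, "trusted-server", pw));
            try (FileOutputStream out = new FileOutputStream("truststore." + type.toLowerCase())) {
                ks.store(out, pw);
            }
        }
    }
}
```

The `isCertificateEntry`/`isKeyEntry` check after reloading is useful because application code that later calls `getKey` on such an alias gets `null`, not an error; knowing the entry type up front avoids chasing that.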
I am trying to store my own secret key in a PKCS12 keystore. I tried using the code below:
char[] passArray = "password".toCharArray();// this is key store pass
String key = "test123"; // this is my own secret key
// Loading a Keystore
KeyStore p12KeyStore = KeyStore.getInstance("PKCS12");
p12KeyStore.load(new FileInputStream("testKeyStore.p12"), passArray);
Storing my own secret key as shown below:
byte [] byteKey = key.getBytes();
SecretKeySpec keySpec = new SecretKeySpec(byteKey, "DSA");
KeyStore.SecretKeyEntry secret = new KeyStore.SecretKeyEntry(keySpec);
KeyStore.ProtectionParameter password = new KeyStore.PasswordProtection(passArray);
p12KeyStore.setEntry("secret-key", secret, password);
But I am not sure whether storing my own secret key this way is best practice or not. Also, when trying to get my own key from the keystore, it does not come back the same as my original secret key.
Key eKey = p12KeyStore.getKey("secret-key", passArray);
Can anyone please help me with storing and getting my own secret in a PKCS12 keystore?
Are you sure the code you have above worked? Because DSA is an asymmetric algorithm, not a symmetric algorithm. If you are sure it is a secret key, it has to be AES or DES or DESede (Triple DES). Your above code should have failed.
And answers to your questions:
Just like databases store data, keys (secret keys and key pairs) and certificates are meant to be stored in a keystore; that's where they should reside in your application. You should be referring to/retrieving them from the keystore.
And from what you said in one of your statements, that the key is different after you stored and then retrieved it from what you had originally: judging by this, I think the key you have is a Triple DES or a DES key. DES/Triple DES uses parity bits, and the parity bits are corrected by the Java API SecretKeySpec. This causes the key to look different from the original, but it is actually the same. You can read more about the parity bits here.
And as a best practice you shouldn't be storing the secret keys in a PKCS12 Keystore. The internet standard defines that the PKCS12 keystore should contain only one KeyPair entry associated with its certificate chain. Even though it can contain more than one entry, it is ideal to have only one entry, with the key password same as the keystore password. They can store secret keys too, but it is best if you store them in a JCEKS keystore format.
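Two things in this answer are worth seeing run: a secret key surviving a JCEKS round trip unchanged, and a DES key whose bytes change once parity is normalised while the key itself stays equivalent. The example below is added here and is not code from the question or the answer. It assumes SunJCE (the default JDK provider); the alias, the password `changeit` and the 8-byte value `abcdefgh` are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class SecretKeyStoreDemo {

    /** Stores a secret key in an in-memory JCEKS keystore and reads it back. */
    static SecretKey roundTripJceks(SecretKey key, String alias, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(pw));
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ks.store(bytes, pw);
        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        reloaded.load(new ByteArrayInputStream(bytes.toByteArray()), pw);
        return (SecretKey) reloaded.getKey(alias, pw);
    }

    /** Returns the DES key bytes with odd parity set on every byte, as SunJCE's DES key objects do. */
    static byte[] parityAdjusted(byte[] rawDesKey) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("DES");
        return f.generateSecret(new DESKeySpec(rawDesKey)).getEncoded();
    }

    /** True if the two 8-byte keys encrypt a block identically (DES ignores the parity bits). */
    static boolean sameDesKey(byte[] a, byte[] b) throws Exception {
        byte[] block = new byte[8]; // constructed all-zero test block
        Cipher c = Cipher.getInstance("DES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(a, "DES"));
        byte[] ca = c.doFinal(block);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(b, "DES"));
        return Arrays.equals(ca, c.doFinal(block));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed demo password
        // Preferred: a properly generated AES key rather than a password string used as key bytes.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        SecretKey aes = gen.generateKey();
        SecretKey back = roundTripJceks(aes, "app-aes-key", pw);
        System.out.println("AES key identical after JCEKS round trip: "
                + Arrays.equals(aes.getEncoded(), back.getEncoded()));

        // Why a DES key can "look different": the parity bit of each byte gets normalised.
        byte[] raw = "abcdefgh".getBytes(StandardCharsets.US_ASCII); // constructed, parity not adjusted
        byte[] adjusted = parityAdjusted(raw);
        System.out.println("raw bytes already parity-adjusted: " + DESKeySpec.isParityAdjusted(raw, 0));
        System.out.println("bytes differ: " + !Arrays.equals(raw, adjusted)
                + ", same DES key: " + sameDesKey(raw, adjusted));
    }
}
```

`sameDesKey` is the practical test when a stored key "comes back different": if both byte strings produce the same ciphertext for the same block, the keystore did not corrupt anything, it only normalised parity.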
I know this issue may be duplicated somewhere else, but I wasted a lot of time trying to fix it.
I need to use a third-party API, and as per their documentation I have to generate a private/public key pair using the command ssh-keygen -t rsa, send them the public key, and for every request I must sign the request body using my private key.
I found many code samples to read private/public keys in formats like PEM or DER, but not the format generated using ssh-keygen -t rsa.
My private key now is
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,07E3CD04C0D5E7AEC5BFB3660C389A79
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
-----END RSA PRIVATE KEY-----
My public key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ98gmTkAoteabP96SmMDWAsPYIj5tV4iovMC9IEeWtiV1DbOIYVYpp27YM2DezoEuBwbccG9+A2wygyYKAVJurfmQTTL4h2WxJ5UIRJtwKrc2UKZNA6amUfIEcQHt0qJeTk6t5Havte2eTU3P6p15J7sHonLdeVBqybjeUMTOc8g41uUtTtmgTSp3BORkY/qwYzC7bICWZuuoklathRgj0CATkfkz25kggV/cNiWo8Ngr2mM8qB3EZxidF6FYwGROYRFq9jPfn1K3EvgOWWsPeHwd/bJn109sTqaLY5TsKuatxZAE+3CHNoQsEGaAVtEz505Oa8IRJYp9LERuBHx1 melad#pcwrk005.bovc.dk
How do I read these files using Java and sign/verify strings with them?
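The public key in the question is in OpenSSH's own wire format (base64 of length-prefixed fields: the string `ssh-rsa`, then the exponent and modulus as mpints), which the JDK does not parse for you. The following is an added example, not code from the post: it parses that line into a `java.security` RSA key, encodes a key back to the same format to prove the round trip, and signs/verifies a request body. It assumes the API expects SHA256withRSA; the generated key pair, the comment `demo@example` and the request body are constructed for the demo. The private key in the post is in OpenSSL's legacy encrypted PEM (`DEK-Info`) form, which the JDK also does not read directly; the common route is to convert it with `openssl pkcs8 -topk8` into PKCS#8 first, which is not shown here.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class OpenSshRsa {

    /** Parses an "ssh-rsa AAAA... comment" line into an RSAPublicKey. */
    static RSAPublicKey parse(String line) throws Exception {
        String[] parts = line.trim().split("\\s+");
        if (parts.length < 2 || !parts[0].equals("ssh-rsa")) {
            throw new IllegalArgumentException("not an ssh-rsa public key line");
        }
        ByteBuffer buf = ByteBuffer.wrap(Base64.getDecoder().decode(parts[1]));
        String type = new String(readField(buf), StandardCharsets.US_ASCII);
        if (!type.equals("ssh-rsa")) throw new IllegalArgumentException("unexpected key type " + type);
        BigInteger e = new BigInteger(1, readField(buf)); // mpint, always positive here
        BigInteger n = new BigInteger(1, readField(buf));
        if (buf.hasRemaining()) throw new IllegalArgumentException("trailing bytes in key blob");
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    /** One SSH field: 4-byte big-endian length followed by that many bytes. */
    private static byte[] readField(ByteBuffer buf) {
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) throw new IllegalArgumentException("bad field length");
        byte[] out = new byte[len];
        buf.get(out);
        return out;
    }

    /** Encodes an RSA public key in the same OpenSSH line format. */
    static String format(RSAPublicKey key, String comment) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        // BigInteger.toByteArray() already yields the mpint form (leading 0x00 when the top bit is set).
        for (byte[] field : new byte[][] { "ssh-rsa".getBytes(StandardCharsets.US_ASCII),
                key.getPublicExponent().toByteArray(), key.getModulus().toByteArray() }) {
            out.writeInt(field.length);
            out.write(field);
        }
        out.flush();
        return "ssh-rsa " + Base64.getEncoder().encodeToString(bos.toByteArray()) + " " + comment;
    }

    static byte[] sign(PrivateKey key, byte[] body) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA"); // assumed scheme; check the API's docs
        s.initSign(key);
        s.update(body);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] body, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(body);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // stands in for the ssh-keygen pair
        String line = format((RSAPublicKey) kp.getPublic(), "demo@example");
        RSAPublicKey parsed = parse(line);
        byte[] body = "{\"amount\":42}".getBytes(StandardCharsets.UTF_8); // constructed request body
        byte[] sig = sign(kp.getPrivate(), body);
        System.out.println("parsed key equals generated: " + parsed.equals(kp.getPublic()));
        System.out.println("signature verifies: " + verify(parsed, body, sig));
        body[0] ^= 1; // flip one bit of the body
        System.out.println("verifies after tampering: " + verify(parsed, body, sig));
    }
}
```

The length checks in `readField` matter when the key line comes from outside: a negative or oversized length field would otherwise turn into an exception deep inside `ByteBuffer` rather than a clear parse error.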
I have a public key which is used to encrypt some binary data. How can I write the code that can decrypt this data with the same public key ?
You can't - the whole point about public/private-key-cryptography like RSA is that when you encrypt some data using a public key you can only decrypt it using the matching (!) private key. So without the proper private key you won't be able to recover your AES-key and you won't get back to your cleartext.
I want to know the differences between a certificate private key retrieved from a .pfx file and one from the personal My store.
I retrieved the certificate private key in these two ways using the Java language.
Retrieved from the personal My store:
Private Key : RSAPrivateKey [size=2048 bits, type=Exchange, container={DE6E412F-9F87-4E26-8A3A-9C1DAC06A110}]
Retrieved from a .pfx file by user input:
Private Key : RSA Private CRT Key
modulus: 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
public exponent: 10001
private exponent: 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
primeP: ddad2933da59cbc2a7129df80e5ddd730ce4711f056fff802699dc12816dcd742a8bcb8bff10acc4eb43bb24dbaf8e3db3b1e026a39a69042907aed105aa344131da0817749ef25d02ce51e34adabede8e4a09b2dae5268b5da4e154939e10a67b2cd9ebe9fcfb93c1c5508dacb2a7d7b4821bc83f97e30d1973e32538bb1b15
primeQ: e4a1eeb2137558806760445f25f6a90a9450160e153782c0c1ac4b76e63aeec605093764cb02d40a1ab74cdb7180c02e9052c40b7bcb4aafd9e24a4797cda0d5090bf70665ddd55de041bb3d48a0359e28a831a2db77ae5265316b26b3722a52d019c98a8c4e34999f8f90671691d172ea4f4e020f5ce31d70018976621c9ebb
primeExponentP: 5aa210c58591cf305fb4c9e780a03a096f0cfb7f2e6ef32cc71b831201df0df05ff0d6210001265240ca697a91637ea9958db552b6f34bda8a97fc8eb35d3a8e293eb6ae385d40446d004414c5271880cff64f6ed3f67ac2e25fa64d3929982f290f566e113600fa11708615d6b518d0a599c89820000eb1ed65274ab19e365d
primeExponentQ: ad7b31e36d605d071169ba777816f1ad555c6f5fc0399ebd2437d80b20271786a9cb947ca68e3ed66bef2a2258bd9915bbed1154a55a5c11930261da711556344fe904479683fca27ec7618bdecfb1df907a0f2fc3d7cc2e391a86739735c9678d00042d5cc8faa096b218a0204004ed6d5d3f93d0946ac0ab7c7f1194e0a29
crtCoefficient: 7f70f9439d3ab04af8dc5ff8f11fbc60d3e62d5a6220c9421de09374f431214f7cba3cb8eb302c8c79a5c84555c5e29ebec9edc2d1547fd07aea860888a50d5aa1aa2eeb5a40d2f46523bd8fa4125c34dde6a91f9f3c88e9bc3bee484e9367125b20c630fcf2e8144ea31f688a67def228fdcdc02dd6b64e23e0bd67e330c5e6
Please explain this to me.
Your private key remains the same. You can generate your private key in the Microsoft key store, referenced by a key container. When you import your private key from a PFX, the private key gets imported into the Microsoft key store, but referenced by the PFX certificate context.
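The two printouts in the question differ because the Windows-MY entry is a handle to a key container that the provider drives for you, while the PKCS12 entry is a software key whose CRT components sit in the JVM. The example below is added here, not from the question or the answer; it loads the same certificate's key from both sources, reports whether the key bytes are even obtainable, and signs a probe message with each so the certificate's public key can confirm they are the same key. It assumes a Windows JDK with the SunMSCAPI provider, that the certificate exists under the given aliases in both places, and that the command-line arguments (alias, PFX path, PFX password, PFX alias) are supplied by the user.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;

/** Compare how a private key looks when it comes from Windows-MY versus from a PFX file. */
public class CompareKeySources {

    /** Describes a private key and checks that it signs for the given certificate. */
    static String describe(PrivateKey key, Certificate cert) throws Exception {
        byte[] probe = "probe".getBytes(StandardCharsets.UTF_8); // constructed test message
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key); // provider is chosen to match the key (SunMSCAPI or SunRsaSign)
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        boolean ok = verifier.verify(sig);
        // getEncoded() is null when the provider only holds a handle to the key, not its bytes.
        return key.getClass().getName()
                + " format=" + key.getFormat()
                + " keyBytesAvailable=" + (key.getEncoded() != null)
                + " signsForCert=" + ok;
    }

    static String fromWindowsMy(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY"); // SunMSCAPI, Windows only
        ks.load(null, null);
        return describe((PrivateKey) ks.getKey(alias, null), ks.getCertificate(alias));
    }

    static String fromPfx(String path, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return describe((PrivateKey) ks.getKey(alias, pw), ks.getCertificate(alias));
    }

    public static void main(String[] args) throws Exception {
        // args: <alias in Windows-MY> <path to .pfx> <pfx password> <alias in pfx>
        System.out.println("Windows-MY: " + fromWindowsMy(args[0]));
        System.out.println("PFX       : " + fromPfx(args[1], args[2].toCharArray(), args[3]));
    }
}
```

The `signsForCert` field is the check that matters operationally: two key objects that print differently but both produce signatures the certificate verifies are the same key, and code that only needs to sign should not care which store it came from.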