Android Keystore : Failed to store private key - java

I'm trying to store a private key in the android keystore but i keep getting an error, what am i doing wrong here ? I'm self signing the certificate because i need one to store the key but i don't need it.
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(1280);
KeyPair pair = keyPairGen.generateKeyPair();
PrivateKey privKey = pair.getPrivate();
PublicKey publicKey = pair.getPublic();
Certificate certificate = selfSign(pair, "myCer");
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
ks.setKeyEntry("MyPrivateKey", privKey, null, new Certificate[] { certificate });
Self signed certificate method :
public final static Certificate selfSign(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException, CertIOException, CertificateException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
long now = System.currentTimeMillis();
Date startDate = new Date(now);
X500Name dnName = new X500Name("CN=" + subjectDN);
BigInteger certSerialNumber = new BigInteger(Long.toString(now)); // <-- Using the current timestamp as the certificate serial number
Calendar calendar = Calendar.getInstance();
calendar.setTime(startDate);
calendar.add(Calendar.YEAR, 2); // <-- 1 Yr validity
Date endDate = calendar.getTime();
String signatureAlgorithm = "SHA256WithRSA"; // <-- Use appropriate signature algorithm based on your keyPair algorithm.
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic());
// Extensions --------------------------
// Basic Constraints
BasicConstraints basicConstraints = new BasicConstraints(true); // <-- true for CA, false for EndEntity
certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); // Basic Constraints is usually marked as critical.
// -------------------------------------
return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(contentSigner));
}

Related

Create x509 certificate that has a Root CA parent

I have a Root CA certificate that has to sign a certificate that I am creating.
public static X509Certificate generateCertificate(final PublicKey publicKey,
final PrivateKey privateKey,
final String signingAlgorithm, GeneralNames names)
throws IOException, CertificateException, OperatorCreationException, NoSuchAlgorithmException
{
final X500NameBuilder subject = new X500NameBuilder(RFC4519Style.INSTANCE);
subject.addRDN(BCStyle.C, COUNTRY_NAME);
subject.addRDN(BCStyle.ST, STATE_NAME);
subject.addRDN(BCStyle.L, LOCALITY_NAME);
subject.addRDN(BCStyle.O, ORGANIZATION_NAME);
subject.addRDN(BCStyle.OU, ORGANIZATION_UNIT_NAME);
subject.addRDN(BCStyle.E, EMAIL_ADDRESS);
final X500NameBuilder issuer = new X500NameBuilder(RFC4519Style.INSTANCE);
issuer.addRDN(BCStyle.C, COUNTRY_NAME);
issuer.addRDN(BCStyle.ST, STATE_NAME);
issuer.addRDN(BCStyle.L, LOCALITY_NAME);
issuer.addRDN(BCStyle.O, ORGANIZATION_NAME);
issuer.addRDN(BCStyle.OU, ISSUER);
final BigInteger sn = new BigInteger(SERIAL_NUMBER_LENGTH, new SecureRandom());
final Date validFrom = Calendar.getInstance().getTime();
final Calendar c = Calendar.getInstance();
c.add(Calendar.YEAR, YEARS_VALID);
final Date validUntil = c.getTime();
File file = new File("PATH TO ROOT CA");
CertificateFactory fact = CertificateFactory.getInstance("X.509");
FileInputStream in = new FileInputStream(file);
X509Certificate cer = (X509Certificate) fact.generateCertificate(in);
final JcaContentSignerBuilder builder = new JcaContentSignerBuilder(signingAlgorithm);
ContentSigner signer = builder.build(privateKey);
final X509v3CertificateBuilder certBuilder=new JcaX509v3CertificateBuilder(cer, sn, validFrom, validUntil, subject.build(), publicKey);
BasicConstraints constr = new BasicConstraints(false);
KeyUsage usage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment);
certBuilder.addExtension(Extension.keyUsage, false, usage);
certBuilder.addExtension(Extension.subjectAlternativeName, false, names);
certBuilder.addExtension(Extension.basicConstraints, false, constr);
// certBuilder.addExtension(Extension.authorityKeyIdentifier, false,utiles.createAuthorityKeyIdentifier(cer));
certBuilder.addExtension(Extension.subjectKeyIdentifier, false,
new SubjectKeyIdentifier(publicKey.getEncoded()));
final byte[] certBytes = certBuilder.build(signer).getEncoded();
final CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));
}
I have tried a number of things but I can't find exactly a solution. Also I don't understand what i have to set on Subject Key Identifier extension.

It seems you're not getting the X.509 certificate generation process right:
You generate a Certificate Signing Request (CSR), which is basically your certificate's structure, not yet signed by a CA;
A Certificate Authority (in this case, your root CA) signs this CSR.
Have a look at Sign CSR using Bouncy Castle, which is probably what you're looking for.

X509V1CertificateGenerator emigrate to X509v1CertificateBuilder

Hello I am using the class X509V1CertificateGenerator to generate a certificate of the type X509Certificate.
now the class X509V1CertificateGenerator is deprecated and the recommanded alternative is X509v1CertificateBuilder but I do not know how to do the Migration.
Here is the Code:
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
// set the necessary X500-fields
X500Principal dnName = new X500Principal("CN=MyServerName");
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(dnName);
// expire-date
Calendar expireDate = Calendar.getInstance();
certGen.setNotBefore(expireDate.getTime());
// expires in 25 years
expireDate.add(Calendar.YEAR, 25);
certGen.setNotAfter(expireDate.getTime());
certGen.setSubjectDN(dnName); // note: same as issuer
certGen.setPublicKey(pair.getPublic());
// set the right signature-algorithm ->RSA/DSA
if (this.algorithm)
certGen.setSignatureAlgorithm("MD5withRSA");
else
certGen.setSignatureAlgorithm("SHA1withDSA");
// generate the X509-certificate
X509Certificate cert = certGen.generate(pair.getPrivate(), "BC");
What should I do to do the Migration?

Try this extracted from keycloak CertificateUtils
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
X509v1CertificateBuilder builder = new X509v1CertificateBuilder(
subjectDN,
serialNumber,
validityStartDate,
validityEndDate,
subjectDN,
subPubKeyInfo);
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
ContentSigner contentSigner =
new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
.build(PrivateKeyFactory.createKey(pair.getPrivate().getEncoded()));
X509CertificateHolder holder = builder.build(contentSigner);
X509Certificate cert = JcaX509CertificateConverter().getCertificate(holder);

Casting bouncy castle X509Certificate to Java.security.cert.Certificate[]

I have generated an RSA x509 certificate using bouncy castle in java. The code is below:
public static X509Certificate generateCert()
{
try
{
Security.addProvider(new BouncyCastleProvider());
// generate a key pair
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// build a certificate generator
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X500Principal dnName = new X500Principal("cn=example");
// add some options
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setSubjectDN(new X509Name("dc=name"));
certGen.setIssuerDN(dnName); // use the same
// yesterday
certGen.setNotBefore(new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000));
// in 2 years
certGen.setNotAfter(new Date(System.currentTimeMillis() + 2 * 365 * 24 * 60 * 60 * 1000));
certGen.setPublicKey(keyPair.getPublic());
certGen.setSignatureAlgorithm("SHA256withRSA");
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));
mCurrentRSAKeyPair = keyPair;
// finally, sign the certificate with the private key of the same KeyPair
X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");
return cert;
}
catch (Exception e)
{
e.printStackTrace();
return null;
}
}
I want to be able to cast the X509Cerificate returned into a java.security.cert Certificate[] however it says they are incompatible. I need to use this certificate array for an android keystore:
public RSA(char[] password) throws Exception
{
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null);
Enumeration<String> aliases = ks.aliases();
if(!aliases.hasMoreElements())
{
//mCurrentCertificate is the X509Certificate
mCurrentCertificate = generateCert();
//Store the new keypair
FileInputStream fs = null;
ks.load(fs, password);
KeyStore.ProtectionParameter protParam =
new KeyStore.PasswordProtection(password);
Object cert = mCurrentCertificate.getEncoded();
java.security.cert.Certificate[] myCert = (java.security.cert.Certificate[]) cert; //CAST HERE
KeyStore.PrivateKeyEntry pkEntry =
new KeyStore.PrivateKeyEntry(mCurrentRSAKeyPair.getPrivate(),
myCert);
ks.setEntry("UserKey", pkEntry, protParam);
}
}

myCert is an array of certificates, and cert is an array of bytes (as returned by getEncoded()).
You should put your mCurrentCertificate variable inside an array:
java.security.cert.Certificate[] myCert = new java.security.cert.Certificate[] { (java.security.cert.Certificate) mCurrentCertificate};
// not sure if needs to cast mCurrentCertificate

InvalidContentTypeException in JSCEP

I use the code published at https://github.com/jscep/jscep
In response to client.enrol I get :
InvalidContentTypeException: Expected [application/x-x509-ca-cert, application/x-x509-ca-ra-cert], but was null
URL url = new URL("http://212.29.229.154/certsrv/mscep/mscep.dll");
// Default Callback Mechanism
CertificateVerifier verifier = new ConsoleCertificateVerifier();
CallbackHandler handler = new DefaultCallbackHandler(verifier);
// Creating the Client
Client client = new Client(url, handler);
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair requesterKeyPair = keyGen.genKeyPair();
Capabilities caps = client.getCaCapabilities();
String sigAlg = caps.getStrongestSignatureAlgorithm();
X500Principal requesterIssuer = new X500Principal("CN=jscep.org, L=Netanya, ST=Sharon, C=IL");
BigInteger serial = BigInteger.ONE;
Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.DATE, -1); // yesterday
Date notBefore = calendar.getTime();
calendar.add(Calendar.DATE, +2); // tomorrow
Date notAfter = calendar.getTime();
X500Principal requesterSubject = new X500Principal("CN=jscep.org, L=Netanya, ST=Sharon, C=IL"); // doesn't need to be the same as issuer
PublicKey requesterPubKey = requesterKeyPair.getPublic(); // from generated key pair
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(requesterIssuer, serial, notBefore, notAfter, requesterSubject, requesterPubKey);
// Optional extensions
// certBuilder.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature));
// Signing
PrivateKey requesterPrivKey = requesterKeyPair.getPrivate(); // from generated key pair
JcaContentSignerBuilder certSignerBuilder = new JcaContentSignerBuilder(sigAlg); // from above
ContentSigner certSigner = certSignerBuilder.build(requesterPrivKey);
X509CertificateHolder certHolder = certBuilder.build(certSigner);
JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
X509Certificate requesterCert = converter.getCertificate(certHolder);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
KeyPair entityKeyPair = keyPairGenerator.genKeyPair();
X500Principal entitySubject = requesterSubject; // use the same subject as the self-signed certificate
PublicKey entityPubKey = entityKeyPair.getPublic();
PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(entitySubject, entityPubKey);
DERPrintableString password = new DERPrintableString("password");
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);
PrivateKey entityPrivKey = entityKeyPair.getPrivate();
JcaContentSignerBuilder csrSignerBuilder = new JcaContentSignerBuilder("SHA1withRSA");
ContentSigner csrSigner = csrSignerBuilder.build(entityPrivKey);
PKCS10CertificationRequest csr = csrBuilder.build(csrSigner);
EnrollmentResponse res = client.enrol(requesterCert, requesterPrivKey, csr);

Generate certificate chain in java

The question is how to generate certificate chains programmatically in Java. In other words, I would like to perform in java the operations detailed here: http://fusesource.com/docs/broker/5.3/security/i382664.html
Besically, I can create the RSA keys for a new client:
private KeyPair genRSAKeyPair(){
// Get RSA key factory:
KeyPairGenerator kpg = null;
try {
kpg = KeyPairGenerator.getInstance("RSA");
} catch (NoSuchAlgorithmException e) {
log.error(e.getMessage());
e.printStackTrace();
return null;
}
// Generate RSA public/private key pair:
kpg.initialize(RSA_KEY_LEN);
KeyPair kp = kpg.genKeyPair();
return kp;
}
and I generate the corresponding certificate:
private X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
throws GeneralSecurityException, IOException {
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
Then I generate the cert signing request and I save it to csrFile file:
public static void writeCertReq(File csrFile, String alias, String keyPass, KeyStore ks)
throws KeyStoreException,
NoSuchAlgorithmException,
InvalidKeyException,
IOException,
CertificateException,
SignatureException,
UnrecoverableKeyException {
Object objs[] = getPrivateKey(ks, alias, keyPass.toCharArray());
PrivateKey privKey = (PrivateKey) objs[0];
PKCS10 request = null;
Certificate cert = ks.getCertificate(alias);
request = new PKCS10(cert.getPublicKey());
String sigAlgName = "MD5WithRSA";
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privKey);
X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
X500Signer signer = new X500Signer(signature, subject);
request.encodeAndSign(signer);
request.print(System.out);
FileOutputStream fos = new FileOutputStream(csrFile);
PrintStream ps = new PrintStream(fos);
request.print(ps);
fos.close();
}
where
private static Object[] getPrivateKey(KeyStore ks, String alias, char keyPass[])
throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException {
key = null;
key = ks.getKey(alias, keyPass);
return (new Object[]{ (PrivateKey) key, keyPass });
}
Now I should sign the CSR with the CA private key, but I cannot see how to achive that in java. I have "my own" CA private key in my jks.
Besides, once I manage to sign the CSR I should chain the CA cert with the signed CSR: how that can be done in java?
I would prefer not to use bc or other external libs, just "sun.security" classes.
Thank you.

I believe the code example in the post http://www.pixelstech.net/article/1406726666-Generate-certificate-in-Java----2 will show you how to generate certificate chain with pure Java. It doesn't require you to use Bouncy Castle.

Sorry, but despite your desires, and besides writing all of your crypto code and including it with your project (not recommended), I'd recommend using Bouncy Castle here.
Specifically, please refer to https://stackoverflow.com/a/7366757/751158 - which includes code for exactly what you're looking to do.

I see you've already gone over to the BouncyCastle side of the house but just in case anyone else was wondering; you can add the cert chain to the entry when putting the key into the KeyStore. For example
// build your certs
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load([keystore stream], password.toCharArray());// or null, null if it's a brand new store
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _clientCert;
chain[1] = _caCert;
keyStore.setKeyEntry("Alias", _clientCertKey, password.toCharArray(), chain);
keyStore.store([output stream], password.toCharArray());
// do other stuff

Categories