How in java generate analogical output of this command?
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out cert.pem
I do next
KeyPairGenerator gen = KeyPairGenerator.getInstance(keyAlgo);
SecureRandom random = new SecureRandom();
gen.initialize(keyLength, random);
keyPair = gen.genKeyPair();
PublicKey pubk = keyPair.getPublic();
PrivateKey prvk = keyPair.getPrivate();
but in result i received another length public and private keys.
Here is an example:
Date validityBeginDate = new Date(System.currentTimeMillis());
Date validityEndDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000); //1 year from now
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
keyPairGenerator.initialize(4096, new SecureRandom());
KeyPair keyPair = keyPairGenerator.generateKeyPair();
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
X500Principal dnName = new X500Principal("CN=John Doe");
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setSubjectDN(dnName);
certGen.setIssuerDN(dnName);
certGen.setNotBefore(validityBeginDate);
certGen.setNotAfter(validityEndDate);
certGen.setPublicKey(keyPair.getPublic());
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");
Use a PEMWriter to output your PEM-file.
Related
I'm trying to store a private key in the android keystore but i keep getting an error, what am i doing wrong here ? I'm self signing the certificate because i need one to store the key but i don't need it.
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(1280);
KeyPair pair = keyPairGen.generateKeyPair();
PrivateKey privKey = pair.getPrivate();
PublicKey publicKey = pair.getPublic();
Certificate certificate = selfSign(pair, "myCer");
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
ks.setKeyEntry("MyPrivateKey", privKey, null, new Certificate[] { certificate });
Self signed certificate method :
public final static Certificate selfSign(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException, CertIOException, CertificateException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
long now = System.currentTimeMillis();
Date startDate = new Date(now);
X500Name dnName = new X500Name("CN=" + subjectDN);
BigInteger certSerialNumber = new BigInteger(Long.toString(now)); // <-- Using the current timestamp as the certificate serial number
Calendar calendar = Calendar.getInstance();
calendar.setTime(startDate);
calendar.add(Calendar.YEAR, 2); // <-- 1 Yr validity
Date endDate = calendar.getTime();
String signatureAlgorithm = "SHA256WithRSA"; // <-- Use appropriate signature algorithm based on your keyPair algorithm.
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic());
// Extensions --------------------------
// Basic Constraints
BasicConstraints basicConstraints = new BasicConstraints(true); // <-- true for CA, false for EndEntity
certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); // Basic Constraints is usually marked as critical.
// -------------------------------------
return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(contentSigner));
}
I generated a KeyPair like this:
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256k1");
KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
generator.initialize(ecSpec, new SecureRandom());
KeyPair kp = generator.generateKeyPair();
Then I generate Strings from the KeyPair:
String privateKeyString = Base64.getEncoder().encodeToString(kp.getPrivate().getEncoded();
So my first Question is how can I generate a PrivateKey object from privateKeyString and my second question is how can I generate a PublicKey / KeyPair from the PrivateKey object?
1- Generating a Private Key, from the command line:
openssl genrsa -aes256 -out private.key 2048
from java, read it:
String privateKey = IOUtils.toString(TestJwtSecurityUtil.class.getResourceAsStream("/private.key"));
privateKey = privateKey.replace("-----BEGIN RSA PRIVATE KEY-----", "");
privateKey = privateKey.replace("-----END RSA PRIVATE KEY-----", "");
privateKey = privateKey.replaceAll("\\s+","");
byte[] encodedKey = DatatypeConverter.parseBase64Binary( privateKey );
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encodedKey);
KeyFactory kf = KeyFactory.getInstance("RSA");
PrivateKey pKey = kf.generatePrivate(keySpec); // fails
Got exception:
Exception in thread "main" java.security.spec.InvalidKeySpecException:
java.security.InvalidKeyException: IOException :
DerInputStream.getLength(): lengthTag=58, too big.
I tried to convert to base64:
byte[] encodedKey = DatatypeConverter.parseBase64Binary( encodedString );
PrivateKey pKey = kf.generatePrivate(keySpec); // fails
got:
Exception in thread "main" java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:251)
Q: how to pass this? To make private key being read so in the end I could sing the JWT token:
final JwtBuilder builder = Jwts.builder().setId("id1")
....
.signWith(signatureAlgorithm, pKey);
Yes, it is duplicate. But since I spent more than 1 h looking for it in SO site. Based on this reply, and bouncycastle's PEMParser. Thanks, #dave_thompson_085
To create a private-public keys:
openssl genrsa -out private.key 4096
openssl rsa -pubout -in private.key -out public.key
then from java
--
final PrivateKey pKey = getPrivateKey();
final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RS256; // private key to sign / public to confrim a sign
final JwtBuilder builder = Jwts.builder().setId("id1")
.setIssuedAt(now)
.setSubject(subject)
.setIssuer(issuer)
.setAudience("api")
.addClaims(Map.of(
"user_name", "test user",
"authorities", List.of("ROLE_USER"),
"scope", List.of("read", "write"),
"client_id", "test-client"
)
) .signWith(signatureAlgorithm, pKey);
String jwt = builder.compact();
where:
private static PrivateKey getPrivateKey() throws Exception {
val path = TestUtils.class.getResource("/").getPath();
final PEMParser pemParser = new PEMParser(new FileReader(path + "/private.key"));
final JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
final PEMKeyPair object = (PEMKeyPair) pemParser.readObject();
final KeyPair kp = converter.getKeyPair(object);
final PrivateKey pKey = kp.getPrivate();
return pKey;
}
Then to check, paste: generated jwt to https://jwt.io/ (or any other tool) to see/check the content.
put a public.key content there to check the signature. To see that all is green.
I have generated an RSA x509 certificate using bouncy castle in java. The code is below:
public static X509Certificate generateCert()
{
try
{
Security.addProvider(new BouncyCastleProvider());
// generate a key pair
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// build a certificate generator
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X500Principal dnName = new X500Principal("cn=example");
// add some options
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setSubjectDN(new X509Name("dc=name"));
certGen.setIssuerDN(dnName); // use the same
// yesterday
certGen.setNotBefore(new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000));
// in 2 years
certGen.setNotAfter(new Date(System.currentTimeMillis() + 2 * 365 * 24 * 60 * 60 * 1000));
certGen.setPublicKey(keyPair.getPublic());
certGen.setSignatureAlgorithm("SHA256withRSA");
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));
mCurrentRSAKeyPair = keyPair;
// finally, sign the certificate with the private key of the same KeyPair
X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");
return cert;
}
catch (Exception e)
{
e.printStackTrace();
return null;
}
}
I want to be able to cast the X509Cerificate returned into a java.security.cert Certificate[] however it says they are incompatible. I need to use this certificate array for an android keystore:
public RSA(char[] password) throws Exception
{
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null);
Enumeration<String> aliases = ks.aliases();
if(!aliases.hasMoreElements())
{
//mCurrentCertificate is the X509Certificate
mCurrentCertificate = generateCert();
//Store the new keypair
FileInputStream fs = null;
ks.load(fs, password);
KeyStore.ProtectionParameter protParam =
new KeyStore.PasswordProtection(password);
Object cert = mCurrentCertificate.getEncoded();
java.security.cert.Certificate[] myCert = (java.security.cert.Certificate[]) cert; //CAST HERE
KeyStore.PrivateKeyEntry pkEntry =
new KeyStore.PrivateKeyEntry(mCurrentRSAKeyPair.getPrivate(),
myCert);
ks.setEntry("UserKey", pkEntry, protParam);
}
}
myCert is an array of certificates, and cert is an array of bytes (as returned by getEncoded()).
You should put your mCurrentCertificate variable inside an array:
java.security.cert.Certificate[] myCert = new java.security.cert.Certificate[] { (java.security.cert.Certificate) mCurrentCertificate};
// not sure if needs to cast mCurrentCertificate
When I use the openssl command to create a certificate, it has the option to secure the private key with a password. However, when I programmatically create a certificate and public/private key pair in Java, the Java API only has a way to set a password on the keystone but not on the private key (unlike the openssl command). So is there no way to encrypt the private key with a password like in the openssl command?
If it helps, here's how I'm creating the private key and certificate in Java:
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(KEY_SIZE, new SecureRandom());
KeyPair keyPair = keyPairGenerator.generateKeyPair();
X509CertInfo info = new X509CertInfo();
CertificateValidity validityInterval = generateValidityInterval();
BigInteger serialNumber = new BigInteger(SERIAL_NUMBER_SIZE, new SecureRandom());
X500Name owner = new X500Name(DN);
info.set(X509CertInfo.VALIDITY, validityInterval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId certificateAlgorithm = new AlgorithmId(CERTIFICATE_ALGORITHM);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(certificateAlgorithm));
X509CertImpl certificate = new X509CertImpl(info);
certificate.sign(keyPair.getPrivate(), new AlgorithmId(SIGNATURE_ALGORITHM).getName());
AlgorithmId x509Algorithm = (AlgorithmId) certificate.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, x509Algorithm);
certificate = new X509CertImpl(info);
certificate.sign(keyPair.getPrivate(), new AlgorithmId(SIGNATURE_ALGORITHM).getName());