I am using AES Symmetric encryption of data using BouncyCastle provider, and then wrapping the key using RSA Asymmetric algorithm from Public key obtained from Windows keystore certificate using SunMSCAPI provider. Can anyone please help how to use the SunMSCAPI for RSA wrapping and unwrapping of symmetric keys appropriately with some code snippet?
[sweeping old questions]
You can just use javax.crypto.Cipher.wrap() and unwrap() using the retrieved instances of RSAPublicKey and RSAPrivateKey. For this you may need the unlimited crypto policy files from Sun/Oracle for your JDK/JRE.
Related
I am facing the following issue. I am currently working on integrating Single Sign-On (SSO) functionality into an existing application using the SAML Java toolkit. The Identity Provider (IdP) I am working with requires me to have an encryption certificate that uses the RSA-encryption schema RSA-OAEP (Rivest–Shamir–Adleman - Optimal asymmetric encryption padding). For testing purposes, It is allowed to use self signed certificates. Since I have already generated a signature certificate with the cryptographic signature scheme PSS, so I have tried to use RSA_PADDING_MODE:OAEP (by analogy to RSA_PADDING_MODE:PSS) but it did not work. I used the following command to create a private key.
openssl genpkey -algorithm RSA -out privateKey.pem -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_padding_mode:oaep
I get the following error
I have the last version of openssl (OpenSSL 1.1.1s) installed on my computer. Since I did not find any explanation for this error. I tried to read the documentation of openSSL and I found out that RSA-OAEP is only used for the encryption and decryption:
Based on the documentation of OpenSSL, It seems that I should generate a private key and a self signed certificate using RSA without padding. The IdP will pad the message using OAEP padding schema. Then it will encrypt the SAML-message with my public certificate that I have provided. On my side, I will decrypt the SAML-message using my private key. Finally, I should unpad the message using a Java library. Am I correct ?
I'm not a sercurity or a crypto expert. I want to perfrom encryption on my client to server communication in a RESTful api system.
Currently I'm using javax crypto and initializing the Ciper for AES with AES/GCM/PKCS5Padding to encrypt the data and RSA with RSA/ECB/OAEPWithSHA-256AndMGF1Padding to encrypt the iV and Symmetric key with a public key.
This works well for me.
I did some more digging on other encryption libraries and found Libsodium or NaCl.
I tried searching for any comparision between these and I'm not able to find any. Is it because I'm trying compare apples to oranges?
Should I continue with the javax crypto or should I switch to sodium? What benifits does sodium give over the default javax crypto?
I am trying to store a proxy X.509 certificate into a keystore. The certificate is generated using bouncycastle library, the problem is that I do not have the secret key for the certificate and from what I understand is that to store it in a Java key store I need the secret key. Furthermore I can't seem to convert the certificate into Java's own implementation of it.
I want to store it in a keystore so that Axis2's Rampart could attach it to SOAP messages according to our own security architecture.
IF anyone can kindly explain to me if there is a way to do this or if I am missing something important I would be thankful
from what I understand is that to store it in a Java key store I need the secret key
No. You don't need the private key to store a certificate. You only need that for your own certificate. Just use keytool -import.
I need to encrypt and sign data using PKCS7(CMS).
I am using bouncy castle provided api to achieve this using java .
Till now what i understood is i need to follow these steps
Need to generate a key pair private & public key using some algorithm say RSA
Certify it with X509 certificate
Convert it into PKCS7 key format like p7b
Generate java key store using keytool some *.jks file
Generate the Certificate Signing Request (CSR) using keytool command *.crt
Become self CA(Certificate Autority) and certify
Import key from keystore created in previous stem and encrypt sign and decrypt data
I still need to figure out what steps i need to follow to sign,encrypt,decrypt data.
My question is
Is my steps are correct ?
How do i certify key pair generated by RSA algorithm and convert into PKCS7 key format
How do i become self CA and certify
I got this to encrypt and sign, still i am confused with steps to follow and also most of them are deprecated.
What you need is not BouncyCastle.
You need OpenSSL and a guide.
OpenSSL
How to set up your own certificate authority
How to create a self-signed certificate
How to use a certificate in Java
Alternatively, to generate and store an RSA key using Java:
Generate RSA key pair and encode private as string
My friend has encrypted data with PKCS1 padding on an iPhone.
How can I decrypt that data in Java?
Java requires me to specify "algorithm/ciphermode/padding". The padding and the algorithm are known, but neither of us knows the cipher mode; it is not specified when encrypting on the iPhone.
using bouncy castle and this code should be simple
RSA doesn't really use a "mode"; modes are for block ciphers.
The built-in Sun provider will accept "RSA/ECB/PKCS1Padding" as a Cipher name. ECB is "Electronic Code Book", which doesn't mix any information from "block" to block; it is sort of "no cipher mode."
Other providers accept "None" as a cipher mode with RSA.
BouncyCastle is a good provider. I'm not sure why you would need to take the trouble to install it in this case, however. The SunJCE provider will work fine.