Java Tutorial/Security/KeyPairGenerator
Adding Extensions to a Certification Request
import java.io.OutputStreamWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;
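/**
 * Builds a PKCS#10 certification request that carries an extension request
 * (a subjectAltName holding an rfc822Name) and prints it to standard output
 * in PEM form.
 *
 * <p>The listing uses the legacy Bouncy Castle classes it imports
 * ({@code org.bouncycastle.jce.PKCS10CertificationRequest},
 * {@code X509Extensions}, {@code PEMWriter}).
 */
public class MainClass {
  /**
   * RSA modulus size in bits. 1024-bit RSA is below current minimum
   * recommendations, so the example generates 2048-bit keys.
   */
  private static final int RSA_KEY_BITS = 2048;

  /**
   * Creates a certification request for "CN=Requested Test Certificate" that
   * asks the issuer to add a subjectAltName extension.
   *
   * @param pair key pair whose public key goes into the request and whose
   *     private key is passed as the signing key
   * @return the signed PKCS#10 request
   * @throws Exception if the request cannot be built or signed
   */
  public static PKCS10CertificationRequest generateRequest(KeyPair pair) throws Exception {
    // The requested alternative name: an e-mail address (rfc822Name).
    GeneralNames subjectAltName =
        new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"));

    // The X509Extensions constructor used here takes two parallel Vectors:
    // extension OIDs and the matching extension values.
    Vector<Object> oids = new Vector<Object>();
    Vector<Object> values = new Vector<Object>();
    oids.add(X509Extensions.SubjectAlternativeName);
    // 'false' marks the requested extension as non-critical.
    values.add(new X509Extension(false, new DEROctetString(subjectAltName)));
    X509Extensions extensions = new X509Extensions(oids, values);

    // Requested extensions travel in the pkcs-9 extensionRequest attribute.
    // They are only a request: the issuer decides which of them to honour.
    Attribute attribute =
        new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(extensions));

    return new PKCS10CertificationRequest(
        "SHA256withRSA",
        new X500Principal("CN=Requested Test Certificate"),
        pair.getPublic(),
        new DERSet(attribute),
        pair.getPrivate());
  }

  /**
   * Generates an RSA key pair with the "BC" provider, builds the request and
   * writes it as PEM to standard output.
   *
   * @param args unused
   * @throws Exception if key generation, request creation or output fails
   */
  public static void main(String[] args) throws Exception {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

    KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
    kpGen.initialize(RSA_KEY_BITS, new SecureRandom());
    KeyPair pair = kpGen.generateKeyPair();

    PKCS10CertificationRequest request = generateRequest(pair);

    // Only the request is written; the private key is never printed.
    PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
    try {
      pemWrt.writeObject(request);
    } finally {
      // Close even when writeObject fails so buffered output is flushed.
      pemWrt.close();
    }
  }
}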
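/* Sample output from one run with a 1024-bit RSA key; the request differs on every run because a new key pair is generated.
-----BEGIN CERTIFICATE REQUEST-----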
MIIBkDCB+gIBADAlMSMwIQYDVQQDExpSZXF1ZXN0ZWQgVGVzdCBDZXJ0aWZpY2F0
ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArbtf7LlFX+hg/kYX0a6dLmLW
UHHpiHH6UW4CF0X240kAsThW8xpFe+rHMDW0NlpHCotQ6NVAJqNm+y6FInvu0+fO
4tq4GKJVw0ewEL//IsD+1lBWBDSmeUq3P2ONRDft7gyW5R3NAja3ihoTJaSd3SWZ
GBdhFZdx75WsomPMmtkCAwEAAaAsMCoGCSqGSIb3DQEJDjEdMBswGQYDVR0RBBIw
EIEOdGVzdEB0ZXN0LnRlc3QwDQYJKoZIhvcNAQELBQADgYEAbDa0nbtl57NDYyc8
yxuXLrDNrcG9qaDXR9bcWsvk6dR9zg1aTr9KtBT8iKoS41xW25ndRN/xH0ft2oWN
UzD4ADDUu48Jtc9lk52ei44w4u2pQk4BhY1lgO8eZY9y4SCuT6C28mqxNZ4Jq8lb
wQzxBmdTgd8873ebGdi5ZdpIlMI=
-----END CERTIFICATE REQUEST-----
*/
Asymmetric Key Maker
import java.security.KeyPair;
import java.security.KeyPairGenerator;
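/**
 * Generates an asymmetric key pair and prints both halves.
 */
public class Main {
  /**
   * Creates a key pair for the chosen algorithm and prints the public and
   * private key objects.
   *
   * @param args unused
   * @throws Exception if the algorithm is not available from any provider
   */
  public static void main(String[] args) throws Exception {
    // An empty algorithm name makes KeyPairGenerator.getInstance throw
    // NoSuchAlgorithmException, so a concrete algorithm is named here.
    String algorithm = "RSA";

    KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
    // Set the size explicitly: the provider default varies between runtimes.
    generator.initialize(2048);
    KeyPair keyPair = generator.generateKeyPair();

    System.out.println(keyPair.getPublic());
    // NOTE(review): depending on the provider, toString() of a private key may
    // include the secret values. This line is for demonstration only; do not
    // print or log private keys in real code.
    System.out.println(keyPair.getPrivate());
  }
}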
Creating a Certificate from a Certification Request
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V1CertificateGenerator;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
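/**
 * Issues an end-entity certificate from a PKCS#10 certification request and
 * prints the resulting two-certificate chain (issued certificate, then root)
 * in PEM form.
 *
 * <p>The listing uses the legacy Bouncy Castle generator classes it imports.
 * Names, validity periods and serial numbers are test values.
 */
public class MainClass {
  /**
   * RSA modulus size in bits. 1024-bit RSA is below current minimum
   * recommendations, so the example generates 2048-bit keys.
   */
  private static final int RSA_KEY_BITS = 2048;

  /**
   * Generates an RSA key pair with the "BC" provider.
   *
   * @return a fresh key pair
   * @throws Exception if the algorithm or provider is unavailable; the "BC"
   *     provider must already be registered
   */
  public static KeyPair generateRSAKeyPair() throws Exception {
    KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
    kpGen.initialize(RSA_KEY_BITS, new SecureRandom());
    return kpGen.generateKeyPair();
  }

  /**
   * Creates a certification request for "CN=Requested Test Certificate" with
   * no attributes.
   *
   * @param pair key pair whose public key goes into the request and whose
   *     private key is passed as the signing key
   * @return the signed PKCS#10 request
   * @throws Exception if the request cannot be built or signed
   */
  public static PKCS10CertificationRequest generateRequest(KeyPair pair) throws Exception {
    return new PKCS10CertificationRequest(
        "SHA256withRSA",
        new X500Principal("CN=Requested Test Certificate"),
        pair.getPublic(),
        null, // no attributes, hence no requested extensions
        pair.getPrivate());
  }

  /**
   * Creates a self-signed version 1 certificate for "CN=Test Certificate",
   * used as the root of the chain.
   *
   * @param pair root key pair; the private key signs the certificate
   * @return the self-signed root certificate
   * @throws InvalidKeyException if the key is not usable for signing
   * @throws NoSuchProviderException if the "BC" provider is missing
   * @throws SignatureException if signing fails
   */
  public static X509Certificate generateV1Certificate(KeyPair pair)
      throws InvalidKeyException, NoSuchProviderException, SignatureException {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

    X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
    // NOTE(review): a clock-derived serial number is predictable; fine for a
    // test, but a real issuer should draw serial numbers from a CSPRNG.
    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    certGen.setIssuerDN(new X500Principal("CN=Test Certificate"));
    // Valid from 10 seconds ago until 10 seconds from now (test lifetime).
    certGen.setNotBefore(new Date(System.currentTimeMillis() - 10000));
    certGen.setNotAfter(new Date(System.currentTimeMillis() + 10000));
    // Subject equals issuer: the certificate is self-signed.
    certGen.setSubjectDN(new X500Principal("CN=Test Certificate"));
    certGen.setPublicKey(pair.getPublic());
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    return certGen.generateX509Certificate(pair.getPrivate(), "BC");
  }

  /**
   * Reports whether an extension OID is one the issuer sets itself in
   * {@link #buildChain()} and therefore must not be taken from the request.
   */
  private static boolean isIssuerControlled(Object oid) {
    return X509Extensions.AuthorityKeyIdentifier.equals(oid)
        || X509Extensions.SubjectKeyIdentifier.equals(oid)
        || X509Extensions.BasicConstraints.equals(oid)
        || X509Extensions.KeyUsage.equals(oid)
        || X509Extensions.ExtendedKeyUsage.equals(oid);
  }

  /**
   * Generates a request and a root certificate, then issues a version 3
   * certificate for the request, signed by the root key.
   *
   * @return the chain: index 0 is the issued certificate, index 1 the root
   * @throws SignatureException if the request's own signature does not verify
   * @throws Exception if any key, request or certificate operation fails
   */
  public static X509Certificate[] buildChain() throws Exception {
    KeyPair pair = generateRSAKeyPair();
    PKCS10CertificationRequest request = generateRequest(pair);

    // Proof of possession: refuse to issue unless the request is signed by
    // the private key matching the public key it contains.
    if (!request.verify("BC")) {
      throw new SignatureException("certification request signature does not verify");
    }

    KeyPair rootPair = generateRSAKeyPair();
    X509Certificate rootCert = generateV1Certificate(rootPair);

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    certGen.setIssuerDN(rootCert.getSubjectX500Principal());
    certGen.setNotBefore(new Date(System.currentTimeMillis()));
    certGen.setNotAfter(new Date(System.currentTimeMillis() + 10000));
    certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
    certGen.setPublicKey(request.getPublicKey("BC"));
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

    // Extensions decided by the issuer.
    certGen.addExtension(
        X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert));
    certGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(request.getPublicKey("BC")));
    // BasicConstraints(false): the issued certificate is not a CA.
    certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.addExtension(
        X509Extensions.KeyUsage,
        true,
        new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    certGen.addExtension(
        X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));

    // Copy extensions the requester asked for. generateRequest passes null
    // attributes, so the set is guarded against being absent.
    ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();
    if (attributes != null) {
      for (int i = 0; i != attributes.size(); i++) {
        Attribute attr = Attribute.getInstance(attributes.getObjectAt(i));
        if (!attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
          continue;
        }
        X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
        Enumeration<?> e = extensions.oids();
        while (e.hasMoreElements()) {
          DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
          // Request content is requester-controlled. Never let it supply the
          // extensions set above (for example BasicConstraints), otherwise a
          // requester could try to change what the issuer decided.
          if (isIssuerControlled(oid)) {
            continue;
          }
          // NOTE(review): the remaining extensions are still copied without
          // checking their values; a real issuer should accept only an
          // allow-list of extensions and validate each value (for example a
          // subjectAltName) against the authenticated requester.
          X509Extension ext = extensions.getExtension(oid);
          certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
        }
      }
    }

    X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate());
    return new X509Certificate[] {issuedCert, rootCert};
  }

  /**
   * Registers the Bouncy Castle provider, builds the chain and writes both
   * certificates as PEM to standard output.
   *
   * @param args unused
   * @throws Exception if chain construction or output fails
   */
  public static void main(String[] args) throws Exception {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    X509Certificate[] chain = buildChain();

    PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
    try {
      pemWrt.writeObject(chain[0]);
      pemWrt.writeObject(chain[1]);
    } finally {
      // Close even when writing fails so buffered output is flushed.
      pemWrt.close();
    }
  }
}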
Creating a Certification Request
import java.io.OutputStreamWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;
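/**
 * Builds a basic PKCS#10 certification request (no attributes) and prints it
 * to standard output in PEM form, using the legacy Bouncy Castle classes the
 * listing imports.
 */
public class MainClass {
  /**
   * RSA modulus size in bits. 1024-bit RSA is below current minimum
   * recommendations, so the example generates 2048-bit keys.
   */
  private static final int RSA_KEY_BITS = 2048;

  /**
   * Creates a certification request for "CN=Requested Test Certificate".
   *
   * @param pair key pair whose public key goes into the request and whose
   *     private key is passed as the signing key
   * @return the signed PKCS#10 request
   * @throws Exception if the request cannot be built or signed
   */
  public static PKCS10CertificationRequest generateRequest(KeyPair pair) throws Exception {
    return new PKCS10CertificationRequest(
        "SHA256withRSA",
        new X500Principal("CN=Requested Test Certificate"),
        pair.getPublic(),
        null, // no attributes
        pair.getPrivate());
  }

  /**
   * Generates an RSA key pair with the "BC" provider, builds the request and
   * writes it as PEM to standard output.
   *
   * @param args unused
   * @throws Exception if key generation, request creation or output fails
   */
  public static void main(String[] args) throws Exception {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

    KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
    kpGen.initialize(RSA_KEY_BITS, new SecureRandom());
    KeyPair pair = kpGen.generateKeyPair();

    PKCS10CertificationRequest request = generateRequest(pair);

    // Only the request is written; the private key is never printed.
    PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
    try {
      pemWrt.writeObject(request);
    } finally {
      // Close even when writeObject fails so buffered output is flushed.
      pemWrt.close();
    }
  }
}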
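/* Sample output from one run with a 1024-bit RSA key; the request differs on every run because a new key pair is generated.
-----BEGIN CERTIFICATE REQUEST-----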
MIIBYjCBzAIBADAlMSMwIQYDVQQDExpSZXF1ZXN0ZWQgVGVzdCBDZXJ0aWZpY2F0
ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnIGtHELGBMJe9LUTDfMktFOG
2mlu9QKuCqpOB3lwsOg1AK4MkD+Bez6KVSOASvbjWCqqdmHAJsGWcpUpjJqm4tfg
r9KGSjDN4LJzR6cd0RZTHWzgud9t7peUBlowVZVJen0962wx6AeYNr8RG9jbcBPe
Ma4mbA3EeWvmZCo4aQcCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCPRr5QBLH0Zfz5
j+MUO7NN+vZMu0bPxQiiZEAWiSbJ63Zp6UK6TV8SYTxjmSGS27KILY+oSHR7lSz0
XNEkLSCuJRRdtAF0GSz7MmSWFt8mwMr0i0ntbSWDVpZShH3pRi/8E+J3KnqT+Cs5
oVhUVFYBLncrinDPgDzVR98CapCI6g==
-----END CERTIFICATE REQUEST-----*/
Generate a 576-bit DH key pair
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
/**
 * Shows how to obtain a Diffie-Hellman key pair from {@link KeyPairGenerator}.
 *
 * <p>NOTE(review): the 576-bit size is kept only because it is what this
 * example illustrates. A modulus that small gives no meaningful protection;
 * use at least 2048 bits for anything beyond a demonstration.
 */
public class Main {
  /**
   * Generates the key pair and reads out both keys; nothing is printed.
   *
   * @param argv unused
   * @throws Exception if the "DH" algorithm is unavailable or the size is rejected
   */
  public static void main(String[] argv) throws Exception {
    final int keySizeBits = 576;

    KeyPairGenerator generator = KeyPairGenerator.getInstance("DH");
    generator.initialize(keySizeBits);

    KeyPair pair = generator.generateKeyPair();
    PublicKey publicKey = pair.getPublic();
    PrivateKey privateKey = pair.getPrivate();
  }
}
Generating a Public/Private Key Pair
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
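/**
 * Generates a Digital Signature Algorithm (DSA) key pair and prints both keys.
 */
public class Main {
  /**
   * Creates the key pair and prints the private and the public key object.
   *
   * @param argv unused
   * @throws Exception if the "DSA" algorithm is unavailable or the size is rejected
   */
  public static void main(String[] argv) throws Exception {
    // Generate a 2048-bit DSA key pair; 1024-bit DSA is below current
    // minimum recommendations.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
    keyGen.initialize(2048);
    KeyPair keypair = keyGen.generateKeyPair();

    PrivateKey privateKey = keypair.getPrivate();
    // NOTE(review): depending on the provider, toString() of a private key may
    // include the secret value. This line is for demonstration only; do not
    // print or log private keys in real code.
    System.out.println(privateKey);

    PublicKey publicKey = keypair.getPublic();
    System.out.println(publicKey);
  }
}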
Getting the Bytes of a Generated Key Pair
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
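/**
 * Generates a key pair and obtains the encoded bytes of each key.
 */
public class Main {
  /**
   * Creates the key pair and reads the encoded form of both keys; nothing is
   * printed.
   *
   * @param argv unused
   * @throws Exception if the algorithm is unavailable or the size is rejected
   */
  public static void main(String[] argv) throws Exception {
    String algorithm = "DSA"; // or RSA, DH, etc.

    // Generate a 2048-bit key pair; 1024-bit keys are below current minimum
    // recommendations for these algorithms.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algorithm);
    keyGen.initialize(2048);
    KeyPair keypair = keyGen.generateKeyPair();
    PrivateKey privateKey = keypair.getPrivate();
    PublicKey publicKey = keypair.getPublic();

    // The step the example is about: the encoded bytes of each key.
    // The private key bytes are unencrypted key material; protect them
    // (for example in a password-protected keystore) before storing them,
    // and never write them to logs.
    byte[] privateKeyBytes = privateKey.getEncoded();
    byte[] publicKeyBytes = publicKey.getEncoded();
  }
}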
The bytes can be converted back to public and private key objects
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.EncodedKeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
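/**
 * Encodes a generated key pair to bytes and rebuilds equal key objects from
 * those bytes with a {@link KeyFactory}.
 */
public class Main {
  /**
   * Generates a key pair, round-trips both keys through their encoded form
   * and prints whether the rebuilt keys equal the originals.
   *
   * @param argv unused
   * @throws Exception if the algorithm is unavailable or a key cannot be decoded
   */
  public static void main(String[] argv) throws Exception {
    String algorithm = "DSA"; // or RSA, DH, etc.

    // Generate a 2048-bit key pair; 1024-bit keys are below current minimum
    // recommendations for these algorithms.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algorithm);
    keyGen.initialize(2048);
    KeyPair keypair = keyGen.generateKeyPair();
    PrivateKey privateKey = keypair.getPrivate();
    PublicKey publicKey = keypair.getPublic();

    // The private key bytes are unencrypted key material; protect them before
    // storing them and never write them to logs.
    byte[] privateKeyBytes = privateKey.getEncoded();
    byte[] publicKeyBytes = publicKey.getEncoded();

    // The key specs below match the encodings used in this example:
    // PKCS#8 for the private key, X.509 for the public key.
    KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
    EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
    PrivateKey privateKey2 = keyFactory.generatePrivate(privateKeySpec);
    EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(publicKeyBytes);
    PublicKey publicKey2 = keyFactory.generatePublic(publicKeySpec);

    // The original and new keys are the same. Both comparisons are combined
    // so that the first result is not overwritten by the second.
    boolean same = privateKey.equals(privateKey2) && publicKey.equals(publicKey2);
    System.out.println("Round trip preserved both keys: " + same);
  }
}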