gku*_*min 4 java bouncycastle jce keytool gost3410
目前我需要为GOST 34.10-2001签名算法生成密钥对.很高兴发现充气城堡提供商支持这种算法,但我无法生成密钥对并将其保存到任何类型的任何密钥库.目前我尝试了这个命令(如果keyalg是DSA和sigalg,这个命令效果很好SHA1withDSA):
keytool -genkey -alias test1 -keyalg ECGOST3410 -keysize 512 -sigalg GOST3411withECGOST3410 \
-keypass test_1 -validity 1000 -storetype JKS -keystore test1.jks -storepass test_1 -v \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-1.46.jar"
但我有一个错误:
keytool error: java.lang.IllegalArgumentException: unknown key size.
java.lang.IllegalArgumentException: unknown key size.
at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
当我尝试操作keysize或keysize从命令中删除选项时,我可以看到完全相同的错误.但有一些特殊情况.当我设置keysize为256我有另一个错误:
keytool error: java.lang.IllegalArgumentException: key size not configurable.
java.lang.IllegalArgumentException: key size not configurable.
at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
目前我不知道如何生成密钥对以及如何将其保存到密钥库.我还有一些可以为GOST 34.10-2001算法生成密钥对的java代码:
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECGOST3410", "BC");
kpg.initialize(new ECGenParameterSpec("GostR3410-2001-CryptoPro-A"));
KeyPair kp = kpg.generateKeyPair();
这段代码示例使用ECGenParameterSpecclass来初始化一个密钥对生成器,所以我应该以某种方式提供给keytool(-providerArg provider_arg或-Jjavaoption)?
PS我认为我应该提供曲线名称作为一些参数,但我不能确定我应该使用什么参数.
您将无法使用keytool和BC创建具有GOST3410密钥的密钥库.
sun.security.x509.CertAndKeyGenkeytool使用的类不提供用参数初始化密钥生成器的选项,而BC GOST3410密钥生成器需要初始化ECParameterSpec.
您可以创建密钥对+证书并以编程方式将它们放入密钥库:
Security.addProvider( new org.bouncycastle.jce.provider.BouncyCastleProvider() );
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( "ECGOST3410", "BC" );
keyPairGenerator.initialize( new ECGenParameterSpec( "GostR3410-2001-CryptoPro-A" ) );
KeyPair keyPair = keyPairGenerator.generateKeyPair();
org.bouncycastle.asn1.x500.X500Name subject = new org.bouncycastle.asn1.x500.X500Name( "CN=Me" );
org.bouncycastle.asn1.x500.X500Name issuer = subject; // self-signed
BigInteger serial = BigInteger.ONE; // serial number for self-signed does not matter a lot
Date notBefore = new Date();
Date notAfter = new Date( notBefore.getTime() + TimeUnit.DAYS.toMillis( 365 ) );
org.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder = new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
issuer, serial,
notBefore, notAfter,
subject, keyPair.getPublic()
);
org.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder( "GOST3411withECGOST3410" )
.build( keyPair.getPrivate() )
);
org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter = new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
X509Certificate certificate = certificateConverter.getCertificate( certificateHolder );
KeyStore keyStore = KeyStore.getInstance( "JKS" );
keyStore.load( null, null ); // initialize new keystore
keyStore.setEntry(
"alias",
new KeyStore.PrivateKeyEntry(
keyPair.getPrivate(),
new Certificate[] { certificate }
),
new KeyStore.PasswordProtection( "entryPassword".toCharArray() )
);
keyStore.store( new FileOutputStream( "test.jks" ), "keystorePassword".toCharArray() );
| 归档时间: |
|
| 查看次数: |
3256 次 |
| 最近记录: |