Java BouncyCastle ECC Keys and Self Signed Certifi

2019-04-10 12:28发布

问题:

I've been scouring the internet for hours looking for a Java example for creating Elliptic Curve (EC) keys and self signed certificates. So far I've only found snippets and examples, many of which do not work.

UPDATE:

I've made some progress here, here's my code for anybody that might find it useful! Just need to work out how to self sign it now!

 import org.bouncycastle.asn1.x500.X500Name;

 import org.bouncycastle.jce.ECNamedCurveTable;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.jce.spec.ECParameterSpec;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
 import java.security.*;

 /**
  * A simple example showing generation and verification of a PKCS#10 request.
  */
 public class genECKeyExample {
     private static final String BC = BouncyCastleProvider.PROVIDER_NAME;
     public static void main(String[] args)
             throws Exception {
         Security.addProvider(new BouncyCastleProvider());


         // Create an eliptic curve key

         ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime192v1");
         KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC");
         g.initialize(ecSpec, new SecureRandom());
         KeyPair pair = g.generateKeyPair();
         System.out.println(pemUtils.toPem(pair.getPrivate()));
         System.out.println(pemUtils.toPem(pair.getPublic()));

         ContentSigner signer = new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(pair.getPrivate());


         PKCS10CertificationRequestBuilder reqBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=XXX"), pair.getPublic());
         PKCS10CertificationRequest req = reqBuilder.build(signer);

         ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().setProvider(BC).build(pair.getPublic());
         // System.out.println(verifier);

         req = new PKCS10CertificationRequest(req.getEncoded());
         System.out.println(pemUtils.toPem(req));
         pemUtils.toFile("csr.pem", pemUtils.toPem(req));
         pemUtils.toFile("pkey.pem", pemUtils.toPem(pair.getPrivate()));


     }

 }

This is the closest I've got but does not create the CSR or certificate. Also, it doesn't appear to allow different key sizes (I think they are curves) to be selected. Does anybody have some woking examples they can share?

 import org.bouncycastle.openssl.PEMWriter;

 import java.io.StringWriter;
 import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.spec.ECFieldFp;
 import java.security.spec.ECParameterSpec;
 import java.security.spec.ECPoint;
 import java.security.spec.EllipticCurve;

 import javax.crypto.KeyAgreement;

 public class X509CertificateGenerator {
     public static void main(String[] args) throws Exception {
         Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("ECDH", "BC");
         EllipticCurve curve = new EllipticCurve(new ECFieldFp(new BigInteger(
                 "fffffffffffffffffffffffffffffffeffffffffffffffff", 16)), new BigInteger(
                 "fffffffffffffffffffffffffffffffefffffffffffffffc", 16), new BigInteger(
                 "fffffffffffffffffffffffffffffffefffffffffffffffc", 16));

         ECParameterSpec ecSpec = new ECParameterSpec(curve, new ECPoint(new BigInteger(
                 "fffffffffffffffffffffffffffffffefffffffffffffffc", 16), new BigInteger(
                 "fffffffffffffffffffffffffffffffefffffffffffffffc", 16)), new BigInteger(
                 "fffffffffffffffffffffffffffffffefffffffffffffffc", 16), 1);

         keyGen.initialize(ecSpec, new SecureRandom());

         KeyAgreement aKeyAgree = KeyAgreement.getInstance("ECDH", "BC");
         KeyPair aPair = keyGen.generateKeyPair();
         KeyAgreement bKeyAgree = KeyAgreement.getInstance("ECDH", "BC");
         KeyPair bPair = keyGen.generateKeyPair();

         aKeyAgree.init(aPair.getPrivate());
         bKeyAgree.init(bPair.getPrivate());

         aKeyAgree.doPhase(bPair.getPublic(), true);
         bKeyAgree.doPhase(aPair.getPublic(), true);

         MessageDigest hash = MessageDigest.getInstance("SHA1", "BC");

         System.out.println(new String(hash.digest(aKeyAgree.generateSecret())));
         System.out.println(new String(hash.digest(bKeyAgree.generateSecret())));
         System.out.println(aPair.getPrivate());

         StringWriter pemWrtPublic = new StringWriter();
         PEMWriter pubkey = new PEMWriter(pemWrtPublic);
         pubkey.writeObject(aPair.getPublic());
         pubkey.flush();
         String pemPublicKey = pemWrtPublic.toString();
         System.out.println(pemPublicKey);

         StringWriter pemWrtPrivate = new StringWriter();
         PEMWriter privkey = new PEMWriter(pemWrtPrivate);
         privkey.writeObject(aPair.getPrivate());
         privkey.flush();
         String pemPrivateKey = pemWrtPrivate.toString();
         System.out.println(pemPrivateKey);
     }
 }     

回答1:

Ive managed to create a CSR programatically following these steps (assuming you have a X509 Certificate stored in a keystore):

X509Certificate generatedCertificate = (X509Certificate)getKeystore().getCertificate(r.keystoreAlias);
PrivateKey      privateRequestKey    = (PrivateKey)getKeystore().getKey("alias", "password".toCharArray());
Signature       signature            = Signature.getInstance("MD5WithRSA");

signature.initSign(privateRequestKey);

X500NameBuilder x500NameBld = new X500NameBuilder(BCStyle.INSTANCE);

//possibly less or more of these, depending on your needs
x500NameBld.addRDN(BCStyle.C, "country");
x500NameBld.addRDN(BCStyle.O, "ORG");
x500NameBld.addRDN(BCStyle.E, "email");
x500NameBld.addRDN(BCStyle.CN, "SubjectName");
x500NameBld.addRDN(BCStyle.SN, "12345678");


X500Name                   subject = x500NameBld.build();
PKCS10CertificationRequest req     = new PKCS10CertificationRequest("MD5WithRSA",X509Name.getInstance(subject),generatedCertificate.getPublicKey(),new DERSet(),privateRequestKey);

Please note that this code works for "regular" keypairs but should work for all public/private keypairs.