4

目前我需要为 GOST 34.10-2001 签名算法生成一个密钥对。很高兴发现充气城堡提供者支持此算法,但我无法生成密钥对并将其保存到任何类型的任何密钥库。keyalg目前我尝试了这个命令(如果isDSA和 sigalg is ,这个命令很好用SHA1withDSA):

keytool -genkey -alias test1 -keyalg ECGOST3410 -keysize 512  -sigalg GOST3411withECGOST3410 \
-keypass test_1 -validity 1000 -storetype JKS -keystore test1.jks -storepass test_1 -v \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-1.46.jar"

但我有一个错误:

keytool error: java.lang.IllegalArgumentException: unknown key size.
java.lang.IllegalArgumentException: unknown key size.
        at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

keysize当我尝试从命令中操作 keysize 或删除选项时,我可以看到完全相同的错误。但是有一些特殊情况。当我设置keysize256我有另一个错误:

keytool error: java.lang.IllegalArgumentException: key size not configurable.
java.lang.IllegalArgumentException: key size not configurable.
        at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

目前我不知道如何生成密钥对以及如何将其保存到密钥库。此外,我还有一些可以为 GOST 34.10-2001 算法生成密钥对的 java 代码:

Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECGOST3410", "BC");
kpg.initialize(new ECGenParameterSpec("GostR3410-2001-CryptoPro-A"));

KeyPair kp = kpg.generateKeyPair();

此代码示例使用ECGenParameterSpec类来初始化密钥对生成器,所以我应该以某种方式将它提供给 keytool(-providerArg provider_arg-Jjavaoption)吗?

PS 我认为我应该提供曲线名称作为一些参数,但我无法确定我应该使用什么参数。

4

1 回答 1

8

您将无法使用 keytool 和 BC 创建带有 GOST3410 密钥的密钥库。

sun.security.x509.CertAndKeyGenkeytool 使用的类不提供使用参数初始化密钥生成器的选项,而BC GOST3410 密钥生成器需要使用ECParameterSpec.

您可以创建密钥对+证书并以编程方式将它们放入密钥库中:

Security.addProvider( new org.bouncycastle.jce.provider.BouncyCastleProvider() );

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( "ECGOST3410", "BC" );
keyPairGenerator.initialize( new ECGenParameterSpec( "GostR3410-2001-CryptoPro-A" ) );
KeyPair keyPair = keyPairGenerator.generateKeyPair();

org.bouncycastle.asn1.x500.X500Name subject = new org.bouncycastle.asn1.x500.X500Name( "CN=Me" );
org.bouncycastle.asn1.x500.X500Name issuer = subject; // self-signed
BigInteger serial = BigInteger.ONE; // serial number for self-signed does not matter a lot
Date notBefore = new Date();
Date notAfter = new Date( notBefore.getTime() + TimeUnit.DAYS.toMillis( 365 ) );

org.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder = new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
        issuer, serial,
        notBefore, notAfter,
        subject, keyPair.getPublic()
);
org.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
        new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder( "GOST3411withECGOST3410" )
                .build( keyPair.getPrivate() )
);
org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter = new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
X509Certificate certificate = certificateConverter.getCertificate( certificateHolder );

KeyStore keyStore = KeyStore.getInstance( "JKS" );
keyStore.load( null, null ); // initialize new keystore
keyStore.setEntry(
        "alias",
        new KeyStore.PrivateKeyEntry(
                keyPair.getPrivate(),
                new Certificate[] { certificate }
        ),
        new KeyStore.PasswordProtection( "entryPassword".toCharArray() )
);
keyStore.store( new FileOutputStream( "test.jks" ), "keystorePassword".toCharArray() );
于 2014-05-06T10:09:34.047 回答