
Example 61 with CryptoException

use of org.kse.crypto.CryptoException in project keystore-explorer by kaikramer.

the class OpenSslPvkUtil method loadEncrypted.

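/**
 * Load an encrypted OpenSSL private key from the specified stream. The
 * encoding of the private key will be PEM (OpenSSL only encrypts
 * "traditional" PEM keys, so a DER body cannot be encrypted here).
 *
 * @param is
 *            Stream to load the encrypted private key from
 * @param password
 *            Password to decrypt
 * @return The private key
 * @throws PrivateKeyUnencryptedException
 *             If private key is unencrypted
 * @throws PrivateKeyPbeNotSupportedException
 *             If private key PBE algorithm is not supported
 * @throws CryptoException
 *             Problem encountered while loading the private key, including a
 *             missing or malformed DEK-Info header and a failed decryption
 *             (wrong password or corrupted data)
 * @throws IOException
 *             An I/O error occurred
 */
public static PrivateKey loadEncrypted(InputStream is, Password password) throws CryptoException, IOException {
    byte[] streamContents = ReadUtil.readFully(is);
    EncryptionType encType = getEncryptionType(new ByteArrayInputStream(streamContents));
    if (encType == null) {
        throw new CryptoException(res.getString("NotValidOpenSsl.exception.message"));
    }
    if (encType == UNENCRYPTED) {
        throw new PrivateKeyUnencryptedException(res.getString("OpenSslIsUnencrypted.exception.message"));
    }
    // OpenSSL must be encrypted and therefore must be PEM
    PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(streamContents));
    if (pemInfo == null) {
        throw new CryptoException(res.getString("NotValidOpenSsl.exception.message"));
    }
    byte[] encKey = pemInfo.getContent();
    PemAttributes attributes = pemInfo.getAttributes();
    // The cipher name and IV live in the DEK-Info header; without it there is
    // nothing to decrypt with, so report that instead of failing with an NPE
    if (attributes == null || attributes.get(DEK_INFO_ATTR_NAME) == null) {
        throw new CryptoException(res.getString("NotValidOpenSsl.exception.message"));
    }
    String dekInfo = attributes.get(DEK_INFO_ATTR_NAME).getValue();
    // Split DEK-Info into encryption pbe algorithm and salt
    int separator = dekInfo == null ? -1 : dekInfo.indexOf(',');
    if (separator == -1) {
        // Resource key must be resolved through the bundle, otherwise the
        // user is shown the bare key instead of the message
        throw new CryptoException(MessageFormat.format(res.getString("OpenSslDekInfoMalformed.exception.message"), dekInfo));
    }
    String encAlg = dekInfo.substring(0, separator);
    String salt = dekInfo.substring(separator + 1);
    byte[] saltBytes = hexToBytes(salt);
    OpenSslPbeType pbeType = OpenSslPbeType.resolveDekInfo(encAlg);
    if (pbeType == null) {
        throw new PrivateKeyPbeNotSupportedException(encAlg, MessageFormat.format(res.getString("PrivateKeyWrappingAlgUnsupported.exception.message"), encAlg));
    }
    byte[] decryptKey = null;
    byte[] key = null;
    try {
        decryptKey = deriveKeyFromPassword(password, saltBytes, pbeType.keySize());
        // Create cipher - use all of the salt as the IV
        Cipher cipher = createCipher(pbeType.jceCipher(), decryptKey, saltBytes, DECRYPT_MODE);
        key = cipher.doFinal(encKey);
        return load(new ByteArrayInputStream(key));
    } catch (GeneralSecurityException ex) {
        throw new CryptoException(MessageFormat.format(res.getString("OpenSslDecryptionFailed.exception.message"), pbeType.friendly()), ex);
    } finally {
        // Do not leave the derived key or the plaintext key on the heap any
        // longer than needed; load() has fully consumed the stream by now
        if (decryptKey != null) {
            java.util.Arrays.fill(decryptKey, (byte) 0);
        }
        if (key != null) {
            java.util.Arrays.fill(key, (byte) 0);
        }
    }
}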

Example 62 with CryptoException

use of org.kse.crypto.CryptoException in project keystore-explorer by kaikramer.

the class Pkcs8Util method getPrivateKeyAlgorithm.

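/**
 * Determine the JCE algorithm name of an unencrypted PKCS #8 private key by
 * reading the algorithm OID out of its PrivateKeyInfo structure.
 *
 * @param unencPkcs8
 *            DER encoded, unencrypted PKCS #8 private key
 * @return JCE name for RSA or DSA keys, otherwise the algorithm OID itself
 * @throws CryptoException
 *             If the bytes are not a well-formed PrivateKeyInfo
 * @throws IOException
 *             If an I/O error occurred
 */
private static String getPrivateKeyAlgorithm(byte[] unencPkcs8) throws IOException, CryptoException {
    try (ASN1InputStream ais = new ASN1InputStream(new ByteArrayInputStream(unencPkcs8))) {
        ASN1Encodable derEnc;
        try {
            derEnc = ais.readObject();
        } catch (OutOfMemoryError err) {
            // Happens with some non ASN.1 files
            throw new CryptoException(res.getString("NoUnencryptedPkcs8.exception.message"));
        }
        if (!(derEnc instanceof ASN1Sequence)) {
            throw new CryptoException(res.getString("NoUnencryptedPkcs8.exception.message"));
        }
        // PrivateKeyInfo ::= SEQUENCE { version, privateKeyAlgorithm, privateKey, ... }
        ASN1Sequence privateKeyInfoSequence = (ASN1Sequence) derEnc;
        if (privateKeyInfoSequence.size() < 2) {
            // Too short to hold an AlgorithmIdentifier - fail with the
            // documented exception instead of an index error
            throw new CryptoException(res.getString("NoUnencryptedPkcs8.exception.message"));
        }
        derEnc = privateKeyInfoSequence.getObjectAt(1);
        if (!(derEnc instanceof ASN1Sequence)) {
            throw new CryptoException(res.getString("NoUnencryptedPkcs8.exception.message"));
        }
        // AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
        ASN1Sequence privateKeyAlgorithmSequence = (ASN1Sequence) derEnc;
        if (privateKeyAlgorithmSequence.size() < 1) {
            throw new CryptoException(res.getString("NoUnencryptedPkcs8.exception.message"));
        }
        derEnc = privateKeyAlgorithmSequence.getObjectAt(0);
        if (!(derEnc instanceof ASN1ObjectIdentifier)) {
            throw new CryptoException(res.getString("NoUnencryptedPkcs8.exception.message"));
        }
        ASN1ObjectIdentifier algorithmOid = (ASN1ObjectIdentifier) derEnc;
        String oid = algorithmOid.getId();
        if (oid.equals(RSA.oid())) {
            return RSA.jce();
        } else if (oid.equals(DSA.oid())) {
            return DSA.jce();
        } else {
            // Unknown algorithm - hand the OID to KeyFactory and let it decide
            return oid;
        }
    }
}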

Example 63 with CryptoException

use of org.kse.crypto.CryptoException in project keystore-explorer by kaikramer.

the class Pkcs8Util method getEncrypted.

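/**
 * PKCS #8 encode and encrypt a private key.
 *
 * @param privateKey
 *            The private key
 * @param pbeType
 *            PBE algorithm to use for encryption
 * @param password
 *            Encryption password
 * @return The encrypted encoding (DER EncryptedPrivateKeyInfo)
 * @throws CryptoException
 *             Problem encountered while getting the encoded private key
 * @throws IOException
 *             If an I/O error occurred
 */
public static byte[] getEncrypted(PrivateKey privateKey, Pkcs8PbeType pbeType, Password password) throws CryptoException, IOException {
    PBEKeySpec pbeKeySpec = null;
    try {
        byte[] pkcs8 = get(privateKey);
        // Generate PBE secret key from password
        SecretKeyFactory keyFact = SecretKeyFactory.getInstance(pbeType.jce());
        pbeKeySpec = new PBEKeySpec(password.toCharArray());
        SecretKey pbeKey = keyFact.generateSecret(pbeKeySpec);
        // Generate random salt and iteration count
        byte[] salt = generateSalt();
        int iterationCount = generateIterationCount();
        // Store in algorithm parameters
        PBEParameterSpec pbeParameterSpec = new PBEParameterSpec(salt, iterationCount);
        AlgorithmParameters params = AlgorithmParameters.getInstance(pbeType.jce());
        params.init(pbeParameterSpec);
        // Create PBE cipher from key and params
        Cipher cipher = Cipher.getInstance(pbeType.jce());
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey, params);
        // Encrypt key
        byte[] encPkcs8 = cipher.doFinal(pkcs8);
        // Create and return encrypted private key information
        EncryptedPrivateKeyInfo encPrivateKeyInfo = new EncryptedPrivateKeyInfo(params, encPkcs8);
        return encPrivateKeyInfo.getEncoded();
    } catch (GeneralSecurityException ex) {
        // Resolve the message key through the bundle so the user sees the
        // message rather than the bare key
        throw new CryptoException(res.getString("NoEncryptPkcs8PrivateKey.exception.message"), ex);
    } finally {
        // PBEKeySpec keeps its own copy of the password chars; wipe it once
        // the secret key has been derived
        if (pbeKeySpec != null) {
            pbeKeySpec.clearPassword();
        }
    }
}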

Example 64 with CryptoException

use of org.kse.crypto.CryptoException in project keystore-explorer by kaikramer.

the class Pkcs8Util method load.

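/**
 * Load an unencrypted PKCS #8 private key from the stream. The encoding of
 * the private key may be PEM or DER.
 *
 * @param is
 *            Stream to load the unencrypted private key from
 * @return The private key
 * @throws PrivateKeyEncryptedException
 *             If private key is encrypted
 * @throws CryptoException
 *             Problem encountered while loading the private key
 * @throws IOException
 *             If an I/O error occurred
 */
public static PrivateKey load(InputStream is) throws CryptoException, IOException {
    byte[] streamContents = ReadUtil.readFully(is);
    // Check pkcs #8 is unencrypted
    EncryptionType encType = getEncryptionType(new ByteArrayInputStream(streamContents));
    if (encType == null) {
        // Not a valid PKCS #8 private key
        throw new CryptoException(res.getString("NotValidPkcs8.exception.message"));
    }
    if (encType == ENCRYPTED) {
        throw new PrivateKeyEncryptedException(res.getString("Pkcs8IsEncrypted.exception.message"));
    }
    byte[] pvkBytes = null;
    // Check if stream is PEM encoded
    PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(streamContents));
    if (pemInfo != null) {
        // It is - get DER from PEM
        pvkBytes = pemInfo.getContent();
    }
    // If we haven't got the key bytes via PEM then just use stream contents
    // directly (assume it is DER encoded)
    if (pvkBytes == null) {
        pvkBytes = streamContents;
    }
    try {
        // Determine private key algorithm from key bytes
        String privateKeyAlgorithm = getPrivateKeyAlgorithm(pvkBytes);
        // Convert bytes to private key
        PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(pvkBytes);
        KeyFactory keyFactory = KeyFactory.getInstance(privateKeyAlgorithm);
        return keyFactory.generatePrivate(privateKeySpec);
    } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
        // Both mean the same thing to the caller: the bytes are not a key we
        // can load with the installed providers
        throw new CryptoException(res.getString("NoLoadPkcs8PrivateKey.exception.message"), ex);
    }
}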

Example 65 with CryptoException

use of org.kse.crypto.CryptoException in project keystore-explorer by kaikramer.

the class KeyIdentifierGenerator method generate64BitHashId.

/**
 * Generate a 64 bit hash key identifier for the public key of this generator:
 * a four bit type field of 0100 followed by the least significant 60 bits of
 * the SHA-1 digest of the subjectPublicKey BIT STRING content (the second
 * key identifier method described in RFC 5280 section 4.2.1.2).
 *
 * @return Key identifier (8 bytes)
 * @throws CryptoException
 *             If generation fails
 */
public byte[] generate64BitHashId() throws CryptoException {
    try {
        DERBitString publicKeyBitString = encodePublicKeyAsBitString(publicKey);
        byte[] digest = DigestUtil.getMessageDigest(publicKeyBitString.getBytes(), DigestType.SHA1);
        // Keep only the trailing 8 bytes (64 bits) of the 20 byte SHA-1 digest
        byte[] keyId = Arrays.copyOfRange(digest, 12, 20);
        // Replace the top nibble with the 0100 type field, leaving 60 hash bits
        keyId[0] = (byte) ((keyId[0] & 0x0F) | 0x40);
        return keyId;
    } catch (IOException ex) {
        throw new CryptoException(res.getString("NoGenerateKeyIdentifier.exception.message"), ex);
    }
}
