Example 1 with PemInfo
use of org.kse.utilities.pem.PemInfo in project keystore-explorer by kaikramer.
the class OpenSslPvkUtil method getEncrypted.
/**
* OpenSSL encode and encrypt a private key. Encrypted OpenSSL private keys
* must always by PEM'd.
*
* @return The encrypted, PEM'd encoding
* @param privateKey
* The private key
* @param pbeType
* PBE algorithm to use for encryption
* @param password
* Encryption password
* @throws CryptoException
* Problem encountered while getting the encoded private key
*/
public static String getEncrypted(PrivateKey privateKey, OpenSslPbeType pbeType, Password password) throws CryptoException {
byte[] openSsl = get(privateKey);
String pemType = null;
if (privateKey instanceof RSAPrivateCrtKey) {
pemType = OPENSSL_RSA_PVK_PEM_TYPE;
} else if (privateKey instanceof ECPrivateKey) {
pemType = OPENSSL_EC_PVK_PEM_TYPE;
} else {
pemType = OPENSSL_DSA_PVK_PEM_TYPE;
}
byte[] salt = generateSalt(pbeType.saltSize() / 8);
String saltHex = bytesToHex(salt);
byte[] encOpenSsl = null;
try {
byte[] encryptKey = deriveKeyFromPassword(password, salt, pbeType.keySize());
// Create cipher - use all of the salt as the IV
Cipher cipher = createCipher(pbeType.jceCipher(), encryptKey, salt, ENCRYPT_MODE);
encOpenSsl = cipher.doFinal(openSsl);
} catch (GeneralSecurityException ex) {
throw new CryptoException(MessageFormat.format("OpenSslEncryptionFailed.exception.message", pbeType.friendly()), ex);
}
PemAttributes attributes = new PemAttributes();
attributes.add(new PemAttribute(PROC_TYPE_ATTR_NAME, PROC_TYPE_ATTR_VALUE));
String dekInfoAttrValue = MessageFormat.format(DEK_INFO_ATTR_VALUE_TEMPLATE, pbeType.dekInfo(), saltHex);
attributes.add(new PemAttribute(DEK_INFO_ATTR_NAME, dekInfoAttrValue));
PemInfo pemInfo = new PemInfo(pemType, attributes, encOpenSsl);
return PemUtil.encode(pemInfo);
}
Also used :
ECPrivateKey(java.security.interfaces.ECPrivateKey)
RSAPrivateCrtKey(java.security.interfaces.RSAPrivateCrtKey)
GeneralSecurityException(java.security.GeneralSecurityException)
PemAttributes(org.kse.utilities.pem.PemAttributes)
PemInfo(org.kse.utilities.pem.PemInfo)
PemAttribute(org.kse.utilities.pem.PemAttribute)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
Cipher(javax.crypto.Cipher)
CryptoException(org.kse.crypto.CryptoException)
Example 2 with PemInfo
use of org.kse.utilities.pem.PemInfo in project keystore-explorer by kaikramer.
the class OpenSslPvkUtil method load.
/**
* Load an unencrypted OpenSSL private key from the stream. The encoding of
* the private key may be PEM or DER.
*
* @param is
* Stream to load the unencrypted private key from
* @return The private key
* @throws PrivateKeyEncryptedException
* If private key is encrypted
* @throws CryptoException
* Problem encountered while loading the private key
* @throws IOException
* An I/O error occurred
*/
public static PrivateKey load(InputStream is) throws CryptoException, IOException {
byte[] streamContents = ReadUtil.readFully(is);
EncryptionType encType = getEncryptionType(new ByteArrayInputStream(streamContents));
if (encType == null) {
throw new CryptoException(res.getString("NotValidOpenSsl.exception.message"));
}
if (encType == ENCRYPTED) {
throw new PrivateKeyEncryptedException(res.getString("OpenSslIsEncrypted.exception.message"));
}
// Check if stream is PEM encoded
PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(streamContents));
if (pemInfo != null) {
// It is - get DER from PEM
streamContents = pemInfo.getContent();
}
try {
// Read OpenSSL DER structure
ASN1InputStream asn1InputStream = new ASN1InputStream(streamContents);
ASN1Primitive openSsl = asn1InputStream.readObject();
asn1InputStream.close();
if (openSsl instanceof ASN1Sequence) {
ASN1Sequence seq = (ASN1Sequence) openSsl;
if (seq.size() == 9) {
// RSA private key
BigInteger version = ((ASN1Integer) seq.getObjectAt(0)).getValue();
BigInteger modulus = ((ASN1Integer) seq.getObjectAt(1)).getValue();
BigInteger publicExponent = ((ASN1Integer) seq.getObjectAt(2)).getValue();
BigInteger privateExponent = ((ASN1Integer) seq.getObjectAt(3)).getValue();
BigInteger primeP = ((ASN1Integer) seq.getObjectAt(4)).getValue();
BigInteger primeQ = ((ASN1Integer) seq.getObjectAt(5)).getValue();
BigInteger primeExponentP = ((ASN1Integer) seq.getObjectAt(6)).getValue();
BigInteger primeExponenetQ = ((ASN1Integer) seq.getObjectAt(7)).getValue();
BigInteger crtCoefficient = ((ASN1Integer) seq.getObjectAt(8)).getValue();
if (!version.equals(VERSION)) {
throw new CryptoException(MessageFormat.format(res.getString("OpenSslVersionIncorrect.exception.message"), "" + VERSION.intValue(), "" + version.intValue()));
}
RSAPrivateCrtKeySpec rsaPrivateCrtKeySpec = new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, primeP, primeQ, primeExponentP, primeExponenetQ, crtCoefficient);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
return keyFactory.generatePrivate(rsaPrivateCrtKeySpec);
} else if (seq.size() == 6) {
// DSA private key
BigInteger version = ((ASN1Integer) seq.getObjectAt(0)).getValue();
BigInteger primeModulusP = ((ASN1Integer) seq.getObjectAt(1)).getValue();
BigInteger primeQ = ((ASN1Integer) seq.getObjectAt(2)).getValue();
BigInteger generatorG = ((ASN1Integer) seq.getObjectAt(3)).getValue();
// publicExponentY not req for pvk: sequence.getObjectAt(4);
BigInteger secretExponentX = ((ASN1Integer) seq.getObjectAt(5)).getValue();
if (!version.equals(VERSION)) {
throw new CryptoException(MessageFormat.format(res.getString("OpenSslVersionIncorrect.exception.message"), "" + VERSION.intValue(), "" + version.intValue()));
}
DSAPrivateKeySpec dsaPrivateKeySpec = new DSAPrivateKeySpec(secretExponentX, primeModulusP, primeQ, generatorG);
KeyFactory keyFactory = KeyFactory.getInstance("DSA");
return keyFactory.generatePrivate(dsaPrivateKeySpec);
} else if (seq.size() >= 2) {
// EC private key (RFC 5915)
org.bouncycastle.asn1.sec.ECPrivateKey pKey = org.bouncycastle.asn1.sec.ECPrivateKey.getInstance(seq);
AlgorithmIdentifier algId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, pKey.getParameters());
PrivateKeyInfo privInfo = new PrivateKeyInfo(algId, pKey);
return new JcaPEMKeyConverter().getPrivateKey(privInfo);
} else {
throw new CryptoException(MessageFormat.format(res.getString("OpenSslSequenceIncorrectSize.exception.message"), "" + seq.size()));
}
} else {
throw new CryptoException(res.getString("OpenSslSequenceNotFound.exception.message"));
}
} catch (Exception ex) {
throw new CryptoException(res.getString("NoLoadOpenSslPrivateKey.exception.message"), ex);
}
}
Also used :
RSAPrivateCrtKeySpec(java.security.spec.RSAPrivateCrtKeySpec)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
PemInfo(org.kse.utilities.pem.PemInfo)
JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
CryptoException(org.kse.crypto.CryptoException)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
DSAPrivateKeySpec(java.security.spec.DSAPrivateKeySpec)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ByteArrayInputStream(java.io.ByteArrayInputStream)
BigInteger(java.math.BigInteger)
CryptoException(org.kse.crypto.CryptoException)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
KeyFactory(java.security.KeyFactory)
PrivateKeyInfo(org.bouncycastle.asn1.pkcs.PrivateKeyInfo)
Example 3 with PemInfo
use of org.kse.utilities.pem.PemInfo in project keystore-explorer by kaikramer.
the class OpenSslPvkUtil method getEncryptionType.
/**
* Detect if a OpenSSL private key is encrypted or not.
*
* @param is
* Input stream containing OpenSSL private key
* @return Encryption type or null if not a valid OpenSSL private key
* @throws IOException
* If an I/O problem occurred
*/
public static EncryptionType getEncryptionType(InputStream is) throws IOException {
byte[] openSsl = ReadUtil.readFully(is);
// In PEM format?
PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(openSsl));
if (pemInfo != null) {
String pemType = pemInfo.getType();
// PEM type of OpenSSL?
if (OPENSSL_RSA_PVK_PEM_TYPE.equals(pemType) || OPENSSL_DSA_PVK_PEM_TYPE.equals(pemType) || OPENSSL_EC_PVK_PEM_TYPE.equals(pemType)) {
// Encrypted? It is if PEM contains appropriate header attributes/values
PemAttributes pemAttributes = pemInfo.getAttributes();
if ((pemAttributes != null) && (pemAttributes.get(PROC_TYPE_ATTR_NAME) != null) && (pemAttributes.get(PROC_TYPE_ATTR_NAME).getValue().equals(PROC_TYPE_ATTR_VALUE)) && (pemAttributes.get(DEK_INFO_ATTR_NAME) != null)) {
return ENCRYPTED;
} else {
return UNENCRYPTED;
}
}
}
// In ASN.1 format?
try {
// If OpenSSL will be a sequence of 9 (RSA) or 6 (DSA) integers or 2-4 mixed elements (EC)
ASN1Primitive key = ASN1Primitive.fromByteArray(openSsl);
if (key instanceof ASN1Sequence) {
ASN1Sequence seq = (ASN1Sequence) key;
// }
if ((seq.size() >= 2) && (seq.size() <= 4) && seq.getObjectAt(0) instanceof ASN1Integer) {
BigInteger version = ((ASN1Integer) seq.getObjectAt(0)).getValue();
if (version.equals(VERSION_EC)) {
if (seq.getObjectAt(1) instanceof ASN1OctetString) {
// ASN.1 OpenSSL is always unencrypted
return UNENCRYPTED;
} else {
// Not OpenSSL
return null;
}
}
}
for (int i = 0; i < seq.size(); i++) {
if (!(seq.getObjectAt(i) instanceof ASN1Integer)) {
// Not OpenSSL
return null;
}
}
if ((seq.size() == 9) || (seq.size() == 6)) {
// ASN.1 OpenSSL is always unencrypted
return UNENCRYPTED;
}
}
} catch (IOException ex) {
// Not an OpenSSL file
return null;
}
// Not an OpenSSL file
return null;
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ByteArrayInputStream(java.io.ByteArrayInputStream)
PemInfo(org.kse.utilities.pem.PemInfo)
PemAttributes(org.kse.utilities.pem.PemAttributes)
BigInteger(java.math.BigInteger)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
IOException(java.io.IOException)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
Example 4 with PemInfo
use of org.kse.utilities.pem.PemInfo in project keystore-explorer by kaikramer.
the class Pkcs8Util method loadEncrypted.
/**
* Load an encrypted PKCS #8 private key from the specified stream. The
* encoding of the private key may be PEM or DER.
*
* @param is
* Stream load the encrypted private key from
* @param password
* Password to decrypt
* @return The private key
* @throws PrivateKeyUnencryptedException
* If private key is unencrypted
* @throws PrivateKeyPbeNotSupportedException
* If private key PBE algorithm is not supported
* @throws CryptoException
* Problem encountered while loading the private key
* @throws IOException
* If an I/O error occurred
*/
public static PrivateKey loadEncrypted(InputStream is, Password password) throws CryptoException, IOException {
byte[] streamContents = ReadUtil.readFully(is);
// Check PKCS#8 is encrypted
EncryptionType encType = getEncryptionType(new ByteArrayInputStream(streamContents));
if (encType == null) {
// Not a valid PKCS #8 private key
throw new CryptoException(res.getString("NotValidPkcs8.exception.message"));
}
if (encType == UNENCRYPTED) {
throw new PrivateKeyUnencryptedException(res.getString("Pkcs8IsEncrypted.exception.message"));
}
// Check if stream is PEM encoded
PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(streamContents));
byte[] encPvk = null;
if (pemInfo != null) {
// It is - get DER from PEM
encPvk = pemInfo.getContent();
}
// If we haven't got the encrypted bytes via PEM then assume it is DER encoded
if (encPvk == null) {
encPvk = streamContents;
}
// try to read PKCS#8 info
PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = null;
try {
encryptedPrivateKeyInfo = new PKCS8EncryptedPrivateKeyInfo(org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo.getInstance(encPvk));
} catch (Exception e) {
// Not a valid PKCS #8 private key
throw new CryptoException(res.getString("NotValidPkcs8.exception.message"));
}
// decrypt and create PrivateKey object from ASN.1 structure
try {
InputDecryptorProvider decProv = new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider("BC").build(password.toCharArray());
PrivateKeyInfo privateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(decProv);
return new JcaPEMKeyConverter().getPrivateKey(privateKeyInfo);
} catch (Exception ex) {
throw new CryptoException(res.getString("NoLoadPkcs8PrivateKey.exception.message"), ex);
}
}
Also used :
InputDecryptorProvider(org.bouncycastle.operator.InputDecryptorProvider)
ByteArrayInputStream(java.io.ByteArrayInputStream)
PemInfo(org.kse.utilities.pem.PemInfo)
JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)
JceOpenSSLPKCS8DecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder)
PKCS8EncryptedPrivateKeyInfo(org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo)
CryptoException(org.kse.crypto.CryptoException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
CryptoException(org.kse.crypto.CryptoException)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
EncryptedPrivateKeyInfo(javax.crypto.EncryptedPrivateKeyInfo)
PrivateKeyInfo(org.bouncycastle.asn1.pkcs.PrivateKeyInfo)
PKCS8EncryptedPrivateKeyInfo(org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo)
Example 5 with PemInfo
use of org.kse.utilities.pem.PemInfo in project keystore-explorer by kaikramer.
the class Pkcs8Util method getEncryptionType.
/**
* Detect if a PKCS #8 private key is encrypted or not.
*
* @param is
* Input stream containing PKCS #8 private key
* @return Encryption type or null if not a valid PKCS #8 private key
* @throws IOException
* If an I/O problem occurred
*/
public static EncryptionType getEncryptionType(InputStream is) throws IOException {
byte[] pkcs8 = ReadUtil.readFully(is);
PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(pkcs8));
// PEM encoded?
if (pemInfo != null) {
String pemType = pemInfo.getType();
// Encrypted in pem format?
if (pemType.equals(Pkcs8Util.PKCS8_ENC_PVK_PEM_TYPE)) {
return ENCRYPTED;
} else // Unencrypted in pem format?
if (pemType.equals(Pkcs8Util.PKCS8_UNENC_PVK_PEM_TYPE)) {
return UNENCRYPTED;
}
}
// In ASN.1 format?
try {
// Read in an ASN.1 and check structure against the following
ASN1Primitive key = ASN1Primitive.fromByteArray(pkcs8);
if (key instanceof ASN1Sequence) {
ASN1Sequence sequence = (ASN1Sequence) key;
// May be unencrypted
if ((sequence.size() == 3) || (sequence.size() == 4)) {
// @formatter:off
/*
* Unencrypted PKCS #8 Private Key:
*
* PrivateKeyInfo ::= ASN1Sequence { version Version,
* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
* privateKey PrivateKey, attributes [0] IMPLICIT Attributes
* OPTIONAL }
*
* Version ::= ASN1Integer PrivateKeyAlgorithmIdentifier ::=
* AlgorithmIdentifier PrivateKey ::= OCTET STRING
* Attributes ::= SET OF Attribute
*/
// @formatter:on
Object obj1 = sequence.getObjectAt(0);
Object obj2 = sequence.getObjectAt(1);
Object obj3 = sequence.getObjectAt(2);
if (!(obj1 instanceof ASN1Integer)) {
return null;
}
ASN1Integer version = (ASN1Integer) obj1;
if (!version.getValue().equals(BigInteger.ZERO)) {
return null;
}
if (!(obj2 instanceof ASN1Sequence)) {
return null;
}
if (!sequenceIsAlgorithmIdentifier((ASN1Sequence) obj2)) {
return null;
}
if (!(obj3 instanceof ASN1OctetString)) {
return null;
}
return UNENCRYPTED;
} else // May be encrypted
if (sequence.size() == 2) {
// @formatter:off
/*
* Encrypted PKCS #8 Private Key:
*
* EncryptedPrivateKeyInfo ::= ASN1Sequence {
* encryptionAlgorithm EncryptionAlgorithmIdentifier,
* encryptedData EncryptedData }
*
* EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
* EncryptedData ::= OCTET STRING
*/
// @formatter:on
Object obj1 = sequence.getObjectAt(0);
Object obj2 = sequence.getObjectAt(1);
if (!(obj1 instanceof ASN1Sequence)) {
return null;
}
if (!sequenceIsAlgorithmIdentifier((ASN1Sequence) obj1)) {
return null;
}
if (!(obj2 instanceof ASN1OctetString)) {
return null;
}
return ENCRYPTED;
}
}
} catch (Exception ex) {
// Structure not as expected for PKCS #8
return null;
}
return null;
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ByteArrayInputStream(java.io.ByteArrayInputStream)
PemInfo(org.kse.utilities.pem.PemInfo)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
CryptoException(org.kse.crypto.CryptoException)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Aggregations
PemInfo (org.kse.utilities.pem.PemInfo)10
ByteArrayInputStream (java.io.ByteArrayInputStream)7
CryptoException (org.kse.crypto.CryptoException)7
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)6
IOException (java.io.IOException)5
GeneralSecurityException (java.security.GeneralSecurityException)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
InvalidKeySpecException (java.security.spec.InvalidKeySpecException)3
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)3
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)3
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)3
JcaPEMKeyConverter (org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)3
PemAttributes (org.kse.utilities.pem.PemAttributes)3
BigInteger (java.math.BigInteger)2
KeyFactory (java.security.KeyFactory)2
ECPrivateKey (java.security.interfaces.ECPrivateKey)2
RSAPrivateCrtKey (java.security.interfaces.RSAPrivateCrtKey)2
Cipher (javax.crypto.Cipher)2
PrivateKeyInfo (org.bouncycastle.asn1.pkcs.PrivateKeyInfo)2
PrivateKey (java.security.PrivateKey)1
