问题
I am new to BouncyCastle. I have a private key generated using the below code.
final CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
keypair.generate(1024);
final PrivateKey privKey = keypair.getPrivateKey();
I would to encrypt it with a password using AES or some openssl supported algorithm using BouncyCastle. Can some one help me out how to start, where I am not able to find any good tutorial on this. Please help me out. Thanks in advance.
回答1:
If you just want to output your private key to a passphrase "12345" protected PEM formatted and file "privatekey.pem" you can use this BC code:
JceOpenSSLPKCS8EncryptorBuilder encryptorBuilder = new JceOpenSSLPKCS8EncryptorBuilder(PKCS8Generator.PBE_SHA1_3DES);
encryptorBuilder.setRandom(EntropySource.getSecureRandom());
encryptorBuilder.setPasssword("12345".toCharArray());
OutputEncryptor oe = encryptorBuilder.build();
JcaPKCS8Generator gen = new JcaPKCS8Generator(privKey,oe);
PemObject obj = gen.generate();
PEMWriter pemWrt = new PEMWriter( new FileWriter("privatekey.pem"));
pemWrt.writeObject(obj);
pemWrt.close();
then afterwards you can get at the private key with openssl with
$ openssl rsa -in privatekey.pem -check Enter pass phrase for privatekey.pem: RSA key ok writing RSA key -----BEGIN RSA PRIVATE KEY----- ..... -----END RSA PRIVATE KEY-----
The "standard" use of PEMWriter will not passphrase protect your private key:(
回答2:
If you'd prefer to protect your private keys with AES-256 instead of one of the old DES variants supported by PKCS8, this will work:
public String toPem(String password) throws IOException {
StringWriter sw = new StringWriter();
try (JcaPEMWriter pemWriter = new JcaPEMWriter(sw)) {
PEMEncryptor encryptor =
new JcePEMEncryptorBuilder("AES-256-CBC").build(password);
// privateKey is a java.security.PrivateKey
JcaMiscPEMGenerator gen = new JcaMiscPEMGenerator(privateKey, encryptor);
pemWriter.writeObject(gen);
}
return sw.toString();
}
You can verify the output with openssl. In my case the key is EC so this command is used:
$ openssl ec -in key.txt -passin pass:password -text
Adapt as required for RSA keys.
来源:https://stackoverflow.com/questions/14597371/encrypt-a-private-key-with-password-using-bouncycastle