1.
|
What available keystore types support the storing of symmetric keys? Of the standard Java keystore types, the JCEKS supports storing symmetric keys. The Bouncy Castle provider also supports symmetric key storage with the BKS and UBER KeyStore type.
|
2.
|
What is one important thing to do if you are relying on the integrity of the JVM's cacerts file to help secure your application? Change the default password!
|
3.
|
You have imported a PKCS #12 file into a Java
application, but there doesn't appear to be an alias for the key entry
you are looking for, or it is just appearing as some random string of
hex. What is most likely to be the issue with the PKCS #12 file? There is no "friendly name" attribute attached to the SafeBag
containing the private key. If the file does import and you see a hex
string, chances are it will be the value of the local key ID. Some
applications still insist and having the "friendly name" attribute
provided in order to successfully import a PKCS #12 file, so this can
sometimes be a cause of failure as well.
|
4.
|
You have generated a PKCS #12 file using a Java
application you have written, but you are unable to import it into
another third-party application. What are the three most likely
problems with the PKCS #12 file you have generated? The
first one is that the PKCS #12 store you are using may have been saved
as a BER file, but the application can only import DER files—you'll
need to convert the file. The second one is the PKCS #12 store you are
using may allow you to have an integrity password that is different
from the privacy password, and the application can deal only with files
that have the same password for both integrity and privacy. The third,
and last, one is that the application may expect the certificates,
other than the trust anchor, making up the validation path for the
key's certificate to have the AuthorityKeyIdentifier and SubjectKeyIdentifier extensions present, and if it cannot find them, it is unable to build the validation path and accept the key as usable.
|
5.
|
Using the keytool, the org.bouncycastle.openssl.PEMReader class, the Utils class, and the Chapter 6
examples "Try It Out: Creating a Certificate from a Certification
Request" and "Try It Out: Writing a CertPath" as helpers, show how to
create a certificate request using the keytool for a keystore key entry, create a PKCS7 encoded certificate chain in response to the request, and update the key entry with the chain. Most
of the code for this you can cut and paste, but I'll reproduce one
solution here. The first thing I'll do is provide the Java code and
then just go through the command sequence.
Here's the Java code for parsing the request and creating the certificate response. It reads the request from a file called pkcs10.req and generates the certificate path making up the response in PKCS7 format in a file called pkcs7.pth.
package chapter8;
import java.io.*;
import java.math.BigInteger;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500PrivateCredential;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.*;
/**
* Example showing the processing of a PEM encoded PKCS #10 encoded request
* in a file called "pkcs10.req". A PKCS7 certificate path is generated as a
* response in the file "pkcs7.pth".
* <p>
* The certificate and its chain will be valid for 50 seconds.
*/
public class CertReqSolution
{
public static void main(String[] args) throws Exception
{
// create the CA certificates
X500PrivateCredential rootCredential = Utils.createRootCredential();
X500PrivateCredential interCredential = Utils.createIntermediateCredential(
rootCredential.getPrivateKey(), rootCredential.getCertificate());
// parse the request
PEMReader pRd = new PEMReader(
new InputStreamReader(
new FileInputStream("pkcs10.req")));
PKCS10CertificationRequest request =
(PKCS10CertificationRequest)pRd.readObject();
// get our validation certificate
X509Certificate caCert = interCredential.getCertificate();
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(caCert.getSubjectX500Principal());
certGen.setNotBefore(new Date(System.currentTimeMillis()));
certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
certGen.setPublicKey(request.getPublicKey("BC"));
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
// provide some basic extensions and mark the certificate
// as appropriate for signing and encipherment
certGen.addExtension(
X509Extensions.AuthorityKeyIdentifier,
false, new AuthorityKeyIdentifierStructure(caCert));
certGen.addExtension(
X509Extensions.SubjectKeyIdentifier,
false, new SubjectKeyIdentifierStructure(
request.getPublicKey("BC")));
certGen.addExtension(
X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.addExtension(
X509Extensions.KeyUsage, true, new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
// create the chain
List chain = Arrays.asList(
new Certificate[] {
certGen.generateX509Certificate(
interCredential.getPrivateKey(), "BC"),
interCredential.getCertificate(),
rootCredential.getCertificate() });
// create the CertPath
CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");
CertPath path = fact.generateCertPath(chain);
// write it out
FileOutputStream fOut = new FileOutputStream("pkcs7.pth");
fOut.write(path.getEncoded("PKCS7"));
fOut.close();
}
}
There's nothing new in this code, although if you do
find some of it confusing, it would be worth having another look at the
examples and descriptions in Chapter 6 before going any further. Compile up the code into your class hierarchy and you're ready to proceed.
Now to use it with the keytool—I've used test.jks as the keystore file here so that the commands avoid touching your .keystore file. Remember, both the java code you are using and the keytool will be operating on the current directory.
First, generate a key to use, responding appropriately to the questions the keytool prompts you with:
keytool -genkey -alias testKey -keystore test.jks -storepass testStore -keypass
testKey
Next, generate the certification request into the file pkcs10.req:
keytool -certreq -alias testKey -keystore test.jks -storepass testStore
-keypass testKey -file pkcs10.req
Next, run the Java program to read the request and generate the response:
java -cp your_class_hierarchy chapter8.CertReqSolution
where your_class_hierarchy is wherever you compiled the class file to.
Finally, import the certificate response:
keytool -import -alias testKey -keystore test.jks -storepass testStore -keypass
testKey -file pkcs7.pth
You will be prompted to determine whether you want to trust the root certificate. Respond with a yes and you're done. Do a
keytool -list -v -keystore test.jks -storepass testStore
and you should see the certificate path has now been added to the entry.
|
No comments:
Post a Comment