在 Java 中使用 RSA 私钥进行加密
我正在尝试使用 RSA 私钥加密某些内容.
I'm trying to encrypt some content with an RSA private key.
我正在关注这个例子:http://www.junkheap.net/content/public_key_encryption_java
但将其转换为使用私钥而不是公钥.按照那个例子,我认为我需要做的是:
I'm following this example:
http://www.junkheap.net/content/public_key_encryption_java
but converting it to use private keys rather than public. Following that example, I think what I need to do is:
- 读取 DER 格式的私钥
- 生成 PCKS8EncodedKeySpec
- 从 KeyFactory 调用 generatePrivate() 以获取私钥对象
- 使用该私钥对象和 Cipher 对象进行加密
那么,步骤:
密钥是从 openssl 生成的:
The key was generated from openssl with:
openssl genrsa -aes256 -out private.pem 2048
然后转换为DER格式:
and then was converted to DER format with:
openssl rsa -in private.pem -outform DER -out private.der
我使用以下方法生成 PKCS8EncodedKeySpec:
I generate the PKCS8EncodedKeySpec with:
byte[] encodedKey = new byte[(int)inputKeyFile.length()];
try {
new FileInputStream(inputKeyFile).read(encodedKey);
} catch (FileNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(encodedKey);
return privateKeySpec;
然后生成私钥对象:
PrivateKey pk = null;
try {
KeyFactory kf = KeyFactory.getInstance(RSA_METHOD);
pk = kf.generatePrivate(privateKeySpec);
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeySpecException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return pk;
但是,在调用时:
pk = kf.generatePrivate(privateKeySpec);
我明白了:
java.security.spec.InvalidKeySpecException: Unknown key spec.
at com.sun.net.ssl.internal.ssl.JS_KeyFactory.engineGeneratePrivate(DashoA12275)
at com.sun.net.ssl.internal.ssl.JSA_RSAKeyFactory.engineGeneratePrivate(DashoA12275)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:237)
问题:
- 一般方法是否正确?
- PCKS8EncodedKeySpec 是否正确使用?
- 对无效密钥规范错误有何想法?
推荐答案
首先,我很困惑为什么您打算使用 Cipher
来使用私钥进行加密,而不是签名带有签名
.我不确定所有 RSA Cipher
提供程序是否会使用正确的块类型进行设置,但值得一试.
First of all, I'm confused why you are planning to use a Cipher
to encrypt with a private key, rather than signing with a Signature
. I'm not sure that all RSA Cipher
providers will use the correct block type for setup, but it's worth a try.
尽管如此,我认为您正在尝试加载非标准 OpenSSL 格式的密钥.使用 rsa
将其转换为 DER 本质上只是一个 base-64 解码;密钥的结构不是 PKCS #8.
Setting that aside, though, I think that you are trying to load a non-standard OpenSSL-format key. Converting it to DER with rsa
is essentially just a base-64 decode; the structure of the key is not PKCS #8.
改为在 genrsa
之后,使用 openssl pkcs8
命令将生成的密钥转换为未加密的 PKCS #8,DER 格式:
Instead, after genrsa
, use the openssl pkcs8
command to convert the generated key to unencrypted PKCS #8, DER format:
openssl pkcs8 -topk8 -nocrypt -in private.pem -outform der -out private.der
这将生成一个未加密的私钥,可以使用 PKCS8EncodedKeySpec
加载.
This will produce an unencrypted private key that can be loaded with a PKCS8EncodedKeySpec
.
相关文章