【问题标题】:PKCS12 - Bouncy Castle FIPS ModePKCS12 - 充气城堡 FIPS 模式
【发布时间】:2020-12-10 17:12:53
【问题描述】:

在 FIPS 模式下,PKCS#12 格式在加密文件时必须使用兼容的加密和散列算法。

当我阅读 BC -FIPS 文档时,它说在批准模式下它们不支持 PKCS#12,这意味着我们无法在 BC-FIPS 批准模式下读取 PKCS12 密钥库;我们使用 BC-FIPS 作为加密提供者,并且还使用 PKCS12 和 JKS 格式来存储密钥和证书。

BC-FIPS 声明 -“PKCS12 密钥库支持 以下变化: • PKCS12-3DES-3DES:默认值,对任何加密任务使用 Triple-DES。”所以我们可以使用任何这种机制读取 PKCS12 并声称我们符合 FIPS。

迁移到 BCFKS 是一项艰巨的任务,它可能会引入兼容性问题。

-钱德拉

【问题讨论】:

  • 请问您的问题在哪里?
  • 哦 主要是想了解在BC-FIPS审批模式下能否读取PKCS12 Key stores。

标签: bouncycastle


【解决方案1】:

您的问题“我们是否可以在 BC-FIPS 批准模式下读取 PKCS12 密钥存储”的简短回答是

四个月前,您在这里问了(几乎)相同的问题:Bouncy Castle FIPS mode for PKCS#12 KeyStore Format 和 你从@Peter Dettmann 那里得到了答案:

Quoting from the BC-FJA user guide, section "7. Key Stores":
The PKCS12 key store is **not available** in approved-mode of operation due to the algorithms required for PBE key generation in the PKCS#12 standard.
It is available only to threads that are not running in approved-mode.

您可以在下面找到 BC FIPS 示例(“KeyStr.java”)的剥离版本,该示例首先在禁用批准模式下运行,然后我启用该模式 - 您将收到一条错误消息:

Testing a PKCS12 keystore with BC FIPS in approved mode

running in approved mode: false
PKCS12 (certificate): true
running in approved mode: true
Exception in thread "main" org.bouncycastle.jcajce.provider.ProvIOException: exception decrypting data - java.security.NoSuchAlgorithmException: No such algorithm: 1.2.840.113549.1.12.1.3
...

以下代码仅用于教育目的,可能不安全

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCSException;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;

public class Pkcs12KeystoreFipsApprovedMode
{
     public static byte[] storeCertificatePkcs12(char[] storePassword, X509Certificate trustedCert)
        throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12", "BCFIPS");
        keyStore.load(null, null);
        keyStore.setCertificateEntry("trustedca", trustedCert);
        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        keyStore.store(bOut, storePassword);
        return bOut.toByteArray();
    }

    private static KeyStore rebuildStore(String storeType, char[] storePassword, byte[] encoding)
        throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(storeType, "BCFIPS");
        keyStore.load(new ByteArrayInputStream(encoding), storePassword);
        return keyStore;
    }

    public static void main(String[] args)
        throws GeneralSecurityException, OperatorCreationException, PKCSException, IOException
    {
        Security.addProvider(new BouncyCastleFipsProvider());
        System.out.println("Testing a PKCS12 keystore with BC FIPS in approved mode\n");
        System.out.println("running in approved mode: " + org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode());
        KeyPair caKeyPair = generateKeyPair();
        X509Certificate caCert = makeV1Certificate(caKeyPair.getPrivate(), caKeyPair.getPublic());

        char[] storePass = "storePassword".toCharArray();
        System.out.println("PKCS12 (certificate): " + rebuildStore("PKCS12", storePass, storeCertificatePkcs12(storePass, caCert)).isCertificateEntry("trustedca"));

        // running now in approved mode
        org.bouncycastle.crypto.CryptoServicesRegistrar.setApprovedOnlyMode(true);
        System.out.println("running in approved mode: " + org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode());
        System.out.println("PKCS12 (certificate): " + rebuildStore("PKCS12", storePass, storeCertificatePkcs12(storePass, caCert)).isCertificateEntry("trustedca2"));
    }
    public static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator keyPair = KeyPairGenerator.getInstance("EC", "BCFIPS");
        keyPair.initialize(384);
        return keyPair.generateKeyPair();
    }

    public static X509Certificate makeV1Certificate(PrivateKey caSignerKey, PublicKey caPublicKey)
            throws GeneralSecurityException, OperatorCreationException {
        long THIRTY_DAYS = 1000L * 60 * 60 * 24 * 30;
        X509v1CertificateBuilder v1CertBldr = new JcaX509v1CertificateBuilder(
                new X500Name("CN=Issuer CA"),
                BigInteger.valueOf(System.currentTimeMillis()),
                new Date(System.currentTimeMillis() - 1000L * 5),
                new Date(System.currentTimeMillis() + THIRTY_DAYS),
                new X500Name("CN=Issuer CA"),
                caPublicKey);
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA384withECDSA").setProvider("BCFIPS");
        return new JcaX509CertificateConverter().setProvider("BCFIPS").getCertificate(v1CertBldr.build(signerBuilder.build(caSignerKey)));
    }
}

【讨论】:

    猜你喜欢
    • 2022-11-07
    • 2011-06-12
    • 2013-04-20
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2014-09-19
    • 2019-12-29
    相关资源
    最近更新 更多