Create a GOST 34.10-2001 key pair and save it in some key store

Currently, I need to create a key pair for the GOST 34.10-2001 signature algorithm. It was nice to find that the Bouncy Castle provider supports this algorithm, but I cannot create a key pair and save it in a keystore of any type. Currently, I tried this command (it works fine if keyalg is DSA and sigalg is SHA1withDSA):

    keytool -genkey -alias test1 -keyalg ECGOST3410 -keysize 512 -sigalg GOST3411withECGOST3410 \
        -keypass test_1 -validity 1000 -storetype JKS -keystore test1.jks -storepass test_1 -v \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-1.46.jar"

But I have an error:

    keytool error: java.lang.IllegalArgumentException: unknown key size.
    java.lang.IllegalArgumentException: unknown key size.
        at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

I see exactly the same error when I change the keysize or remove the keysize parameter from this command. But there is a special case. When I set keysize to 256, I get another error:

    keytool error: java.lang.IllegalArgumentException: key size not configurable.
    java.lang.IllegalArgumentException: key size not configurable.
        at sun.security.x509.CertAndKeyGen.generate(CertAndKeyGen.java:134)
        at sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1156)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:786)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

Currently, I have no idea how to create a key pair and how to store it in a keystore. I also have Java code that can generate a key pair for the GOST 34.10-2001 algorithm:

    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.Security;
    import java.security.spec.ECGenParameterSpec;

    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECGOST3410", "BC");
    // the GOST generator must be told which named curve to use
    kpg.initialize(new ECGenParameterSpec("GostR3410-2001-CryptoPro-A"));
    KeyPair kp = kpg.generateKeyPair();

This code example uses the ECGenParameterSpec class to initialize a key pair generator, so maybe I should somehow specify it in keytool (-providerArg provider_arg or -Jjavaoption)?

PS I think that I should indicate the name of the curve as some parameter, but I cannot determine which parameter I should use.

+4
1 answer

You cannot use keytool and BC to create a keystore with GOST3410 keys.

The sun.security.x509.CertAndKeyGen class used by keytool does not provide a way to initialize the key generator with parameters, and the BC GOST3410 key generator requires initialization with an ECParameterSpec.

You can create a keypair + certificate and put them in the keystore:

    import java.io.FileOutputStream;
    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.KeyStore;
    import java.security.Security;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import java.security.spec.ECGenParameterSpec;
    import java.util.Date;
    import java.util.concurrent.TimeUnit;

    public class GostKeyStore {
        public static void main( String[] args ) throws Exception {
            Security.addProvider( new org.bouncycastle.jce.provider.BouncyCastleProvider() );

            // generate the GOST R 34.10-2001 key pair on a named CryptoPro curve
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( "ECGOST3410", "BC" );
            keyPairGenerator.initialize( new ECGenParameterSpec( "GostR3410-2001-CryptoPro-A" ) );
            KeyPair keyPair = keyPairGenerator.generateKeyPair();

            // build a self-signed certificate for the public key
            org.bouncycastle.asn1.x500.X500Name subject = new org.bouncycastle.asn1.x500.X500Name( "CN=Me" );
            org.bouncycastle.asn1.x500.X500Name issuer = subject; // self-signed
            BigInteger serial = BigInteger.ONE; // serial number for self-signed does not matter a lot
            Date notBefore = new Date();
            Date notAfter = new Date( notBefore.getTime() + TimeUnit.DAYS.toMillis( 365 ) );
            org.bouncycastle.cert.X509v3CertificateBuilder certificateBuilder =
                new org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder(
                    issuer, serial, notBefore, notAfter, subject, keyPair.getPublic() );
            org.bouncycastle.cert.X509CertificateHolder certificateHolder = certificateBuilder.build(
                new org.bouncycastle.operator.jcajce.JcaContentSignerBuilder( "GOST3411withECGOST3410" )
                    .build( keyPair.getPrivate() ) );
            org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter =
                new org.bouncycastle.cert.jcajce.JcaX509CertificateConverter();
            X509Certificate certificate = certificateConverter.getCertificate( certificateHolder );

            // store private key + certificate chain in a fresh JKS keystore
            KeyStore keyStore = KeyStore.getInstance( "JKS" );
            keyStore.load( null, null ); // initialize new keystore
            keyStore.setEntry( "alias",
                new KeyStore.PrivateKeyEntry( keyPair.getPrivate(), new Certificate[] { certificate } ),
                new KeyStore.PasswordProtection( "entryPassword".toCharArray() ) );
            FileOutputStream out = new FileOutputStream( "test.jks" );
            try {
                keyStore.store( out, "keystorePassword".toCharArray() );
            } finally {
                out.close();
            }
        }
    }
+5
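As an added example that is not part of the original question or answer, the program below reads the keystore written by the answer's code back in and checks that the stored GOST 34.10-2001 entry is actually usable: it verifies the self-signed certificate, signs constructed test data with the private key, verifies the signature with the certificate's public key, and confirms that a tampered copy fails. It assumes the file name, alias and passwords the answer used (test.jks, "alias", "entryPassword", "keystorePassword") and that the Bouncy Castle provider jar is on the classpath.

```java
// Added example (not from the original post): round-trip check of the GOST entry in test.jks.
// Assumed names: test.jks, alias "alias", passwords "entryPassword" / "keystorePassword".
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class GostKeyStoreCheck {

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance("GOST3411withECGOST3410", "BC");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(X509Certificate cert, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("GOST3411withECGOST3410", "BC");
        s.initVerify(cert.getPublicKey());
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // BC must be registered before load(): JKS keeps the private key as PKCS#8 and
        // needs a KeyFactory for the ECGOST3410 algorithm to decode it, which only BC provides.
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream("test.jks");
        try {
            ks.load(in, "keystorePassword".toCharArray());
        } finally {
            in.close();
        }

        PrivateKey priv = (PrivateKey) ks.getKey("alias", "entryPassword".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("alias");
        if (priv == null || cert == null) {
            throw new IllegalStateException("entry 'alias' is missing or has no certificate");
        }

        System.out.println("key algorithm : " + priv.getAlgorithm());
        System.out.println("cert sig alg  : " + cert.getSigAlgName());
        System.out.println("subject       : " + cert.getSubjectX500Principal());

        // A self-signed certificate must verify under its own public key and be in its validity window.
        cert.verify(cert.getPublicKey(), "BC");
        cert.checkValidity();

        // Constructed test data: sign, verify, then verify a tampered copy, which must fail.
        byte[] data = "GOST R 34.10-2001 test message".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(priv, data);
        if (!verify(cert, data, sig)) {
            throw new IllegalStateException("signature over original data did not verify");
        }

        byte[] tampered = Arrays.copyOf(data, data.length);
        tampered[0] ^= 0x01;
        if (verify(cert, tampered, sig)) {
            throw new IllegalStateException("signature verified over tampered data");
        }

        System.out.println("GOST entry in test.jks signs and verifies correctly");
    }
}
```

Run it after the answer's program has written test.jks. Loading the keystore in a JVM where Bouncy Castle is not registered is the usual way this breaks: the certificate still comes back, but getKey fails because no provider can decode the ECGOST3410 private key.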
