add methods

This commit is contained in:
Looly 2022-07-17 21:39:26 +08:00
parent 2c0194d86d
commit 700de56daa
13 changed files with 332 additions and 19 deletions

View File

@ -18,7 +18,7 @@
<properties>
<!-- versions -->
<bouncycastle.version>1.70</bouncycastle.version>
<bouncycastle.version>1.71</bouncycastle.version>
</properties>
<dependencies>
@ -29,7 +29,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15to18</artifactId>
<artifactId>bcpkix-jdk15to18</artifactId>
<version>${bouncycastle.version}</version>
<scope>compile</scope>
<optional>true</optional>

View File

@ -0,0 +1,187 @@
package cn.hutool.crypto;
import cn.hutool.core.io.IORuntimeException;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.X509TrustedCertificateBlock;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.Key;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
/**
* 基于bcpkix封装的Openssl相关工具包括密钥转换Pem密钥文件读取等<br>
* 注意此工具需要引入org.bouncycastle:bcpkix-jdk15to18
*
* @author changhr2013, looly
* @since 5.8.5
*/
public class OpensslKeyUtil {
private static final JcaPEMKeyConverter pemKeyConverter = new JcaPEMKeyConverter().setProvider(GlobalBouncyCastleProvider.INSTANCE.getProvider());
/**
* 转换{@link PrivateKeyInfo}{@link PrivateKey}
*
* @param privateKeyInfo {@link PrivateKeyInfo}
* @return {@link PrivateKey}
* @throws CryptoException {@link PEMException}包装
*/
public static PrivateKey getPrivateKey(final PrivateKeyInfo privateKeyInfo) throws CryptoException {
try {
return pemKeyConverter.getPrivateKey(privateKeyInfo);
} catch (final PEMException e) {
throw new CryptoException(e);
}
}
/**
* 转换{@link SubjectPublicKeyInfo}{@link PublicKey}
*
* @param publicKeyInfo {@link SubjectPublicKeyInfo}
* @return {@link PublicKey}
* @throws CryptoException {@link PEMException}包装
*/
public static PublicKey getPublicKey(final SubjectPublicKeyInfo publicKeyInfo) throws CryptoException {
try {
return pemKeyConverter.getPublicKey(publicKeyInfo);
} catch (final PEMException e) {
throw new CryptoException(e);
}
}
/**
* 转换{@link PEMKeyPair}{@link KeyPair}
*
* @param keyPair {@link PEMKeyPair}
* @return {@link KeyPair}
* @throws CryptoException {@link PEMException}包装
*/
public static KeyPair getKeyPair(final PEMKeyPair keyPair) throws CryptoException {
try {
return pemKeyConverter.getKeyPair(keyPair);
} catch (final PEMException e) {
throw new CryptoException(e);
}
}
/**
* 从pem文件中读取公钥或私钥<br>
* 根据类型返回 {@link PublicKey} 或者 {@link PrivateKey}
*
* @param keyStream pem
* @param password 私钥密码
* @return {@link Key}null 表示无法识别的密钥类型
* @since 5.8.5
*/
public static Key readPemKey(final InputStream keyStream, final char[] password) {
try (final PEMParser pemParser = new PEMParser(new InputStreamReader(keyStream))) {
return readPemKeyFromKeyObject(pemParser.readObject(), password);
} catch (final IOException e) {
throw new CryptoException(e);
}
}
/**
* 解密{@link PKCS8EncryptedPrivateKeyInfo}{@link PrivateKeyInfo}
*
* @param pkcs8Info {@link PKCS8EncryptedPrivateKeyInfo}
* @param password 密码
* @return {@link PrivateKeyInfo}
* @throws CryptoException OperatorCreationException和PKCSException包装
*/
public static PrivateKeyInfo decrypt(final PKCS8EncryptedPrivateKeyInfo pkcs8Info, final char[] password) throws CryptoException {
final InputDecryptorProvider decryptProvider;
try {
decryptProvider = new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider(GlobalBouncyCastleProvider.INSTANCE.getProvider()).build(password);
return pkcs8Info.decryptPrivateKeyInfo(decryptProvider);
} catch (final OperatorCreationException | PKCSException e) {
throw new CryptoException(e);
}
}
/**
* 解密{@link PEMEncryptedKeyPair}{@link PEMKeyPair}
*
* @param pemEncryptedKeyPair {@link PKCS8EncryptedPrivateKeyInfo}
* @param password 密码
* @return {@link PEMKeyPair}
* @throws IORuntimeException IOException包装
*/
public static PEMKeyPair decrypt(final PEMEncryptedKeyPair pemEncryptedKeyPair, final char[] password) throws IORuntimeException {
final PEMDecryptorProvider decryptProvider;
try {
decryptProvider = new JcePEMDecryptorProviderBuilder().setProvider(GlobalBouncyCastleProvider.INSTANCE.getProvider()).build(password);
return pemEncryptedKeyPair.decryptKeyPair(decryptProvider);
} catch (final IOException e) {
throw new IORuntimeException(e);
}
}
/**
* 读取Pem文件中的密钥密钥支持包括<br>
* <ul>
* <li>{@link PrivateKeyInfo}</li>
* <li>{@link PEMKeyPair}默认读取私钥</li>
* <li>{@link PKCS8EncryptedPrivateKeyInfo}</li>
* <li>{@link PEMEncryptedKeyPair}默认读取私钥</li>
* <li>{@link X509CertificateHolder}</li>
* <li>{@link X509TrustedCertificateBlock}</li>
* <li>{@link PKCS10CertificationRequest}</li>
* </ul>
*
* @param keyObject 密钥内容对象
* @param password 密码部分加密的pem使用
* @return {@link Key}
* @throws CryptoException 读取异常或不支持的类型
*/
private static Key readPemKeyFromKeyObject(final Object keyObject, final char[] password) throws CryptoException {
if (keyObject instanceof PrivateKeyInfo) {
// PrivateKeyInfo
return getPrivateKey((PrivateKeyInfo) keyObject);
} else if (keyObject instanceof PEMKeyPair) {
// PemKeyPair
return getKeyPair((PEMKeyPair) keyObject).getPrivate();
} else if (keyObject instanceof PKCS8EncryptedPrivateKeyInfo) {
// Encrypted PrivateKeyInfo
return getPrivateKey(decrypt((PKCS8EncryptedPrivateKeyInfo) keyObject, password));
} else if (keyObject instanceof PEMEncryptedKeyPair) {
// Encrypted PemKeyPair
return getPrivateKey(decrypt((PEMEncryptedKeyPair) keyObject, password).getPrivateKeyInfo());
} else if (keyObject instanceof SubjectPublicKeyInfo) {
// SubjectPublicKeyInfo
return getPublicKey((SubjectPublicKeyInfo) keyObject);
} else if (keyObject instanceof X509CertificateHolder) {
// X509 Certificate
return getPublicKey(((X509CertificateHolder) keyObject).getSubjectPublicKeyInfo());
} else if (keyObject instanceof X509TrustedCertificateBlock) {
// X509 Trusted Certificate
return getPublicKey(((X509TrustedCertificateBlock) keyObject).getCertificateHolder().getSubjectPublicKeyInfo());
} else if (keyObject instanceof PKCS10CertificationRequest) {
// PKCS#10 CSR
return getPublicKey(((PKCS10CertificationRequest) keyObject).getSubjectPublicKeyInfo());
} else {
// 表示无法识别的密钥类型
throw new CryptoException("Unsupported key object type: {}", keyObject.getClass());
}
}
}

View File

@ -67,7 +67,13 @@ public class PemUtil {
if (StrUtil.isNotBlank(type)) {
//private
if (type.endsWith("EC PRIVATE KEY")) {
return KeyUtil.generatePrivateKey("EC", object.getContent());
try {
// 尝试PKCS#8
return KeyUtil.generatePrivateKey("EC", object.getContent());
} catch (final Exception e) {
// 尝试PKCS#1
return KeyUtil.generatePrivateKey("EC", ECKeyUtil.createOpenSSHPrivateKeySpec(object.getContent()));
}
}
if (type.endsWith("PRIVATE KEY")) {
return KeyUtil.generateRSAPrivateKey(object.getContent());
@ -75,7 +81,13 @@ public class PemUtil {
// public
if (type.endsWith("EC PUBLIC KEY")) {
return KeyUtil.generatePublicKey("EC", object.getContent());
try {
// 尝试DER
return KeyUtil.generatePublicKey("EC", object.getContent());
} catch (Exception e) {
// 尝试PKCS#1
return KeyUtil.generatePublicKey("EC", ECKeyUtil.createOpenSSHPublicKeySpec(object.getContent()));
}
} else if (type.endsWith("PUBLIC KEY")) {
return KeyUtil.generateRSAPublicKey(object.getContent());
} else if (type.endsWith("CERTIFICATE")) {
@ -132,20 +144,6 @@ public class PemUtil {
}
}
/**
* 读取OpenSSL生成的ANS1格式的Pem私钥文件必须为PKCS#1格式
*
* @param keyStream 私钥pem流
* @return {@link PrivateKey}
*/
public static PrivateKey readSm2PemPrivateKey(final InputStream keyStream) {
try{
return KeyUtil.generatePrivateKey("sm2", ECKeyUtil.createOpenSSHPrivateKeySpec(readPem(keyStream)));
} finally {
IoUtil.close(keyStream);
}
}
/**
* 将私钥或公钥转换为PEM格式的字符串
* @param type 密钥类型私钥公钥证书

View File

@ -0,0 +1,56 @@
package cn.hutool.crypto;
import cn.hutool.core.io.resource.ResourceUtil;
import cn.hutool.core.text.StrUtil;
import cn.hutool.crypto.asymmetric.SM2;
import org.junit.Assert;
import org.junit.Test;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.List;
public class OpensslKeyUtilTest {
@Test
public void verifyPemUtilReadKey() {
// 公钥
// PKCS#10 文件读取公钥
final PublicKey csrPublicKey = (PublicKey) OpensslKeyUtil.readPemKey(ResourceUtil.getStream("test_ec_certificate_request.csr"), null);
// 证书读取公钥
final PublicKey certPublicKey = (PublicKey) OpensslKeyUtil.readPemKey(ResourceUtil.getStream("test_ec_certificate.cer"), null);
// PEM 公钥
final PublicKey plainPublicKey = (PublicKey) OpensslKeyUtil.readPemKey(ResourceUtil.getStream("test_ec_public_key.pem"), null);
// 私钥
// 加密的 PEM 私钥
final PrivateKey encPrivateKey = (PrivateKey) OpensslKeyUtil.readPemKey(ResourceUtil.getStream("test_ec_encrypted_private_key.key"), "123456".toCharArray());
// PKCS#8 私钥
final PrivateKey pkcs8PrivateKey = (PrivateKey) OpensslKeyUtil.readPemKey(ResourceUtil.getStream("test_ec_pkcs8_private_key.key"), null);
// SEC 1 私钥
final PrivateKey sec1PrivateKey = (PrivateKey) OpensslKeyUtil.readPemKey(ResourceUtil.getStream("test_ec_sec1_private_key.pem"), null);
// 组装还原后的公钥和私钥列表
final List<PublicKey> publicKeyList = Arrays.asList(csrPublicKey, certPublicKey, plainPublicKey);
final List<PrivateKey> privateKeyList = Arrays.asList(encPrivateKey, pkcs8PrivateKey, sec1PrivateKey);
// 做笛卡尔积循环验证
for (final PrivateKey privateKeyItem : privateKeyList) {
for (final PublicKey publicKeyItem : publicKeyList) {
// 校验公私钥
final SM2 genSm2 = new SM2(privateKeyItem, publicKeyItem);
genSm2.usePlainEncoding();
final String content = "我是Hanley.";
final byte[] sign = genSm2.sign(StrUtil.utf8Bytes(content));
final boolean verify = genSm2.verify(StrUtil.utf8Bytes(content), sign);
Assert.assertTrue(verify);
}
}
}
}

View File

@ -49,7 +49,21 @@ public class PemUtilTest {
@Test
public void readECPrivateKeyTest() {
final PrivateKey privateKey = PemUtil.readSm2PemPrivateKey(ResourceUtil.getStream("test_ec_private_key.pem"));
final PrivateKey privateKey = PemUtil.readPemPrivateKey(ResourceUtil.getStream("test_ec_private_key.pem"));
final SM2 sm2 = new SM2(privateKey, null);
sm2.usePlainEncoding();
//需要签名的明文,得到明文对应的字节数组
final byte[] dataBytes = "我是一段测试aaaa".getBytes(StandardCharsets.UTF_8);
final byte[] sign = sm2.sign(dataBytes, null);
// 64位签名
Assert.assertEquals(64, sign.length);
}
@Test
public void readECSec1PrivateKeyTest() {
final PrivateKey privateKey = PemUtil.readPemPrivateKey(ResourceUtil.getStream("test_ec_sec1_private_key.pem"));
final SM2 sm2 = new SM2(privateKey, null);
sm2.usePlainEncoding();

View File

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBozCCAUegAwIBAgIIJQJK8f5oQVQwDAYIKoEcz1UBg3UFADAjMQswCQYDVQQG
EwJDTjEUMBIGA1UEAwwLSHV0b29sIFRlc3QwHhcNMjIwNzE3MDcyMzU4WhcNMjMw
NzE3MDcyMzU4WjAjMQswCQYDVQQGEwJDTjEUMBIGA1UEAwwLSHV0b29sIFRlc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXXjbO+6vY7vdD5aXoi2EMHUq0itI8
kG6FN3cgLBFFoelyy3JxX94h7RpH4ylpNUXeRNuzv1VcPa06nsN1OjTWo2MwYTAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUFHvMM9CZ
VUxWKt1+CHI5uYLpLgQwHwYDVR0jBBgwFoAUFHvMM9CZVUxWKt1+CHI5uYLpLgQw
DAYIKoEcz1UBg3UFAANIADBFAiA5p0Gh7mvuuHMVG2SmbGj5HQpWcpwCaUF90BQ9
/QEYZgIhAIXmeD2bDlOCPc3vxS4aNGxSd1wq/MT9bBJhKyiXWjx5
-----END CERTIFICATE-----

View File

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl142zvur2O73Q+Wl6IthDB1KtIrS
PJBuhTd3ICwRRaHpcstycV/eIe0aR+MpaTVF3kTbs79VXD2tOp7DdTo01g==
-----END PUBLIC KEY-----

View File

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBozCCAUegAwIBAgIIJQJK8f5oQVQwDAYIKoEcz1UBg3UFADAjMQswCQYDVQQG
EwJDTjEUMBIGA1UEAwwLSHV0b29sIFRlc3QwHhcNMjIwNzE3MDcyMzU4WhcNMjMw
NzE3MDcyMzU4WjAjMQswCQYDVQQGEwJDTjEUMBIGA1UEAwwLSHV0b29sIFRlc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXXjbO+6vY7vdD5aXoi2EMHUq0itI8
kG6FN3cgLBFFoelyy3JxX94h7RpH4ylpNUXeRNuzv1VcPa06nsN1OjTWo2MwYTAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUFHvMM9CZ
VUxWKt1+CHI5uYLpLgQwHwYDVR0jBBgwFoAUFHvMM9CZVUxWKt1+CHI5uYLpLgQw
DAYIKoEcz1UBg3UFAANIADBFAiA5p0Gh7mvuuHMVG2SmbGj5HQpWcpwCaUF90BQ9
/QEYZgIhAIXmeD2bDlOCPc3vxS4aNGxSd1wq/MT9bBJhKyiXWjx5
-----END CERTIFICATE-----

View File

@ -0,0 +1,9 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBODCB3wIBADBWMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4G
A1UEBxMHQmVpamluZzEPMA0GA1UECxMGSHV0b29sMRIwEAYDVQQDEwlodXRvb2wu
Y24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXXjbO+6vY7vdD5aXoi2EMHUq0
itI8kG6FN3cgLBFFoelyy3JxX94h7RpH4ylpNUXeRNuzv1VcPa06nsN1OjTWoCcw
JQYJKoZIhvcNAQkOMRgwFjAUBgNVHREEDTALgglodXRvb2wuY24wCgYIKoZIzj0E
AwIDSAAwRQIhAIH0w1XbGnRfbM1flsqRHzfur+pEZ3wiqpChxAI39lpIAiAsNAwn
o7PsXpTXLhq1ZgqurIjFeFuvY1hszUODmO5ySQ==
-----END CERTIFICATE REQUEST-----

View File

@ -0,0 +1,8 @@
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,04b396b78c1f1172857a8b76682b63ef
NoaLaSy87gLE6C3yCi7JwiB86NSYipZmMVlLIcHaBL2ECRUcGDmXEZu6OqFyrbDc
XWXraEl3OieYduiVmuJ0GQ8oeWd5DNgHLBYTPnfgjBowbluAO9/R9AUh4R8Fz918
/zsMZJckjSv3Gs6NWZW02v9OvhTDSJBNwu/M2WTWH10=
-----END EC PRIVATE KEY-----

View File

@ -0,0 +1,6 @@
-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgEZmc6NdYu8UzpzhX
1bcRzfWBlcGgnPtqfVsRzXfXZ/6gCgYIKoZIzj0DAQehRANCAASXXjbO+6vY7vdD
5aXoi2EMHUq0itI8kG6FN3cgLBFFoelyy3JxX94h7RpH4ylpNUXeRNuzv1VcPa06
nsN1OjTW
-----END PRIVATE KEY-----

View File

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl142zvur2O73Q+Wl6IthDB1KtIrS
PJBuhTd3ICwRRaHpcstycV/eIe0aR+MpaTVF3kTbs79VXD2tOp7DdTo01g==
-----END PUBLIC KEY-----

View File

@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBGZnOjXWLvFM6c4V9W3Ec31gZXBoJz7an1bEc1312f+oAoGCCqGSM49
AwEHoUQDQgAEl142zvur2O73Q+Wl6IthDB1KtIrSPJBuhTd3ICwRRaHpcstycV/e
Ie0aR+MpaTVF3kTbs79VXD2tOp7DdTo01g==
-----END EC PRIVATE KEY-----