Use BouncyCastle PKCS12SafeBagBuilder or PKCS12BagAttributeCarrier to change PKCS12 safe bag attributes when writing KeyStore to file in Android?

♀尐吖头ヾ submitted on 2020-01-03 03:42:27

Question


I am trying to write a private key and associated signed certificate to a PKCS12 (.p12) file on an Android device using BouncyCastle 1.47 (bcpkix-jdk15on-147.jar and bcprov-jdk15on-147.jar) and would like to change the key encryption algorithms and other bag attributes. I am trying to implement the same control available to OpenSSL's PKCS12_create() function, where you can set:

  • the private key encryption algorithm
  • the certificate encryption algorithm
  • the encryption iteration count
  • the MAC iteration count

So far I have seen recommendations for using PKCS12BagAttributeCarrier or PKCS12SafeBagBuilder with PKCS12PfxPduBuilder, but could not figure out how to change the four attributes listed above (or use them correctly).

Does anyone know which method is currently preferred or have experience or examples with these outside of changing PKCSObjectIdentifiers.pkcs_9_at_friendlyName and PKCSObjectIdentifiers.pkcs_9_at_localKeyId? Should I be using something other than a KeyStore object as a container before writing to file?

I am able to create a PKCS12 file and notice the defaults for both iteration counts are 1024, the private key algorithm is pbeWithSHA1And3-KeyTripleDES-CBC, and the certificate algorithm is pbeWithSHA1And40BitRC2-CBC.

Here is what I am using to create the PKCS12 file:

import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import android.content.Context;

Context appContext = ...;
String p12Filename = ...;
String p12Password = ...;
String p12Alias = ...;
RSAPrivateKey privateKey = ...;
X509Certificate signedCert = ...;

// Empty PKCS12 keystore from the BouncyCastle provider; load(null, null) initialises it
KeyStore store = KeyStore.getInstance("PKCS12", "BC");
store.load(null, null);
X509Certificate[] chain = new X509Certificate[1];
chain[0] = signedCert;

// Key entry under a fixed alias; the key password is the same as the file password
store.setKeyEntry("UserCredentials", privateKey, p12Password.toCharArray(), chain);

// Write the store into the app's private files directory
FileOutputStream fos;
File outputDir = appContext.getFilesDir();
File pkcs12File = new File(outputDir, p12Filename);
fos = new FileOutputStream(pkcs12File);

store.store(fos, p12Password.toCharArray());
fos.flush();
fos.close();

Thanks in advance!


Answer 1:


Yes, the org.bouncycastle.pkcs package is the right place to look.

There's been a lot of work going on in this area in preparation for 1.49. At the moment I'd recommend getting the release available at http://www.bouncycastle.org/betas. You can use the test classes for the PKCS package for reference, and there is also an example program and a write up in the new guide at http://www.cryptoworkshop.com/guide

Regards,

David
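As an added example (not code from the question, the answer, or the BouncyCastle project itself), here is how the org.bouncycastle.pkcs API the answer points to can replace KeyStore.store() so that each of the four PKCS12_create() parameters from the question becomes an explicit argument. It assumes bcprov and bcpkix 1.49 or later on the classpath with the "BC" provider registered; the class name Pkcs12Writer, the method names, and the setIterationCount() calls on JcePKCSPBEOutputEncryptorBuilder and JcePKCS12MacCalculatorBuilder are assumptions about the release in use and should be checked against the javadoc for your version.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.pkcs.PKCS12PfxPdu;
import org.bouncycastle.pkcs.PKCS12PfxPduBuilder;
import org.bouncycastle.pkcs.PKCS12SafeBag;
import org.bouncycastle.pkcs.PKCS12SafeBagBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS12SafeBagBuilder;
import org.bouncycastle.pkcs.jcajce.JcePKCS12MacCalculatorBuilder;
import org.bouncycastle.pkcs.jcajce.JcePKCS12MacCalculatorBuilderProvider;
import org.bouncycastle.pkcs.jcajce.JcePKCSPBEOutputEncryptorBuilder;

// Added example, not BouncyCastle's own code. Builds a PKCS#12 PFX with the
// org.bouncycastle.pkcs builders so that key PBE, certificate PBE, PBE iteration
// count and MAC iteration count (OpenSSL's key_pbe / cert_pbe / iter / mac_iter)
// are all caller-chosen. Assumes bcprov + bcpkix 1.49 or later, provider "BC".
public final class Pkcs12Writer {

    public static byte[] buildPfx(PrivateKey key, X509Certificate cert, String alias,
                                  char[] password,
                                  ASN1ObjectIdentifier keyPbe, ASN1ObjectIdentifier certPbe,
                                  int pbeIterations, int macIterations) throws Exception {
        // localKeyId links the key bag to its certificate bag, the role a KeyStore alias plays.
        SubjectKeyIdentifier localKeyId =
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(cert.getPublicKey());

        // Certificate bag. The bag itself is plain; the PFX builder below wraps the whole
        // bag set in an EncryptedData using certPbe (the "certificate encryption algorithm").
        PKCS12SafeBagBuilder certBag = new JcaPKCS12SafeBagBuilder(cert);
        certBag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
        certBag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, localKeyId);

        // Key bag: a pkcs8ShroudedKeyBag encrypted with keyPbe (the "private key encryption algorithm").
        OutputEncryptor keyEncryptor = new JcePKCSPBEOutputEncryptorBuilder(keyPbe)
                .setProvider("BC").setIterationCount(pbeIterations).build(password);
        PKCS12SafeBagBuilder keyBag = new JcaPKCS12SafeBagBuilder(key, keyEncryptor);
        keyBag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
        keyBag.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, localKeyId);

        OutputEncryptor certEncryptor = new JcePKCSPBEOutputEncryptorBuilder(certPbe)
                .setProvider("BC").setIterationCount(pbeIterations).build(password);

        PKCS12PfxPduBuilder pfxBuilder = new PKCS12PfxPduBuilder();
        pfxBuilder.addEncryptedData(certEncryptor, new PKCS12SafeBag[] { certBag.build() });
        pfxBuilder.addData(keyBag.build());

        // MAC over the AuthenticatedSafe; this iteration count is the "MAC iteration count".
        PKCS12PfxPdu pfx = pfxBuilder.build(
                new JcePKCS12MacCalculatorBuilder(NISTObjectIdentifiers.id_sha256)
                        .setProvider("BC").setIterationCount(macIterations),
                password);
        return pfx.getEncoded();
    }

    // Checks the MAC, then confirms an ordinary PKCS12 KeyStore can read the entry back.
    public static boolean verify(byte[] pfxBytes, String alias, char[] password) throws Exception {
        PKCS12PfxPdu pfx = new PKCS12PfxPdu(pfxBytes);
        if (!pfx.isMacValid(new JcePKCS12MacCalculatorBuilderProvider().setProvider("BC"), password)) {
            return false;
        }
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(new ByteArrayInputStream(pfxBytes), password);
        return ks.isKeyEntry(alias);
    }

    // Same layout as the question: the PFX is written into the app's private files directory.
    public static File writeToFile(File outputDir, String filename, byte[] pfxBytes) throws IOException {
        File out = new File(outputDir, filename);
        FileOutputStream fos = new FileOutputStream(out);
        try {
            fos.write(pfxBytes);
        } finally {
            fos.close();
        }
        return out;
    }

    // Usage (privateKey/signedCert/appContext obtained as in the question):
    //   java.security.Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    //   byte[] pfx = buildPfx(privateKey, signedCert, "UserCredentials", password,
    //           NISTObjectIdentifiers.id_aes256_CBC,   // PBES2/AES-256 instead of 3DES
    //           NISTObjectIdentifiers.id_aes256_CBC,   // PBES2/AES-256 instead of 40-bit RC2
    //           100000, 100000);
    //   writeToFile(appContext.getFilesDir(), "user.p12", pfx);
}
```

Passing the legacy OIDs (PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC and PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC) with 1024 iterations reproduces the defaults the question observed; passing an AES OID instead makes the builder emit PBES2, and the SHA-256 MAC digest is likewise a choice rather than the SHA-1 default. Not every PKCS#12 consumer accepts PBES2 or non-SHA-1 MACs, so run verify() and, more importantly, a load on the consumer you actually need to interoperate with before changing production output.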



Source: https://stackoverflow.com/questions/12890436/use-bouncycastle-pkcs12safebagbuilder-or-pkcs12bagattributecarrier-to-change-pkc
