下面列出了java.security.spec.MGF1ParameterSpec#SHA256() 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
public RsaPssSha256()
{
super(AlgorithmIdentifiers.RSA_PSS_USING_SHA256, "SHA256withRSAandMGF1");
MGF1ParameterSpec mgf1pec = MGF1ParameterSpec.SHA256;
PSSParameterSpec pssSpec = new PSSParameterSpec(mgf1pec.getDigestAlgorithm(), MGF1, mgf1pec, 32, TRAILER);
setAlgorithmParameterSpec(pssSpec);
}
public void encryptAsymmetric(
String projectId,
String locationId,
String keyRingId,
String keyId,
String keyVersionId,
String plaintext)
throws IOException, GeneralSecurityException {
// Initialize client that will be used to send requests. This client only
// needs to be created once, and can be reused for multiple requests. After
// completing all of your requests, call the "close" method on the client to
// safely clean up any remaining background resources.
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
// Build the key version name from the project, location, key ring, key,
// and key version.
CryptoKeyVersionName keyVersionName =
CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
// Get the public key.
PublicKey publicKey = client.getPublicKey(keyVersionName);
// Convert the public PEM key to a DER key (see helper below).
byte[] derKey = convertPemToDer(publicKey.getPem());
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
// Encrypt plaintext for the 'RSA_DECRYPT_OAEP_2048_SHA256' key.
// For other key algorithms:
// https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
OAEPParameterSpec oaepParams =
new OAEPParameterSpec(
"SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams);
byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
System.out.printf("Ciphertext: %s%n", ciphertext);
}
}
@Test
public void testDecryptAsymmetric() throws IOException, GeneralSecurityException {
String plaintext = "my message";
byte[] ciphertext;
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
CryptoKeyVersionName keyVersionName =
CryptoKeyVersionName.of(
PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_DECRYPT_KEY_ID, "1");
PublicKey publicKey = client.getPublicKey(keyVersionName);
byte[] derKey = convertPemToDer(publicKey.getPem());
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
OAEPParameterSpec oaepParams =
new OAEPParameterSpec(
"SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams);
ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
}
new DecryptAsymmetric()
.decryptAsymmetric(
PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_DECRYPT_KEY_ID, "1", ciphertext);
assertThat(stdOut.toString()).contains("my message");
}
@Test
public void rsaSsaPss() throws Exception {
final Algorithm algorithm = Algorithm.RSA_PSS;
final AlgorithmParameterSpec spec = new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
final Signer signer = new Signer(privateKey,
new Signature("some-key-1", SigningAlgorithm.HS2019, algorithm, spec, null, Arrays.asList("date")));
final Signature signature = signer.sign(method, uri, headers);
// The RSASSA-PSS signature is non-deterministic, the value of the signature will be different
// every time a signature is generated.
final Verifier verifier = new Verifier(publicKey, signature);
boolean verifies = verifier.verify(method, uri, headers);
assertTrue(verifies);
}
public static byte[] encryptSecretKey(SecretKey secretKey, PublicKey publicKey) throws CryptoException {
try {
Cipher cipher = Cipher.getInstance(ASYM_CIPHER);
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
cipher.init(Cipher.WRAP_MODE, publicKey, oaepParameterSpec);
return cipher.wrap(secretKey);
} catch (Throwable e) {
log.error("Couldn't encrypt payload", e);
throw new CryptoException("Couldn't encrypt payload");
}
}
public static SecretKey decryptSecretKey(byte[] encryptedSecretKey, PrivateKey privateKey) throws CryptoException {
try {
Cipher cipher = Cipher.getInstance(ASYM_CIPHER);
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
cipher.init(Cipher.UNWRAP_MODE, privateKey, oaepParameterSpec);
return (SecretKey) cipher.unwrap(encryptedSecretKey, "AES", Cipher.SECRET_KEY);
} catch (Throwable e) {
// errors when trying to decrypt foreign network_messages are normal
throw new CryptoException(e);
}
}
@Override
protected void engineInit(byte[] encoded) throws IOException {
// first initialize with the DEFAULT values before
// retrieving from the encoding bytes
String mdName = DEFAULT.getDigestAlgorithm();
MGF1ParameterSpec mgfSpec = (MGF1ParameterSpec) DEFAULT.getMGFParameters();
int saltLength = DEFAULT.getSaltLength();
int trailerField = DEFAULT.getTrailerField();
DerInputStream der = new DerInputStream(encoded);
DerValue[] datum = der.getSequence(4);
for (DerValue d : datum) {
if (d.isContextSpecific((byte) 0x00)) {
// hash algid
mdName = AlgorithmId.parse
(d.data.getDerValue()).getName();
} else if (d.isContextSpecific((byte) 0x01)) {
// mgf algid
AlgorithmId val = AlgorithmId.parse(d.data.getDerValue());
if (!val.getOID().equals(AlgorithmId.mgf1_oid)) {
throw new IOException("Only MGF1 mgf is supported");
}
AlgorithmId params = AlgorithmId.parse(
new DerValue(val.getEncodedParams()));
String mgfDigestName = params.getName();
switch (mgfDigestName) {
case "SHA-1":
mgfSpec = MGF1ParameterSpec.SHA1;
break;
case "SHA-224":
mgfSpec = MGF1ParameterSpec.SHA224;
break;
case "SHA-256":
mgfSpec = MGF1ParameterSpec.SHA256;
break;
case "SHA-384":
mgfSpec = MGF1ParameterSpec.SHA384;
break;
case "SHA-512":
mgfSpec = MGF1ParameterSpec.SHA512;
break;
case "SHA-512/224":
mgfSpec = MGF1ParameterSpec.SHA512_224;
break;
case "SHA-512/256":
mgfSpec = MGF1ParameterSpec.SHA512_256;
break;
default:
throw new IOException
("Unrecognized message digest algorithm " +
mgfDigestName);
}
} else if (d.isContextSpecific((byte) 0x02)) {
// salt length
saltLength = d.data.getDerValue().getInteger();
if (saltLength < 0) {
throw new IOException("Negative value for saltLength");
}
} else if (d.isContextSpecific((byte) 0x03)) {
// trailer field
trailerField = d.data.getDerValue().getInteger();
if (trailerField != 1) {
throw new IOException("Unsupported trailerField value " +
trailerField);
}
} else {
throw new IOException("Invalid encoded PSSParameters");
}
}
this.spec = new PSSParameterSpec(mdName, "MGF1", mgfSpec,
saltLength, trailerField);
}
@Override
protected void engineInit(byte[] encoded) throws IOException {
// first initialize with the DEFAULT values before
// retrieving from the encoding bytes
String mdName = DEFAULT.getDigestAlgorithm();
MGF1ParameterSpec mgfSpec = (MGF1ParameterSpec) DEFAULT.getMGFParameters();
int saltLength = DEFAULT.getSaltLength();
int trailerField = DEFAULT.getTrailerField();
DerInputStream der = new DerInputStream(encoded);
DerValue[] datum = der.getSequence(4);
for (DerValue d : datum) {
if (d.isContextSpecific((byte) 0x00)) {
// hash algid
mdName = AlgorithmId.parse
(d.data.getDerValue()).getName();
} else if (d.isContextSpecific((byte) 0x01)) {
// mgf algid
AlgorithmId val = AlgorithmId.parse(d.data.getDerValue());
if (!val.getOID().equals(AlgorithmId.mgf1_oid)) {
throw new IOException("Only MGF1 mgf is supported");
}
AlgorithmId params = AlgorithmId.parse(
new DerValue(val.getEncodedParams()));
String mgfDigestName = params.getName();
switch (mgfDigestName) {
case "SHA-1":
mgfSpec = MGF1ParameterSpec.SHA1;
break;
case "SHA-224":
mgfSpec = MGF1ParameterSpec.SHA224;
break;
case "SHA-256":
mgfSpec = MGF1ParameterSpec.SHA256;
break;
case "SHA-384":
mgfSpec = MGF1ParameterSpec.SHA384;
break;
case "SHA-512":
mgfSpec = MGF1ParameterSpec.SHA512;
break;
case "SHA-512/224":
mgfSpec = MGF1ParameterSpec.SHA512_224;
break;
case "SHA-512/256":
mgfSpec = MGF1ParameterSpec.SHA512_256;
break;
default:
throw new IOException
("Unrecognized message digest algorithm " +
mgfDigestName);
}
} else if (d.isContextSpecific((byte) 0x02)) {
// salt length
saltLength = d.data.getDerValue().getInteger();
if (saltLength < 0) {
throw new IOException("Negative value for saltLength");
}
} else if (d.isContextSpecific((byte) 0x03)) {
// trailer field
trailerField = d.data.getDerValue().getInteger();
if (trailerField != 1) {
throw new IOException("Unsupported trailerField value " +
trailerField);
}
} else {
throw new IOException("Invalid encoded PSSParameters");
}
}
this.spec = new PSSParameterSpec(mdName, "MGF1", mgfSpec,
saltLength, trailerField);
}
@Override
protected void engineInit(byte[] encoded) throws IOException {
// first initialize with the DEFAULT values before
// retrieving from the encoding bytes
String mdName = DEFAULT.getDigestAlgorithm();
MGF1ParameterSpec mgfSpec = (MGF1ParameterSpec) DEFAULT.getMGFParameters();
int saltLength = DEFAULT.getSaltLength();
int trailerField = DEFAULT.getTrailerField();
DerInputStream der = new DerInputStream(encoded);
DerValue[] datum = der.getSequence(4);
for (DerValue d : datum) {
if (d.isContextSpecific((byte) 0x00)) {
// hash algid
mdName = AlgorithmId.parse
(d.data.getDerValue()).getName();
} else if (d.isContextSpecific((byte) 0x01)) {
// mgf algid
AlgorithmId val = AlgorithmId.parse(d.data.getDerValue());
if (!val.getOID().equals(AlgorithmId.mgf1_oid)) {
throw new IOException("Only MGF1 mgf is supported");
}
AlgorithmId params = AlgorithmId.parse(
new DerValue(val.getEncodedParams()));
String mgfDigestName = params.getName();
switch (mgfDigestName) {
case "SHA-1":
mgfSpec = MGF1ParameterSpec.SHA1;
break;
case "SHA-224":
mgfSpec = MGF1ParameterSpec.SHA224;
break;
case "SHA-256":
mgfSpec = MGF1ParameterSpec.SHA256;
break;
case "SHA-384":
mgfSpec = MGF1ParameterSpec.SHA384;
break;
case "SHA-512":
mgfSpec = MGF1ParameterSpec.SHA512;
break;
case "SHA-512/224":
mgfSpec = MGF1ParameterSpec.SHA512_224;
break;
case "SHA-512/256":
mgfSpec = MGF1ParameterSpec.SHA512_256;
break;
default:
throw new IOException
("Unrecognized message digest algorithm " +
mgfDigestName);
}
} else if (d.isContextSpecific((byte) 0x02)) {
// salt length
saltLength = d.data.getDerValue().getInteger();
if (saltLength < 0) {
throw new IOException("Negative value for saltLength");
}
} else if (d.isContextSpecific((byte) 0x03)) {
// trailer field
trailerField = d.data.getDerValue().getInteger();
if (trailerField != 1) {
throw new IOException("Unsupported trailerField value " +
trailerField);
}
} else {
throw new IOException("Invalid encoded PSSParameters");
}
}
this.spec = new PSSParameterSpec(mdName, "MGF1", mgfSpec,
saltLength, trailerField);
}
RsaJceKeyCipher(PublicKey wrappingKey, PrivateKey unwrappingKey, String transformation) {
super(wrappingKey, unwrappingKey);
final Matcher matcher = SUPPORTED_TRANSFORMATIONS.matcher(transformation);
if (matcher.matches()) {
final String hashUnknownCase = matcher.group(1);
if (hashUnknownCase != null) {
// OAEP mode a.k.a PKCS #1v2
final String hash = hashUnknownCase.toUpperCase();
transformation_ = "RSA/ECB/OAEPPadding";
final MGF1ParameterSpec mgf1Spec;
switch (hash) {
case "SHA-1":
mgf1Spec = MGF1ParameterSpec.SHA1;
break;
case "SHA-224":
LOGGER.warning(transformation + " is not officially supported by the JceMasterKey");
mgf1Spec = MGF1ParameterSpec.SHA224;
break;
case "SHA-256":
mgf1Spec = MGF1ParameterSpec.SHA256;
break;
case "SHA-384":
mgf1Spec = MGF1ParameterSpec.SHA384;
break;
case "SHA-512":
mgf1Spec = MGF1ParameterSpec.SHA512;
break;
default:
throw new IllegalArgumentException("Unsupported algorithm: " + transformation);
}
parameterSpec_ = new OAEPParameterSpec(hash, "MGF1", mgf1Spec, PSource.PSpecified.DEFAULT);
} else {
// PKCS #1 v1.x
transformation_ = transformation;
parameterSpec_ = null;
}
} else {
LOGGER.warning(transformation + " is not officially supported by the JceMasterKey");
// Unsupported transformation, just use exactly what we are given
transformation_ = transformation;
parameterSpec_ = null;
}
}