
Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore



Page 1: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore
Page 2: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

Dôležité triedy a interface:
• Cipher
• Mac
• SecureRandom
• KeyGenerator
• KeyPairGenerator
• Signature
• KeyStore

Page 3: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

JAVA API JS API

JCA

JCE

Page 4: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

Abstraction Layer

Service Provider Interface

Provider functionality

Application code JCE/JCA API

JCE/JCA SPI Classes In Provider

Provider Internal Classes

Page 5: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

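/**
 * Generates a fresh symmetric AES key.
 *
 * <p>No key size is requested, so the provider's default AES key length is used.
 * Call {@code KeyGenerator.init(int)} before generating when a specific strength
 * (for example 256 bits) is required.
 *
 * @return a newly generated AES secret key
 * @throws Exception if no installed provider offers an AES key generator
 */
private static Key createKey() throws Exception {
    // Algorithm names must be plain ASCII-quoted string literals to compile.
    KeyGenerator kg = KeyGenerator.getInstance("AES");
    return kg.generateKey();
}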

Page 6: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

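/**
 * Generates a fresh RSA key pair.
 *
 * <p>Asymmetric key pairs come from {@link KeyPairGenerator}; {@code KeyGenerator}
 * only produces symmetric secret keys and has no {@code generateKeyPair()} method.
 *
 * <p>No modulus size is requested, so the provider default applies. Call
 * {@code KeyPairGenerator.initialize(int)} when a specific size is required.
 *
 * @return a newly generated RSA key pair
 * @throws Exception if no installed provider offers an RSA key pair generator
 */
private static KeyPair createKeyPair() throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    return kpg.generateKeyPair();
}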

Page 7: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

/**
 * Extracts the public half of a key pair.
 *
 * @param kp the key pair to read from
 * @return the public key held by {@code kp}
 * @throws Exception declared for symmetry with the other helpers
 */
private static PublicKey getPubliceKey(KeyPair kp) throws Exception {
    final PublicKey publicHalf = kp.getPublic();
    return publicHalf;
}

/**
 * Extracts the private half of a key pair.
 *
 * @param kp the key pair to read from
 * @return the private key held by {@code kp}
 * @throws Exception declared for symmetry with the other helpers
 */
private static PrivateKey getPrivateKey(KeyPair kp) throws Exception {
    final PrivateKey privateHalf = kp.getPrivate();
    return privateHalf;
}

Page 8: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

1. Vytvoríme alebo načítame inštanciu triedy Key

2. Vytvoríme inštanciu triedy Cipher v šifrovacom móde

3. Vykonáme šifrovanie

Page 9: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

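/**
 * Applies the RSA private-key operation (PKCS#1 v1.5 padding) to the UTF-8 bytes
 * of {@code plainText}.
 *
 * <p>NOTE(review): transforming data with the <em>private</em> key gives no
 * confidentiality, because anyone holding the matching public key can reverse it.
 * For confidentiality, encrypt under the recipient's public key (preferably with
 * OAEP padding). For authenticity, use {@code java.security.Signature}.
 *
 * <p>The transformation is spelled out in full. A bare {@code "RSA"} leaves mode
 * and padding to the provider's defaults, which differ between providers.
 *
 * <p>RSA handles a single block only: with PKCS#1 v1.5 padding the input may be at
 * most (modulus length in bytes - 11) bytes long.
 *
 * @param plainText text to transform; encoded as UTF-8
 * @param pk        RSA private key
 * @return the RSA output block
 * @throws Exception if the key is unsuitable or the input is too long for the key
 */
private static byte[] encrypt(String plainText, PrivateKey pk) throws Exception {
    byte[] plainData = plainText.getBytes("UTF-8");
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    c.init(Cipher.ENCRYPT_MODE, pk);
    return c.doFinal(plainData);
}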

Page 10: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

1. Načítame inštanciu triedy Key

2. Vytvoríme inštanciu triedy Cipher v dešifrovacom móde

3. Vykonáme dešifrovanie

Page 11: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

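/**
 * Reverses an RSA private-key operation (PKCS#1 v1.5 padding) using the public key.
 *
 * <p>The input to {@code doFinal} is {@code cipherData}. The slide version passed
 * the not-yet-initialised result variable to itself, which does not compile.
 *
 * <p>NOTE(review): data recoverable with a public key is not confidential. This
 * pairing only shows that the holder of the private key produced the block. Real
 * code should use {@code java.security.Signature} for that purpose.
 *
 * <p>The transformation is spelled out in full so that mode and padding do not
 * depend on provider defaults.
 *
 * @param cipherData a single RSA block produced with the matching private key
 * @param pk         RSA public key
 * @return the recovered bytes
 * @throws Exception if the key is unsuitable or the padding check fails
 */
private static byte[] decrypt(byte[] cipherData, PublicKey pk) throws Exception {
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    c.init(Cipher.DECRYPT_MODE, pk);
    return c.doFinal(cipherData);
}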

Page 12: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

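/**
 * Parses an X.509 certificate from a file.
 *
 * <p>Parsing is not validation: the returned certificate has not been checked
 * against any trust anchor, validity period or revocation source. Callers must do
 * that before relying on the public key it carries.
 *
 * @param file file holding a DER- or PEM-encoded X.509 certificate
 * @return the parsed certificate
 * @throws Exception if the file cannot be read or does not contain a certificate
 */
private static Certificate getCertificate (File file) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    // try-with-resources: the stream is closed even when parsing fails.
    try (FileInputStream is = new FileInputStream(file)) {
        return cf.generateCertificate(is);
    }
}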

Page 13: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

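/**
 * Computes the SHA-1 digest of the UTF-8 encoding of {@code input}.
 *
 * <p>The algorithm is requested by its standard name {@code "SHA-1"}. The slide's
 * {@code "SHA"} is an alias for the same algorithm on the default JDK provider, so
 * the output is unchanged.
 *
 * <p>NOTE(review): SHA-1 is no longer collision resistant. Do not use this digest
 * for signatures, certificate fingerprints used as trust decisions, or password
 * storage. New code should request {@code "SHA-256"} or stronger, and passwords
 * need a dedicated password-hashing function rather than a bare digest.
 *
 * @param input text to hash
 * @return the 20-byte SHA-1 digest
 * @throws Exception if the digest algorithm or the UTF-8 charset is unavailable
 */
public byte[] getHash(String input) throws Exception {
    // A freshly obtained MessageDigest is already in its initial state, so no reset() is needed.
    MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
    messageDigest.update(input.getBytes("UTF-8"));
    return messageDigest.digest();
}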

Page 14: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

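/**
 * Signs the UTF-8 encoding of {@code input} with a DSA private key.
 *
 * <p>Two fixes over the slide version:
 * <ul>
 *   <li>the {@code Signature} object is declared and used under one name (the slide
 *       declared {@code sign} but called methods on {@code signature});</li>
 *   <li>the algorithm is {@code SHA256withDSA}. The bare name {@code "DSA"}
 *       presumably resolves to SHA1withDSA on the default JDK provider, which is
 *       SHA-1 based and is rejected at {@code initSign} for DSA keys larger than
 *       1024 bits. Confirm against the provider in use.</li>
 * </ul>
 *
 * <p>The verifier must use the same algorithm name and feed the same bytes.
 *
 * @param input text to sign
 * @param pk    DSA private key
 * @return the DER-encoded DSA signature
 * @throws Exception if the key is unsuitable or signing fails
 */
public static byte[] sign(String input, PrivateKey pk) throws Exception {
    Signature signature = Signature.getInstance("SHA256withDSA");
    signature.initSign(pk);
    signature.update(input.getBytes("UTF-8"));
    return signature.sign();
}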

Page 15: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

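/**
 * Checks a DSA signature against an <em>empty</em> message.
 *
 * <p>NOTE(review): this two-argument form receives only the signature bytes and
 * never feeds any signed data to the {@code Signature} object. It can therefore
 * only succeed for a signature over zero bytes of input. It is kept for
 * compatibility with existing callers. To verify a signature over real data, use
 * {@link #verify(String, byte[], PublicKey)}.
 *
 * @param input the signature bytes to check
 * @param pk    DSA public key
 * @return {@code true} only if {@code input} is a valid signature over empty data
 * @throws Exception if the key is unsuitable or the signature is malformed
 */
public static boolean verify(byte[] input, PublicKey pk) throws Exception {
    // One name for the Signature object; the slide declared "sign" but used "signature".
    Signature signature = Signature.getInstance("SHA256withDSA");
    signature.initVerify(pk);
    return signature.verify(input);
}

/**
 * Verifies a SHA256withDSA signature over the UTF-8 encoding of {@code input}.
 *
 * <p>The signature must have been produced with the same algorithm over the same
 * bytes. Treat a {@code false} result or an exception as "not authentic" and do
 * not act on the data.
 *
 * @param input          the text that was signed
 * @param signatureBytes the signature to check
 * @param pk             DSA public key of the expected signer
 * @return {@code true} if the signature matches {@code input} under {@code pk}
 * @throws Exception if the key is unsuitable or the signature is malformed
 */
public static boolean verify(String input, byte[] signatureBytes, PublicKey pk) throws Exception {
    Signature signature = Signature.getInstance("SHA256withDSA");
    signature.initVerify(pk);
    signature.update(input.getBytes("UTF-8"));
    return signature.verify(signatureBytes);
}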

Page 16: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

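# Generate an RSA key pair (wrapped in a self-signed certificate) under ALIAS in main.keystore.
# Every option must start with an ASCII hyphen; an en dash is not parsed as an option.
# NOTE(review): passwords given via -keypass/-storepass end up in shell history and are
# visible in the process list. Omit them and keytool prompts for the passwords instead.
keytool -genkey -alias ALIAS -keystore main.keystore -keypass KEYPASS -storepass STOREPASS -keyalg RSA

# Export the certificate (public part only) stored under ALIAS to certificate.cer.
# NOTE(review): exporting a certificate should not need the private-key password - confirm
# whether -keypass can be dropped here.
keytool -exportcert -alias ALIAS -file certificate.cer -keystore main.keystore -keypass KEYPASS -storepass STOREPASS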

Page 17: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

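/**
 * Loads the key stored under alias {@code ALIAS} from the JKS file {@code main.keystore}.
 *
 * <p>NOTE(review): the store and key passwords are literals in the source. That is
 * acceptable for a slide, but real code should obtain them from protected
 * configuration or a prompt and clear the {@code char[]} after use.
 *
 * @return the key for {@code ALIAS}, or {@code null} if the alias does not exist or
 *         is not a key entry
 * @throws Exception if the keystore cannot be read, its integrity check fails, or
 *                   the key cannot be recovered with the given password
 */
private static Key getKey() throws Exception {
    KeyStore ks = KeyStore.getInstance("jks");
    // try-with-resources: the file handle is released even when load() throws.
    try (FileInputStream in = new FileInputStream("main.keystore")) {
        ks.load(in, "STOREPASS".toCharArray());
    }
    return ks.getKey("ALIAS", "KEYPASS".toCharArray());
}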

Page 18: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

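/**
 * Generates an AES key and writes it to {@code main.keystore} under alias {@code ALIAS}.
 *
 * <p>Fixes over the slide version:
 * <ul>
 *   <li>the keystore is initialised with {@code load(null, null)}; calling
 *       {@code setKeyEntry} on an unloaded {@code KeyStore} throws;</li>
 *   <li>the store type is PKCS12, because the JKS format can hold private keys
 *       and certificates but not secret (symmetric) keys;</li>
 *   <li>the output stream is closed even when {@code store()} fails.</li>
 * </ul>
 *
 * <p>NOTE(review): this creates a new keystore and overwrites any existing
 * {@code main.keystore}, so entries already stored there are lost. The passwords
 * are literals in the source; real code should obtain them from protected
 * configuration or a prompt.
 *
 * @throws Exception if key generation or writing the keystore fails
 */
private static void saveKey() throws Exception {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null); // start from an empty, initialised keystore

    KeyGenerator kg = KeyGenerator.getInstance("AES");
    Key k = kg.generateKey();

    // A secret key carries no certificate chain, hence the null last argument.
    ks.setKeyEntry("ALIAS", k, "KEYPASS".toCharArray(), null);

    try (FileOutputStream out = new FileOutputStream("main.keystore")) {
        ks.store(out, "STOREPASS".toCharArray());
    }
}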

Page 19: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

Základný tvar príkazu: jarsigner jar-file alias

jar-file – cesta a meno súboru, ktorý chceme podpisovať

alias - alias identifikujúci súkromný kľúč, ktorý bude použitý na podpísanie .jar súboru

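# Sign file.jar with the private key stored under ALIAS in main.keystore.
# Every option must start with an ASCII hyphen; an en dash is not parsed as an option.
# NOTE(review): passwords given via -storepass/-keypass end up in shell history and are
# visible in the process list. Omit them and jarsigner prompts for the passwords instead.
jarsigner -keystore main.keystore -storepass STOREPASS -keypass KEYPASS file.jar ALIAS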

Page 20: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

• vygenerovanie páru kľúčov
• vytvorenie certifikátu
• vytvorenie aplikácie typu klient-server komunikujúcej cez SSLServerSocket a SSLSocket

Page 21: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

• prístup k súkromnému kľúču (dekódovanie správ)
• prístup k certifikátu (musí ho poslať klientovi)
• vytvoriť SSL server socket

Page 22: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

Normálne sockety:

// Plain TCP server socket: traffic on it is neither encrypted nor authenticated.
serverSocket = new ServerSocket(port);
// accept() blocks until a client connects and returns the socket for that connection.
clientSocket = serverSocket.accept();

Page 23: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

Štruktúra zdrojového kódu:
importy
public class SecureSocketServer {
    deklarácia premenných
    public static void main(String[] args) {
        inicializácia SSLServerSocket
        sslClientSocket = (SSLSocket) SSLServerSocket.accept();
        asociácia I/O streamov so socketmi
        Input/Output (komunikácia)
        zatváranie socketov a streamov
    }
}

Page 24: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

import java.net.*;import java.io.*;import javax.net.ssl.*;import java.security.*;

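/**
 * Minimal TLS server: accepts one connection on port 4444, reads one line and
 * answers depending on whether that line is {@code Hello}.
 *
 * <p>The server authenticates itself with the key and certificate held in
 * {@link #KEYSTORE}. No trust managers are configured and client authentication is
 * not requested, so the client is not authenticated at the TLS layer. The
 * {@code Hello} exchange is a protocol greeting, not an authentication step.
 */
public class SecureSocketServer {
    // NOTE(review): demo values only. Passwords hard-coded in source end up in version
    // control and in the compiled class file; load real ones from protected configuration.
    static final String KEYSTORE = "myStore.ks";
    static final String STOREPASSWD = "123456";
    static final String ALIASPASSWD = "123456";

    /**
     * Starts the server, serves a single client and exits.
     *
     * @param args unused
     * @throws Exception if the keystore cannot be loaded or the TLS setup or I/O fails
     */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        // Close the keystore file as soon as it has been read.
        try (FileInputStream keyStoreStream = new FileInputStream(KEYSTORE)) {
            ks.load(keyStoreStream, STOREPASSWD.toCharArray());
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, ALIASPASSWD.toCharArray());

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), null, null);
        SSLServerSocketFactory sslServerFactory = sslContext.getServerSocketFactory();

        // The provider's default enabled cipher suites are kept on purpose. Enabling
        // everything from getSupportedCipherSuites() would also switch on suites that are
        // disabled by default because they are weak (anonymous, NULL or export-grade suites
        // on older runtimes).
        //
        // try-with-resources closes streams and sockets on every exit path, including errors.
        try (SSLServerSocket sslServerSocket =
                     (SSLServerSocket) sslServerFactory.createServerSocket(4444);
             SSLSocket sslClientSocket = (SSLSocket) sslServerSocket.accept();
             PrintWriter out = new PrintWriter(
                     new OutputStreamWriter(sslClientSocket.getOutputStream(),
                             java.nio.charset.StandardCharsets.UTF_8),
                     true);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(sslClientSocket.getInputStream(),
                             java.nio.charset.StandardCharsets.UTF_8))) {

            // readLine() returns null when the peer closes without sending a line;
            // comparing from the constant side avoids a NullPointerException.
            String inputLine = in.readLine();
            if ("Hello".equals(inputLine)) {
                out.println("Connection established");
            } else {
                out.println("Connection refused");
            }
        }
    }
}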

Page 30: Dôležité triedy a interface: Cipher MAC SecureRandom KeyGenerator KeyPairGenerator Signature KeyStore

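// Client side: trust only the certificates held in TRUSTSTORE.
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyStore ts = KeyStore.getInstance("JCEKS");
// Close the truststore file as soon as it has been read.
try (FileInputStream trustStoreStream = new FileInputStream(TRUSTSTORE)) {
    ts.load(trustStoreStream, TRUSTSTOREPASSWD.toCharArray());
}
TrustManagerFactory tfm = TrustManagerFactory.getInstance("SunX509");
tfm.init(ts);
// No key managers: the client presents no certificate of its own.
sslContext.init(null, tfm.getTrustManagers(), null);
SSLSocketFactory sslFact = sslContext.getSocketFactory();
SSLSocket client = (SSLSocket) sslFact.createSocket("localhost", 4444);

// A raw SSLSocket checks the certificate chain but not that the certificate was issued
// for the host being contacted. Enabling endpoint identification adds that check, so the
// server certificate must name the host ("localhost" here) or the handshake fails.
javax.net.ssl.SSLParameters sslParameters = client.getSSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
client.setSSLParameters(sslParameters);

// The provider's default enabled cipher suites are kept on purpose. Enabling everything
// from getSupportedCipherSuites() would also switch on suites that are disabled by
// default because they are weak.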