
[英]Store PGP (public) keys in java keystore - Bouncycastle

I am using bouncycastle (JAVA) for signing, encryption, decryption and signature verification in an implementation of SSO. I have raw PGP public and private keys and I need to store them in a Java keystore. These PGP public keys have no certificate.

I understand that for public keys (according to the javadoc of KeyStore: http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html ) I have to create a certificate. Once the certificate is created I can import it into the keystore as a KeyStore.TrustedCertificateEntry. However, I am not able to create a certificate entry for the type org.bouncycastle.openpgp.PGPPublicKey.

I have searched the web but could not find any valid example:

  1. Bouncycastle documentation: http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation generates a certificate for X.509 keys.
  2. Bouncycastle examples - org.bouncycastle.openpgp.examples.DirectKeySignature: adds a certificate (an object of type PGPSignature) directly to the PGPPublicKey. To conclude: I have a signed (certified) PGPPublicKey, but I am not able to store this type of key in the Java keystore.

     import java.io.ByteArrayOutputStream;
     import java.io.OutputStream;
     import org.bouncycastle.bcpg.ArmoredOutputStream;
     import org.bouncycastle.bcpg.BCPGOutputStream;
     import org.bouncycastle.openpgp.*;

     // Adapted from Bouncy Castle's DirectKeySignature example; it uses the older
     // provider-string ("BC") overloads of the OpenPGP API.
     private static byte[] signPublicKey(PGPSecretKey secretKey, String secretKeyPass,
             PGPPublicKey keyToBeSigned, String notationName, String notationValue,
             boolean armor) throws Exception {
         OutputStream out = new ByteArrayOutputStream();
         if (armor) {
             out = new ArmoredOutputStream(out);
         }
         PGPPrivateKey pgpPrivKey = secretKey.extractPrivateKey(secretKeyPass.toCharArray(), "BC");
         PGPSignatureGenerator sGen = new PGPSignatureGenerator(
                 secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1, "BC");
         sGen.initSign(PGPSignature.DIRECT_KEY, pgpPrivKey);
         BCPGOutputStream bOut = new BCPGOutputStream(out);
         sGen.generateOnePassVersion(false).encode(bOut);
         // the notation subpacket goes into the hashed (signed) part of the signature
         PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();
         boolean isHumanReadable = true;
         spGen.setNotationData(true, isHumanReadable, notationName, notationValue);
         PGPSignatureSubpacketVector packetVector = spGen.generate();
         sGen.setHashedSubpackets(packetVector);
         bOut.flush();
         // attach the direct-key signature (the "certification") to the public key
         return PGPPublicKey.addCertification(keyToBeSigned, sGen.generate()).getEncoded();
     }

I am mainly interested in a programmatic solution (Java source code), but examples that use some tools will be helpful too.

Thanks!

I think you should extract a java.security.PublicKey from your PGPPublicKey and use that to construct an X509Certificate which can be stored in a keystore.

JcaPGPKeyConverter c = new JcaPGPKeyConverter();
PublicKey publicKey = c.getPublicKey(pgpPublicKey);
// ... Use Bouncy's X509V3CertificateGenerator or X509v3CertificateBuilder
// ... to construct a self-signed cert
X509Certificate x509Certificate = // ...
// ... add cert to KeyStore

To create an X509Certificate from a PublicKey see: Generate random certificates .

If you only want to save the public key, why can't you just save the key content into the Java keystore? Then retrieve the content and convert it into a PGPPublicKey object when you need it.

Create a wrapper class first

import java.nio.charset.StandardCharsets;
import java.security.Key;

public class PgpPublicKeyWrapper implements Key {
    private final String keyContent;
    public PgpPublicKeyWrapper(final String keyContent) {
        this.keyContent = keyContent;
    }
    @Override
    public String getAlgorithm() {
        return "PGP-PublicKey"; // you can call whatever you want
    }
    @Override
    public String getFormat() {
        return "RAW"; // has to be raw format
    }
    @Override
    public byte[] getEncoded() {
        // explicit charset, so the bytes do not depend on the platform default
        return keyContent.getBytes(StandardCharsets.UTF_8);
    }
}

Then you can do this to save it

keyStore.setKeyEntry("think a name for alias", new PgpPublicKeyWrapper(key), PASSWORD, null);

When you want to retrieve it

Key key = this.keyStore.getKey(alias, PASSWORD);
InputStream is = new ByteArrayInputStream(key.getEncoded());
PGPPublicKey publicKey = readPublicKey(is);

For readPublicKey(), you can find a lot of examples online about how to read an InputStream into a PGPPublicKey object.
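The following worked example is added here and is not code from either answer or from Bouncy Castle itself. It demonstrates both approaches above end to end: the first answer's route (convert the PGPPublicKey with JcaPGPKeyConverter, wrap it in a self-signed X.509 certificate, store it as a KeyStore.TrustedCertificateEntry) and the second answer's route (store the OpenPGP encoding as an opaque key entry and parse it back with a readPublicKey() implementation). A throwaway RSA key pair is generated in place of the asker's real keys; the class name, the alias scheme, the ten-year certificate validity and the "PGP-PublicKey" algorithm label are assumptions of this example. It needs bcprov and bcpkix on the classpath.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class PgpKeyStoreDemo {

    // Constructed for the demo: a throwaway RSA OpenPGP key pair stands in for the real keys.
    static PGPKeyPair generateDemoPgpKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        return new JcaPGPKeyPair(PGPPublicKey.RSA_GENERAL, kpg.generateKeyPair(), new Date());
    }

    static String hexKeyId(PGPPublicKey key) {
        return Long.toHexString(key.getKeyID()).toUpperCase();
    }

    // Path 1 (first answer): convert the PGP key material to JCA objects and wrap the public
    // key in a self-signed X.509 certificate, which a KeyStore accepts as a trusted-certificate entry.
    static X509Certificate toSelfSignedCert(PGPKeyPair pgp) throws Exception {
        JcaPGPKeyConverter conv = new JcaPGPKeyConverter().setProvider("BC");
        PublicKey pub = conv.getPublicKey(pgp.getPublicKey());
        PrivateKey priv = conv.getPrivateKey(pgp.getPrivateKey());
        // Put the PGP key ID in the subject: the certificate carries none of the PGP
        // metadata (user IDs, certifications), so this is the way back to the PGP key.
        X500Name name = new X500Name("CN=PGP 0x" + hexKeyId(pgp.getPublicKey()));
        Date notBefore = pgp.getPublicKey().getCreationTime();
        Date notAfter = new Date(notBefore.getTime() + 10L * 365 * 24 * 60 * 60 * 1000);
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, name, pub)
                .build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(priv));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    // Path 2 (second answer): parse stored OpenPGP bytes (binary or ASCII-armored) back into
    // the master PGPPublicKey. This is the readPublicKey() the answer leaves to the reader.
    static PGPPublicKey readPublicKey(InputStream in) throws Exception {
        PGPPublicKeyRingCollection rings = new PGPPublicKeyRingCollection(
                PGPUtil.getDecoderStream(in), new JcaKeyFingerprintCalculator());
        for (Iterator<PGPPublicKeyRing> r = rings.getKeyRings(); r.hasNext(); ) {
            for (Iterator<PGPPublicKey> k = r.next().getPublicKeys(); k.hasNext(); ) {
                PGPPublicKey key = k.next();
                if (key.isMasterKey()) return key;
            }
        }
        throw new IllegalArgumentException("no master public key in stream");
    }

    // Write the store out and load it again, so the demo exercises what actually hits disk.
    static KeyStore roundTrip(KeyStore ks, char[] pw) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        KeyStore reloaded = KeyStore.getInstance(ks.getType());
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), pw);
        return reloaded;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        char[] pw = "changeit".toCharArray(); // constructed demo password
        PGPKeyPair pgp = generateDemoPgpKeyPair();
        String alias = "pgp-0x" + hexKeyId(pgp.getPublicKey());

        // Path 1: trusted-certificate entry in a PKCS#12 store.
        KeyStore certStore = KeyStore.getInstance("PKCS12");
        certStore.load(null, null);
        certStore.setEntry(alias, new KeyStore.TrustedCertificateEntry(toSelfSignedCert(pgp)), null);
        X509Certificate back = (X509Certificate) roundTrip(certStore, pw).getCertificate(alias);
        back.verify(back.getPublicKey()); // throws if the self-signature does not check out
        System.out.println("stored as certificate: " + back.getSubjectX500Principal());

        // Path 2: the raw OpenPGP encoding as an opaque secret-key entry. JCEKS is used because it
        // seals any serializable Key; JKS accepts only PrivateKey entries.
        byte[] encoded = pgp.getPublicKey().getEncoded();
        KeyStore rawStore = KeyStore.getInstance("JCEKS");
        rawStore.load(null, null);
        rawStore.setKeyEntry(alias, new SecretKeySpec(encoded, "PGP-PublicKey"), pw, null);
        Key raw = roundTrip(rawStore, pw).getKey(alias, pw);
        PGPPublicKey restored = readPublicKey(new ByteArrayInputStream(raw.getEncoded()));
        if (restored.getKeyID() != pgp.getPublicKey().getKeyID()) throw new IllegalStateException("key ID changed");
        System.out.println("stored as raw OpenPGP bytes: 0x" + hexKeyId(restored));
    }
}
```

The two paths trade different things away. The X.509 wrapper gives the KeyStore something it can validate and hand to TLS or signature code, but the certificate is self-signed and carries none of the OpenPGP state (user IDs, direct-key certifications, key flags); the key ID in the subject is the only link back. Storing PGPPublicKey.getEncoded() keeps that state intact, including a direct-key signature added as in the question, but the KeyStore then only acts as a password-protected container and cannot check anything about the bytes; whether to trust the key still has to be decided by verifying its certifications with the OpenPGP API after readPublicKey(). The choice of keystore type matters for the raw path: JKS rejects key entries that are not a PrivateKey, so the custom wrapper or SecretKeySpec approach needs JCEKS or another type that accepts opaque keys.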
