Example: Developing a key or key pair generation class to generate keys automatically

You can create a class that automatically generates keys for cryptographic operations. With this function, the key management infrastructure maintains a list of keys for a predefined set of keys, and applications can access those keys.

Generation of new keys can be scheduled at a predefined frequency. Remember that the key generation frequency affects the security of the data. For example, for persistent data you might schedule key generation at a lower frequency than for real-time communication, which requires keys to be generated at a higher frequency when passwords expire.

When you develop a key generation class, determine whether you are creating a shared key or a key pair, because that choice determines which interface you must implement.

To develop a shared key, refer to the following example, which uses a KeyGenerator class to implement the com.ibm.websphere.crypto.KeyGenerator interface. The interface returns a java.security.Key, which is stored as a SecretKey in a keystore of type JCEKS. Any other keystore type that supports storing keys can be used.

package com.ibm.test;

import java.util.*;
import com.ibm.websphere.crypto.KeyException;

public class KeyGenerator implements com.ibm.websphere.crypto.KeyGenerator
{
    private java.util.Properties customProperties = null;
    private java.security.Key secretKey = null;

    public KeyGenerator()
    {
    }

    /**
     * This method is called to pass any custom properties configured with
     * the KeySet to the implementation of this interface.
     *
     * @param customProps java.util.Properties
     **/
    public void init (java.util.Properties customProps)
    {
        customProperties = customProps;
    }

    /**
     * This method is called whenever a key needs to be generated either
     * from the schedule or manually requested. The key is stored in the
     * KeyStore referenced by the configured KeySet that contains the
     * keyGenerationClass implementing this interface. The implementation of
     * this interface manages the key type. The user of the KeySet
     * must know the type that is returned by this keyGenerationClass.
     *
     * @return java.security.Key
     * @throws com.ibm.websphere.crypto.KeyException
     **/
    public java.security.Key generateKey () throws KeyException
    {
        try
        {
            // generate3DESKey (defined below) creates the raw key bytes.
            byte[] tripleDESKey = generate3DESKey();
            // 24 bytes: three 8-byte DES subkeys (168 key bits plus parity bits).
            secretKey = new javax.crypto.spec.SecretKeySpec(tripleDESKey, 0, 24, "3DES");

            if (secretKey != null)
            {
                return secretKey;
            }
            else
            {
                throw new com.ibm.websphere.crypto.KeyException ("Key could not be generated.");
            }
        }
        catch (Exception e)
        {
            // Wrap and rethrow so the KeySet sees the failure; only printing the
            // stack trace here would leave generateKey without a return value.
            throw new com.ibm.websphere.crypto.KeyException ("Key could not be generated: " + e.getMessage());
        }
    }

    /**
     * Assumed helper, not shown on the original page: obtains 24 random key
     * bytes from the JCE Triple-DES ("DESede") key generator. The class name
     * is fully qualified to avoid a clash with this class's own name.
     **/
    private byte[] generate3DESKey() throws java.security.NoSuchAlgorithmException
    {
        javax.crypto.KeyGenerator keyGen = javax.crypto.KeyGenerator.getInstance("DESede");
        keyGen.init(168);
        return keyGen.generateKey().getEncoded();
    }
}

To develop a key pair, refer to the following example, which uses a KeyPairGenerator class to implement the com.ibm.websphere.crypto.KeyPairGenerator interface.

package com.ibm.test;

import java.util.*;
import javax.crypto.spec.SecretKeySpec;
import com.ibm.websphere.crypto.KeyException;

/**
 * This implementation defines the method to generate a java.security.KeyPair.
 * When a keyGeneration class implements this method, the generateKeyPair method
 * is called and a KeyPair is stored in the keystore. The isKeyPair
 * attribute is ignored since the KeyGenerationClass is an
 * implementation of KeyPairGenerator. The isKeyPair attribute is for when
 * the keys already exist in a KeyStore, and are just read (not
 * generating them).
 *
 * @author IBM Corporation
 * @version WebSphere Application Server 6.1
 * @since WebSphere Application Server 6.1
 **/
public class KeyPairGenerator implements com.ibm.websphere.crypto.KeyPairGenerator
{
    private java.util.Properties customProperties = null;

    public KeyPairGenerator()
    {
    }

    /**
     * This method is called to pass any custom properties configured with
     * the KeySet to the implementation of this interface.
     *
     * @param customProps java.util.Properties
     **/
    public void init (java.util.Properties customProps)
    {
        customProperties = customProps;
    }

    /**
     * This method is called whenever a key needs to be generated either
     * from the schedule or manually requested and isKeyPair=true in the KeySet
     * configuration. The key is stored in the KeyStore referenced by
     * the configured KeySet which contains the keyGenerationClass implementing
     * this interface. The implementation of this interface manages the
     * type of the key. The user of the KeySet must know the type that
     * is returned by this keyGenerationClass.
     *
     * @return com.ibm.websphere.crypto.KeyPair
     * @throws com.ibm.websphere.crypto.KeyException
     **/
    public com.ibm.websphere.crypto.KeyPair generateKeyPair () throws KeyException
    {
        try
        {
            // Assumed helper (defined below). The original called generateKeyPair()
            // here, which would recurse into this very method and not compile,
            // because the return types differ.
            java.security.KeyPair keyPair = generateRSAKeyPair();

            // Store as SecretKeySpec
            if (keyPair != null)
            {
                java.security.PrivateKey privKey = keyPair.getPrivate();
                java.security.PublicKey pubKey = keyPair.getPublic();

                SecretKeySpec publicKeyAsSecretKey = new SecretKeySpec
                    (pubKey.getEncoded(), "RSA_PUBLIC");
                SecretKeySpec privateKeyAsSecretKey = new SecretKeySpec
                    (privKey.getEncoded(), "RSA_PRIVATE");

                com.ibm.websphere.crypto.KeyPair pair = new
                    com.ibm.websphere.crypto.KeyPair(publicKeyAsSecretKey, privateKeyAsSecretKey);
                return pair;
            }
            else
            {
                throw new com.ibm.websphere.crypto.KeyException ("Key pair could not be generated.");
            }
        }
        catch (Exception e)
        {
            // Wrap and rethrow so the KeySet sees the failure; only printing the
            // stack trace here would leave generateKeyPair without a return value.
            throw new com.ibm.websphere.crypto.KeyException ("Key pair could not be generated: " + e.getMessage());
        }
    }

    /**
     * Assumed helper, not shown on the original page: generates a fresh RSA
     * key pair with the JCA KeyPairGenerator. The class name is fully
     * qualified to avoid a clash with this class's own name.
     **/
    private java.security.KeyPair generateRSAKeyPair() throws java.security.NoSuchAlgorithmException
    {
        java.security.KeyPairGenerator keyGen = java.security.KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(2048);
        return keyGen.generateKeyPair();
    }
}

This interface returns a com.ibm.websphere.crypto.KeyPair, which can contain either an X509Certificate and a PrivateKey object, or a PublicKey and a PrivateKey object. If the com.ibm.websphere.crypto.KeyPair contains an X509Certificate and a PrivateKey object, the certificate and private key are stored in the keystore as such; therefore they can use any keystore type.

If the com.ibm.websphere.crypto.KeyPair contains PublicKey and PrivateKey objects, their encoded values must be converted to SecretKeySpec objects in order to store them. The WebSphere® Application Server runtime stores and retrieves the key pair as secret keys. When the server retrieves the key pair during a handshake, the runtime converts it back into PublicKey and PrivateKey objects.
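The conversion described above, as an added example that is not part of the original page or of the WebSphere runtime's own code: it wraps an RSA key pair as SecretKeySpec objects the way the KeyPairGenerator sample does, then uses a hypothetical fromSecretKeySpecs helper (assumed here, standard JCA calls only) to rebuild PublicKey and PrivateKey objects from the stored bytes, and proves the restored pair still matches with a sign/verify check.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyPairRoundTrip {

    // Forward direction, as in the KeyPairGenerator sample: the encoded public key
    // (X.509 SubjectPublicKeyInfo) and encoded private key (PKCS#8) become
    // SecretKeySpec objects so that a JCEKS keystore can hold them as secret keys.
    static SecretKeySpec[] toSecretKeySpecs(KeyPair kp) {
        return new SecretKeySpec[] {
            new SecretKeySpec(kp.getPublic().getEncoded(), "RSA_PUBLIC"),
            new SecretKeySpec(kp.getPrivate().getEncoded(), "RSA_PRIVATE")
        };
    }

    // Reverse direction (hypothetical helper): rebuild real RSA key objects from
    // the stored bytes with a KeyFactory and the matching encoded key specs.
    static KeyPair fromSecretKeySpecs(SecretKeySpec pub, SecretKeySpec priv) throws Exception {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PublicKey publicKey = kf.generatePublic(new X509EncodedKeySpec(pub.getEncoded()));
        PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(priv.getEncoded()));
        return new KeyPair(publicKey, privateKey);
    }

    // Sign with the restored private key and verify with the restored public key;
    // true means the round trip preserved a matching pair.
    static boolean roundTripWorks(KeyPair original) throws Exception {
        SecretKeySpec[] stored = toSecretKeySpecs(original);
        KeyPair restored = fromSecretKeySpecs(stored[0], stored[1]);
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(restored.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(restored.getPublic());
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        System.out.println("round trip ok: " + roundTripWorks(kpg.generateKeyPair()));
    }
}
```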

Use the following constructors to build the com.ibm.websphere.crypto.KeyPair interface:
  • Public and private constructor.
    public KeyPair(java.security.Key publicKey, java.security.Key privateKey)
  • Certificate and private constructor.
    public KeyPair(java.security.cert.Certificate[] certChain,
    java.security.Key privateKey)

The sample code above shows a KeyPairGenerator class that uses the public and private constructor. Each call to this class generates a new, unique key pair, and the KeySet calls this class to create a new key pair when isKeyPair=true. The version number of the key set is incremented on every call.


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rsec_ssldevkeypairgen
File name: rsec_ssldevkeypairgen.html