Example: Developing a key or key pair generation class for automated key generation
You can create a class that automatically generates keys for cryptographic operations. With this function, the key management infrastructure maintains a list of keys for a predefined key set, and applications can access those keys.
You can schedule new keys to be generated at a predefined frequency. Remember that the key generation frequency affects the security of the data. For example, for persistent data you might schedule key generation at a lower frequency than for real-time communication, which requires keys to be generated at a higher frequency as the cipher expires.
When you develop a key generation class, determine whether you are creating a shared key or a key pair, because that determines which interface you must use.
If you are developing a shared key, refer to the following example, which uses a KeyGenerator class to implement the com.ibm.websphere.crypto.KeyGenerator interface. This interface returns a java.security.Key, which is stored as a SecretKey in the JCEKS keystore type. You can use any other keystore type that supports storing keys.
package com.ibm.test;

import java.util.Properties;
import javax.crypto.spec.SecretKeySpec;
import com.ibm.websphere.crypto.KeyException;

public class KeyGenerator implements com.ibm.websphere.crypto.KeyGenerator
{
    private Properties customProperties = null;
    private java.security.Key secretKey = null;

    public KeyGenerator()
    {
    }

    /**
     * This method is called to pass any custom properties configured with
     * the KeySet to the implementation of this interface.
     *
     * @param customProps java.util.Properties
     **/
    public void init(Properties customProps)
    {
        customProperties = customProps;
    }

    /**
     * This method is called whenever a key needs to be generated either
     * from the schedule or manually requested. The key is stored in the
     * KeyStore referenced by the configured KeySet that contains the
     * keyGenerationClass implementing this interface. The implementation of
     * this interface manages the key type. The user of the KeySet
     * must know the type that is returned by this keyGenerationClass.
     *
     * @return java.security.Key
     * @throws com.ibm.websphere.crypto.KeyException
     **/
    public java.security.Key generateKey() throws KeyException
    {
        try
        {
            byte[] tripleDESKey = generate3DESKey();
            // Wrap the 24 raw key bytes as a SecretKey. The algorithm string is the
            // label KeySet consumers see when they read the key back from the keystore.
            secretKey = new SecretKeySpec(tripleDESKey, 0, 24, "3DES");
            return secretKey;
        }
        catch (Exception e)
        {
            // Do not swallow the failure: the caller must learn that no key was produced.
            throw new KeyException("Key could not be generated: " + e.getMessage());
        }
    }

    // Produces the 24 raw bytes of a triple-DES key through the JCA (standard name "DESede").
    // This class shadows javax.crypto.KeyGenerator, hence the fully qualified reference.
    private byte[] generate3DESKey() throws java.security.NoSuchAlgorithmException
    {
        javax.crypto.KeyGenerator kg = javax.crypto.KeyGenerator.getInstance("DESede");
        kg.init(168);
        return kg.generateKey().getEncoded();
    }
}
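The key management infrastructure stores the Key returned by generateKey() as a SecretKey entry in a JCEKS keystore. The following added example (my code, not part of the WebSphere documentation or product) shows that storage step end to end: it generates a triple-DES key, writes it to an in-memory JCEKS keystore as a password-protected secret-key entry, reloads it, and uses the reloaded key for a decryption round trip. The keystore password, the alias, and the use of the JCA standard algorithm name "DESede" (the sample class above labels its key "3DES") are assumptions of this example.

```java
// Added example, not WebSphere product code: store a generated secret key in a
// JCEKS keystore and read it back, as the key management infrastructure does.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JceksSecretKeyRoundTrip {

    // Assumed values; a real deployment takes these from the KeySet configuration.
    private static final char[] STORE_PASSWORD = "changeit".toCharArray();
    private static final String ALIAS = "keyset-alias-v1";

    // Generate a 24-byte triple-DES key under the JCA standard name "DESede".
    static SecretKey generate3DESKey() throws Exception {
        javax.crypto.KeyGenerator kg = javax.crypto.KeyGenerator.getInstance("DESede");
        kg.init(168);
        byte[] raw = kg.generateKey().getEncoded();   // 24 bytes including parity bits
        return new SecretKeySpec(raw, 0, 24, "DESede");
    }

    // Write the key into an empty in-memory JCEKS keystore and return the serialized bytes.
    static byte[] storeInJceks(SecretKey key) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, STORE_PASSWORD);                // initializes an empty keystore
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(STORE_PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASSWORD);
        return out.toByteArray();
    }

    // Reload the keystore from its serialized form and fetch the entry by alias.
    static SecretKey loadFromJceks(byte[] serialized) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(serialized), STORE_PASSWORD);
        Key k = ks.getKey(ALIAS, STORE_PASSWORD);
        return (SecretKey) k;
    }

    public static void main(String[] args) throws Exception {
        SecretKey original = generate3DESKey();
        SecretKey reloaded = loadFromJceks(storeInJceks(original));

        // The algorithm label travels with the key; consumers use it for Cipher.getInstance.
        System.out.println("algorithm after reload: " + reloaded.getAlgorithm());

        // Encrypt with the freshly generated key, decrypt with the reloaded one.
        byte[] plaintext = "constructed sample plaintext".getBytes("UTF-8");
        Cipher enc = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, original);
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        dec.init(Cipher.DECRYPT_MODE, reloaded, new IvParameterSpec(enc.getIV()));
        System.out.println("round trip ok: " + new String(dec.doFinal(ciphertext), "UTF-8"));
    }
}
```

The JKS keystore type rejects SecretKeyEntry objects; JCEKS accepts them, which is why the documentation names that type. The algorithm string on the SecretKeySpec is preserved across store and reload, so KeySet consumers see exactly the label the generation class chose, and that label has to be one they can hand to Cipher.getInstance.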
If you are developing a key pair, refer to the following example, which uses a KeyPairGenerator class to implement the com.ibm.websphere.crypto.KeyPairGenerator interface.
package com.ibm.test;

import java.util.Properties;
import javax.crypto.spec.SecretKeySpec;
import com.ibm.websphere.crypto.KeyException;

/**
 * This implementation defines the method to generate a java.security.KeyPair.
 * When a keyGeneration class implements this method, the generateKeyPair method
 * is called and a KeyPair is stored in the keystore. The isKeyPair
 * attribute is ignored since the KeyGenerationClass is an
 * implementation of KeyPairGenerator. The isKeyPair attribute is for when
 * the keys already exist in a KeyStore, and are just read (not
 * generating them).
 *
 * @author IBM Corporation
 * @version WebSphere Application Server 6.1
 * @since WebSphere Application Server 6.1
 **/
public class KeyPairGenerator implements com.ibm.websphere.crypto.KeyPairGenerator
{
    private Properties customProperties = null;

    public KeyPairGenerator()
    {
    }

    /**
     * This method is called to pass any custom properties configured with
     * the KeySet to the implementation of this interface.
     *
     * @param customProps java.util.Properties
     **/
    public void init(Properties customProps)
    {
        customProperties = customProps;
    }

    /**
     * This method is called whenever a key needs to be generated either
     * from the schedule or manually requested and isKeyPair=true in the KeySet
     * configuration. The key is stored in the KeyStore referenced by
     * the configured KeySet which contains the keyGenerationClass implementing
     * this interface. The implementation of this interface manages the
     * type of the key. The user of the KeySet must know the type that
     * is returned by this keyGenerationClass.
     *
     * @return com.ibm.websphere.crypto.KeyPair
     * @throws com.ibm.websphere.crypto.KeyException
     **/
    public com.ibm.websphere.crypto.KeyPair generateKeyPair() throws KeyException
    {
        try
        {
            // This class shadows java.security.KeyPairGenerator, so the JCA generator
            // is referenced by its fully qualified name. The 2048-bit size is illustrative.
            java.security.KeyPairGenerator generator =
                java.security.KeyPairGenerator.getInstance("RSA");
            generator.initialize(2048);
            java.security.KeyPair keyPair = generator.generateKeyPair();

            java.security.PrivateKey privKey = keyPair.getPrivate();
            java.security.PublicKey pubKey = keyPair.getPublic();
            // Store both halves as SecretKeySpec objects: the encoded bytes are kept under
            // a label the runtime recognizes when it converts them back into key objects.
            SecretKeySpec publicKeyAsSecretKey =
                new SecretKeySpec(pubKey.getEncoded(), "RSA_PUBLIC");
            SecretKeySpec privateKeyAsSecretKey =
                new SecretKeySpec(privKey.getEncoded(), "RSA_PRIVATE");
            return new com.ibm.websphere.crypto.KeyPair(publicKeyAsSecretKey, privateKeyAsSecretKey);
        }
        catch (Exception e)
        {
            // Report the failure instead of returning nothing.
            throw new KeyException("Key pair could not be generated: " + e.getMessage());
        }
    }
}
This interface returns a com.ibm.websphere.crypto.KeyPair, which can contain either an X509Certificate and a PrivateKey object, or a PublicKey and a PrivateKey object. If the com.ibm.websphere.crypto.KeyPair contains an X509Certificate and a PrivateKey object, the certificate and the private key are stored in the keystore, so they can use any keystore type.
If the com.ibm.websphere.crypto.KeyPair contains PublicKey and PrivateKey objects, you must convert their encoded values into SecretKeySpec objects to store them. The WebSphere® Application Server runtime stores and retrieves the key pair as secret keys. When the server retrieves the key pair during the handshake, the runtime converts it back into PublicKey and PrivateKey objects.
- Public and private constructor.
    public KeyPair(java.security.Key publicKey, java.security.Key privateKey)
- Certificate and private constructor.
    public KeyPair(java.security.cert.Certificate[] certChain, java.security.Key privateKey)
The example code above shows a KeyPairGenerator class that uses the public and private constructor. Every call to this class generates a new, unique key pair, and the KeySet calls this class to create a new key pair when isKeyPair=true. Each time the key set is called, its version number is incremented.
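The conversion the runtime performs, from PublicKey and PrivateKey objects into SecretKeySpec objects for storage and back again on retrieval, is shown in the following added example (my code, not WebSphere's own implementation). It wraps an RSA pair with the same "RSA_PUBLIC" and "RSA_PRIVATE" labels the sample class uses, recovers the real key objects with KeyFactory from the X.509 and PKCS#8 encodings, rejects a mislabelled entry, and proves the recovered pair is usable with a sign-and-verify check. The 2048-bit key size, the label check, and the helper names are assumptions; the keystore write itself is left out.

```java
// Added example, not WebSphere product code: round-trips an RSA key pair through
// the SecretKeySpec wrapping that the sample KeyPairGenerator class uses.
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyPairAsSecretKeys {

    // Labels chosen to match the sample class; a fixed label is what lets the
    // reader of the keystore know which half of the pair each entry carries.
    static final String PUBLIC_LABEL = "RSA_PUBLIC";
    static final String PRIVATE_LABEL = "RSA_PRIVATE";

    // Forward direction: keep the encoded bytes and tag them with the label.
    static SecretKeySpec wrapPublic(PublicKey pub) {
        return new SecretKeySpec(pub.getEncoded(), PUBLIC_LABEL);   // X.509 SubjectPublicKeyInfo
    }

    static SecretKeySpec wrapPrivate(PrivateKey priv) {
        return new SecretKeySpec(priv.getEncoded(), PRIVATE_LABEL); // PKCS#8 PrivateKeyInfo
    }

    // Reverse direction: check the label, then rebuild the key object from its encoding.
    static PublicKey unwrapPublic(SecretKeySpec wrapped) throws Exception {
        if (!PUBLIC_LABEL.equals(wrapped.getAlgorithm())) {
            throw new IllegalArgumentException("not a wrapped public key: " + wrapped.getAlgorithm());
        }
        return KeyFactory.getInstance("RSA")
                         .generatePublic(new X509EncodedKeySpec(wrapped.getEncoded()));
    }

    static PrivateKey unwrapPrivate(SecretKeySpec wrapped) throws Exception {
        if (!PRIVATE_LABEL.equals(wrapped.getAlgorithm())) {
            throw new IllegalArgumentException("not a wrapped private key: " + wrapped.getAlgorithm());
        }
        return KeyFactory.getInstance("RSA")
                         .generatePrivate(new PKCS8EncodedKeySpec(wrapped.getEncoded()));
    }

    // Sign with the recovered private key and verify with the recovered public key.
    static boolean roundTripWorks(SecretKeySpec wrappedPub, SecretKeySpec wrappedPriv) throws Exception {
        PublicKey pub = unwrapPublic(wrappedPub);
        PrivateKey priv = unwrapPrivate(wrappedPriv);
        byte[] message = "constructed sample message".getBytes("UTF-8");

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(message);
        byte[] signature = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(message);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);                       // assumed key size
        java.security.KeyPair pair = generator.generateKeyPair();

        SecretKeySpec wrappedPub = wrapPublic(pair.getPublic());
        SecretKeySpec wrappedPriv = wrapPrivate(pair.getPrivate());
        System.out.println("stored labels: " + wrappedPub.getAlgorithm()
                           + ", " + wrappedPriv.getAlgorithm());
        System.out.println("sign/verify after unwrapping: " + roundTripWorks(wrappedPub, wrappedPriv));

        // A mislabelled entry is rejected before any key material is parsed.
        try {
            unwrapPublic(wrappedPriv);
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Because the private half is stored as an ordinary secret-key entry, it is protected only by the keystore and entry passwords; treat the JCEKS file holding a KeySet of this kind with the same care as one holding private keys directly.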