如何为 Java 生成 2048 位 DSA 密钥对?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18889442/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to generate an 2048-bit DSA key pair for Java?
提问by Clouren
I tried the following methods to generate a DSA private (and public) key with a 2048-bit key length:
我尝试了以下方法来生成密钥长度为 2048 位的 DSA 私钥(和公钥):
Via keytool
通过钥匙工具
keytool -genkeypair -alias MyKeyPair -keyalg DSA -keysize 2048 -validity 365 -keystore MyKeyStore.ks
Resulting in:
导致:
keytool error: java.lang.IllegalArgumentException: Modulus size must range from 512 to 1024 and be a multiple of 64
keytool 错误:java.lang.IllegalArgumentException:模数大小必须在 512 到 1024 之间,并且是 64 的倍数
Via code
通过代码
KeyPairGenerator keyGen = KeyPairGenerator.getInstance(keyAlgorithm,"BC");
keyGen.initialize(numBits);
Resulting in:
导致:
Exception in thread "main" java.security.InvalidParameterException: strength must be from 512 - 1024 and a multiple of 64
at org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi.initialize(Unknown Source)
at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:340)
Above example uses Bouncy Castle's implementation because somewhere I read it should support 2048-bit DSA keys. I also tried the default one with the same error.
上面的例子使用了 Bouncy Castle 的实现,因为我读到的地方应该支持 2048 位 DSA 密钥。我也尝试了默认的,但也有同样的错误。
I installed the (JCE) Unlimited Strength Jurisdiction Policy Files. According to this output, you would expect large keys should be possible:
我安装了 (JCE) Unlimited Strength Jurisdiction Policy Files。根据这个输出,你会期望大键应该是可能的:
System.out.println("DSA Max key length: " + Cipher.getMaxAllowedKeyLength("DSA"));
DSA Max key length: 2147483647
But if you echeck the Keysize Restrictionsin the JCE Providers Docs, 1024-bit is the max.
但是,如果您查看JCE Providers Docs 中的密钥大小限制,则最大为 1024 位。
Who can tell if 2048 bit private key simply not supported in Java 7? Or if there is another way to create a key of this size and import it into a Java Keystore?
谁能判断 Java 7 是否根本不支持 2048 位私钥?或者是否有另一种方法可以创建这种大小的密钥并将其导入 Java 密钥库?
The Java 8 APIgives away it will support bigger keys. So we might need to wait until next year.
在Java的API 8赠送它将支持更大的按键。所以我们可能需要等到明年。
回答by Zeveso
I have been through this before and all I have to say is this sucks man. Here are your basic choices if you want a higher key-size.
我以前经历过这种情况,我只能说这太糟糕了。如果您想要更高的密钥大小,这里是您的基本选择。
Go here and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File- You have to install this on each machine that uses the code.
Write your own implementation from scratch.
Give up & eat a cookie :P (I choose this one)
去这里下载 Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File- 你必须在每台使用代码的机器上安装它。
从头开始编写您自己的实现。
放弃吃饼干:P(我选择了这个)
Now let me explain your problem. Java had the fantastic idea of limiting cryptography in countries where it has limits or is illegal. That file undoes what limits on the crypto systems Java set.
现在让我解释一下你的问题。Java 有一个绝妙的想法,即在有限制或非法的国家/地区限制加密。该文件取消了对 Java 设置的加密系统的限制。
Hope that helps. Also don't forget you can check to see if someone has the file on their system. All you do is something like this:
希望有帮助。另外不要忘记您可以检查是否有人在他们的系统上拥有该文件。你所做的就是这样:
boolean isUnlimitedSupported = false;
try {
KeyGenerator kgen = KeyGenerator.getInstance("AES", "SunJCE");
kgen.init(256);
isUnlimitedSupported = true;
} catch (NoSuchAlgorithmException e) {
isUnlimitedSupported = false;
} catch (NoSuchProviderException e) {
isUnlimitedSupported = false;
}
System.out.println("isUnlimitedSupported = " + isUnlimitedSupported);
You might find this helpful: http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppD
您可能会发现这很有帮助:http: //docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppD
回答by M.Veli
Because the maximum length of key allowed is 1024bits. you getting an exception "Modulus size must be between 512..1024.." which means Key Size. You can download the JCE with Unlimited Jurisdiction Policy files for your Java version (7 or 8) from oracle's link: Oracle's official site. But you should know that 1024 bits is enough for digital signature algorithms.
因为允许的密钥最大长度是 1024 位。你得到一个异常“模数大小必须在 512..1024.. 之间”,这意味着密钥大小。您可以从 Oracle 的链接:Oracle 的官方网站下载适用于您的 Java 版本(7 或 8)的 JCE with Unlimited Jurisdiction Policy 文件 。但是您应该知道,对于数字签名算法来说,1024 位就足够了。
回答by Paul Crowley
Java 8 fixes this: http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html"SUN provider: Support for 2048-bit DSA key pair generation and additional signature algorithms for 2048-bit DSA keys such as SHA224withDSA and SHA256withDSA."
Java 8 修复了这个问题:http: //docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html“SUN 提供者:支持 2048 位 DSA 密钥对生成和附加签名算法2048 位 DSA 密钥,例如 SHA224withDSA 和 SHA256withDSA。”
