如何使用 SunMSCAPI 密钥解密 RSA-OAEP

How to use SunMSCAPI key to decrypt RSA-OAEP

我有一个带有私钥的证书存储在 windows 证书库中。如何使用此密钥解密使用 OAEP 填充的消息?我可以使用 Bouncycastle 提供程序和 pfx 文件(PKCS12 密钥库)解密消息,但不能使用 windows 存储 (SunMSCAPI)。

我基本上使用这个代码

KeyStore keyStore = java.security.KeyStore.getInstance("Windows-MY");
keyStore.load(null, null);
PrivateKey privateKey = (PrivateKey) keyStore.getKey("keyalias", null);

java.security.Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

JceKeyTransRecipient jceKeyTransEnvelopedRecipient = new JceKeyTransEnvelopedRecipient(privateKey);
CMSEnvelopedData envelopedData = new CMSEnvelopedData(Base64.getDecoder().decode(encryptedData));
RecipientInformationStore recipientInfos = envelopedData.getRecipientInfos();
RecipientInformation recipient = recipientInfos.getRecipients().iterator().next();
byte[] decrypted = recipient.getContent(jceKeyTransEnvelopedRecipient);

结果为

Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.mscapi.RSAPrivateKey
    at javax.crypto.Cipher.chooseProvider(Cipher.java:892)
    at javax.crypto.Cipher.init(Cipher.java:1248)
    at javax.crypto.Cipher.init(Cipher.java:1185)
    at org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper.generateUnwrappedKey(JceAsymmetricKeyUnwrapper.java:148)

如果我这样指定提供商:

JceKeyTransRecipient jceKeyTransEnvelopedRecipient = new JceKeyTransEnvelopedRecipient(privateKey).setProvider("SunMSCAPI");

然后我收到错误消息(不支持 OAEP)

Caused by: java.security.NoSuchAlgorithmException: No such algorithm: 1.2.840.113549.1.1.7
    at javax.crypto.Cipher.getInstance(Cipher.java:687)
    at javax.crypto.Cipher.getInstance(Cipher.java:595)
    at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createCipher(NamedJcaJceHelper.java:47)
    at org.bouncycastle.operator.jcajce.OperatorHelper.createAsymmetricWrapper(OperatorHelper.java:267)

不久,java 不支持 OAEP,即使 BC 支持 OAEP,也不能将其用于 "external" 键。如果是这样,还有其他选择吗?

我认为 James 是 . It is just that the SunMSCAPI bridge doesn't support OAEP,即使 Windows 平台也是如此。 SunMSCAPI不会释放私钥值,所以发生的情况是Java会搜索任何支持OAEP 私钥对象的提供者,然后找不到任何。这解释了初始异常:No installed provider supports this key: sun.security.mscapi.RSAPrivateKey.

请注意,声明 "Java doesn't support OAEP" 显然是错误的,因为 OAEP 是 even included as required algorithm。换句话说,如果没有 OAEP,您甚至不能 将其称为 Java,事实上 SunJCE 提供程序确实包含对它的支持,包括对更多散列函数和其他位大小的支持只有 1024 和 2048 位。但是,这确实需要与软件实现兼容的密钥。