Thompson,
Really thanks for the reply. appreciate your time.
Yes it was JCE and not JCF. it was typo :)
I am working on application which has android and iPhone client. Both the
client talk to my server which is written in JAVA. I am using JCE
implementation of DH algorithm and X509EncodedkeySpec for generating
public and private key. code below
X509EncodedKeySpec x509Spec = new
X509EncodedKeySpec(this.clientPublicKey);
PublicKey pk = kf.generatePublic(x509Spec);
for the android client I am using same JCE implementation of DH algorithm
and it works fine with my server.
for iPhone client I wrote a C programme which makes use of openSSl
implementation of DH algorithm. The problem I am facing is when I generate
DH params (prime,generator,pulickey) at client and pass them to server to
calculate server's public and secret key, my server (JAVA) throws
invalidKeySpecification exception. below are steps.
Client in C
1. I am generating DH parameters (prime,generator)
//client is DH *client.
//also tried with 1024 bits and DH_GENERATOR_5
DH_generate_parameters_ex(client,512,DH_GENERATOR_2,NULL);
2. then generating DH public and private key
DH_generate_key(client)
when I pass these (prime,generator,publickey ) generated keys to server
which is written in JAVA , It won't work. server (JAVA) throws
invalidKeySpecification exception.
One more point I would like to mention here is, When I use DHPublicKeySpec
instead of X509EncodedKeySpec at server (JAVA) it won't throw
invalidKeySpecification exception. It generates public and secret key and
when I get server's public key at client and try to generate client secret
key, secret key get generated at client ('C') but both keys server's secret
key and client secret key wont' match.
Even I not sure whether I am doing it correctly in C. Please suggest or let
me know if you need more information.
Regards,
Azhar
On Sat, Mar 16, 2013 at 5:50 AM, Dave Thompson <dthomp...@prinpay.com>wrote:
> >From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti
> >Sent: Wednesday, 13 March, 2013 13:44
>
> >I was trying to implement the diffie Hellman algorithm in Java
> >which makes use of JCF and as well as in c with openssl...
>
> I assume you mean JCE, or maybe JCA. JCF is completely unrelated.
>
> >I am able to get this work in respective languages I.e Java - Java
> >and C-C works fine . Generates the DH parameters and other stuffs quit
> well.
>
> >Since my server is in Java and client is in C, I was trying to use
> >openssl generated keys with Java as other part of component which is not
> >working at all. Java keeps giving me invalid key specification
> exception...
>
>
> What exactly are you trying to do? Your client and server, or other
> parties, should NEVER share a DH privatekey; they must share parameters
> (the group definition prime P and generator G) and exchange publickeys
> that use the same parameters. There are two usual ways of doing this:
> 1: parameters are distributed in advance, each party generates keypair
> (possibly certified), and they exchange at least public values (y) and
> optionally also duplicate parameters (especially if using certificates).
> 2: one party (in SSL/TLS the server) sends publickey containing parameters
> and public value (which may be generated in advance or transient); other
> party uses parameters to generate and send public value (usually
> transient).
>
> Openssl stores DH parameters in PKCS3 format, and since 1.0.0 can
> store DH privatekey in PKCS8 clear (really privkeyinfo) or encrypted
> and DH publickey in "PUBKEY" (X509 pubkeyinfo), both of which include
> parameters. JCE as far as I can see can't handle DH parameters alone,
> but can handle PKCS8 clear as PKCS8EncodedKeySpec and X509-keyinfo
> as X509EncodedKeySpec. (JCE handles only the DER forms; converting
> DER to/from PEM isn't hard, but openssl does it easily for free.)
>
> For 2 above Java responder can simply read the peer's publickey, and
> copy the parameters to generate its "self" keypair. For 1 you can
> either (create and) use a dummy publickey to transmit the parameters
> or you can write your own code to do PKCS3 -- or some other format.
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
