CODEWITHSUNDEEP
javax509certificatex509
Mike Cooper
Mike Cooper

Reputation: 1095

How to determine length of X509 Public Key

How do I determine the length (in bits) of an X509 Public Key in Java?

I'm looking to get the same value as "Public-Key" when running "openssl x509 -in cert.crt -noout -text". For example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:00:00:01:a2:41:4b:56:3e:99:ba:92:b5:00:02:00:00:01:a2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=magnicomp, CN=MagniComp Issuing CA
        Validity
            Not Before: Sep 14 17:23:18 2015 GMT
            Not After : Sep 13 17:23:18 2016 GMT
        Subject: CN=dim.magnicomp.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

I've got an X509Certificate object and I've played around with the PublicKey value returned via getPublicKey() but I can't seem to figure out how to determine the key length from this.

Upvotes: 11

Views: 11310

Answers (2)

HTKLee
HTKLee

Reputation: 231

Snippet from EJBCA source code org.ejbca.util.keystore.KeyTools#getKeyLength to calculate key length from public key of various algorithms:

/**
 * Gets the key length of supported keys
 * @param pk PublicKey used to derive the keysize
 * @return -1 if key is unsupported, otherwise a number >= 0. 0 usually means the length can not be calculated, 
 * for example if the key is an EC key and the "implicitlyCA" encoding is used.
 */
public static int getKeyLength(final PublicKey pk) {
    int len = -1;
    if (pk instanceof RSAPublicKey) {
        final RSAPublicKey rsapub = (RSAPublicKey) pk;
        len = rsapub.getModulus().bitLength();
    } else if (pk instanceof JCEECPublicKey) {
        final JCEECPublicKey ecpriv = (JCEECPublicKey) pk;
        final org.bouncycastle.jce.spec.ECParameterSpec spec = ecpriv.getParameters();
        if (spec != null) {
            len = spec.getN().bitLength();              
        } else {
            // We support the key, but we don't know the key length
            len = 0;
        }
    } else if (pk instanceof ECPublicKey) {
        final ECPublicKey ecpriv = (ECPublicKey) pk;
        final java.security.spec.ECParameterSpec spec = ecpriv.getParams();
        if (spec != null) {
            len = spec.getOrder().bitLength(); // does this really return something we expect?
        } else {
            // We support the key, but we don't know the key length
            len = 0;
        }
    } else if (pk instanceof DSAPublicKey) {
        final DSAPublicKey dsapub = (DSAPublicKey) pk;
        if ( dsapub.getParams() != null ) {
            len = dsapub.getParams().getP().bitLength();
        } else {
            len = dsapub.getY().bitLength();
        }
    } 
    return len;
}

Upvotes: 12

Tunaki
Tunaki

Reputation: 137064

If you know that the algorithm used was RSA, you can cast the public key to a RSAPublicKey and get the key length using getModulus():

FileInputStream fin = new FileInputStream("certificate.pem");
CertificateFactory f = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
RSAPublicKey rsaPk = (RSAPublicKey) certificate.getPublicKey();
System.out.println(rsaPk.getModulus().bitLength());

For a DSA public key, you need to check the bit length of the prime and the subprime used, obtained with getP() and getQ():

DSAPublicKey dsaPk = (DSAPublicKey) certificate.getPublicKey();
System.out.println(dsaPk.getParams().getP().bitLength());
System.out.println(dsaPk.getParams().getQ().bitLength());

Upvotes: 8

Related Questions