How to determine length of X509 Public Key

java x509certificate x509
Mike Cooper picture Mike Cooper · Sep 14, 2015 · Viewed 7.6k times · Source

How do I determine the length (in bits) of an X509 Public Key in Java?

I'm looking to get the same value as "Public-Key" when running "openssl x509 -in cert.crt -noout -text". For example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:00:00:01:a2:41:4b:56:3e:99:ba:92:b5:00:02:00:00:01:a2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=magnicomp, CN=MagniComp Issuing CA
        Validity
            Not Before: Sep 14 17:23:18 2015 GMT
            Not After : Sep 13 17:23:18 2016 GMT
        Subject: CN=dim.magnicomp.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

I've got an X509Certificate object and I've played around with the PublicKey value returned via getPublicKey() but I can't seem to figure out how to determine the key length from this.

Answer

HTLee picture HTLee · May 15, 2017

Snippet from EJBCA source code org.ejbca.util.keystore.KeyTools#getKeyLength to calculate key length from public key of various algorithms:

/**
 * Gets the key length of supported keys
 * @param pk PublicKey used to derive the keysize
 * @return -1 if key is unsupported, otherwise a number >= 0. 0 usually means the length can not be calculated, 
 * for example if the key is an EC key and the "implicitlyCA" encoding is used.
 */
public static int getKeyLength(final PublicKey pk) {
    int len = -1;
    if (pk instanceof RSAPublicKey) {
        final RSAPublicKey rsapub = (RSAPublicKey) pk;
        len = rsapub.getModulus().bitLength();
    } else if (pk instanceof JCEECPublicKey) {
        final JCEECPublicKey ecpriv = (JCEECPublicKey) pk;
        final org.bouncycastle.jce.spec.ECParameterSpec spec = ecpriv.getParameters();
        if (spec != null) {
            len = spec.getN().bitLength();              
        } else {
            // We support the key, but we don't know the key length
            len = 0;
        }
    } else if (pk instanceof ECPublicKey) {
        final ECPublicKey ecpriv = (ECPublicKey) pk;
        final java.security.spec.ECParameterSpec spec = ecpriv.getParams();
        if (spec != null) {
            len = spec.getOrder().bitLength(); // does this really return something we expect?
        } else {
            // We support the key, but we don't know the key length
            len = 0;
        }
    } else if (pk instanceof DSAPublicKey) {
        final DSAPublicKey dsapub = (DSAPublicKey) pk;
        if ( dsapub.getParams() != null ) {
            len = dsapub.getParams().getP().bitLength();
        } else {
            len = dsapub.getY().bitLength();
        }
    } 
    return len;
}

Related questions

How to extract CN from X509Certificate in Java?

I am using a SslServerSocket and client certificates and want to extract the CN from the SubjectDN from the client's X509Certificate. At the moment I call cert.getSubjectX500Principal().getName() but this of course gives me the total formatted …

Read More
Validate X.509 certificate against CA in Java

Lets say I have something like this (client side code): TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { @Override public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } @Override public void checkClientTrusted( java.security.cert.X509Certificate[] certs, String authType) { } @Override …

Read More
Could not parse certificate: java.io.IOException: Empty input X509Certificate

I am getting the error given below when parsing the signature. Anybody has idea why the error is showing? Note that: Using the same certificate I signed my own XML and verified which is working fine. That mean there is …

Read More