Different types of Java keystore -- JKS
Now let's store a private key and its associated certificate chain into the keystore. Note: with the JDK we cannot store a private key into the keystore without its associated certificate chain. With some other libraries or native libraries you may be able to store a private key without an associated certificate chain.
```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import sun.security.tools.keytool.CertAndKeyGen; // sun.security.x509.CertAndKeyGen on JDK 7 and earlier
import sun.security.x509.X500Name;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    // Generate an RSA key pair; 1024-bit RSA with SHA-1 is kept as in the original, but is weak by today's standards
    CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA1WithRSA");
    gen.generate(1024);
    Key key = gen.getPrivateKey();
    // Self-signed certificate valid for one year
    X509Certificate cert = gen.getSelfCertificate(new X500Name("CN=ROOT"), (long) 365 * 24 * 3600);
    X509Certificate[] chain = new X509Certificate[1];
    chain[0] = cert;
    // A private key can only be stored together with its certificate chain
    keyStore.setKeyEntry("mykey", key, "password".toCharArray(), chain);
    keyStore.store(new FileOutputStream("mytestkey.jks"), "password".toCharArray());
} catch (Exception ex) {
    ex.printStackTrace();
}
```
First, we create a private key and a self-signed certificate, then call KeyStore.setKeyEntry() with the specified alias, the key, the password protecting the key, and its associated certificate chain. Remember that we need to call KeyStore.store() to persist the key into the keystore file.
The alias is the label of the entry, so that it can be found easily later.
Store certificate
We can store a certificate in a JKS keystore. The certificate to be stored should be an X509Certificate. It can be stored in the keystore without an associated private key. The process is similar to storing a private key.
```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import sun.security.tools.keytool.CertAndKeyGen; // sun.security.x509.CertAndKeyGen on JDK 7 and earlier
import sun.security.x509.X500Name;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA1WithRSA");
    gen.generate(1024);
    X509Certificate cert = gen.getSelfCertificate(new X500Name("CN=SINGLE_CERTIFICATE"), (long) 365 * 24 * 3600);
    // A trusted-certificate entry: the certificate alone, with no private key
    keyStore.setCertificateEntry("single_cert", cert);
    keyStore.store(new FileOutputStream("mytestkey.jks"), "password".toCharArray());
} catch (Exception ex) {
    ex.printStackTrace();
}
```
Loading private key
After storing the keys, we can also load the entries inside the keystore. Here we say we are loading the private key, but as described earlier that is not actually what happens: the private key cannot be extracted from JKS using Java. What we actually extract here is the certificate chain of the private key.
```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    Key key = keyStore.getKey("mykey", "password".toCharArray());
    // System.out.println("Private key : " + key.toString()); // You will get a NullPointerException if you uncomment this line
    // The certificate chain stored with the key entry is still available by alias
    java.security.cert.Certificate[] chain = keyStore.getCertificateChain("mykey");
    for (java.security.cert.Certificate cert : chain) {
        System.out.println(cert.toString());
    }
} catch (Exception ex) {
    ex.printStackTrace();
}
```
Note the commented line: the key will be null, as expected. We can still get the certificate chain as normal though.
```text
[
[
  Version: V3
  Subject: CN=ROOT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 90980299845597512779139009881469177009407272139633139241921529845092210461181243924599150259446249079941561941533303439718936138867375776965995893255358889228584415558006141961051402385279285497775776996780406808976543439543789816486513982581378223575354716191394304768315366544413052547926792470794374067383
  public exponent: 65537
  Validity: [From: Sat Sep 06 09:57:28 CST 2014,
               To: Sun Sep 06 09:57:28 CST 2015]
  Issuer: CN=ROOT
  SerialNumber: [    206b697b]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 53 6A FD FE E6 3A 5E 6E A6 43 C4 F4 D1 56 D4 08 Sj...:^n.C...V..
0010: 7E 3B 8B 73 68 71 56 AB 96 FE 24 E7 2D DC 04 BB .;.shqV...$.-...
0020: 14 B0 C6 71 8D F0 3E EC FE D8 5B BB 8C 0F 55 63 ...q..>...[...Uc
0030: 2B 38 8E 45 F1 2D F0 BB 8C 6D 13 A8 11 37 E1 FA +8.E.-...m...7..
0040: 77 AF C7 73 72 2B 40 4F 74 32 F6 3C 24 E6 AB ED w..sr+@Ot2..Y.
0060: C0 1F 7A 70 15 AF C3 66 B3 4F C9 11 C3 45 59 EF ..zp...f.O...EY.
0070: 36 F4 1C C9 9B FA 5E 43 A0 28 DB 07 0D F2 53 6E 6.....^C.(....Sn

]
```
Loading certificate
This is similar to loading a private key; we need to pass the alias of the certificate we want to extract.
```java
import java.io.FileInputStream;
import java.security.KeyStore;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    // Look the certificate up by the alias it was stored under
    java.security.cert.Certificate cert = keyStore.getCertificate("single_cert");
    System.out.println(cert.toString());
} catch (Exception ex) {
    ex.printStackTrace();
}
```
The output will be:
```text
[
[
  Version: V3
  Subject: CN=SINGLE_CERTIFICATE
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 99756834215197288877309915243024788596281418171661241282881476656110879586349799740269767889529808199104172091786860877280382867461569439907754755558759387462421169749111354565793974372777424046360810758009149155148290676527032833774084635148674232352006810533640038723102562578516643345287042787777951043863
  public exponent: 65537
  Validity: [From: Sat Sep 06 10:14:33 CST 2014,
               To: Sun Sep 06 10:14:33 CST 2015]
  Issuer: CN=SINGLE_CERTIFICATE
  SerialNumber: [    6943e549]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 35 58 70 96 F4 35 82 2A 95 9F BB 31 02 6E 7C 29 5Xp..5.*...1.n.)
0010: 4A FE AF EB 2D B5 3A A7 C7 9D 4C 9A 34 2C 5C 46 J...-.:...L.4,\F
0020: C2 82 A8 AC 1A C0 98 A5 67 21 74 7B 1E E2 E5 AC ........g!t.....
0030: DE B2 1D 87 BE 16 45 9B D0 2A D3 2B F6 E1 4B 35 ......E..*.+..K5
0040: 27 8B A7 0A EF F2 07 41 90 A6 69 07 BE 87 C5 B1 '......A..i.....
0050: 54 DE DB A2 5A 41 47 3B 3F A7 74 6F 5C C8 8D B4 T...ZAG;?.to\...
0060: C8 65 2B 0F 8E 94 A8 80 C7 8B B5 78 FA C2 9C ED .e+........x....
0070: 8E EC 28 E4 8E 62 A1 59 6A BC 37 7B 0D FC C7 AF ..(..b.Yj.7.....

]
```
Import keys and certificates
This process is actually very simple. First we need to load the keystore that holds the certificate to be imported. Then we also need to load the other keystore into which we want to import the certificate. Next, we get the certificate from the source keystore and put it into the destination keystore.
Since we cannot extract a private key from JKS, we can only import certificates into JKS. However, we can extract private keys from other types of keystore (PKCS12) and then store them in a JKS keystore.
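The import described above, written out as an added example that is not part of the original post: every entry of a PKCS12 source keystore is copied into a JKS destination keystore, key entries together with their certificate chains and certificate entries on their own. The file names, aliases and passwords are assumptions; the source file source.p12 is assumed to exist already, and the JKS file is created if it is missing.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Collections;

public class ImportFromPkcs12 {

    // Copies all entries from the PKCS12 keystore srcFile into the JKS keystore dstFile
    // and returns the number of entries copied.
    static int importEntries(String srcFile, char[] srcPass, String dstFile, char[] dstPass) throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(srcFile)) {
            src.load(in, srcPass);
        }
        KeyStore dst = KeyStore.getInstance("JKS");
        File dst
File = new File(dstFile);
        if (dstFile_exists(dstFile)) {
            try (FileInputStream in = new FileInputStream(dstFile)) {
                dst.load(in, dstPass);
            }
        } else {
            dst.load(null, null); // start from an empty keystore
        }
        int copied = 0;
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // PKCS12 lets us recover the private key; the JDK's PKCS12 implementation protects
                // keys with the store password, which is why srcPass is passed here (assumption)
                PrivateKey key = (PrivateKey) src.getKey(alias, srcPass);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, dstPass, chain); // JKS requires the chain alongside the key
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
            copied++;
        }
        try (FileOutputStream out = new FileOutputStream(dstFile)) {
            dst.store(out, dstPass);
        }
        return copied;
    }

    static boolean dstFile_exists(String path) {
        return new File(path).exists();
    }

    public static void main(String[] args) throws Exception {
        int n = importEntries("source.p12", "password".toCharArray(), "mytestkey.jks", "password".toCharArray());
        System.out.println("Imported " + n + " entries into mytestkey.jks");
    }
}
```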
One final piece of information. Oracle provides two versions of the JKS keystore: case sensitive and case insensitive. When KeyStore.getInstance("JKS") is called, a case-insensitive JKS instance is created; when KeyStore.getInstance("CaseExactJKS") is called, a case-sensitive JKS instance is created. Usually the case-insensitive version is recommended, since a user should distinguish entries by different alias names rather than by different casing of the same alias. For more information about case sensitivity, please refer to this post.