Original: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
Reposted from: https://www.cnblogs.com/yangchongxing/p/13837017.html
Different types of keystore in Java -- PKCS12
PKCS12 is an archive file format for storing cryptographic objects in a single file. It can be used to store secret keys, private keys and certificates. It is a standardized format published by RSA Laboratories, which means it can be used not only in Java but also by libraries written in C, C++, C# and other languages. This file format is frequently used to import entries from, or export entries to, other keystore types.
Next we will explain the operations that can be performed on a PKCS12 keystore.
Create PKCS12 keystore
Before an entry can be stored in a PKCS12 keystore, the keystore has to be loaded first, which means a keystore has to exist. The simplest way of creating a PKCS12 keystore is:
```java
import java.io.FileOutputStream;
import java.security.KeyStore;

try {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    // No existing file and no password: initialise an empty keystore in memory
    keyStore.load(null, null);
    // try-with-resources closes the stream so the file is flushed and released
    try (FileOutputStream out = new FileOutputStream("output.p12")) {
        keyStore.store(out, "password".toCharArray());
    }
} catch (Exception ex) {
    ex.printStackTrace();
}
```
Note that keyStore.load(null, null) is called with two nulls, one for the input keystore stream and one for the password, because no keystore file exists yet. After running this program there should be a keystore file named output.p12 in the current working directory.
Store secret key
PKCS12 supports storing secret keys, with some limitations. Secret keys are frequently used to encrypt and decrypt data; to transfer them conveniently, they can be stored in a keystore such as PKCS12 and the keystore file transferred.
```java
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;

try {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(null, null);
    // Generate a random 128-bit AES key
    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
    keyGen.init(128);
    Key key = keyGen.generateKey();
    // Secret key entries have no certificate chain, so the last argument is null;
    // the password protects this individual entry
    keyStore.setKeyEntry("secret", key, "password".toCharArray(), null);
    try (FileOutputStream out = new FileOutputStream("output.p12")) {
        keyStore.store(out, "password".toCharArray());
    }
} catch (Exception ex) {
    ex.printStackTrace();
}
```
Some AES secret keys stored in a PKCS12 keystore cannot be extracted again in Java. Since PKCS12 is a portable standard, other libraries may support extracting them.
Store private key
A private key and its associated certificate chain can be stored in a PKCS12 keystore. A keystore containing private keys and certificates can be used for SSL/TLS communication across the web.
```java
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
// Internal JDK classes, not a supported public API. On JDK 9 and later, compiling needs
// --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED and
// --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

try {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    // To add the entry to an existing keystore, load it instead of starting empty:
    // keyStore.load(new FileInputStream("output.p12"), "password".toCharArray());
    keyStore.load(null, null);
    // Generate an RSA key pair; 1024-bit RSA and SHA-1 are weak by today's standards,
    // 2048 bits or more with SHA256WithRSA is the usual choice now
    CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA1WithRSA");
    gen.generate(1024);
    Key key = gen.getPrivateKey();
    // Self-signed certificate for CN=ROOT, valid for 365 days (validity is given in seconds)
    X509Certificate cert = gen.getSelfCertificate(new X500Name("CN=ROOT"), (long) 365 * 24 * 3600);
    X509Certificate[] chain = new X509Certificate[] { cert };
    // A private key entry must be stored together with its certificate chain
    keyStore.setKeyEntry("private", key, "password".toCharArray(), chain);
    try (FileOutputStream out = new FileOutputStream("output.p12")) {
        keyStore.store(out, "password".toCharArray());
    }
} catch (Exception ex) {
    ex.printStackTrace();
}
```
An RSA private key is generated with CertAndKeyGen together with its self-signed certificate. The key entry is then stored in the keystore by calling keyStore.setKeyEntry(). Don't forget to save the keystore by calling keyStore.store(), otherwise the entry is lost when the program exits.
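To check what actually ended up in the file, here is an added inspection program (an editor's example, not code from the original article) that reloads the keystore and walks its entries. It assumes the file name output.p12 and the password "password" used in the snippets above; both can be overridden on the command line. It lists every alias, reports key entries that the provider cannot recover (the failure mode described in the secret key section), and for private-key entries checks the certificate's validity period and that the private key really belongs to the leaf certificate by signing a constructed message and verifying it with the certificate's public key.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Reloads a PKCS12 keystore and checks each entry it can recover. */
public class InspectPkcs12 {

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the file and password written by the snippets above
        String file = args.length > 0 ? args[0] : "output.p12";
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray();

        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        // Unlike the create step, a real stream is passed: load() verifies the integrity
        // MAC over the file with the given password before any entry is trusted
        try (InputStream in = new FileInputStream(file)) {
            keyStore.load(in, password);
        }

        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isCertificateEntry(alias)) {
                describeCertificate(alias, (X509Certificate) keyStore.getCertificate(alias));
            } else if (keyStore.isKeyEntry(alias)) {
                describeKeyEntry(keyStore, alias, password);
            }
        }
    }

    static void describeKeyEntry(KeyStore keyStore, String alias, char[] password) throws Exception {
        Key key;
        try {
            key = keyStore.getKey(alias, password);
        } catch (UnrecoverableKeyException e) {
            // The entry exists but this provider cannot unwrap it, or the entry password is wrong
            System.out.println(alias + ": key entry present but not recoverable: " + e.getMessage());
            return;
        }
        System.out.println(alias + ": " + key.getAlgorithm() + " key, encoding format " + key.getFormat());

        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.out.println(alias + ": secret key entry (no certificate chain)");
            return;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        describeCertificate(alias, leaf);
        if (key instanceof PrivateKey) {
            boolean matches = keyPairMatches((PrivateKey) key, leaf.getPublicKey());
            System.out.println(alias + ": private key matches leaf certificate: " + matches);
        }
    }

    /** Sign a constructed message with the private key and verify it with the certificate's public key. */
    static boolean keyPairMatches(PrivateKey priv, PublicKey pub) throws Exception {
        byte[] msg = "keystore consistency check".getBytes(StandardCharsets.UTF_8);
        String sigAlg = signatureAlgorithmFor(priv.getAlgorithm());
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(msg);
        return verifier.verify(sig);
    }

    /** Map a key algorithm name to a standard JCA signature algorithm usable with it. */
    static String signatureAlgorithmFor(String keyAlg) {
        switch (keyAlg) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            case "DSA": return "SHA256withDSA";
            default: throw new IllegalArgumentException("no signature algorithm mapping for " + keyAlg);
        }
    }

    static void describeCertificate(String alias, X509Certificate cert) {
        System.out.println(alias + ": certificate subject=" + cert.getSubjectX500Principal()
                + " issuer=" + cert.getIssuerX500Principal()
                + " sigAlg=" + cert.getSigAlgName()
                + " notAfter=" + cert.getNotAfter());
        try {
            cert.checkValidity(); // throws when now is outside notBefore..notAfter
            System.out.println(alias + ": certificate is within its validity period");
        } catch (CertificateException e) {
            System.out.println(alias + ": certificate is NOT currently valid: " + e.getMessage());
        }
    }
}
```

A wrong keystore password fails already in keyStore.load(), since the PKCS12 integrity MAC is checked there, while a wrong entry password surfaces as the UnrecoverableKeyException handled above. The listing part, without the key/certificate consistency check, is what keytool -list -v -keystore output.p12 -storetype PKCS12 prints.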
Store certificate
A PKCS12 keystore also allows a certificate to be stored on its own, without the corresponding private key. To store a certificate, call KeyStore.setCertificateEntry().