英文:
How to create a create a PKCS12 keystore?
问题
我想用Java生成一个PKCS12密钥库。我知道可以使用keytool,类似于以下内容:
keytool -genkeypair -alias senderKeyPair -keyalg RSA -keysize 2048 \
-dname "CN=Baeldung" -validity 365 -storetype PKCS12 \
-keystore sender_keystore.p12 -storepass changeit
但我需要在Java内部执行此操作。我已经搜索过是否可能,但没有找到相关信息。有任何想法吗?
我非常感谢您能提供的任何帮助。
英文:
I want to generate a PKCS12 keystore with Java. I know that I can use the keytool with something like that:
keytool -genkeypair -alias senderKeyPair -keyalg RSA -keysize 2048 \
-dname "CN=Baeldung" -validity 365 -storetype PKCS12 \
-keystore sender_keystore.p12 -storepass changeit
But I need to do this stuff internally in Java. I've searched if it is possible but I didn't find anything about it. Any idea?
I really appreciate any help you can provide.
答案1
得分: 5
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
public class Main {
public static void main(String[] args) {
System.out.println("generate keystore type PKCS12 with RSA keys");
System.out.println("source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12");
String keystoreType = "PKCS12";
String keystoreFilename = "sender_keystore.p12";
String keystorePassword = "changeit";
String alias = "senderKeyPair";
String cnString = "CN=Baeldung";
int rsaKeylength = 2048;
String certificateSignatureAlgorithm = "SHA1WithRSA";
int certificateValidityDays = 365;
try {
KeyStore keyStore = KeyStore.getInstance(keystoreType);
keyStore.load(null, null);
keyStore.store(new FileOutputStream(keystoreFilename), keystorePassword.toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
try {
KeyStore keyStore = KeyStore.getInstance(keystoreType);
keyStore.load(new FileInputStream(keystoreFilename), keystorePassword.toCharArray());
CertAndKeyGen gen = new CertAndKeyGen("RSA", certificateSignatureAlgorithm);
gen.generate(rsaKeylength);
Key key = gen.getPrivateKey();
X509Certificate cert = gen.getSelfCertificate(new X500Name(cnString), (long) certificateValidityDays * 24 * 3600);
X509Certificate[] chain = new X509Certificate[1];
chain[0] = cert;
keyStore.setKeyEntry(alias, key, keystorePassword.toCharArray(), chain);
keyStore.store(new FileOutputStream(keystoreFilename), keystorePassword.toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
System.out.println("keystore generated in file: " + keystoreFilename +
" keystore password: " + keystorePassword +
" alias: " + alias);
}
}
英文:
The below code will generate a RSA keypair, generates a self signed certificate and store the private key and the cartificate in a PKCS#12 keystore with the given credentials (alias, password etc).
Please keep in mind that my program is running on Java 11 and that it is using dependencies that you should avoid to use as they can go away without any further warning in future versions (e.g. sun.security.x509.X500Name).
The "CertAndKeyGen.java" class is taken from the Alvin Alexander project and the main parts of my program are taken from an article here: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12, so all credits go to the original authors!
A more smart version is available with usage of a 3rd party library (Bouncy Castle) to avoid the sun-dependencies.
Security warning: the code does not have any exception handling and if for educational purpose only.
output:
generate keystore type PKCS12 with RSA keys
source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
keystore generated in file: sender_keystore.p12 keystore password: changeit alias: senderKeyPair
code Main.java:
import sun.security.x509.X500Name;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
public class Main {
public static void main(String[] args) {
System.out.println("generate keystore type PKCS12 with RSA keys");
System.out.println("source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12");
String keystoreType = "PKCS12";
String keystoreFilename = "sender_keystore.p12";
String keystorePassword = "changeit";
String alias = "senderKeyPair";
String cnString = "CN=Baeldung";
int rsaKeylength = 2048;
String certificateSignatureAlgorithm = "SHA1WithRSA";
int certificateValidityDays = 365;
/*
Create PKCS12 keystore
Before storing an entry into a PKCS12 keystore, the keystore has to be loaded first. This means we have to have a keystore created first.
The simplest way of creating a PKCS12 keystore is :
*/
try {
KeyStore keyStore = KeyStore.getInstance(keystoreType);
keyStore.load(null, null);
keyStore.store(new FileOutputStream(keystoreFilename), keystorePassword.toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
/*
Store private key
The private key and its associated certificate chain can be stored in PKCS12 keystore.
The keystore contains private keys and certificates can be used in SSL communications across the web.
A RSA private key is generated with the CertAndKeyGen and the associated certificate is also generated.
Then the key entry is stored in the keyStore by calling keyStore.setEntry().
Don't forget to save the keyStore by calling keyStore.store(), otherwise the entry will be lost when the program exits.
*/
try {
KeyStore keyStore = KeyStore.getInstance(keystoreType);
keyStore.load(new FileInputStream(keystoreFilename), keystorePassword.toCharArray());
//keyStore.load(null, null);
CertAndKeyGen gen = new CertAndKeyGen("RSA", certificateSignatureAlgorithm);
gen.generate(rsaKeylength);
Key key = gen.getPrivateKey();
X509Certificate cert = gen.getSelfCertificate(new X500Name(cnString), (long) certificateValidityDays * 24 * 3600);
X509Certificate[] chain = new X509Certificate[1];
chain[0] = cert;
keyStore.setKeyEntry(alias, key, keystorePassword.toCharArray(), chain);
keyStore.store(new FileOutputStream(keystoreFilename), keystorePassword.toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
System.out.println("keystore generated in file: " + keystoreFilename +
" keystore password: " + keystorePassword +
" alias: " + alias);
}
}
code CertAndKeyGen.java:
/*
* Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// package sun.security.tools.keytool;
import sun.security.pkcs10.PKCS10;
import sun.security.x509.*;
import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
// source: https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/src/share/classes/sun/security/tools/keytool/CertAndKeyGen.java.shtml
/**
* Generate a pair of keys, and provide access to them. This class is
* provided primarily for ease of use.
*
* <P>This provides some simple certificate management functionality.
* Specifically, it allows you to create self-signed X.509 certificates
* as well as PKCS 10 based certificate signing requests.
*
* <P>Keys for some public key signature algorithms have algorithm
* parameters, such as DSS/DSA. Some sites' Certificate Authorities
* adopt fixed algorithm parameters, which speeds up some operations
* including key generation and signing. <em>At this time, this interface
* does not provide a way to provide such algorithm parameters, e.g.
* by providing the CA certificate which includes those parameters.</em>
*
* <P>Also, note that at this time only signature-capable keys may be
* acquired through this interface. Diffie-Hellman keys, used for secure
* key exchange, may be supported later.
*
* @author David Brownell
* @author Hemma Prafullchandra
* @see PKCS10
* @see X509CertImpl
*/
public final class CertAndKeyGen {
/**
* Creates a CertAndKeyGen object for a particular key type
* and signature algorithm.
*
* @param keyType type of key, e.g. "RSA", "DSA"
* @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
* "MD2WithRSA", "SHAwithDSA".
* @exception NoSuchAlgorithmException on unrecognized algorithms.
*/
public CertAndKeyGen(String keyType, String sigAlg)
throws NoSuchAlgorithmException
{
keyGen = KeyPairGenerator.getInstance(keyType);
this.sigAlg = sigAlg;
}
/**
* Creates a CertAndKeyGen object for a particular key type,
* signature algorithm, and provider.
*
* @param keyType type of key, e.g. "RSA", "DSA"
* @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
* "MD2WithRSA", "SHAwithDSA".
* @param providerName name of the provider
* @exception NoSuchAlgorithmException on unrecognized algorithms.
* @exception NoSuchProviderException on unrecognized providers.
*/
public CertAndKeyGen(String keyType, String sigAlg, String providerName)
throws NoSuchAlgorithmException, NoSuchProviderException
{
if (providerName == null) {
keyGen = KeyPairGenerator.getInstance(keyType);
} else {
try {
keyGen = KeyPairGenerator.getInstance(keyType, providerName);
} catch (Exception e) {
// try first available provider instead
keyGen = KeyPairGenerator.getInstance(keyType);
}
}
this.sigAlg = sigAlg;
}
/**
* Sets the source of random numbers used when generating keys.
* If you do not provide one, a system default facility is used.
* You may wish to provide your own source of random numbers
* to get a reproducible sequence of keys and signatures, or
* because you may be able to take advantage of strong sources
* of randomness/entropy in your environment.
*/
public void setRandom (SecureRandom generator)
{
prng = generator;
}
// want "public void generate (X509Certificate)" ... inherit DSA/D-H param
/**
* Generates a random public/private key pair, with a given key
* size. Different algorithms provide different degrees of security
* for the same key size, because of the "work factor" involved in
* brute force attacks. As computers become faster, it becomes
* easier to perform such attacks. Small keys are to be avoided.
*
* <P>Note that not all values of "keyBits" are valid for all
* algorithms, and not all public key algorithms are currently
* supported for use in X.509 certificates. If the algorithm
* you specified does not produce X.509 compatible keys, an
* invalid key exception is thrown.
*
* @param keyBits the number of bits in the keys.
* @exception InvalidKeyException if the environment does not
* provide X.509 public keys for this signature algorithm.
*/
public void generate (int keyBits)
throws InvalidKeyException
{
KeyPair pair;
try {
if (prng == null) {
prng = new SecureRandom();
}
keyGen.initialize(keyBits, prng);
pair = keyGen.generateKeyPair();
} catch (Exception e) {
throw new IllegalArgumentException(e.getMessage());
}
publicKey = pair.getPublic();
privateKey = pair.getPrivate();
// publicKey's format must be X.509 otherwise
// the whole CertGen part of this class is broken.
if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
throw new IllegalArgumentException("publicKey's is not X.509, but "
+ publicKey.getFormat());
}
}
/**
* Returns the public key of the generated key pair if it is of type
* <code>X509Key, or null if the public key is of a different type.
*
* XXX Note: This behaviour is needed for backwards compatibility.
* What this method really should return is the public key of the
* generated key pair, regardless of whether or not it is an instance of
* <code>X509Key. Accordingly, the return type of this method
* should be <code>PublicKey.
*/
public X509Key getPublicKey()
{
if (!(publicKey instanceof X509Key)) {
return null;
}
return (X509Key)publicKey;
}
/**
* Always returns the public key of the generated key pair. Used
* by KeyTool only.
*
* The publicKey is not necessarily to be an instance of
* X509Key in some JCA/JCE providers, for example SunPKCS11.
*/
public PublicKey getPublicKeyAnyway() {
return publicKey;
}
/**
* Returns the private key of the generated key pair.
*
* <P>Be extremely careful when handling private keys.
* When private keys are not kept secret, they lose their ability
* to securely authenticate specific entities ... that is a huge
* security risk!</em>
*/
public PrivateKey getPrivateKey ()
{
return privateKey;
}
/**
* Returns a self-signed X.509v3 certificate for the public key.
* The certificate is immediately valid. No extensions.
*
* <P>Such certificates normally are used to identify a "Certificate
* Authority" (CA). Accordingly, they will not always be accepted by
* other parties. However, such certificates are also useful when
* you are bootstrapping your security infrastructure, or deploying
* system prototypes.
*
* @param myname X.500 name of the subject (who is also the issuer)
* @param firstDate the issue time of the certificate
* @param validity how long the certificate should be valid, in seconds
* @exception CertificateException on certificate handling errors.
* @exception InvalidKeyException on key handling errors.
* @exception SignatureException on signature handling errors.
* @exception NoSuchAlgorithmException on unrecognized algorithms.
* @exception NoSuchProviderException on unrecognized providers.
*/
public X509Certificate getSelfCertificate (
X500Name myname, Date firstDate, long validity)
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
return getSelfCertificate(myname, firstDate, validity, null);
}
// Like above, plus a CertificateExtensions argument, which can be null.
public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
long validity, CertificateExtensions ext)
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
X509CertImpl cert;
Date lastDate;
try {
lastDate = new Date ();
lastDate.setTime (firstDate.getTime () + validity * 1000);
CertificateValidity interval =
new CertificateValidity(firstDate,lastDate);
X509CertInfo info = new X509CertInfo();
// Add all mandatory attributes
info.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
AlgorithmId algID = AlgorithmId.get(sigAlg);
info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(algID));
info.set(X509CertInfo.SUBJECT, myname);
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.ISSUER, myname);
if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
cert = new X509CertImpl(info);
cert.sign(privateKey, this.sigAlg);
return (X509Certificate)cert;
} catch (IOException e) {
throw new CertificateEncodingException("getSelfCert: " +
e.getMessage());
}
}
// Keep the old method
public X509Certificate getSelfCertificate (X500Name myname, long validity)
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
return getSelfCertificate(myname, new Date(), validity);
}
/**
* Returns a PKCS #10 certificate request. The caller uses either
* <code>PKCS10.print or PKCS10.toByteArray
* operations on the result, to get the request in an appropriate
* transmission format.
*
* <P>PKCS #10 certificate requests are sent, along with some proof
* of identity, to Certificate Authorities (CAs) which then issue
* X.509 public key certificates.
*
* @param myname X.500 name of the subject
* @exception InvalidKeyException on key handling errors.
* @exception SignatureException on signature handling errors.
*/
public PKCS10 getCertRequest (X500Name myname)
throws InvalidKeyException, SignatureException
{
PKCS10 req = new PKCS10 (publicKey);
try {
Signature signature = Signature.getInstance(sigAlg);
signature.initSign (privateKey);
req.encodeAndSign(myname, signature);
} catch (CertificateException e) {
throw new SignatureException (sigAlg + " CertificateException");
} catch (IOException e) {
throw new SignatureException (sigAlg + " IOException");
} catch (NoSuchAlgorithmException e) {
// "can't happen"
throw new SignatureException (sigAlg + " unavailable?");
}
return req;
}
private SecureRandom prng;
private String sigAlg;
private KeyPairGenerator keyGen;
private PublicKey publicKey;
private PrivateKey privateKey;
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论