Different types of keystore in Java -- JKS

JKS is the Java KeyStore, a proprietary keystore type designed for Java. It can be used to store private keys and certificates used for SSL communication; it cannot store secret (symmetric) keys, however. The keytool shipped with the JDK cannot extract private keys stored in a JKS. This type of keystore usually has the file extension .jks.
Next we will show how to operate on a JKS keystore with pure Java code.
Create JKS keystore
The simplest way to create a JKS keystore is to create an empty one. We first get a KeyStore instance and then load it with a null input stream, which initializes an empty keystore. After that, we only need to call KeyStore.store() with an output stream for the keystore file and the keystore password.
Below is a simple demo:
import java.io.FileOutputStream;
import java.security.KeyStore;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(null, null);   // loading a null stream initializes an empty keystore
    keyStore.store(new FileOutputStream("mytestkey.jks"), "password".toCharArray());
} catch (Exception ex) {
    ex.printStackTrace();
}
After executing the code above, you will see a keystore named mytestkey.jks in the current working directory. The keystore is empty, without any entries.
Store private key
Now let's store a private key and its associated certificate chain in the keystore. Note that with the JDK we cannot store a private key without an associated certificate chain; with some other libraries or native libraries you may be able to store a private key without one.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import sun.security.tools.keytool.CertAndKeyGen;   // sun.security.x509.CertAndKeyGen on JDK 7 and earlier
import sun.security.x509.X500Name;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    // generate an RSA key pair and a self-signed certificate (JDK-internal helper, also used by keytool)
    CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA1WithRSA");
    gen.generate(1024);
    Key key = gen.getPrivateKey();
    X509Certificate cert = gen.getSelfCertificate(new X500Name("CN=ROOT"), (long) 365 * 24 * 3600);
    X509Certificate[] chain = new X509Certificate[1];
    chain[0] = cert;
    keyStore.setKeyEntry("mykey", key, "password".toCharArray(), chain);
    keyStore.store(new FileOutputStream("mytestkey.jks"), "password".toCharArray());
} catch (Exception ex) {
    ex.printStackTrace();
}
First we create a private key and a self-signed certificate, then call KeyStore.setKeyEntry() with the alias, the key, the password protecting the key and its associated certificate chain. Remember that KeyStore.store() must be called to write the key to the keystore file.
The alias is the label of the entry so that it can be found easily later.
Store certificate
We can also store a certificate on its own in a JKS keystore. The certificate to be stored should be an X509Certificate, and it can be stored without an associated private key. The process is similar to storing a private key.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import sun.security.tools.keytool.CertAndKeyGen;   // sun.security.x509.CertAndKeyGen on JDK 7 and earlier
import sun.security.x509.X500Name;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA1WithRSA");
    gen.generate(1024);   // the key pair must exist before a certificate can be signed
    X509Certificate cert = gen.getSelfCertificate(new X500Name("CN=SINGLE_CERTIFICATE"), (long) 365 * 24 * 3600);
    keyStore.setCertificateEntry("single_cert", cert);   // trusted-certificate entry, no private key
    keyStore.store(new FileOutputStream("mytestkey.jks"), "password".toCharArray());
} catch (Exception ex) {
    ex.printStackTrace();
}
Loading private key
After storing the keys, we can also load the entries in the keystore. Although this section is titled loading the private key, that is not really what happens here: as described earlier, the private key cannot be extracted from a JKS using Java. What we actually extract is the certificate chain of the private key entry.
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    Key key = keyStore.getKey("mykey", "password".toCharArray());
    // System.out.println("Private key : " + key.toString());   // you will get a NullPointerException if you uncomment this line
    Certificate[] chain = keyStore.getCertificateChain("mykey");
    for (Certificate cert : chain) {
        System.out.println(cert.toString());
    }
} catch (Exception ex) {
    ex.printStackTrace();
}
Note the commented-out line: the key is null, as expected. We can still get the certificate chain as normal:
[
[
Version: V3
Subject: CN=ROOT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key:  Sun RSA public key, 1024 bits
modulus: 9098029984559751277913900988146917700940727213963313924192152984509221046118124392459915025944624907994156194153330343971893613886737577696599589325535888922858441555800614196105140238527928549 public exponent: 65537
Validity: [From: Sat Sep 06 09:57:28 CST 2014,
To: Sun Sep 06 09:57:28 CST 2015]
Issuer: CN=ROOT
SerialNumber: [    206b697b]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 53 6A FD FE E6 3A 5E 6E  A6 43 C4 F4 D1 56 D4 08  Sj...:^V..
0010: 7E 3B 8B 73 68 71 56 AB  96 FE 24 E7 2D DC 04 BB  .;.$.-...
0020: 14 B0 C6 71 8D F0 3E EC  FE D8 5B BB 8C 0F 55 63  ...q..>...[...Uc
0030: 2B 38 8E 45 F1 2D F0 BB  8C 6D 13 A8 11 37 E1 FA  +8.E.-...m...7..
0040: 77 AF C7 73 72 2B 40 4F  74 32 F6 3C 24 E6 AB ED  w..sr+@Ot2.<$...
0050: 2C 6F 19 2E DC 58 5F CB  75 62 40 2F 3E BE 59 99  ,o...X_.ub@/>.Y.
0060: C0 1F 7A 70 15 AF C3 66  B3 4F C9 11 C3 45 59 EF  ..zp...EY.
0070: 36 F4 1C C9 9B FA 5E 43  A0 28 DB 07 0D F2 53 6E  6.....^C.(....Sn
]
Loading certificate
This is similar to loading the private key; we need to pass the alias of the certificate we want to extract.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

try {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("mytestkey.jks"), "password".toCharArray());
    Certificate cert = keyStore.getCertificate("single_cert");
    System.out.println(cert.toString());
} catch (Exception ex) {
    ex.printStackTrace();
}
The output will be:
[
[
Version: V3
Subject: CN=SINGLE_CERTIFICATE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key:  Sun RSA public key, 1024 bits
modulus: 9975683421519728887730991524302478859628141817166124128288147665611087958634979974026976788952980819910417209178686087728038286746156943990775475555875938746242116974911135456579397437277742404 public exponent: 65537
Validity: [From: Sat Sep 06 10:14:33 CST 2014,
To: Sun Sep 06 10:14:33 CST 2015]
Issuer: CN=SINGLE_CERTIFICATE
SerialNumber: [    6943e549]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 35 58 70 96 F4 35 82 2A  95 9F BB 31 02 6E 7C 29  5Xp..5.*...1.n.)
0010: 4A FE AF EB 2D B5 3A A7  C7 9D 4C 9A 34 2C 5C 46  J...-.:...L.4,\F
0020: C2 82 A8 AC 1A C0 98 A5  67 21 74 7B 1E E2 E5 AC  ........
0030: DE B2 1D 87 BE 16 45 9B  D0 2A D3 2B F6 E1 4B 35  ......E..*.+..K5
0040: 27 8B A7 0A EF F2 07 41  90 A6 69 07 BE 87 C5 B1  '......A..i.....
0050: 54 DE DB A2 5A 41 47 3B  3F A7 74 6F 5C C8 8D B4  T...ZAG;?.to\...
0060: C8 65 2B 0F 8E 94 A8 80  C7 8B B5 78 FA C2 9C ED  .e+........x....
0070: 8E EC 28 E4 8E 62 A1 59  6A BC 37 7B 0D FC C7 AF  ..(..b.
]
Import keys and certificates
This process is actually very simple. We first load the keystore that contains the certificate to be imported, then load the other keystore into which the certificate will be imported. Next, we get the certificate from the source keystore, put it into the destination keystore, and store the destination keystore.
Since we cannot extract private keys from a JKS, we can only import certificates into a JKS from it. However, we can extract private keys from other keystore types (such as PKCS12) and then store them in a JKS keystore.
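As an added example (not code from the original post), the following Java program carries out the whole procedure described above: it builds a PKCS12 source keystore holding one self-signed key entry, copies the private key together with its chain into a new JKS keystore, and copies only the certificate into a second JKS that can serve as a truststore. File names, aliases and passwords are made-up values. The certificate is manufactured with the JDK-internal CertAndKeyGen class that the snippets on this page also use, so on JDK 9 or newer both javac and java need --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED --add-exports java.base/sun.security.x509=ALL-UNNAMED.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import sun.security.tools.keytool.CertAndKeyGen;   // JDK-internal; sun.security.x509.CertAndKeyGen on JDK 7
import sun.security.x509.X500Name;

/** Added example: copying entries between keystores of different types. All names and passwords are made up. */
public class KeystoreImportDemo {

    static final char[] SRC_PASS = "src-password".toCharArray();   // demo value
    static final char[] DST_PASS = "dst-password".toCharArray();   // demo value

    /** Builds the PKCS12 source keystore with one self-signed key entry (constructed test data). */
    static void createSourcePkcs12(String file) throws Exception {
        CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA");
        gen.generate(2048);
        X509Certificate cert = gen.getSelfCertificate(new X500Name("CN=demo-server"), 365L * 24 * 3600);
        KeyStore src = KeyStore.getInstance("PKCS12");
        src.load(null, null);
        // same password for store and key: the safest choice across JDK PKCS12 versions
        src.setKeyEntry("server", gen.getPrivateKey(), SRC_PASS, new Certificate[] { cert });
        try (OutputStream out = new FileOutputStream(file)) {
            src.store(out, SRC_PASS);
        }
    }

    static KeyStore load(String type, String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /** Copies a private key entry: key and chain are read from src and written under the same alias in dst. */
    static void copyKeyEntry(KeyStore src, char[] srcKeyPass, KeyStore dst, char[] dstKeyPass, String alias)
            throws Exception {
        Key key = src.getKey(alias, srcKeyPass);
        Certificate[] chain = src.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || chain == null) {
            throw new IllegalStateException("alias '" + alias + "' is not a private key entry");
        }
        dst.setKeyEntry(alias, key, dstKeyPass, chain);
    }

    /** Copies only the certificate of an entry as a trusted-certificate entry; no private key travels. */
    static void copyCertificateOnly(KeyStore src, KeyStore dst, String srcAlias, String dstAlias) throws Exception {
        Certificate cert = src.getCertificate(srcAlias);   // for a key entry this is chain[0]
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + srcAlias);
        }
        dst.setCertificateEntry(dstAlias, cert);
    }

    public static void main(String[] args) throws Exception {
        createSourcePkcs12("source.p12");
        KeyStore src = load("PKCS12", "source.p12", SRC_PASS);

        // 1) PKCS12 -> JKS: private key plus chain, possible because PKCS12 lets us read the key back
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);
        copyKeyEntry(src, SRC_PASS, jks, DST_PASS, "server");

        // 2) certificate only, e.g. to build a truststore for clients of that server
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);
        copyCertificateOnly(src, trust, "server", "server-ca");

        try (OutputStream out = new FileOutputStream("imported.jks")) { jks.store(out, DST_PASS); }
        try (OutputStream out = new FileOutputStream("trust.jks")) { trust.store(out, DST_PASS); }

        // report what each destination ended up with
        for (String alias : Collections.list(jks.aliases())) {
            System.out.println("imported.jks: " + alias + " isKeyEntry=" + jks.isKeyEntry(alias));
        }
        for (String alias : Collections.list(trust.aliases())) {
            System.out.println("trust.jks: " + alias + " isCertificateEntry=" + trust.isCertificateEntry(alias));
        }
    }
}
```

The two copy helpers are deliberately separate: copyKeyEntry requires the key password and refuses anything that is not a private key entry, while copyCertificateOnly only ever touches the public certificate, which is what a truststore needs. In real code the passwords come from configuration or a secret store rather than string literals.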
One final piece of information. Oracle provides two versions of the JKS keystore: case-sensitive and case-insensitive. When KeyStore.getInstance("JKS") is called, a case-insensitive JKS instance is created; when KeyStore.getInstance("CaseExactJKS") is called, a case-sensitive JKS instance is created. Usually the case-insensitive version is recommended, as a user should distinguish entries by different alias names rather than by the case of the alias. For more information about case sensitivity, please refer to this post.
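To make the difference concrete, here is an added example (not part of the original post) that stores two certificate entries whose aliases differ only in case, once in a "JKS" instance and once in a "CaseExactJKS" instance, and then reports the alias list, the entry count and a lookup with a third spelling. Alias and subject names are made up, and the certificates are again manufactured with the JDK-internal CertAndKeyGen class, so on JDK 9 or newer javac and java need --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED --add-exports java.base/sun.security.x509=ALL-UNNAMED.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import sun.security.tools.keytool.CertAndKeyGen;   // JDK-internal; sun.security.x509.CertAndKeyGen on JDK 7
import sun.security.x509.X500Name;

/** Added example: how alias case is handled by JKS versus CaseExactJKS. Names below are made up. */
public class AliasCaseDemo {

    /** Constructed self-signed certificate, used only as the payload of an entry. */
    static X509Certificate selfSigned(String cn) throws Exception {
        CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA");
        gen.generate(2048);
        return gen.getSelfCertificate(new X500Name("CN=" + cn), 365L * 24 * 3600);
    }

    /** Stores two entries under "Server" and "server" and reports what the store ended up with. */
    static void probe(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);

        ks.setCertificateEntry("Server", selfSigned("first"));
        // in a case-insensitive store this alias collides with the first one and replaces that entry
        ks.setCertificateEntry("server", selfSigned("second"));

        System.out.println(type + ": aliases = " + Collections.list(ks.aliases()));
        System.out.println(type + ": size = " + ks.size());
        System.out.println(type + ": containsAlias(\"SERVER\") = " + ks.containsAlias("SERVER"));
        Certificate c = ks.getCertificate("Server");
        System.out.println(type + ": getCertificate(\"Server\") subject = "
                + (c == null ? "null" : ((X509Certificate) c).getSubjectX500Principal()));
        System.out.println();
    }

    public static void main(String[] args) throws Exception {
        probe("JKS");
        probe("CaseExactJKS");
    }
}
```

With "JKS" the alias is normalized to lower case, so the second setCertificateEntry silently replaces the first, the store holds a single entry named server, and a lookup spelled "SERVER" still finds it; with "CaseExactJKS" both entries survive side by side and the lookup with the third spelling finds nothing. The silent replacement is the behaviour worth guarding against in a case-insensitive store: check containsAlias() before inserting if an existing entry must not be overwritten.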

Published on: 2023-05-08 18:20:52

Article link: https://patent.en369.cn/patent/4/92366.html
