[英]Return .p12 file to client without creating keystore file
Is there any way to return a file to client with .p12 extension (base64 encoded string, that is later decoded on the client side and saved with .p12 extension) without storing it to PKCS12 keystore? 有没有办法将文件以.p12扩展名(base64编码的字符串,以后在客户端解码并以.p12扩展名保存)返回给客户端,而无需将其存储到PKCS12密钥库中? I have code for creating root certificate, client certificate and setting keyentry to PKCS12 keystore bellow, but I don't want to have .p12 file on the file system, just to generate it and return it to client.
我有用于创建根证书,客户端证书以及将keyentry设置为PKCS12密钥库的代码,但是我不想在文件系统上拥有.p12文件,只是为了生成它并将其返回给客户端。 Thanks!
谢谢!
Simplified code of creating root certificate: 创建根证书的简化代码:
public static void createRootCertificate(PublicKey pubKey, PrivateKey privKey) {
certGen.setSerialNumber(...);
certGen.setIssuerDN(...);
certGen.setNotBefore(...);
certGen.setNotAfter(...);
certGen.setSubjectDN(...);
certGen.setPublicKey(pubKey);
certGen.setSignatureAlgorithm("SHA1WithRSA");
// add extensions, key identifier, etc.
X509Certificate cert = certGen.generateX509Certificate(privKey);
cert.checkValidity(new Date());
cert.verify(pubKey);
}
The root certificate and its private key is saved to the trusted store after creating. 创建后,根证书及其私钥将保存到受信任的存储中。
Than, in the service for generating client certificates, I read root certificate from trusted store and generate client ones: 然后,在用于生成客户端证书的服务中,我从受信任的存储区读取了根证书并生成了客户端证书:
public static Certificate createClientCertificate(PublicKey pubKey) {
PrivateKey rootPrivateKey = ... //read key from trusted store
X509Certificate rootCertificate = ... //read certificate from trusted store
certGen.setSerialNumber(...);
certGen.setIssuerDN(...); // rootCertificate.getIssuerDN ...
certGen.setNotBefore(...);
certGen.setNotAfter(...);
certGen.setSubjectDN(...);
certGen.setPublicKey(pubKey);
certGen.setSignatureAlgorithm("SHA1WithRSA");
// add extensions, issuer key, etc.
X509Certificate cert = certGen.generateX509Certificate(rootPrivateKey);
cert.checkValidity(new Date());
cert.verify(rootCertificate.getPublicKey(););
return cert;
}
Main class look like this: 主类如下所示:
public static void main(String[] args) {
// assume I have all needed keys generated
createRootCertificate(rootPubKey, rootPrivKey);
X509Certificate clientCertificate = createClientCertificate(client1PubKey);
KeyStore store = KeyStore.getInstance("PKCS12", "BC");
store.load(null, null);
store.setKeyEntry("Client1_Key", client1PrivKey, passwd, new Certificate[]{clientCertificate});
FileOutputStream fOut = new FileOutputStream("client1.p12");
store.store(fOut, passwd);
}
After the code above, I'm reading client1.p12 and I'm creating Base64 encoded response of that file. 在上面的代码之后,我正在读取client1.p12,并正在创建该文件的Base64编码的响应。 When I decode response on my client and save with .p12 extension everything works, I can import it to browser.
当我在客户端上解码响应并以.p12扩展名保存时,一切正常,我可以将其导入浏览器。 Can this be done without storing it to file?
无需将其存储到文件中就可以做到吗?
I have tried with: 我尝试过:
store.setKeyEntry("Client1_Key", client1PrivKey, passwd, new Certificate[]{clientCertificate});
and after that: 在那之后:
Key key = store.getKey("Client1_Key", passwd);
but when encode key variable, send to client and than decode it and save with .p12 extension, browser say invalid or corrupted file. 但是,当对密钥变量进行编码时,发送给客户端,然后对其进行解码,并以.p12扩展名保存,浏览器会说文件无效或损坏。
Thanks in advance! 提前致谢!
Simply use a ByteArrayOutputStream instead of FileOutputStream to store the p12: 只需使用ByteArrayOutputStream而不是FileOutputStream来存储p12:
ByteArrayOutputStream baos = new ByteArrayOutputStream();
store.store(baos, passwd);
byte[] p12Bytes = baos.toByteArray();
String p12Base64 = new String(Base64.encode(p12Bytes));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.