Can we do whatever we do using keytool with java.security apis like KeyPairGenerator etc

Can we do whatever we do using keytool with java.security apis like KeyPairGenerator etc.?

I am interested in extending the certificate with specific validity.

For example, can the following command run be done using Java security APIs:

keytool -genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype}

I want to use only java core security APIs and not interested in third party APIs

Most of the operations that keytool performs (at least those that I know) can be recreated using java.security.* classes with some additional utility classes. For example, to create a new pair of keys you can use:

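import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;

private static final String ALGORITHM = "RSA";
// "BC" is the Bouncy Castle provider; it has to be registered before this name resolves
private static final String PROVIDER = "BC";

private PrivateKey privateKey;
private PublicKey publicKey;

...

public void generateNewKeyPair() {
    try {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance(ALGORITHM, PROVIDER);
        // 2048-bit key, seeded from a fresh SecureRandom
        keyGen.initialize(2048, new SecureRandom());
        KeyPair keypair = keyGen.genKeyPair();
        privateKey = keypair.getPrivate();
        publicKey = keypair.getPublic();
    } catch (Exception e) {
        // LOG is the enclosing class's logger, declared elsewhere
        LOG.error("Error creating keyPair", e);
    }
}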

Here is an example of retrieving a KeyPair from a KeyStore

Here is a (more elaborate) example that not only creates the KeyPair, but also stores it in a file

You can also serialize the KeyPair alongside an expiration timestamp as a SealedObject to simulate both the validity parameter and the storage provided by keytool

EDIT: SealedObject alone won't give you the validity parameter simulation; it is the timestamp stored alongside the keypair (in a SealedObject) that will "simulate" an expiration date (which can be seen as the validity of the key). For example:

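// The holder must be Serializable so that it can be wrapped in a SealedObject
class KeyWithExpiration implements Serializable {
    private final KeyPair keyPair;
    private final Date expirationDate;

    KeyWithExpiration(KeyPair keyPair, Date expirationDate) {
        this.keyPair = keyPair;
        this.expirationDate = expirationDate;
    }
}

// PASSWORD (char[]), SALT (byte[]) and ITERATIONS (int) are constants defined elsewhere;
// ALGORITHM here has to name a password-based encryption algorithm, not "RSA"
public static void serializeEncrypted(File file, Serializable instance) throws Exception {
   // With these lines, I hope to expose some of the craft that is needed to work with the API
   PBEKeySpec keySpecObj = new PBEKeySpec(PASSWORD, SALT, ITERATIONS);
   SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(ALGORITHM);
   SecretKey keyObj = secretKeyFactory.generateSecret(keySpecObj);

   // The cipher can only be created once the key exists, and must be initialised before sealing
   Cipher ecipherObj = Cipher.getInstance(keyObj.getAlgorithm());
   ecipherObj.init(Cipher.ENCRYPT_MODE, keyObj, new PBEParameterSpec(SALT, ITERATIONS));

   SealedObject sealedObject = new SealedObject(instance, ecipherObj);

   try (ObjectOutputStream objOutputStream = new ObjectOutputStream(new FileOutputStream(file))) {
       objOutputStream.writeObject(sealedObject);
   }
}

// Generate a new KeyWithExpiration (DateUtil is a helper class that is not shown)
KeyWithExpiration key = new KeyWithExpiration(keyPair, DateUtil.future().days(365));
serializeEncrypted(new File(".key"), key);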

That's why the API plus some utility classes are needed to achieve some of the functionality provided by keytool
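
The read side of the approach described in this answer, as an added example that is not part of the original answer: it unseals the stored object and refuses a key whose expiration has passed. The class and method names are hypothetical, and the key derivation (PBKDF2WithHmacSHA256) and cipher (AES/GCM/NoPadding) are choices made for this example; GCM authenticates the sealed bytes, so a stored expiration date that has been altered fails to unseal.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.security.*;
import java.time.Instant;
import java.time.temporal.ChronoUnit;

public class ExpiringKeyDemo {
    // Hypothetical holder: the key pair plus the instant after which it must not be used.
    static class KeyWithExpiration implements Serializable {
        final KeyPair keyPair;
        final Instant notAfter;
        KeyWithExpiration(KeyPair kp, Instant notAfter) { this.keyPair = kp; this.notAfter = notAfter; }
    }
    // Derive a 256-bit AES key from the password (iteration count is an example value).
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    static void save(File f, KeyWithExpiration k, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key); // the provider generates a fresh random IV
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f))) {
            out.writeObject(new SealedObject(k, c)); // IV travels inside the SealedObject
        }
    }
    // Unseal, then enforce the "validity": an expired key is refused, not returned.
    static KeyPair load(File f, SecretKey key, Instant now) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(f))) {
            KeyWithExpiration k = (KeyWithExpiration) ((SealedObject) in.readObject()).getObject(key);
            if (now.isAfter(k.notAfter)) throw new GeneralSecurityException("key expired at " + k.notAfter);
            return k.keyPair;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); // default JDK provider
        gen.initialize(2048);
        byte[] salt = new byte[16]; // not secret; a real loader stores it beside the file
        new SecureRandom().nextBytes(salt);
        SecretKey key = deriveKey("constructed-demo-password".toCharArray(), salt);
        File file = File.createTempFile("demo", ".key");
        file.deleteOnExit();
        Instant now = Instant.now();
        save(file, new KeyWithExpiration(gen.generateKeyPair(), now.plus(365, ChronoUnit.DAYS)), key);
        System.out.println("valid today: " + (load(file, key, now) != null));
        try { load(file, key, now.plus(366, ChronoUnit.DAYS)); } // simulate a later date
        catch (GeneralSecurityException e) { System.out.println("after validity: " + e.getMessage()); }
    }
}
```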
