Can we do whatever we do using keytool with java.security APIs like KeyPairGenerator etc.?
I am interested in extending the certificate with a specific validity.
For example, can the following command be done using Java security APIs?
keytool -genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype}
I want to use only Java core security APIs and am not interested in third-party APIs.
Most of the operations that keytool does (at least those that I know) can be recreated using java.security.* classes with some additional utility classes. For example, to create a new pair of keys you can use:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;

private static final String ALGORITHM = "RSA";
// "BC" is the Bouncy Castle provider; it has to be registered with Security.addProvider() first.
// Leave the provider argument out of getInstance() to use the JDK's default provider instead.
private static final String PROVIDER = "BC";
private PrivateKey privateKey;
private PublicKey publicKey;
...
public void generateNewKeyPair() {
    try {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance(ALGORITHM, PROVIDER);
        keyGen.initialize(2048, new SecureRandom());   // the equivalent of -keyalg RSA -keysize 2048
        KeyPair keypair = keyGen.genKeyPair();
        privateKey = keypair.getPrivate();
        publicKey = keypair.getPublic();
    } catch (Exception e) {
        LOG.error("Error creating keyPair", e);
    }
}
Here is an example of retrieving a KeyPair from a KeyStore.
Here is a (more elaborate) example that not only creates the KeyPair, but also stores it in a file.
You can also serialize the KeyPair alongside an expiration timestamp as a SealedObject to simulate both the validity parameter and the storage provided by keytool.
EDIT: SealedObject alone won't give you the validity parameter simulation; it is the timestamp stored alongside the keypair (in a SealedObject) that will "simulate" an expiration date (which can be seen as the validity of the key). For example:
import java.io.*;
import java.security.KeyPair;
import java.util.Date;
import javax.crypto.*;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

class KeyWithExpiration implements Serializable {
    private final KeyPair keyPair;       // KeyPair and the JDK key classes are Serializable
    private final Date expirationDate;
    KeyWithExpiration(KeyPair keyPair, Date expirationDate) {
        this.keyPair = keyPair;
        this.expirationDate = expirationDate;
    }
}

// PASSWORD (char[]), SALT (byte[]) and ITERATIONS (int) are assumed to be defined elsewhere;
// ALGORITHM here must name a password-based cipher (e.g. "PBEWithHmacSHA256AndAES_256"), not the "RSA" used above.
public static void serializeEncrypted(File file, Serializable instance) throws Exception {
    // With these lines, I hope to expose some of the craft that is needed to work with the API
    PBEKeySpec keySpecObj = new PBEKeySpec(PASSWORD, SALT, ITERATIONS);
    SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(ALGORITHM);
    SecretKey keyObj = secretKeyFactory.generateSecret(keySpecObj);   // the key must exist before the Cipher can use it
    Cipher ecipherObj = Cipher.getInstance(keyObj.getAlgorithm());
    ecipherObj.init(Cipher.ENCRYPT_MODE, keyObj, new PBEParameterSpec(SALT, ITERATIONS)); // SealedObject needs an initialised Cipher
    SealedObject sealedObject = new SealedObject(instance, ecipherObj);
    try (ObjectOutputStream objOutputStream = new ObjectOutputStream(new FileOutputStream(file))) {
        objOutputStream.writeObject(sealedObject);
    }
}

// Generate a new KeyWithExpiration that expires 365 days from now
// (DateUtil.future().days(365) in the original is the author's own helper; plain java.util.Date arithmetic is used here)
KeyWithExpiration key = new KeyWithExpiration(keyPair, new Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000));
serializeEncrypted(new File(".key"), key);
That's why the API plus some utility classes are needed to achieve some of the functionality provided by keytool.
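The answer above simulates -validity with a timestamp sealed next to the key pair. The following is an added example, not code from the answer or from the JDK, that carries that idea through end to end using only the default JDK provider: -keyalg/-keysize via KeyPairGenerator, -keypass via a password-derived PBE key, -validity as a notAfter instant that is enforced when the entry is unsealed, and -sigalg via Signature. The class and method names, the "PBEWithHmacSHA256AndAES_256" scheme, the iteration count, the password and the sample message are all assumptions of this example. What it deliberately does not do is what keytool -genkeypair actually does: write a self-signed X.509 certificate (whose notAfter is the -validity value) into a keystore. The public API in java.security.cert parses and verifies certificates but has no builder; keytool itself uses the internal sun.security.x509 classes, and KeyStore.setKeyEntry refuses a PrivateKey without a certificate chain, so a real certificate with that validity needs either those internals or a third-party library.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Duration;
import java.time.Instant;
import javax.crypto.*;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class ExpiringKeyPairStore {

    // Assumptions of this added example: a PBES2 scheme the JDK ships and a work factor chosen here.
    static final String PBE_ALGORITHM = "PBEWithHmacSHA256AndAES_256";
    static final int ITERATIONS = 100_000;

    /** What gets sealed: the pair plus the instant after which it must not be used (the -validity stand-in). */
    static final class ExpiringKeyPair implements Serializable {
        private static final long serialVersionUID = 1L;
        final KeyPair keyPair;     // KeyPair and the JDK's RSA key classes are Serializable
        final Instant notAfter;
        ExpiringKeyPair(KeyPair keyPair, Instant notAfter) { this.keyPair = keyPair; this.notAfter = notAfter; }
    }

    static final class KeyExpiredException extends GeneralSecurityException {
        KeyExpiredException(String msg) { super(msg); }
    }

    /** -keyalg / -keysize with the default JDK provider; no Bouncy Castle needed. */
    static KeyPair generate(String keyalg, int keysize) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance(keyalg);
        gen.initialize(keysize, new SecureRandom());
        return gen.generateKeyPair();
    }

    /** -keypass: derive a key from the password and seal the entry. Salt, count and IV travel inside the SealedObject's parameters. */
    static void seal(File file, char[] password, ExpiringKeyPair entry) throws GeneralSecurityException, IOException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBE_ALGORITHM).generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(PBE_ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey, new PBEParameterSpec(salt, ITERATIONS)); // IV is generated by the cipher
        SealedObject sealed = new SealedObject(entry, cipher);
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file))) {
            out.writeObject(sealed);
        }
    }

    /** Unseal and enforce validity: an expired entry is refused, which is the check a certificate's notAfter gives you. */
    static ExpiringKeyPair unseal(File file, char[] password, Instant now)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        SealedObject sealed;
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file))) {
            sealed = (SealedObject) in.readObject();
        }
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBE_ALGORITHM).generateSecret(new PBEKeySpec(password));
        ExpiringKeyPair entry = (ExpiringKeyPair) sealed.getObject(pbeKey); // a wrong password fails here
        if (!now.isBefore(entry.notAfter)) {
            throw new KeyExpiredException("key pair expired at " + entry.notAfter);
        }
        return entry;
    }

    public static void main(String[] args) throws Exception {
        File store = File.createTempFile("expiring", ".key");
        char[] password = "changeit".toCharArray();   // assumed password
        Instant now = Instant.now();
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365, minus the certificate
        ExpiringKeyPair entry = new ExpiringKeyPair(generate("RSA", 2048), now.plus(Duration.ofDays(365)));
        seal(store, password, entry);

        // Within validity: the pair comes back and can sign (-sigalg SHA256withRSA).
        ExpiringKeyPair loaded = unseal(store, password, now);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(loaded.keyPair.getPrivate());
        sig.update(message);
        byte[] signature = sig.sign();
        sig.initVerify(loaded.keyPair.getPublic());
        sig.update(message);
        System.out.println("signature verifies: " + sig.verify(signature));

        // One day past notAfter: the store refuses to hand the key out.
        try {
            unseal(store, password, now.plus(Duration.ofDays(366)));
        } catch (KeyExpiredException e) {
            System.out.println("refused: " + e.getMessage());
        }
        store.delete();
    }
}
```

Two caveats a practitioner should keep in mind. The file this writes is not a keystore: keytool cannot read it, and nothing but your own code will honour the notAfter inside it. And SealedObject is Java serialization under a password-derived key, so the password is the only thing between someone who can replace the file and a deserialization gadget chain; unseal only files you wrote, and on JDK 9+ consider an ObjectInputFilter on the ObjectInputStream that reads the outer object.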