如何從 PKCS12 文件為 Java 創建密鑰庫和信任庫?
[英]How to create keystore and truststore for Java from a PKCS12 file?
問題描述
我想使用 Java 調用需要相互 SSL 身份驗證的 Web 服務。
此 web 服務可通過安全且經過身份驗證的連接在服務器端和客戶端進行訪問。
我提供了一個 PKCS12 文件 (.p12) 來建立經過身份驗證的連接,該文件包含 4 個條目:
- TEST _ CAIH 時間戳(RSA 私鑰)。
- TEST _ CAIH 時間戳(驗證人:XX - Easy CA)。
- XX - 簡易 CA(驗證人:XX - 根 CA)。
- XX - 根 CA(驗證人:XX - 根 CA)。
我需要從 p12 文件創建密鑰庫和信任庫還是不需要它,如何從 p12 文件創建它? 我應該在密鑰庫和/或信任庫中添加哪些密鑰?
先感謝您。
1 個解決方案
解決方案1
0 2019-11-18 14:09:05
我是否需要從 p12 文件創建密鑰庫和信任庫
它是由你決定。 p12/pfx 是與語言無關的密鑰庫,而 JKS 是 Java 密鑰庫。 您可以使用以下代碼。
我應該在密鑰庫和/或信任庫中添加哪些密鑰?
信任庫不需要密鑰,它只存儲 CA 的受信任證書。 Keystore (JKS/ p12/ pfx) 包含證書和相應的私鑰。 它可用於針對 web 服務進行身份驗證。
嘗試加載 p12 密鑰庫並將其導出到 java 密鑰庫。
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream(<location of keystore>),"password".toCharArray());
FileOutputStream fos = null;
try {
fos = new FileOutputStream(PATH + "newKeyStore.jks");
char[] password = PASSWORD_.toCharArray();
ks.store(fos, password);
} finally {
if (fos != null) {
fos.close();
}
}
如果您擁有客戶端身份驗證證書 (cer/p7b) 和相應的私鑰,則可以使用以下代碼。
public static void loadKeyStore(){
char[] password = "changeit".toCharArray();
java.security.cert.Certificate[] certArr;
File file = new File(<location of your cer/p7b here>);
try {
byte[] buffer = new byte[(int) file.length()];
DataInputStream in = new DataInputStream(new FileInputStream(file));
in.readFully(buffer);
in.close();
try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer);) {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Collection<?> c = cf.generateCertificates(bais);
List<Certificate> certList = new ArrayList<Certificate>();
if (c.isEmpty()) {
// If there are no certificates found, the p7b file is probably not in binary format.
// It may be in base64 format.
// The generateCertificates method only understands raw data.
} else {
Iterator<?> i = c.iterator();
while (i.hasNext()) {
certList.add((Certificate) i.next());
}
}
certArr = new java.security.cert.Certificate[certList.size()];
int i = 0;
while(i < certList.size()){
certArr[i] = certList.get(i);
i++;
}
}
PrivateKey key = (PrivateKey) getKeyFromFile(<location of private key here>);
File f = new File("keystore.jks");
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setKeyEntry(<alias>, key, password, certArr);
FileOutputStream fos = new FileOutputStream(f);
keyStore.store(fos, password);
fos.close();
}catch (Exception e){
System.out.println("Exception "+ e);
}
}
public static Key getKeyFromFile(String fileName) throws Exception{
Key pk = null;
File f = new File(fileName);
FileInputStream fis = new FileInputStream(f);
DataInputStream dis = new DataInputStream(fis);
byte[] keyBytes = new byte[(int)f.length()];
dis.readFully(keyBytes);
dis.close();
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance("RSA");
pk = kf.generatePrivate(spec);
return pk;
}
對於加載信任庫,
public static void loadTrustStore() {
java.security.cert.Certificate[] certArr;
java.security.cert.Certificate[] certArr2;
char[] password = "changeit".toCharArray();
File file = new File(<root ca location>);
File file2 = new File(<intermediate ca location>);
try {
byte[] buffer = new byte[(int) file.length()];
DataInputStream in = new DataInputStream(new FileInputStream(file));
in.readFully(buffer);
in.close();
byte[] buffer2 = new byte[(int) file2.length()];
DataInputStream in2 = new DataInputStream(new FileInputStream(file2));
in2.readFully(buffer2);
in2.close();
try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer);ByteArrayInputStream bais2 = new ByteArrayInputStream(buffer2);) {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Collection<?> c = cf.generateCertificates(bais);
CertificateFactory cf2 = CertificateFactory.getInstance("X.509");
Collection<?> c2 = cf2.generateCertificates(bais2);
List<Certificate> certList = new ArrayList<Certificate>();
List<Certificate> certList2 = new ArrayList<Certificate>();
if (c.isEmpty()) {
// If there are now certificates found, the p7b file is probably not in binary format.
// It may be in base64 format.
// The generateCertificates method only understands raw data.
} else {
Iterator<?> i = c.iterator();
while (i.hasNext()) {
certList.add((Certificate) i.next());
}
}
if (c2.isEmpty()) {
// If there are no certificates found, the p7b file is probably not in binary format.
// It may be in base64 format.
// The generateCertificates method only understands raw data.
} else {
Iterator<?> i = c2.iterator();
while (i.hasNext()) {
certList2.add((Certificate) i.next());
}
}
certArr = new java.security.cert.Certificate[certList.size()];
int i = 0;
while (i < certList.size()) {
certArr[i] = certList.get(i);
i++;
}
certArr2 = new java.security.cert.Certificate[certList2.size()];
int j = 0;
while (j < certList2.size()) {
certArr2[j] = certList2.get(j);
j++;
}
}
File output = new File("truststore.keystore");
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(null, null);
ks.setCertificateEntry(<alias for root ca>, certArr[0]);
ks.setCertificateEntry(<alias for intermediate ca>, certArr2[0]);
FileOutputStream fs = new FileOutputStream(output);
ks.store(fs, password);
fs.close();
}catch (Exception e){
System.out.println("Exception "+ e);
}
}
如果您需要有關代碼的幫助,請告訴我。
如何以編程方式將java jks密鑰庫轉換為pkcs12證書?
[英]how to convert java jks keystore to pkcs12 certificate programatically?
使用keytool更改密碼時,從Java Keystore中提取PKCS12文件
[英]Extract PKCS12 file from Java Keystore while changing the password using keytool
在 Java 密鑰庫中導入 pkcs12 (.p12) 客戶端證書文件時,CertificateChain 為空
[英]CertificateChain is null when importing pkcs12 (.p12) client-certificate file in Java Keystore
keytool 是否仍然需要從 Let's Encrypt pem 文件中由 OpenSSL 創建的 PKCS12 密鑰庫創建 PKCS12 密鑰庫?
[英]Is keytool still necessary to create a PKCS12 keystore from a PKCS12 keystore created by OpenSSL from Let's Encrypt pem files?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
如何創建一個 PKCS12 密鑰庫?
如何以編程方式將 pkcs12 文件導入 Java 密鑰庫
來自CA的PKCS12 Java密鑰庫和java中的用戶證書
如何以編程方式將java jks密鑰庫轉換為pkcs12證書?
如何將PKCS12證書導入Java密鑰庫?
Java KeyStore- PKCS12的處理
使用keytool更改密碼時,從Java Keystore中提取PKCS12文件
在 Java 密鑰庫中導入 pkcs12 (.p12) 客戶端證書文件時,CertificateChain 為空
keytool 是否仍然需要從 Let's Encrypt pem 文件中由 OpenSSL 創建的 PKCS12 密鑰庫創建 PKCS12 密鑰庫?
如何在Java中以編程方式解析PKCS12文件?
相關標簽