[英]How to put a KeyPair into a KeyStore the right way? (programmatically in Java)
最好顯示我的問題並在之后解釋它(我正在使用 KeyStore Explorer 來查看 my.pfx 文件):
基本上,我想要右邊的結果,但我得到左邊的結果。
更准確地說:KeyStore 應該在一個條目中包含私鑰和證書鏈 (KeyPair)。
我不知何故無法讓它在 java 中工作。 這就是我試圖在左邊得到結果:下面代碼的問題是,它沒有驗證證書並將它們添加為受信任的證書。
/**
* Creates and returns a new {@link KeyStore} from the provided information.
* @param keystoreType The {@link KeyStore}s type. Recommended: "pkcs12".
* Check {@link KeyStore#getInstance(String)} for details.
* @param passwordAsCharArray Password to encrypt this {@link KeyStore} and its keys.
* @param certificateChain The certificate chain is simply an array of {@link X509Certificate}s.
* @param privateKey The {@link PrivateKey}.
* @param publicKey The {@link PublicKey}.
* @throws KeyStoreException
*/
public KeyStore buildAndGetKeystore(String keystoreType, char[] passwordAsCharArray,
X509Certificate[] certificateChain, PrivateKey privateKey, PublicKey publicKey)
throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException, EmptyStringException, EmptyCharArrayException, EmptyCertificateChainException {
// Check for null parameters
Objects.requireNonNull(keystoreType);
Objects.requireNonNull(passwordAsCharArray);
Objects.requireNonNull(certificateChain);
Objects.requireNonNull(privateKey);
Objects.requireNonNull(publicKey);
// Check for empty parameters
if (keystoreType.isEmpty()) throw new EmptyStringException("Parameter 'keystoreType' should NOT be empty!");
if (passwordAsCharArray.length==0) throw new EmptyCharArrayException("Parameter 'passwordAsCharArray' should NOT be empty!");
if (certificateChain.length==0) throw new EmptyCertificateChainException("Parameter 'certificateChain' should NOT be empty!");
// Initialise a new keystore
KeyStore keystore = KeyStore.getInstance(keystoreType);
keystore.load(null, passwordAsCharArray); // Pass null to tell java this is a new keystore
// Insert certificates
for (int i = 0; i < certificateChain.length; i++) {
keystore.setCertificateEntry(""+i, certificateChain[i]);
}
// Write private key (with password protection) to keystore.
// NOTE: I tried this before and it only writes
// the private key to the .pfx file and ignores the domain chain
//keystore.setKeyEntry("sso-signing-key", privateKey, passwordAsCharArray, certificateChain);
return keystore;
}
一些額外的細節:
右側的 KeyStore 是這樣創建的:首先在 sslforfree.com 生成證書,然后使用https://decoder.link/converter將它們轉換為 PKCS12 KeyStore
我創建了自己的證書鏈並將此結構用於證書鏈:
X509Certificate[] certificateChain = new X509Certificate[3];
certificateChain[0] = topCertificate;
certificateChain[1] = middleCertificate;
certificateChain[2] = rootCertificate;
密鑰庫創建部分就像這樣簡單(我省略了“notNull 檢查”):
KeyStore keystore = KeyStore.getInstance(keystoreType);
keystore.load(null,null);
keystore.setKeyEntry("use_your_own_alias", privateKey, passwordAsCharArray, certificateChain);
return keystore;
請注意,publicKey不是存儲過程的一部分,因為它可用於
certificateChain[0].getPublicKey()
在 KeyStoreExplorer 中檢查密鑰庫(我使用的是 PKCS12)給出了這個 output:
和鑰匙鏈:
你們不會相信這一點,但是......問題是我使用的別名'priv-key'是問題所在! 剛剛刪除了連字符“-”並將別名更改為“myKey”,就像在https://stackoverflow.com/a/67147429/13600212中一樣,瞧,它可以工作了......為這樣一個愚蠢的事情浪費了很多時間......
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.