我尝试生成一个 RSA CA key 对和证书并将其保存到 keystore 。 我的代码是:
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
private static final String storeType = "PKCS12";
private static final String storePassword = "password";
private static final String storePath = "/usr/lib/java/keystore.ks";
private static final Date startDate = new Date(System.currentTimeMillis()); // time from which certificate is valid
private static final Date expiryDate = new Date(System.currentTimeMillis() + 2L * 365L * 24L * 60L * 60L * 1000L); // time after which certificate is not valid (2 years)
private static final BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis());
private static X500Name issuer;
private static X500Name subject;
private static KeyPair pair;
public static void saveKeys() throws Exception{
Security.addProvider(new BouncyCastleProvider());
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(2048, new SecureRandom());
pair = keyPairGen.generateKeyPair();
byte[] pub = pair.getPublic().getEncoded();
byte[] priv = pair.getPrivate().getEncoded();
SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfo.getInstance(pub);
issuer = new X500Name("CN=CA");
subject = issuer;
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
issuer, //issuer (CA)
serialNumber,
startDate, expiryDate,
subject, //subject
pubInfo);
//signature for sig
ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSA").build(pair.getPrivate());
X509CertificateHolder certHolder = certBuilder.build(sigGen);
X509Certificate caCert = new JcaX509CertificateConverter().getCertificate(certHolder);
X509Certificate[] chain = new X509Certificate[3];
chain[2] = caCert;
KeyStore store;
try {
store = KeyStore.getInstance(storeType);
store.load(null,null);
store.setKeyEntry("CA-Key", priv, chain);
store.store(new FileOutputStream("public.p12"), null);
} catch (Exception e) {
e.printStackTrace();
}
然后我得到错误:
java.security.KeyStoreException: Private key is not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: overrun, bytes = 1194
at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:687)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1174)
at storeKeys.saveKeys(storeKeys.java:95)
at storeKeys.main(storeKeys.java:146)
Caused by: java.io.IOException: overrun, bytes = 1194
如何将私钥加密为正确的格式?我可以在哪里为 keystore 提供保存 key 的路径?
最佳答案
如果您看到该方法的 java 文档,它说:
Assigns the given key (that has already been protected) to the given alias.
If the protected key is of type java.security.PrivateKey, it must be accompanied by a certificate chain certifying the corresponding public key. If the underlying keystore implementation is of type jks, key must be encoded as an EncryptedPrivateKeyInfo as defined in the PKCS #8 standard.
它说 JKS,但看起来它也期待 PKCS12 的加密私钥格式。
所以你不能只传入私钥字节数组。
为了让事情更简单,你可以这样做:
PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(pair.getPrivate(), chain);
store.setEntry("CA-Key", privateKeyEntry, new KeyStore.PasswordProtection(storePassword.toCharArray()));
在您的 keystore.store(..) 方法中,第一个参数是 keystore 路径。第二个参数是 keystore 的密码。
所以你可以这样做:
store.store(new FileOutputStream(new File(storePath)), storePassword.toCharArray());
关于Java 将 key 保存到 keystore KeyStoreException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43872861/