Java p12 Generation from existing keys


Question

I'm writing a program in Java that generates RSA keys using Crt parameters. I'm able to export the key in a .pem file, but I need to export it in a pkcs12 file. How can I do that in Java?

Recommended answer

Java contains native support for PKCS#12 key stores through KeyStore.getInstance("PKCS12"). However, generally the key stores require you to offer a matching private key / certificate pair. Just providing a public key instead of a certificate is not enough. You must create a certificate, for instance a self signed certificate to be able to use the PKCS#12 key store provider.

I've tried to create my own Certificate instance using an anonymous type, but the PKCS#12 key store only seems to allow X.509 certificates (but it will only tell you when you store the key store, i.e. it is not fail fast).

Here's some code to create the self signed certificate and store the private key and resulting self signed certificate:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.encoders.Hex;

public class StoreRSAKeyPairInPKCS12 {

    public static void main(String[] args) throws Exception {

        // --- generate a key pair (you did this already it seems)
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        final KeyPair pair = rsaGen.generateKeyPair();

        // --- create the self signed cert
        Certificate cert = createSelfSigned(pair);

        // --- create a new pkcs12 key store in memory
        KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
        pkcs12.load(null, null);

        // --- create entry in PKCS12
        pkcs12.setKeyEntry("privatekeyalias", pair.getPrivate(), "entrypassphrase".toCharArray(), new Certificate[] {cert});

        // --- store PKCS#12 as file
        try (FileOutputStream p12 = new FileOutputStream("mystore.p12")) {
            pkcs12.store(p12, "p12passphrase".toCharArray());
        }

        // --- read PKCS#12 as file
        KeyStore testp12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream p12 = new FileInputStream("mystore.p12")) {
            testp12.load(p12, "p12passphrase".toCharArray());
        }

        // --- retrieve private key
        System.out.println(Hex.toHexString(testp12.getKey("privatekeyalias", "entrypassphrase".toCharArray()).getEncoded()));
    }

    private static X509Certificate createSelfSigned(KeyPair pair) throws OperatorCreationException, CertIOException, CertificateException {
        X500Name dnName = new X500Name("CN=publickeystorageonly");
        BigInteger certSerialNumber = BigInteger.ONE;

        Date startDate = new Date(); // now

        Calendar calendar = Calendar.getInstance();
        calendar.setTime(startDate);
        calendar.add(Calendar.YEAR, 1);
        Date endDate = calendar.getTime();

        ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(pair.getPrivate());
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, pair.getPublic());

        return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
    }

}

You will need at least the PKIX library (bcpkix-jdk15on.jar) from Bouncy Castle and possibly the library of the Bouncy Castle provider. Installing the Bouncy Castle provider is not required.
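
The answer's code starts from a freshly generated key pair, while the question starts from CRT parameters. As an added example (not part of the original answer), the following JDK-only code rebuilds a `KeyPair` from CRT parameters and checks that the public and private halves match before the pair is handed to `createSelfSigned` and `setKeyEntry`. The class and method names (`CrtParamsToKeyPair`, `fromCrt`, `matches`) are hypothetical, and the CRT values in `main` are constructed sample input standing in for the asker's own parameters.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;

public class CrtParamsToKeyPair {

    // Hypothetical helper: rebuilds both halves of the key pair from one CRT parameter set.
    static KeyPair fromCrt(BigInteger n, BigInteger e, BigInteger d, BigInteger p, BigInteger q,
                           BigInteger dP, BigInteger dQ, BigInteger qInv) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PrivateKey priv = kf.generatePrivate(new RSAPrivateCrtKeySpec(n, e, d, p, q, dP, dQ, qInv));
        // The public key is just (modulus, public exponent) of the same parameter set.
        PublicKey pub = kf.generatePublic(new RSAPublicKeySpec(n, e));
        KeyPair pair = new KeyPair(pub, priv);
        if (!matches(pair)) {
            throw new GeneralSecurityException("CRT parameters do not form a consistent RSA key pair");
        }
        return pair;
    }

    // Signs a fixed probe with the private key and verifies it with the public key.
    // A certificate built over a non-matching public key would make the PKCS#12 entry useless.
    static boolean matches(KeyPair pair) throws GeneralSecurityException {
        byte[] probe = "pkcs12-consistency-check".getBytes(StandardCharsets.US_ASCII);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(pair.getPrivate());
        s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(pair.getPublic());
        s.update(probe);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: CRT values taken from a throwaway 2048-bit key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPrivateCrtKey src = (RSAPrivateCrtKey) gen.generateKeyPair().getPrivate();
        KeyPair pair = fromCrt(src.getModulus(), src.getPublicExponent(), src.getPrivateExponent(),
                src.getPrimeP(), src.getPrimeQ(), src.getPrimeExponentP(), src.getPrimeExponentQ(),
                src.getCrtCoefficient());
        System.out.println("consistent key pair: " + matches(pair));
    }
}
```

The returned `KeyPair` can be passed to `createSelfSigned(pair)` in place of the generated pair in the answer's `main` method.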
