Return .p12 file to client without creating keystore file


Problem description

Is there any way to return a file to the client with the .p12 extension (a base64-encoded string that is later decoded on the client side and saved with the .p12 extension) without storing it in a PKCS12 keystore file? I have code for creating the root certificate, the client certificate and setting the key entry in a PKCS12 keystore below, but I don't want to have the .p12 file on the file system, just to generate it and return it to the client. Thanks!

Simplified code for creating the root certificate:

public static void createRootCertificate(PublicKey pubKey, PrivateKey privKey) {    
    certGen.setSerialNumber(...);
    certGen.setIssuerDN(...);
    certGen.setNotBefore(...);
    certGen.setNotAfter(...);
    certGen.setSubjectDN(...);
    certGen.setPublicKey(pubKey);
    certGen.setSignatureAlgorithm("SHA1WithRSA");

    // add extensions, key identifier, etc.

    X509Certificate cert = certGen.generateX509Certificate(privKey);
    cert.checkValidity(new Date());
    cert.verify(pubKey);
}

The root certificate and its private key are saved to the trusted store after creation.

Then, in the service for generating client certificates, I read the root certificate from the trusted store and generate the client ones:

public static Certificate createClientCertificate(PublicKey pubKey) {   

    PrivateKey rootPrivateKey = ... //read key from trusted store
    X509Certificate rootCertificate = ... //read certificate from trusted store

    certGen.setSerialNumber(...);
    certGen.setIssuerDN(...); // rootCertificate.getIssuerDN ...
    certGen.setNotBefore(...);
    certGen.setNotAfter(...);
    certGen.setSubjectDN(...);
    certGen.setPublicKey(pubKey);
    certGen.setSignatureAlgorithm("SHA1WithRSA");

    // add extensions, issuer key, etc.

    X509Certificate cert = certGen.generateX509Certificate(rootPrivateKey);
    cert.checkValidity(new Date());
    cert.verify(rootCertificate.getPublicKey());

    return cert;
}

The main class looks like this:

public static void main(String[] args) {        
    // assume I have all needed keys generated
    createRootCertificate(rootPubKey, rootPrivKey);
    X509Certificate clientCertificate = createClientCertificate(client1PubKey);

    KeyStore store = KeyStore.getInstance("PKCS12", "BC");

    store.load(null, null);

    store.setKeyEntry("Client1_Key", client1PrivKey, passwd, new Certificate[]{clientCertificate});    
    // try-with-resources so the stream is closed even if store() throws
    try (FileOutputStream fOut = new FileOutputStream("client1.p12")) {
        store.store(fOut, passwd);
    }
}

After the code above, I read client1.p12 and create a Base64-encoded response from that file. When I decode the response on my client and save it with the .p12 extension, everything works and I can import it into the browser. Can this be done without storing it to a file?

I tried:

store.setKeyEntry("Client1_Key", client1PrivKey, passwd, new Certificate[]{clientCertificate}); 

and after that:

Key key = store.getKey("Client1_Key", passwd);

but when I encode the key variable, send it to the client, then decode it and save it with the .p12 extension, the browser says the file is invalid or corrupted.

Thanks in advance!

Recommended answer

Simply use a ByteArrayOutputStream instead of a FileOutputStream to store the p12:

import java.io.ByteArrayOutputStream;
import org.bouncycastle.util.encoders.Base64;   // encode(byte[]) returns byte[]

ByteArrayOutputStream baos = new ByteArrayOutputStream();
store.store(baos, passwd);                      // serialize the whole PKCS12 container into memory
byte[] p12Bytes = baos.toByteArray();           // identical to what client1.p12 would have contained
String p12Base64 = new String(Base64.encode(p12Bytes));
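The answer's approach carried end to end, as an added example that is not part of the original question or answer. It assumes Bouncy Castle (bcprov and bcpkix) on the classpath and uses the JcaX509v3CertificateBuilder API instead of the deprecated X509V3CertificateGenerator from the question; the class and method names, the "CN=..." names, the password and the `Client1_Key` alias are placeholders, and it signs with SHA256withRSA rather than SHA1WithRSA. The round-trip at the end loads the Base64 response back the way the client (or a browser import) would, which is the check that the bytes really are a PKCS#12 container and not, as in the `store.getKey(...)` attempt, a bare key encoding.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Hypothetical class name; everything below is illustrative, not the question's code.
public class InMemoryPkcs12 {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Certificate for subjectKey signed by issuerKey; self-signed CA when issuer and subject coincide. */
    static X509Certificate buildCert(X500Name issuer, X500Name subject, PublicKey subjectKey,
                                     PrivateKey issuerKey, BigInteger serial, boolean isCa) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder =
                new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        // SHA-256 instead of the SHA-1 in the question: browsers reject SHA-1 signed certificates.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /** Serialises a PKCS#12 keystore to memory and returns it Base64-encoded; nothing is written to disk. */
    static String exportPkcs12Base64(String alias, PrivateKey key, char[] password, Certificate[] chain)
            throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12", "BC");
        store.load(null, null);                       // empty in-memory keystore
        store.setKeyEntry(alias, key, password, chain);
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        store.store(baos, password);                  // the same bytes that client1.p12 would have held
        return Base64.getEncoder().encodeToString(baos.toByteArray());
    }

    /** What the client side does: decode and parse the .p12 bytes (a browser import performs the same parse). */
    static KeyStore importPkcs12Base64(String p12Base64, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12", "BC");
        store.load(new ByteArrayInputStream(Base64.getDecoder().decode(p12Base64)), password);
        return store;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair rootKeys = gen.generateKeyPair();     // in the question these come from the trusted store
        KeyPair clientKeys = gen.generateKeyPair();

        X500Name rootName = new X500Name("CN=Example Root CA");   // placeholder names
        X500Name clientName = new X500Name("CN=client1");
        X509Certificate rootCert = buildCert(rootName, rootName, rootKeys.getPublic(),
                rootKeys.getPrivate(), BigInteger.ONE, true);
        X509Certificate clientCert = buildCert(rootName, clientName, clientKeys.getPublic(),
                rootKeys.getPrivate(), BigInteger.valueOf(2), false);
        clientCert.verify(rootCert.getPublicKey());

        char[] passwd = "changeit".toCharArray();                 // placeholder password
        // Ship the issuer alongside the leaf so the importer can see the whole chain.
        String response = exportPkcs12Base64("Client1_Key", clientKeys.getPrivate(), passwd,
                new Certificate[] { clientCert, rootCert });

        // Round-trip exactly as the client would, proving the response is a valid PKCS#12 container.
        KeyStore loaded = importPkcs12Base64(response, passwd);
        Certificate[] chain = loaded.getCertificateChain("Client1_Key");
        boolean ok = loaded.getKey("Client1_Key", passwd) != null
                && chain.length == 2
                && ((X509Certificate) chain[0]).getSubjectX500Principal().getName().equals("CN=client1");
        System.out.println("round-trip " + (ok ? "OK" : "FAILED") + ", " + response.length() + " base64 chars");
    }
}
```

Two practical points follow from keeping the container in memory. The client's private key now exists only on the issuing service's heap and in the response, so the PKCS#12 password is the only thing protecting it in transit: send the response over TLS and hand the password to the user through a separate channel rather than in the same reply. And `store.getKey(alias, passwd)` returns a `PrivateKey` object, whose `getEncoded()` form is a PKCS#8 blob, not a PKCS#12 file; that is why writing it out as .p12 produced something the browser called corrupted.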

