将.p12文件返回给客户端而不创建密钥库文件 [英] Return .p12 file to client without creating keystore file
问题描述
是否可以将文件存储到PKCS12密钥库中,而无需将文件返回给客户端(扩展名为.p12)(base64编码的字符串,该字符串随后在客户端解码并保存为.p12扩展名)?我有用于创建根证书,客户端证书以及将keyentry设置为PKCS12密钥库的代码,但是我不想在文件系统上拥有.p12文件,只是为了生成它并将其返回给客户端.谢谢!
Is there any way to return a file to client with .p12 extension (base64 encoded string, that is later decoded on the client side and saved with .p12 extension) without storing it to PKCS12 keystore? I have code for creating root certificate, client certificate and setting keyentry to PKCS12 keystore bellow, but I don't want to have .p12 file on the file system, just to generate it and return it to client. Thanks!
创建根证书的简化代码:
Simplified code of creating root certificate:
public static void createRootCertificate(PublicKey pubKey, PrivateKey privKey) {
certGen.setSerialNumber(...);
certGen.setIssuerDN(...);
certGen.setNotBefore(...);
certGen.setNotAfter(...);
certGen.setSubjectDN(...);
certGen.setPublicKey(pubKey);
certGen.setSignatureAlgorithm("SHA1WithRSA");
// add extensions, key identifier, etc.
X509Certificate cert = certGen.generateX509Certificate(privKey);
cert.checkValidity(new Date());
cert.verify(pubKey);
}
创建后,根证书及其私钥将保存到受信任的存储区.
The root certificate and its private key is saved to the trusted store after creating.
然后,在用于生成客户端证书的服务中,我从受信任的存储区读取了根证书并生成了客户端证书:
Than, in the service for generating client certificates, I read root certificate from trusted store and generate client ones:
public static Certificate createClientCertificate(PublicKey pubKey) {
PrivateKey rootPrivateKey = ... //read key from trusted store
X509Certificate rootCertificate = ... //read certificate from trusted store
certGen.setSerialNumber(...);
certGen.setIssuerDN(...); // rootCertificate.getIssuerDN ...
certGen.setNotBefore(...);
certGen.setNotAfter(...);
certGen.setSubjectDN(...);
certGen.setPublicKey(pubKey);
certGen.setSignatureAlgorithm("SHA1WithRSA");
// add extensions, issuer key, etc.
X509Certificate cert = certGen.generateX509Certificate(rootPrivateKey);
cert.checkValidity(new Date());
cert.verify(rootCertificate.getPublicKey(););
return cert;
}
主类如下:
public static void main(String[] args) {
// assume I have all needed keys generated
createRootCertificate(rootPubKey, rootPrivKey);
X509Certificate clientCertificate = createClientCertificate(client1PubKey);
KeyStore store = KeyStore.getInstance("PKCS12", "BC");
store.load(null, null);
store.setKeyEntry("Client1_Key", client1PrivKey, passwd, new Certificate[]{clientCertificate});
FileOutputStream fOut = new FileOutputStream("client1.p12");
store.store(fOut, passwd);
}
在上面的代码之后,我正在读取client1.p12,并正在创建该文件的Base64编码的响应.当我在客户端上解码响应并以.p12扩展名保存时,一切正常,我可以将其导入浏览器.可以不将其存储到文件中来完成此操作吗?
After the code above, I'm reading client1.p12 and I'm creating Base64 encoded response of that file. When I decode response on my client and save with .p12 extension everything works, I can import it to browser. Can this be done without storing it to file?
我尝试过:
store.setKeyEntry("Client1_Key", client1PrivKey, passwd, new Certificate[]{clientCertificate});
之后:
Key key = store.getKey("Client1_Key", passwd);
但是在对密钥变量进行编码时,发送给客户端,然后将其解码并以.p12扩展名保存,浏览器会说文件无效或损坏.
but when encode key variable, send to client and than decode it and save with .p12 extension, browser say invalid or corrupted file.
提前谢谢!
推荐答案
只需使用ByteArrayOutputStream而不是FileOutputStream来存储p12:
Simply use a ByteArrayOutputStream instead of FileOutputStream to store the p12:
ByteArrayOutputStream baos = new ByteArrayOutputStream();
store.store(baos, passwd);
byte[] p12Bytes = baos.toByteArray();
String p12Base64 = new String(Base64.encode(p12Bytes));
这篇关于将.p12文件返回给客户端而不创建密钥库文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!