Java keystore with multiple keys and different passwords


Question

I have created a Java JKS keystore:

keytool -genkey -alias mydomain -keyalg RSA -keystore mytest.jks -keysize 2048

After that I created a P12 file, using the server's CRT with openssl:

openssl pkcs12 -export -in server.crt -inkey server.key > server.p12

Now I imported the P12 file into my previously created JKS keystore:

keytool -importkeystore -srckeystore server.p12 -destkeystore mytest.jks -srcstoretype pkcs12

It works, I can use this JKS to initialize an SSL connection to the server:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.*;

public static SSLContext initSSLContext(String keystoreLocation, String keystorePwd, String truststorePwd, String serverCrtPwd) throws Exception {
    SSLContext context = SSLContext.getInstance("TLS");

    // Keystore holding the imported private key; serverCrtPwd is the password of that key entry
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(keystoreLocation), keystorePwd.toCharArray());
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, serverCrtPwd.toCharArray());

    // The same file is reused as the truststore
    KeyStore trustStore = KeyStore.getInstance("jks");
    trustStore.load(new FileInputStream(keystoreLocation), truststorePwd.toCharArray());
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(trustStore);

    context.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
    return context;
}

Putting the keystore location, the keystore password and the password for the imported CRT file in the parameters, it works.

Now I have to convert and import multiple P12 files into the same JKS keystore. Running the import part multiple times works: I have multiple keys imported with different alias names and, of course, with different passwords. My problem is that now every imported key has its own password. I would like to initialize the SSL connection only once with every available alias from the given keystore. Because more servers will send data to my application with SSL, they have different passwords; they are imported into my keystore, but I cannot initialize my keystore with multiple passwords, it accepts only one. How can I init my keystore with multiple imported P12 files with different aliases and different passwords? The init method accepts only one parameter for the "key recovery from keystore".

Thanks!

Answer

Recently I had the same challenge to achieve this. When searching for a solution I came across your question. Maybe I am 5 years too late, but after finding out the solution I wanted to share it with you.

So what I have discovered is that you have a couple of options:

  • All the keys should have the same password, or
  • Instantiate a separate SSLContext with its own KeyManager for each key, or

Obviously you already knew these options and you didn't want to do these actions. An alternative would be still having a keystore with different keys and passwords. Let's assume you have a keystore containing keys with the following aliases and passwords:

  • foo -> foo-password
  • bar -> bar-password
  • lorum-ipsum -> lorum-ipsum-password

The following setup would do the trick for you:

var sslContext = SSLContext.getInstance("TLS");
var keyStore = ... // your custom KeyStore

// one password per alias; the helper wraps each key in its own KeyManager
var keyManager = KeyManagerUtils.createKeyManager(keyStore, Map.of(
        "foo","foo-password".toCharArray(),
        "bar","bar-password".toCharArray(),
        "lorum-ipsum","lorum-ipsum-password".toCharArray()
));

// trustManagers: the TrustManager[] obtained from your TrustManagerFactory
sslContext.init(new KeyManager[]{keyManager}, trustManagers, null);

What this KeyManagerUtils is doing behind the scenes is creating a KeyManager for each key/password and merging them into a base KeyManager which has the ability to contain multiple KeyManagers, returning it as a single one so you can use it within your SSLContext. See here for the details and usage: Github - SSLContext-Kickstart
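To show the merging the answer describes, here is an added example that is not code from the answer or from the SSLContext-Kickstart project: a minimal composite X509ExtendedKeyManager that builds one delegate per alias, each initialised with that alias's own password, and consults the delegates in turn. The aliases and passwords are the constructed ones from the answer; the class name CompositeKeyManager and the fromKeyStore factory are assumptions.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.function.Function;
import javax.net.ssl.*;

// Composite key manager: one delegate X509ExtendedKeyManager per alias, each initialised with
// that alias's own password, so a single SSLContext can serve keys protected by different passwords.
public final class CompositeKeyManager extends X509ExtendedKeyManager {
    private final List<X509ExtendedKeyManager> delegates;
    private CompositeKeyManager(List<X509ExtendedKeyManager> delegates) { this.delegates = delegates; }

    // passwords maps alias -> key password, e.g. Map.of("foo", "foo-password".toCharArray(), ...)
    public static CompositeKeyManager fromKeyStore(KeyStore source, Map<String, char[]> passwords)
            throws GeneralSecurityException, IOException {
        List<X509ExtendedKeyManager> list = new ArrayList<>();
        for (Map.Entry<String, char[]> e : passwords.entrySet()) {
            // Copy the entry into a fresh in-memory keystore so the factory only ever sees one password.
            KeyStore single = KeyStore.getInstance("PKCS12");
            single.load(null, null);
            single.setKeyEntry(e.getKey(), source.getKey(e.getKey(), e.getValue()),
                    e.getValue(), source.getCertificateChain(e.getKey()));
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(single, e.getValue());
            for (KeyManager km : kmf.getKeyManagers()) {
                if (km instanceof X509ExtendedKeyManager) list.add((X509ExtendedKeyManager) km);
            }
        }
        return new CompositeKeyManager(list);
    }

    // First delegate that can answer wins; alias lookups and chooser calls use the same order.
    private <T> T first(Function<X509ExtendedKeyManager, T> f) {
        for (X509ExtendedKeyManager d : delegates) { T r = f.apply(d); if (r != null) return r; }
        return null;
    }
    private String[] all(Function<X509ExtendedKeyManager, String[]> f) {
        List<String> out = new ArrayList<>();
        for (X509ExtendedKeyManager d : delegates) { String[] a = f.apply(d); if (a != null) out.addAll(Arrays.asList(a)); }
        return out.isEmpty() ? null : out.toArray(new String[0]);
    }
    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return first(d -> d.chooseClientAlias(kt, iss, s)); }
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return first(d -> d.chooseServerAlias(kt, iss, s)); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return first(d -> d.chooseEngineClientAlias(kt, iss, e)); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return first(d -> d.chooseEngineServerAlias(kt, iss, e)); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return all(d -> d.getClientAliases(kt, iss)); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return all(d -> d.getServerAliases(kt, iss)); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return first(d -> d.getCertificateChain(alias)); }
    @Override public PrivateKey getPrivateKey(String alias) { return first(d -> d.getPrivateKey(alias)); }
}
```

Wire it in with sslContext.init(new KeyManager[]{CompositeKeyManager.fromKeyStore(keyStore, passwords)}, trustManagers, null). Map.of has no defined iteration order, so pass a LinkedHashMap when the order in which aliases are tried matters.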
