openssl der 文件导入 java 密钥库 [英] openssl der files importing into java keystore

问题描述

我用 openssl 创建了一个密钥对，并希望它们导入到 java-keystore 中:

I created a keypair with openssl and want them to import into the java-keystore:

1) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out my_privatekey.pem
2) openssl rsa -pubout -outform DER -in my_privatekey.pem -out mypublic_key.der
3) openssl pkcs8 -topk8 -nocrypt -outform DER -in my_privatekey.pem -out my_privatekey.der

首先，我创建一个私钥(.pem 格式)，然后创建一个公钥，最后我将私钥转换为可在 java (pkcs8) 中使用的格式.

First, I create a private-key (in .pem-Format), then I create a public key and at the end I convert the private key into a format that can be used in java (pkcs8).

现在，我想在我的 java 应用程序中以安全的方式使用这些密钥，所以我做了一些研究，解决方案似乎是使用 java-keystore.

Now, I want to use those keys in a secure way in my java application, so I did some research and the solution seems to be by using the java-keystore.

但是，如果我是对的，您无法将公钥直接存储到密钥库中，因为您必须先创建证书:

However, if I am correct, you are not able to store the public key directly into the keystore, because you must create a certificate first:

将您的证书转换为 DER 格式:

convert your certificate in a DER format :

openssl x509 -outform der -in certificate.pem -out certificate.der

导入密钥库

keytool -import -alias your-alias -keystore cacerts -file certificate.der

这让我现在提出我的问题.是否可以在没有证书的情况下将私钥和公钥导入密钥库?我不需要证书，因为我只想安全地存储我的密钥，因此它们受密码保护.

This brings me now to my question. Is it possible to import the private and public key into the keystore without a certificate? I don't need a certificate, as I only want to store my keys securely, so they are password-protected.

如果这是不可能的，那么您可以创建并签署您自己的证书.但是，证书可能会过期，所以一段时间后我必须总是更新它还是我错了?

If this is not possible, than you could create and sign your own certificate. However, a certificate can be expired, so after some time I have to always renew it or am I wrong?

我与第三方共享此公钥(他们需要此密钥来验证我用我的私钥签名的数据)，并且我还从他们那里获得了一个公钥，以加密一些数据.所以我需要在最后存储 2 个公钥(我的密钥和我收到的公钥).

I share this public key with a third-party (they need this key to verify the data which I signed with my private key) and I also get a public key from them, to encrypt some data. So I need to store 2 public keys at the end (my key and the public key which I receive).

我该怎么做?我是否需要创建 2 个证书作为 hack，以便能够将它们存储到 java-keystore 中?

How do I do that? Do I need to create 2 certificates as a hack, in order to be able to store them into the java-keystore?

推荐答案

旁白:对于密钥对，您不需要 genpkey 然后 pkcs8 -topk8 -nocrypt -outform der;genpkey ... -outform der (without -$cipher) 将创建 PKCS8-clear DER，JCE 直接支持的格式.就此而言，即使是 PKCS8-clear PEM 也可以通过剥离头部和尾部行并解码 base64 来轻松处理.对于 2010 年 1.0.0 之前的 OpenSSL 中所需的other 命令(genrsa；gendsa；ecparam -genkey)而言，情况并非如此，这也是您会发现很多关于这一切的错误建议的部分原因在全球范围内复制.

Aside: for just the keypair you don't need genpkey and then pkcs8 -topk8 -nocrypt -outform der; genpkey ... -outform der (without -$cipher) will create PKCS8-clear DER, the format JCE supports directly. For that matter even PKCS8-clear PEM can be handled easily enough by stripping the header and trailer lines and decoding the base64. This was not the case for the other commands needed in OpenSSL before 1.0.0 in 2010 (genrsa; gendsa; ecparam -genkey) which is part of the reason you will find lots of wrong advice about it all over the World Wide Copying.

java.security.KeyStore API 仅支持将 PrivateKey 值与证书链(可以是单个证书)一起存储.它还支持存储单独的证书(以验证来自其他人的签名或向其他人加密数据)而不是单独的公钥.所以是的，您必须创建(或以其他方式获取)证书.

通常的约定，如果您不想要真实证书的安全功能，则创建一个自签名"证书——遵循标准 X.509v3 格式并包含公钥，但由其自己的 密钥(特别是与证书中的公钥匹配的私钥)而不是任何 CA 的密钥签名.OpenSSL 可以通过多种方式做到这一点，例如通常推荐的

The usual convention, if you don't want the security features of real certificate(s), is to create a 'self-signed' certificate -- one which follows the standard X.509v3 format, and contains the publickey, but is signed by its own key (specifically, the privatekey matching the publickey in the cert) rather than any CA's key. OpenSSL can do this several ways, such as the commonly recommended

openssl genpkey ... -out priv.pem 
openssl req -new -key priv.pem -x509 ... -out cert.pem

或者您可以将密钥生成和证书创建与更简单的结合起来

or you can combine key generation and cert creation with the simpler

openssl req -newkey rsa:2048 -keyout priv.pem -nodes -x509 ... -out cert.pem
# this doesn't support all the options of genpkey 
# but it does support the simple case you are using

也可以拆分req"和sign"步骤:

It is also possible to split the 'req' and 'sign' steps:

openssl genpkey ... -out priv.pem
openssl req -new -key priv.pem ... -out csr.pem
openssl x509 -req -in csr.pem -signkey priv.pem ... -out cert.pem
# or
openssl req -newkey rsa:2048 -keyout priv.pem ... -out csr.pem
openssl x509 -req -in csr.pem -signkey priv.pem ... -out cert.pem

然后，您可以编写(简单的)代码来读入私钥和证书并创建一个 KeyStore 条目——如果您愿意(您可能会这样做)并坚持下去.但是 keytool 不能直接做到这一点.您可以改为使用 openssl pkcs12 -export 将两个 OpenSSL 文件合并为一个 PKCS12 文件，该文件是密码加密的，可直接用作当前支持的 Java 中的密钥库.对于非常老的 Java，您可能需要使用 keytool -importkeystore -srcstoretype PKCS12 [-deststoretype JKS] ... 将 PKCS12 文件转换为 JKS 文件，另一条建议会被广泛复制.

You can then write (simple) code to read in the privatekey and certificate and create a KeyStore entry -- and persist if you wish (which you presumably do). However keytool cannot do this directly. You can instead use openssl pkcs12 -export to combine the two OpenSSL files into a single PKCS12 file, which is password-encrypted and is usable directly as a keystore in currently supported Java. For really old Java you may need to convert the PKCS12 file to a JKS file using keytool -importkeystore -srcstoretype PKCS12 [-deststoretype JKS] ..., another piece of advice you will find widely copied.

或者，除非您需要 OpenSSL 文件用于其他用途，keytool 可以立即完成整个工作；只需根据需要执行 keytool -genkeypair -keyalg rsa -keysize 2048 -keystore $file 加上其他选项，如 -validity 和 -dname将为它生成密钥对和一个自签名证书，并将带有自签名证书的私钥存储在受密码保护的密钥库文件中.(通过 j8 默认为 JKS，但您可以指定其他方式；j9+ 默认为 PKCS12.)

Alternatively, unless you need the OpenSSL files for something else, keytool can do the whole job at once; just do keytool -genkeypair -keyalg rsa -keysize 2048 -keystore $file plus other options like -validity and -dname as desired, and it will generate the keypair and a self-signed cert for it and store the privatekey with the self-signed cert in a password-protected keystore file. (Through j8 defaults to JKS but you can specify otherwise; j9+ defaults to PKCS12.)

但是，证书可能会过期，所以一段时间后我必须总是更新它还是我错了?

However, a certificate can be expired, so after some time I have to always renew it or am I wrong?

一段时间后，是的，但那个时间可能是几千年.我怀疑到那时您和第三方都将不复存在，而且 Java 可能不再存在，因此 Java API 强加的要求将不再重要.请注意，在 32 位系统上的旧版本 OpenSSL - 今天很少见，组合很少见 - 有时会受到Y2038"问题的影响，现在只有 18 年了 - 很多em> 今天使用的系统到那时可能会过时，但不是全部.Java 使用自己的时间戳格式，从来没有出现过这个问题.

After some time, yes, but that time can be several thousand years. I suspect that both you and the third-party will be defunct by then, plus probably Java will no longer exist so the requirements imposed by Java APIs will no longer matter. Note that older versions of OpenSSL on 32-bit systems -- each rare today and the combination rarer -- sometimes were affected by the "Y2038" issue, and that is now only 18 years in the future -- many systems in use today will probably be obsolete by then, but not all. Java uses its own timestamp format and never had this problem.

CA 颁发的证书通常具有更短的生命周期，很少超过 1-2 年，有时甚至更少(例如，LetsEncrypt 为 90 天)，但这不是证书固有的规范和代码.

CA-issued certificates usually have much shorter lifetimes, rarely more than 1-2 years and sometimes much less (as a notable example, 90 days for LetsEncrypt), but that's not inherent in the certificate spec and code.

我是否需要创建 2 个证书作为 hack，以便能够将它们存储到 java-keystore 中?

Do I need to create 2 certificates as a hack, in order to be able to store them into the java-keystore?

是的.确切地说，您当然需要为您自己的密钥创建一个(虚拟)证书.对于对方的密钥，如果他们创建(虚拟)证书会更容易.您无法为他们创建自签名证书，因为您没有他们的私钥——或者至少您不应该拥有.您可以创建一个稍微复杂一些的结构，您可以在其中创建一个虚拟 CA 并使用它为他们签署证书，然后您可以导入和使用该证书.如果需要，我会扩展，但这正如我所说的更复杂，而许多常用工具都设置为允许他们非常轻松地完成.

Yes. To be exact, you certainly need to create a (dummy) cert for you own key. For the other party's key, it's easier if they create the (dummy) cert. You can't create a self-signed cert for them because you don't have their privatekey -- or at least you shouldn't. You can create a slightly more complicated structure where you create a dummy CA and use it to sign a cert for them, which you then import and use. I will expand if needed, but this is as I said more complicated, whereas many common tools are set up to allow them to do it very easily.

这篇关于openssl der 文件导入 java 密钥库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！