Saving certificate chain in a pkcs12 keystore(将证书链保存在 pkcs12 密钥库中)
本文介绍了将证书链保存在 pkcs12 密钥库中的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
The following code:
//used Bouncy Castle provider for keyStore
keyStore.setKeyEntry(alias, (Key)keyPair.getPrivate(), pwd, certChain);
where certChain holds the end certificate and the issuer certificate (i.e. two certificates),
doesn't save the issuer certificate as part of the chain in the saved to the file system keystore file if the keyStore is an instance of PKCS12.
It does save both certificates if the keystore type is PKCS12-3DES-3DES.
Why is this? Doesn't a PKCS12 suppose to have both certificates are part of the chain?
EDIT: Here's an SSCCE. This works fine with "JKS", fails with "PKCS12": Only the first certificate in the chain is accessible via getCertificateChain(String). The saved file can be opened with openssl pkcs12 revealing both certificates.
public void testKeyStore() {
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
PublicKey publicKey = keyPair.getPublic();
PrivateKey privateKey = keyPair.getPrivate();
Certificate[] outChain = { createCertificate("CN=CA", publicKey, privateKey), createCertificate("CN=Client", publicKey, privateKey) };
KeyStore outStore = KeyStore.getInstance("PKCS12");
outStore.load(null, "secret".toCharArray());
outStore.setKeyEntry("mykey", privateKey, "secret".toCharArray(), outChain);
OutputStream outputStream = new FileOutputStream("c:/outstore.pkcs12");
outStore.store(outputStream, "secret".toCharArray());
outputStream.flush();
outputStream.close();
KeyStore inStore = KeyStore.getInstance("PKCS12");
inStore.load(new FileInputStream("c:/outstore.pkcs12"), "secret".toCharArray());
Key key = outStore.getKey("myKey", "secret".toCharArray());
assertEquals(privateKey, key);
Certificate[] inChain = outStore.getCertificateChain("mykey");
assertNotNull(inChain);
assertEquals(outChain.length, inChain.length);
} catch (Exception e) {
e.printStackTrace();
fail(e.getMessage());
}
}
private static X509Certificate createCertificate(String dn, PublicKey publicKey, PrivateKey privateKey) throws Exception {
X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
certGenerator.setSerialNumber(new BigInteger("1"));
certGenerator.setIssuerDN(new X509Name(dn));
certGenerator.setSubjectDN(new X509Name(dn));
certGenerator.setNotBefore(Calendar.getInstance().getTime());
certGenerator.setNotAfter(Calendar.getInstance().getTime());
certGenerator.setPublicKey(publicKey);
certGenerator.setSignatureAlgorithm("SHA1withRSA");
X509Certificate certificate = (X509Certificate)certGenerator.generate(privateKey, "BC");
return certificate;
}
解决方案
Your code has 2 error:
first: You not set Issuer for certificate (client cert should be issued by CA to make valid chain).
second: You use wrong order when create certificate chain (should be client certs, CA last)
here is reworked SSCCE, and it works without errors.
@Test
public void testKeyStore() throws Exception{
try {
String storeName = "/home/grigory/outstore.pkcs12";
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
PublicKey publicKey = keyPair.getPublic();
PrivateKey privateKey = keyPair.getPrivate();
Certificate trustCert = createCertificate("CN=CA", "CN=CA", publicKey, privateKey);
Certificate[] outChain = { createCertificate("CN=Client", "CN=CA", publicKey, privateKey), trustCert };
KeyStore outStore = KeyStore.getInstance("PKCS12");
outStore.load(null, "secret".toCharArray());
outStore.setKeyEntry("mykey", privateKey, "secret".toCharArray(), outChain);
OutputStream outputStream = new FileOutputStream(storeName);
outStore.store(outputStream, "secret".toCharArray());
outputStream.flush();
outputStream.close();
KeyStore inStore = KeyStore.getInstance("PKCS12");
inStore.load(new FileInputStream(storeName), "secret".toCharArray());
Key key = outStore.getKey("myKey", "secret".toCharArray());
Assert.assertEquals(privateKey, key);
Certificate[] inChain = outStore.getCertificateChain("mykey");
Assert.assertNotNull(inChain);
Assert.assertEquals(outChain.length, inChain.length);
} catch (Exception e) {
e.printStackTrace();
throw new AssertionError(e.getMessage());
}
}
private static X509Certificate createCertificate(String dn, String issuer, PublicKey publicKey, PrivateKey privateKey) throws Exception {
X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
certGenerator.setSerialNumber(BigInteger.valueOf(Math.abs(new Random().nextLong())));
certGenerator.setSubjectDN(new X509Name(dn));
certGenerator.setIssuerDN(new X509Name(issuer)); // Set issuer!
certGenerator.setNotBefore(Calendar.getInstance().getTime());
certGenerator.setNotAfter(Calendar.getInstance().getTime());
certGenerator.setPublicKey(publicKey);
certGenerator.setSignatureAlgorithm("SHA1withRSA");
X509Certificate certificate = (X509Certificate)certGenerator.generate(privateKey, "BC");
return certificate;
}
这篇关于将证书链保存在 pkcs12 密钥库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
织梦狗教程
本文标题为:将证书链保存在 pkcs12 密钥库中
基础教程推荐
猜你喜欢
- Spring AOP错误无法懒惰地为此建议构建thisJoinPoin 2022-09-13
- RabbitMQ:消息保持“未确认"; 2022-01-01
- Struts2 URL 无法访问 2022-01-01
- 如何对 Java Hashmap 中的值求和 2022-01-01
- 无法复制:“比较方法违反了它的一般约定!" 2022-01-01
- 修改 void 函数的输入参数,然后读取 2022-01-01
- 存储 20 位数字的数据类型 2022-01-01
- REST Web 服务返回 415 - 不支持的媒体类型 2022-01-01
- 使用堆栈算法进行括号/括号匹配 2022-01-01
- 问题http://apache.org/xml/features/xinclude测试日志4j 2 2022-01-01
