JKS、BKS、PFX證書格式之間轉換

常用的證書密鑰庫格式: 
JKS和JCEKS是Java密鑰庫(KeyStore)的兩種比較常見的類型:JKS的Provider是SUN,在每個版本的JDK中都有;JCEKS的Provider是SUNJCE,JDK 1.4之後都能夠直接使用它。
JCEKS
在安全級別上要比JKS強,使用的Provider是JCEKS(推薦),尤其在保護KeyStore中的私鑰上(使用TripleDES) 
PFX
(PKCS#12)是公鑰加密標準,它規定了一種可同時包含私鑰、公鑰和證書的格式。其以二進制格式存儲,在Windows中可以直接導入到密鑰區。注意:PKCS#12的密鑰庫保護密碼同時也用於保護Key。
BKS
來自BouncyCastleProvider,它同樣使用TripleDES來保護密鑰庫中的Key,並且能夠防止證書庫被不小心修改(Keystore的key entry哪怕改動1個bit都會產生錯誤);BKS能夠跟JKS互操作。
UBER 
比較特別,當密碼是通過命令行提供的時候,它只能跟keytool交互。整個keystore是通過PBE/SHA1/Twofish加密,因此keystore能夠防止被誤改、察看以及校驗。SunJDK允許你在不提供密碼的情況下直接加載一個Keystore,類似cacerts,UBER不允許這種情況。
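/**
 * Converts a PFX (PKCS#12) key store into a JKS (Java Key Store) file.
 *
 * <p>Every key entry of the PFX store is copied, together with its certificate
 * chain, into a fresh JKS store which is then written to {@code jksFilePath}.
 * Entries that are not key entries (trusted certificates) are not copied.
 * Failures are printed to stderr and the method returns normally, so callers
 * cannot tell success from failure by the return; verify that the output file
 * exists and loads before relying on it.
 *
 * @param pfxPassword password of the PFX store, also used to recover its keys;
 *                    {@code null} means "no password"
 * @param pfxFilePath path of the PFX file to read
 * @param jksPassword password of the new JKS store; it also protects each copied
 *                    key entry, so {@code getKey(alias, jksPassword)} works on the
 *                    result (the original protected keys with the PFX password)
 * @param jksFilePath path of the JKS file to write
 */
public static void covertPFXtoJKS(String pfxPassword, String pfxFilePath, String jksPassword,
        String jksFilePath) {
    char[] inPassword = pfxPassword == null ? null : pfxPassword.toCharArray();
    char[] outPassword = jksPassword == null ? null : jksPassword.toCharArray();
    FileInputStream fis = null;
    FileOutputStream out = null;
    try {
        // Load the PFX (PKCS#12) store from disk.
        KeyStore inputKeyStore = KeyStore.getInstance("PKCS12");
        fis = new FileInputStream(pfxFilePath);
        inputKeyStore.load(fis, inPassword);

        // Start from an empty in-memory JKS store.
        KeyStore outputKeyStore = KeyStore.getInstance("JKS");
        outputKeyStore.load(null, outPassword);

        Enumeration<String> aliases = inputKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyAlias = aliases.nextElement();
            if (!inputKeyStore.isKeyEntry(keyAlias)) {
                continue; // trusted-certificate entries carry no key to copy
            }
            Key key = inputKeyStore.getKey(keyAlias, inPassword);
            java.security.cert.Certificate[] certChain =
                    inputKeyStore.getCertificateChain(keyAlias);
            // Protect the copied key with the JKS password rather than the PFX one:
            // keytool and most loaders expect a JKS key password to match the store password.
            outputKeyStore.setKeyEntry(keyAlias, key, outPassword, certChain);
        }

        out = new FileOutputStream(jksFilePath);
        outputKeyStore.store(out, outPassword);
    } catch (Exception e) {
        // Kept from the original contract: failures are reported, not thrown.
        e.printStackTrace();
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
        }
        if (out != null) {
            try {
                out.close();
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
        }
        // Do not leave password copies in the heap longer than necessary.
        if (inPassword != null) {
            java.util.Arrays.fill(inPassword, '\0');
        }
        if (outPassword != null) {
            java.util.Arrays.fill(outPassword, '\0');
        }
    }
}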


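/**
 * Splits a JKS key store into one PKCS#12 (.pfx) file per key entry.
 *
 * <p>For each key entry of the source store a new PKCS#12 store holding only that
 * entry (key plus certificate chain) is written to
 * {@code pfxFolderPath + "_" + alias + ".pfx"}. Entries that are not key entries
 * (trusted certificates) are skipped; the original wrote an empty .pfx for them.
 * The alias is used verbatim in the file name, so an alias containing a path
 * separator changes the directory the file lands in.
 *
 * @param jksFilePath   path of the JKS file to read
 * @param jksPasswd     JKS store password, also used to recover the keys;
 *                      {@code null} means "no password"
 * @param pfxFolderPath prefix of the generated file names (despite the name it is
 *                      not a directory: {@code "_" + alias + ".pfx"} is appended)
 * @param pfxPasswd     password of every generated PKCS#12 store and of its key
 * @throws java.io.IOException                    if the source cannot be read or a
 *                                                .pfx file cannot be written
 * @throws java.security.GeneralSecurityException if the store cannot be loaded or a
 *                                                key cannot be recovered
 */
public void covertJSKToPFX(String jksFilePath, String jksPasswd, String pfxFolderPath,
        String pfxPasswd) throws java.io.IOException, java.security.GeneralSecurityException {
    char[] srcPwd = jksPasswd == null ? null : jksPasswd.toCharArray();
    char[] destPwd = pfxPasswd == null ? null : pfxPasswd.toCharArray();
    FileInputStream fis = null;
    try {
        KeyStore inputKeyStore = KeyStore.getInstance("JKS");
        fis = new FileInputStream(jksFilePath);
        inputKeyStore.load(fis, srcPwd);

        KeyStore outputKeyStore = KeyStore.getInstance("PKCS12");
        Enumeration<String> aliases = inputKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyAlias = aliases.nextElement();
            System.out.println("alias=[" + keyAlias + "]");
            if (!inputKeyStore.isKeyEntry(keyAlias)) {
                continue; // no key to export for a trusted-certificate entry
            }
            Key key = inputKeyStore.getKey(keyAlias, srcPwd);
            java.security.cert.Certificate[] certChain =
                    inputKeyStore.getCertificateChain(keyAlias);

            // load(null, ...) resets the in-memory store, so each file holds exactly one entry.
            outputKeyStore.load(null, destPwd);
            outputKeyStore.setKeyEntry(keyAlias, key, destPwd, certChain);

            String fName = pfxFolderPath + "_" + keyAlias + ".pfx";
            FileOutputStream out = new FileOutputStream(fName);
            try {
                outputKeyStore.store(out, destPwd);
            } finally {
                out.close(); // the original leaked the stream when store() failed
            }
        }
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
        }
        // Do not leave password copies in the heap longer than necessary.
        if (srcPwd != null) {
            java.util.Arrays.fill(srcPwd, '\0');
        }
        if (destPwd != null) {
            java.util.Arrays.fill(destPwd, '\0');
        }
    }
}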


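/**
 * Splits a BKS (Bouncy Castle) key store into one PKCS#12 (.pfx) file per key entry.
 *
 * <p>Same procedure as the JKS variant, except that the source store is opened with
 * the Bouncy Castle provider. For each key entry a PKCS#12 store holding only that
 * entry (key plus certificate chain) is written to
 * {@code pfxFolderPath + "_" + alias + ".pfx"}. Entries that are not key entries are
 * skipped; the original wrote an empty .pfx for them. The alias is used verbatim in
 * the file name, so an alias containing a path separator changes the directory the
 * file lands in.
 *
 * @param jksFilePath   path of the BKS file to read (the parameter name is historical)
 * @param jksPasswd     BKS store password, also used to recover the keys;
 *                      {@code null} means "no password"
 * @param pfxFolderPath prefix of the generated file names (despite the name it is
 *                      not a directory: {@code "_" + alias + ".pfx"} is appended)
 * @param pfxPasswd     password of every generated PKCS#12 store and of its key
 * @throws java.io.IOException                    if the source cannot be read or a
 *                                                .pfx file cannot be written
 * @throws java.security.GeneralSecurityException if the store cannot be loaded or a
 *                                                key cannot be recovered
 */
public void covertBKSToPFX(String jksFilePath, String jksPasswd, String pfxFolderPath,
        String pfxPasswd) throws java.io.IOException, java.security.GeneralSecurityException {
    org.bouncycastle.jce.provider.BouncyCastleProvider bc =
            new org.bouncycastle.jce.provider.BouncyCastleProvider();
    char[] srcPwd = jksPasswd == null ? null : jksPasswd.toCharArray();
    char[] destPwd = pfxPasswd == null ? null : pfxPasswd.toCharArray();
    FileInputStream fis = null;
    try {
        KeyStore inputKeyStore = KeyStore.getInstance("BKS", bc);
        // Registered globally as in the original; addProvider ignores an already-installed provider.
        Security.addProvider(bc);
        fis = new FileInputStream(jksFilePath);
        inputKeyStore.load(fis, srcPwd);

        KeyStore outputKeyStore = KeyStore.getInstance("PKCS12");
        Enumeration<String> aliases = inputKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyAlias = aliases.nextElement();
            System.out.println("alias=[" + keyAlias + "]");
            if (!inputKeyStore.isKeyEntry(keyAlias)) {
                continue; // no key to export for a trusted-certificate entry
            }
            Key key = inputKeyStore.getKey(keyAlias, srcPwd);
            java.security.cert.Certificate[] certChain =
                    inputKeyStore.getCertificateChain(keyAlias);

            // load(null, ...) resets the in-memory store, so each file holds exactly one entry.
            outputKeyStore.load(null, destPwd);
            outputKeyStore.setKeyEntry(keyAlias, key, destPwd, certChain);

            String fName = pfxFolderPath + "_" + keyAlias + ".pfx";
            FileOutputStream out = new FileOutputStream(fName);
            try {
                outputKeyStore.store(out, destPwd);
            } finally {
                out.close(); // the original leaked the stream when store() failed
            }
        }
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
        }
        // Do not leave password copies in the heap longer than necessary.
        if (srcPwd != null) {
            java.util.Arrays.fill(srcPwd, '\0');
        }
        if (destPwd != null) {
            java.util.Arrays.fill(destPwd, '\0');
        }
    }
}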


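/**
 * Prints the attributes of every X.509 certificate held in a key store.
 *
 * <p>The store is opened with whatever provider serves {@code algName} (for example
 * {@code "JKS"} or {@code "PKCS12"}); entries whose certificate is not an
 * {@link X509Certificate} are skipped. Failures (unreadable file, wrong password,
 * unknown store type) are printed to stderr and the method returns normally.
 *
 * @param jksFilePath path of the key store file
 * @param jksPasswd   store password; {@code null} means "no password"
 * @param algName     key store type passed to {@link KeyStore#getInstance(String)}
 */
public static void listAllCerts(String jksFilePath, String jksPasswd, String algName) {
    char[] srcPwd = jksPasswd == null ? null : jksPasswd.toCharArray();
    FileInputStream in = null;
    try {
        KeyStore ks = KeyStore.getInstance(algName);
        in = new FileInputStream(jksFilePath);
        ks.load(in, srcPwd);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            System.out.println("**************************************");
            System.out.println("版本號:" + x509.getVersion());
            System.out.println("序列號:" + x509.getSerialNumber().toString(16));
            // getSubjectDN/getIssuerDN keep the printed form unchanged; the non-denigrated
            // APIs are getSubjectX500Principal()/getIssuerX500Principal().
            System.out.println("主體名:" + x509.getSubjectDN());
            System.out.println("簽發者:" + x509.getIssuerDN());
            // A validity period has two bounds; the original printed only notBefore.
            System.out.println("有效期:" + x509.getNotBefore() + " ~ " + x509.getNotAfter());
            System.out.println("簽名算法:" + x509.getSigAlgName());
            System.out.println("輸出證書信息:\n" + x509.toString());
            System.out.println("**************************************");
        }
    } catch (Exception e) {
        // Kept from the original contract: problems are reported, not thrown.
        e.printStackTrace();
    } finally {
        if (in != null) {
            try {
                in.close(); // the original never closed the stream
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
        }
        if (srcPwd != null) {
            java.util.Arrays.fill(srcPwd, '\0');
        }
    }
}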


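/**
 * Prints the attributes of every X.509 certificate held in a Bouncy Castle key store.
 *
 * <p>Identical to {@code listAllCerts} except that the store is opened through the
 * Bouncy Castle provider, which is also registered globally (as in the original;
 * {@code Security.addProvider} ignores a provider that is already installed).
 * Entries whose certificate is not an {@link X509Certificate} are skipped. Failures
 * are printed to stderr and the method returns normally.
 *
 * @param jksFilePath path of the key store file (typically a BKS file)
 * @param jksPasswd   store password; {@code null} means "no password"
 * @param algName     key store type requested from the Bouncy Castle provider,
 *                    e.g. {@code "BKS"}
 */
public static void listAllCertsBks(String jksFilePath, String jksPasswd, String algName) {
    char[] srcPwd = jksPasswd == null ? null : jksPasswd.toCharArray();
    FileInputStream in = null;
    try {
        org.bouncycastle.jce.provider.BouncyCastleProvider bc =
                new org.bouncycastle.jce.provider.BouncyCastleProvider();
        KeyStore ks = KeyStore.getInstance(algName, bc);
        Security.addProvider(bc);
        in = new FileInputStream(jksFilePath);
        ks.load(in, srcPwd);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            System.out.println("**************************************");
            System.out.println("版本號:" + x509.getVersion());
            System.out.println("序列號:" + x509.getSerialNumber().toString(16));
            // getSubjectDN/getIssuerDN keep the printed form unchanged; the non-denigrated
            // APIs are getSubjectX500Principal()/getIssuerX500Principal().
            System.out.println("主體名:" + x509.getSubjectDN());
            System.out.println("簽發者:" + x509.getIssuerDN());
            // A validity period has two bounds; the original printed only notBefore.
            System.out.println("有效期:" + x509.getNotBefore() + " ~ " + x509.getNotAfter());
            System.out.println("簽名算法:" + x509.getSigAlgName());
            System.out.println("輸出證書信息:\n" + x509.toString());
            System.out.println("**************************************");
        }
    } catch (Exception e) {
        // Kept from the original contract: problems are reported, not thrown.
        e.printStackTrace();
    } finally {
        if (in != null) {
            try {
                in.close(); // the original never closed the stream
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
        }
        if (srcPwd != null) {
            java.util.Arrays.fill(srcPwd, '\0');
        }
    }
}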


原文鏈接地址: https://www.chinassl.net/faq/n511.html

