1. 首頁
  2. 問答
  3. Java將密鑰保存到密鑰庫KeyStoreException

Java將密鑰保存到密鑰庫KeyStoreException

2017-05-09 161 views
1

我嘗試生成RSA CA密鑰對和證書並將其保存到密鑰庫。 我的代碼是:Java將密鑰保存到密鑰庫KeyStoreException

import java.io.FileOutputStream; 
import java.math.BigInteger; 
import java.security.KeyPair; 
import java.security.KeyPairGenerator; 
import java.security.KeyStore; 
import java.security.SecureRandom; 
import java.security.Security; 
import java.security.cert.X509Certificate; 
import java.util.Date; 

import org.bouncycastle.asn1.x500.X500Name; 
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; 
import org.bouncycastle.cert.X509CertificateHolder; 
import org.bouncycastle.cert.X509v3CertificateBuilder; 
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; 
import org.bouncycastle.jce.provider.BouncyCastleProvider; 
import org.bouncycastle.operator.ContentSigner; 
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; 

    private static final String storeType = "PKCS12"; 
     private static final String storePassword = "password"; 
     private static final String storePath = "/usr/lib/java/keystore.ks"; 
     private static final Date startDate = new Date(System.currentTimeMillis());           // time from which certificate is valid 
     private static final Date expiryDate = new Date(System.currentTimeMillis() + 2L * 365L * 24L * 60L * 60L * 1000L); // time after which certificate is not valid (2 years) 
     private static final BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis()); 
     private static X500Name issuer; 
     private static X500Name subject; 
     private static KeyPair pair; 

     public static void saveKeys() throws Exception{ 
      Security.addProvider(new BouncyCastleProvider()); 

      KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); 
      keyPairGen.initialize(2048, new SecureRandom()); 
      pair = keyPairGen.generateKeyPair(); 
      byte[] pub = pair.getPublic().getEncoded(); 
      byte[] priv = pair.getPrivate().getEncoded(); 
      SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfo.getInstance(pub); 

      issuer = new X500Name("CN=CA"); 
      subject = issuer; 

      X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        issuer,  //issuer (CA) 
        serialNumber, 
        startDate, expiryDate, 
        subject,  //subject 
        pubInfo); 

      //signature for sig 
      ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSA").build(pair.getPrivate()); 
      X509CertificateHolder certHolder = certBuilder.build(sigGen); 
      X509Certificate caCert = new JcaX509CertificateConverter().getCertificate(certHolder); 

      X509Certificate[] chain = new X509Certificate[3]; 
      chain[2] = caCert; 

      KeyStore store; 
      try { 
       store = KeyStore.getInstance(storeType); 
       store.load(null,null); 
      store.setKeyEntry("CA-Key", priv, chain); 
      store.store(new FileOutputStream("public.p12"), null); 

      } catch (Exception e) { 
       e.printStackTrace(); 
      }

然後我得到的錯誤:

java.security.KeyStoreException: Private key is not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: overrun, bytes = 1194 
    at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:687) 
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1174) 
    at storeKeys.saveKeys(storeKeys.java:95) 
    at storeKeys.main(storeKeys.java:146) 
Caused by: java.io.IOException: overrun, bytes = 1194

我怎樣才能加密私鑰正確的格式?我在哪裏可以給Keystore保存密鑰的路徑?

來源

2017-05-09 nolags

回答

2

如果您看到該方法的Java文檔,它說:

Assigns the given key (that has already been protected) to the given alias.

If the protected key is of type java.security.PrivateKey, it must be accompanied by a certificate chain certifying the corresponding public key. If the underlying keystore implementation is of type jks, key must be encoded as an EncryptedPrivateKeyInfo as defined in the PKCS #8 standard.

它說JKS,但看起來像它期待爲PKCS12加密的私有密鑰格式也。所以你不能只傳入私鑰字節數組。

爲了方便起見,你可以這樣做:

PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(pair.getPrivate(), chain); 
store.setEntry("CA-Key", privateKeyEntry, new KeyStore.PasswordProtection(storePassword.toCharArray()));

而在你keystore.store(..)方法,第一個參數是密鑰存儲路徑。第二個參數是密鑰庫的密碼。

所以你可以做這樣的事情:

store.store(new FileOutputStream(new File(storePath)), storePassword.toCharArray());

來源

2017-05-09 15:07:40

+0

讓我在java.security.KeyStore中的$ PrivateKeyEntry在線程異常 「主」 顯示java.lang.NullPointerException \t。 (KeyStore.java:532) \t at java.security.KeyStore $ PrivateKeyEntry。 (KeyStore.java:491) – nolags

+1

可能是因爲你的證書鏈。您只有1個自簽名證書,您將其存儲在'chain'變量中。但是您定義的大小是3,並將自簽名證書存儲在數組的第3個位置。所以前兩個是空的。嘗試將大小更改爲1,然後將自簽名證書放置在第零個位置並再次給它一個鏡頭。 –

+0

哦,愚蠢的錯誤。謝謝你的作品。 – nolags

相關問題

 相關問題