问题描述
java.security.KeyStore使用KeyStoreSpi实现来提供不同类型的密钥库。基本的OpenJDK附带了对JKS,JCEKS和PKCS12密钥库类型的支持。前两个实现了专有的Sun / Oracle格式,而PKCS12是公共标准。
我知道JCEKS支持对称密钥,而PKCS12不支持。哪些其他KeyStoreSpi实现(例如Bouncy Castle)提供对称密钥的支持?开发人员似乎希望隐藏此类信息。例如。有弹性的城堡docs仅提及:
第四个是BCFKS密钥库,它是FIPS兼容的密钥库 它也设计用于基于ASN.1的通用密钥存储。 此密钥存储类型已加密,并支持使用SCRYPT和 一些对称密钥类型的存储。
解决方法
您为什么认为PKCS#12密钥库通常不保存秘密密钥?我正在使用Desktop OpenJDK 11.x,并且在使用PKCS#12密钥库保存和重新加载秘密密钥时没有任何问题。
但是您是对的-在某些Java实现中,这是行不通的-试试看吧!
输出:
Keystore Type PKCS12
source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
create a keystore
load the keystore and store a secret key
key after generation length: 32 data: eb6b8efafcee46880ea75b83754442efe4ee9d66ce755698cc803fd7775e4e78
load secret key from keystore
key after loading length: 32 data: eb6b8efafcee46880ea75b83754442efe4ee9d66ce755698cc803fd7775e4e78
安全警告:该代码没有任何异常处理,仅用于教育目的。
代码:
import javax.crypto.KeyGenerator;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
public class KeystoreTypePKCS12 {
public static void main(String[] args) {
System.out.println("Keystore Type PKCS12");
// https://stackoverflow.com/questions/64677544/which-keystore-implementations-can-be-used-for-storing-symmetric-keys
System.out.println("source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12");
System.out.println("create a keystore");
try {
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(null,null);
keyStore.store(new FileOutputStream("keystore.p12"),"password".toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
System.out.println("load the keystore and store a secret key");
try {
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("keystore.p12"),"password".toCharArray());
// generate an aes secret key
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256);
Key key = keyGen.generateKey();
System.out.println("key after generation length: " + key.getEncoded().length
+ " data: " + bytesToHex(key.getEncoded()));
// store it in the keystore
keyStore.setKeyEntry("secret",key,"password".toCharArray(),null);
// save the keystore
keyStore.store(new FileOutputStream("keystore.p12"),"password".toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
System.out.println("load secret key from keystore");
try{
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("keystore.p12"),"password".toCharArray());
Key keyLoad = keyStore.getKey("secret","password".toCharArray());
System.out.println("key after loading length: " + keyLoad.getEncoded().length
+ " data: " + bytesToHex(keyLoad.getEncoded()));
} catch (Exception ex){
ex.printStackTrace();
}
}
private static String bytesToHex(byte[] bytes) {
StringBuffer result = new StringBuffer();
for (byte b : bytes) result.append(Integer.toString((b & 0xff) + 0x100,16).substring(1));
return result.toString();
}
}