您的位置: 首页  >  技术问答  >  Java将密钥保存到密钥库KeyStoreException

Java将密钥保存到密钥库KeyStoreException

分类: 技术问答 2022-08-29 20:35:06
问题描述:

我尝试生成RSA CA密钥对和证书并将其保存到密钥库。 我的代码是:Java将密钥保存到密钥库KeyStoreException

import java.io.FileOutputStream; 
import java.math.BigInteger; 
import java.security.KeyPair; 
import java.security.KeyPairGenerator; 
import java.security.KeyStore; 
import java.security.SecureRandom; 
import java.security.Security; 
import java.security.cert.X509Certificate; 
import java.util.Date; 

import org.bouncycastle.asn1.x500.X500Name; 
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; 
import org.bouncycastle.cert.X509CertificateHolder; 
import org.bouncycastle.cert.X509v3CertificateBuilder; 
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; 
import org.bouncycastle.jce.provider.BouncyCastleProvider; 
import org.bouncycastle.operator.ContentSigner; 
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; 

    private static final String storeType = "PKCS12"; 
     private static final String storePassword = "password"; 
     private static final String storePath = "/usr/lib/java/keystore.ks"; 
     private static final Date startDate = new Date(System.currentTimeMillis());           // time from which certificate is valid 
     private static final Date expiryDate = new Date(System.currentTimeMillis() + 2L * 365L * 24L * 60L * 60L * 1000L); // time after which certificate is not valid (2 years) 
     private static final BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis()); 
     private static X500Name issuer; 
     private static X500Name subject; 
     private static KeyPair pair; 

     public static void saveKeys() throws Exception{ 
      Security.addProvider(new BouncyCastleProvider()); 

      KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); 
      keyPairGen.initialize(2048, new SecureRandom()); 
      pair = keyPairGen.generateKeyPair(); 
      byte[] pub = pair.getPublic().getEncoded(); 
      byte[] priv = pair.getPrivate().getEncoded(); 
      SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfo.getInstance(pub); 

      issuer = new X500Name("CN=CA"); 
      subject = issuer; 

      X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        issuer,  //issuer (CA) 
        serialNumber, 
        startDate, expiryDate, 
        subject,  //subject 
        pubInfo); 

      //signature for sig 
      ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSA").build(pair.getPrivate()); 
      X509CertificateHolder certHolder = certBuilder.build(sigGen); 
      X509Certificate caCert = new JcaX509CertificateConverter().getCertificate(certHolder); 

      X509Certificate[] chain = new X509Certificate[3]; 
      chain[2] = caCert; 

      KeyStore store; 
      try { 
       store = KeyStore.getInstance(storeType); 
       store.load(null,null); 
      store.setKeyEntry("CA-Key", priv, chain); 
      store.store(new FileOutputStream("public.p12"), null); 

      } catch (Exception e) { 
       e.printStackTrace(); 
      }

然后我得到的错误:

java.security.KeyStoreException: Private key is not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: overrun, bytes = 1194 
    at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:687) 
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1174) 
    at storeKeys.saveKeys(storeKeys.java:95) 
    at storeKeys.main(storeKeys.java:146) 
Caused by: java.io.IOException: overrun, bytes = 1194

我怎样才能加密私钥正确的格式?我在哪里可以给Keystore保存密钥的路径?

如果您看到该方法的Java文档,它说:

Assigns the given key (that has already been protected) to the given alias.

If the protected key is of type java.security.PrivateKey, it must be accompanied by a certificate chain certifying the corresponding public key. If the underlying keystore implementation is of type jks, key must be encoded as an EncryptedPrivateKeyInfo as defined in the PKCS #8 standard.

它说JKS,但看起来像它期待为PKCS12加密的私有密钥格式也。所以你不能只传入私钥字节数组。

为了方便起见,你可以这样做:

PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(pair.getPrivate(), chain); 
store.setEntry("CA-Key", privateKeyEntry, new KeyStore.PasswordProtection(storePassword.toCharArray()));

而在你keystore.store(..)方法,第一个参数是密钥存储路径。第二个参数是密钥库的密码。

所以你可以做这样的事情:

store.store(new FileOutputStream(new File(storePath)), storePassword.toCharArray());
+0

让我在java.security.KeyStore中的$ PrivateKeyEntry在线程异常 “主” 显示java.lang.NullPointerException \t。 (KeyStore.java:532) \t at java.security.KeyStore $ PrivateKeyEntry。 (KeyStore.java:491) – nolags

+1

可能是因为你的证书链。您只有1个自签名证书,您将其存储在'chain'变量中。但是您定义的大小是3,并将自签名证书存储在数组的第3个位置。所以前两个是空的。尝试将大小更改为1,然后将自签名证书放置在第零个位置并再次给它一个镜头。 –

+0

哦,愚蠢的错误。谢谢你的作品。 – nolags

相关推荐