JDK Keytool 使用及理解

windows系统的根证书放置在注册表中:KEY_LOCAL_MACHINE-SOFTWARE-Microsoft-SystemCertificate-ROOT-Certificate

 

 java信任的根证书放置位置在:

 D:\Program Files\Java\jdk1.6.0_24\jre\lib\security\cacerts

 在此目录下用 keytool -list -keystore cacerts 显示所有证书,默认密码changeit

 

 导入操作系统的证书可以通过IE将操作系统中的root证书导出成.cer格式的文件,再通过keytool工具导入JDK的证书库:

 keytool -import -file oracle.cer -alias oracle

Enter keystore password:

...

 

 导入后通过证书指纹来验证下库中的证书:

 D:\Program Files\Java\jdk1.6.0_24\jre\lib\security>keytool -list -keystore cacerts|findstr DB:23

Enter keystore password:  changeit

Certificate fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83

 

keytool可以直接在命令行输出.cer证书的内容:

 keytool -printcert -file "oracle.cer"

 

keystore中有几种Entry,其

KeyStore.Entry

|-KeyStore.PrivateKeyEntry

|-KeyStore.TrustedCertificateEntry

|-KeyStore.SecretKeyEntry

 

PrivateKeyEntry保存私钥和对应的证书链。其实就是非对称算法的公钥和私钥。

TrustedCertificateEntry保存受信任的证书。

SecretKeyEntry保存一个SecretKey,其保存的是一个对称算法的密钥。

 

KeyStore有几种类型,常用的就是JKS,JCEKS。 JKS是keystore的默认类型,但这个类型只能存储公私钥和证书,如果还需要存储secret key,只能用JCEKS:

keytool -genseckey -alias seckey -keyalg DES -storetype jceks

查询时也要强制指定类型,因为默认类型是JKS:

keytool -list -storetype JCEKS

生成公钥对:

keytool -genkeypair -alias pubKey -keyalg "RSA" -storetype JCEKS

 

 Keytool 生成keypair的源码如下,如果自己想直接定制一个可以直接参考:

private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out)
               throws Exception {
   
   
           Certificate signerCert = keyStore.getCertificate(alias);
           byte[] encoded = signerCert.getEncoded();
           X509CertImpl signerCertImpl = new X509CertImpl(encoded);
           X509CertInfo signerCertInfo =
				(X509CertInfo)signerCertImpl.get(
                X509CertImpl.NAME + "." + X509CertImpl.INFO);
           X500Name issuer =
				(X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
           
			CertificateSubjectName.DN_NAME);
   
           Date firstDate = getStartDate(startDate);
           Date lastDate = new Date();
           lastDate.setTime(firstDate.getTime() +
				validity*1000L*24L*60L*60L);
           CertificateValidity interval = new
				CertificateValidity(firstDate,
               
				lastDate);
   
           PrivateKey privateKey =
                   (PrivateKey)recoverKey(alias, storePass,
					keyPass).fst;
           if (sigAlgName == null) {
               sigAlgName =
				getCompatibleSigAlgName(privateKey.getAlgorithm());
           }
           Signature signature = Signature.getInstance(sigAlgName);
           signature.initSign(privateKey);
   
           X509CertInfo info = new X509CertInfo();
           info.set(X509CertInfo.VALIDITY, interval);
           info.set(X509CertInfo.SERIAL_NUMBER, new
				CertificateSerialNumber(
                       new java.util.Random().nextInt() & 0x7fffffff));
           info.set(X509CertInfo.VERSION,
                       new CertificateVersion(CertificateVersion.V3));
           info.set(X509CertInfo.ALGORITHM_ID,
                       new CertificateAlgorithmId(
                           AlgorithmId.getAlgorithmId(sigAlgName)));
           info.set(X509CertInfo.ISSUER, new
				CertificateIssuerName(issuer));
   
           BufferedReader reader = new BufferedReader(new
				InputStreamReader(in));
           boolean canRead = false;
           StringBuffer sb = new StringBuffer();
           while (true) {
               String s = reader.readLine();
               if (s == null) break;
               // OpenSSL does not use NEW
               //if (s.startsWith("-----BEGIN NEW CERTIFICATE

					REQUEST-----")) {
               if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST")
					>= 0) {
                   canRead = true;
               //} else if (s.startsWith("-----END NEW CERTIFICATE
					REQUEST-----")) {
               } else if (s.startsWith("-----END") &&
					s.indexOf("REQUEST") >= 0) {
                   break;
               } else if (canRead) {
                   sb.append(s);
               }
           }
           byte[] rawReq = new BASE64Decoder().decodeBuffer(new
				String(sb));
           PKCS10 req = new PKCS10(rawReq);
   
           info.set(X509CertInfo.KEY, new
				CertificateX509Key(req.getSubjectPublicKeyInfo()));
           info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
                   dname==null?req.getSubjectName():new
					X500Name(dname)));
           CertificateExtensions reqex = null;
           Iterator<PKCS10Attribute> attrs =
				req.getAttributes().getAttributes().iterator();
           while (attrs.hasNext()) {
               PKCS10Attribute attr = attrs.next();
               if
					(attr.getAttributeId().equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) {
                   reqex =
						(CertificateExtensions)attr.getAttributeValue();
               }
           }
           CertificateExtensions ext = createV3Extensions(
                   reqex,
                   null,
                   v3ext,
                   req.getSubjectPublicKeyInfo(),
                   signerCert.getPublicKey());
           info.set(X509CertInfo.EXTENSIONS, ext);
           X509CertImpl cert = new X509CertImpl(info);
           cert.sign(privateKey, sigAlgName);
           dumpCert(cert, out);
           for (Certificate ca: keyStore.getCertificateChain(alias)) {
               if (ca instanceof X509Certificate) {
                   X509Certificate xca = (X509Certificate)ca;
                   if (!isSelfSigned(xca)) {
                       dumpCert(xca, out);
                   }
               }
           }
       }

 

你可能感兴趣的:(keytool)