Which KeyStore implementations can be used for storing symmetric keys?



java.security.KeyStore uses KeyStoreSpi implementations to provide different kinds of keystores. Base OpenJDK supports the JKS, JCEKS and PKCS12 keystore types. The first two implement proprietary Sun/Oracle formats; PKCS12 is a public standard.

I know that JCEKS does support symmetric keys and that PKCS12 does not. Which other KeyStoreSpi implementations (e.g. Bouncy Castle) provide support for symmetric keys? It seems developers like to hide such information. For example, the Bouncy Castle documentation only mentions:

The fourth is the BCFKS key store, which is a FIPS compliant key store. It is also designed for general key storage and is based on ASN.1. This key store type is encrypted, supports the use of SCRYPT and the storage of some symmetric key types.

Why do you think a PKCS#12 keystore generally does not hold keys? I'm using desktop OpenJDK 11.x and have no problems saving and reloading keys with a PKCS#12 keystore.

But you are right, some Java implementations won't work, so just try it!

Output:

Keystore Type PKCS12
source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
create a keystore
load the keystore and store a secret key
key after generation length: 32 data: eb6b8efafcee46880ea75b83754442efe4ee9d66ce755698cc803fd7775e4e78
load secret key from keystore
key after loading    length: 32 data: eb6b8efafcee46880ea75b83754442efe4ee9d66ce755698cc803fd7775e4e78

Security warning: the code has no exception handling and is for educational purposes only.

Code:

import javax.crypto.KeyGenerator;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;

public class KeystoreTypePKCS12 {
    public static void main(String[] args) {
        System.out.println("Keystore Type PKCS12");
        // https://stackoverflow.com/questions/64677544/which-keystore-implementations-can-be-used-for-storing-symmetric-keys
        System.out.println("source: https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12");
        System.out.println("create a keystore");
        // step 1: create an empty PKCS12 keystore and write it to disk
        // (try-with-resources closes the stream even if store() fails)
        try (FileOutputStream fos = new FileOutputStream("keystore.p12")) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(null, null);
            keyStore.store(fos, "password".toCharArray());
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        System.out.println("load the keystore and store a secret key");
        // step 2: reload the keystore, add an AES secret key entry, save it again
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            try (FileInputStream fis = new FileInputStream("keystore.p12")) {
                keyStore.load(fis, "password".toCharArray());
            }
            // generate an AES-256 secret key
            KeyGenerator keyGen = KeyGenerator.getInstance("AES");
            keyGen.init(256);
            Key key = keyGen.generateKey();
            System.out.println("key after generation length: " + key.getEncoded().length
                    + " data: " + bytesToHex(key.getEncoded()));
            // store it in the keystore under the alias "secret", protected by the entry password
            keyStore.setKeyEntry("secret", key, "password".toCharArray(), null);
            // save the keystore (input stream is already closed, so reopening the file is safe)
            try (FileOutputStream fos = new FileOutputStream("keystore.p12")) {
                keyStore.store(fos, "password".toCharArray());
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        System.out.println("load secret key from keystore");
        // step 3: reload the keystore and read the secret key back
        try (FileInputStream fis = new FileInputStream("keystore.p12")) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(fis, "password".toCharArray());
            Key keyLoad = keyStore.getKey("secret", "password".toCharArray());
            System.out.println("key after loading    length: " + keyLoad.getEncoded().length
                    + " data: " + bytesToHex(keyLoad.getEncoded()));
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    // lower-case hex encoding of a byte array, two characters per byte
    private static String bytesToHex(byte[] bytes) {
        StringBuilder result = new StringBuilder();
        for (byte b : bytes) result.append(Integer.toString((b & 0xff) + 0x100, 16).substring(1));
        return result.toString();
    }
}
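The answer above checks a single keystore type by hand. The question asks which KeyStoreSpi implementations accept symmetric keys at all, and the same round-trip can be automated against every KeyStore service the running JVM offers. The program below is an added example, not code from the question, the answer or any of the projects mentioned: it generates an AES key, stores it as a SecretKeyEntry in each registered keystore type entirely in memory, reloads it and compares the key material. The alias "secret", the password "changeit" and the class and method names are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Probes every KeyStore type registered with the installed security providers
 * and reports whether it can round-trip an AES SecretKey entirely in memory.
 * Added example; not code from the question or the answer above.
 */
public class SymmetricKeyStoreProbe {

    // Demo-only password (constructed for this example); a real application
    // would obtain it from a secrets manager or protected configuration.
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** Outcome of probing one KeyStore type. */
    public enum Result { SUPPORTED, REJECTED, UNAVAILABLE }

    /**
     * Generates a 256-bit AES key, stores it under the alias "secret",
     * serialises the keystore to a byte array, reloads it and compares the
     * recovered key material with the original.
     */
    public static Result probe(String type, Provider provider) {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey original = kg.generateKey();

            KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(PASSWORD);
            KeyStore ks = KeyStore.getInstance(type, provider);
            ks.load(null, null);                                   // fresh, empty store
            ks.setEntry("secret", new KeyStore.SecretKeyEntry(original), prot);

            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, PASSWORD);                               // nothing touches the disk

            KeyStore reloaded = KeyStore.getInstance(type, provider);
            reloaded.load(new ByteArrayInputStream(out.toByteArray()), PASSWORD);
            KeyStore.Entry entry = reloaded.getEntry("secret", prot);
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                return Result.REJECTED;                            // dropped or stored as another type
            }
            SecretKey restored = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
            boolean same = Arrays.equals(original.getEncoded(), restored.getEncoded());
            return same ? Result.SUPPORTED : Result.REJECTED;
        } catch (KeyStoreException e) {
            // JKS, for instance, refuses non-private keys with a KeyStoreException
            return Result.REJECTED;
        } catch (Exception e) {
            // PKCS11, DKS, Windows-MY and similar need a token or extra configuration
            return Result.UNAVAILABLE;
        }
    }

    /** Runs the probe for every (provider, KeyStore type) pair the JVM offers. */
    public static Map<String, Result> probeAll() {
        Map<String, Result> results = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (!"KeyStore".equals(s.getType())) continue;
                String label = p.getName() + "/" + s.getAlgorithm();
                results.put(label, probe(s.getAlgorithm(), p));
            }
        }
        return results;
    }

    public static void main(String[] args) {
        probeAll().forEach((label, result) ->
                System.out.printf("%-32s %s%n", label, result));
    }
}
```

On a stock OpenJDK 11 this reports JCEKS and PKCS12 as SUPPORTED and JKS as REJECTED, which matches the answer's observation. To include Bouncy Castle types such as BKS, UBER or BCFKS in the probe, register the provider first (for example with Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider())) and run the same program; the round-trip check, rather than the documentation, then settles the question for each type. Because the probe serialises and reloads the store, it also catches implementations that accept setEntry but lose or alter the entry on disk, which a simple setEntry call would not reveal.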
