Class KeyStoreUtil

java.lang.Object
net.i2p.crypto.KeyStoreUtil

public final class KeyStoreUtil extends Object
Keystore utilities, consolidated from various places.
Since:
0.9.9
  • Constructor Details

    • KeyStoreUtil

      public KeyStoreUtil()
  • Method Details

    • createKeyStore

      public static KeyStore createKeyStore(File ksFile, String password) throws GeneralSecurityException, IOException
      Create a new KeyStore object, and load it from ksFile if it is non-null and it exists. If ksFile is non-null and it does not exist, create a new empty keystore file.
      Parameters:
      ksFile - may be null
      password - may be null
      Returns:
      the KeyStore, loaded from ksFile if it existed, otherwise empty
      Throws:
      GeneralSecurityException
      IOException
    • loadSystemKeyStore

      public static KeyStore loadSystemKeyStore()
      Loads certs from the location given by the javax.net.ssl.keyStore property, else from $JAVA_HOME/lib/security/jssecacerts, else from $JAVA_HOME/lib/security/cacerts.
      Returns:
      null on catastrophic failure; an empty KeyStore if the system file can't be loaded
      Since:
      0.8.2, moved from SSLEepGet.initSSLContext() in 0.9.9
    • countCerts

      public static int countCerts(KeyStore ks)
      Count all X509 certs in a key store.
      Returns:
      number of X509 certs in the key store
      Since:
      0.8.2, moved from SSLEepGet in 0.9.9
    • logCertExpiration

      public static boolean logCertExpiration(File f, String ksPW, long expiresWithin)
      Validate expiration for all private key certs in a key store. Use this for keystores containing self-signed certs where the user will be expected to renew an expiring cert, and for Jetty keystores, where we aren't doing the loading ourselves. If a cert isn't valid, it will probably cause bigger problems later when it's used.
      Parameters:
      f - keystore file
      ksPW - keystore password
      expiresWithin - milliseconds; if a cert expires within this long, a warning is logged, e.g. 180*24*60*60*1000L (180 days)
      Returns:
      true if all are good, false if we logged something
      Since:
      0.9.34
    • logCertExpiration

      public static boolean logCertExpiration(KeyStore ks, String location, long expiresWithin)
      Validate expiration for all private key certs in a key store. Use this for keystores containing self-signed certs where the user will be expected to renew an expiring cert, and for keystores we are feeding to an SSLContext and ServerSocketFactory. We added support for self-signed certs in 0.8.3 (2011-01), with a 10-year expiration. We still don't generate them by default. We don't expect anybody's certs to expire until 2021.
      Parameters:
      location - the path or other identifying info, for logging only
      expiresWithin - milliseconds; if a cert expires within this long, a warning is logged, e.g. 180*24*60*60*1000L (180 days)
      Returns:
      true if all are good, false if we logged something
      Since:
      0.9.34
    • addCerts

      public static int addCerts(File dir, KeyStore ks)
      Load all X509 certs from a directory and add them to the trusted set of certificates in the key store. This DOES check for revocation.
      Returns:
      number successfully added
      Since:
      0.8.2, moved from SSLEepGet in 0.9.9
    • addCert

      public static boolean addCert(File file, String alias, KeyStore ks)
      Load an X509 cert from a file and add it to the trusted set of certificates in the key store. This does NOT check for revocation.
      Returns:
      success
      Since:
      0.8.2, moved from SSLEepGet in 0.9.9
    • addCert

      public static boolean addCert(File file, String alias, KeyStore ks, CertStore cs)
      Load an X509 cert from a file and add it to the trusted set of certificates in the key store. This DOES check for revocation, IF cs is non-null.
      Parameters:
      cs - may be null; if non-null, check for revocation
      Returns:
      success
      Since:
      0.9.25
    • randomString

      public static String randomString()
      Returns a 48-character Base32 string (30 bytes of entropy).
    • createKeys

      public static boolean createKeys(File ks, String alias, String cname, String ou, String keyPW)
      Create a keypair and store it in the keystore at ks, creating it if necessary. Uses the default keystore password, valid days, algorithm, and key size. As of 0.9.35, the default algorithm and size depend on cname: if it appears to be a CA, EC/256 is used; otherwise RSA/2048. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      ou - e.g. console
      keyPW - the key password, must be at least 6 characters
      Returns:
      success
      Since:
      0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9
    • createKeys

      public static boolean createKeys(File ks, String alias, String cname, Set<String> altNames, String ou, String keyPW)
      Create a keypair and store it in the keystore at ks, creating it if necessary. Uses the default keystore password, valid days, algorithm, and key size. As of 0.9.35, the default algorithm and size depend on cname: if it appears to be a CA, EC/256 is used; otherwise RSA/2048. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
      ou - e.g. console
      keyPW - the key password, must be at least 6 characters
      Returns:
      success
      Since:
      0.9.34 added altNames param
    • createKeys

      public static boolean createKeys(File ks, String ksPW, String alias, String cname, String ou, int validDays, String keyAlg, int keySize, String keyPW)
      Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() overload with the SigType argument is recommended over this one, as it throws exceptions and returns the certificate and CRL. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      ou - e.g. console
      validDays - e.g. 3652 (10 years)
      keyAlg - e.g. DSA, RSA, EC
      keySize - e.g. 1024
      keyPW - the key password, must be at least 6 characters
      Returns:
      success
      Since:
      0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9
    • createKeys

      public static boolean createKeys(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, String keyAlg, int keySize, String keyPW)
      Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() overload with the SigType argument is recommended over this one, as it throws exceptions and returns the certificate and CRL. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
      ou - e.g. console
      validDays - e.g. 3652 (10 years)
      keyAlg - e.g. DSA, RSA, EC
      keySize - e.g. 1024
      keyPW - the key password, must be at least 6 characters
      Returns:
      success
      Since:
      0.9.34 added altNames param
    • createKeysAndCRL

      public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, String ou, int validDays, String keyAlg, int keySize, String keyPW) throws GeneralSecurityException, IOException
      New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      ou - e.g. console
      validDays - e.g. 3652 (10 years)
      keyAlg - e.g. DSA, RSA, EC
      keySize - e.g. 1024
      keyPW - the key password, must be at least 6 characters
      Returns:
      all you need: rv[0] is a Java PublicKey; rv[1] is a Java PrivateKey; rv[2] is a Java X509Certificate; rv[3] is a Java X509CRL
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.25
    • createKeysAndCRL

      public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, String keyAlg, int keySize, String keyPW) throws GeneralSecurityException, IOException
      New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
      ou - e.g. console
      validDays - e.g. 3652 (10 years)
      keyAlg - e.g. DSA, RSA, EC
      keySize - e.g. 1024
      keyPW - the key password, must be at least 6 characters
      Returns:
      all you need: rv[0] is a Java PublicKey; rv[1] is a Java PrivateKey; rv[2] is a Java X509Certificate; rv[3] is a Java X509CRL
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.34 added altNames param
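      An added usage example (not part of the I2P sources) that chains the methods documented above: createKeysAndCRL() with the keyAlg/keySize overload, createKeyStore() to reopen the file, both logCertExpiration() overloads with the 180-day window the Javadoc suggests, and exportCert(). The file names, passwords, alias, OU and the SAN address are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

import net.i2p.crypto.KeyStoreUtil;

/** Provision a self-signed console cert and verify it the way a deployer would. */
public class ConsoleKeyStoreExample {

    // Warning window taken from the Javadoc's own example: 180 days in milliseconds.
    static final long WARN_WITHIN_MS = 180L * 24 * 60 * 60 * 1000;

    public static void main(String[] args) throws GeneralSecurityException, IOException {
        // Constructed values for the demo; a deployment would read them from its
        // configuration rather than hard-code them. Both passwords must be >= 6 chars.
        File ksFile = new File("console-example.ks");
        String ksPW = "example-keystore-pw";
        String keyPW = "example-key-pw";
        String alias = "console";
        // cname must be a hostname; IP addresses go in altNames. The Javadoc says
        // cname, localhost, 127.0.0.1 and ::1 are added to the SANs automatically.
        Set<String> altNames = Collections.singleton("192.0.2.10"); // constructed TEST-NET address

        // EC/256 is the algorithm/size the Javadoc says createKeys() picks for CA-like
        // names; here it is passed explicitly through the keyAlg/keySize overload.
        Object[] rv = KeyStoreUtil.createKeysAndCRL(ksFile, ksPW, alias, "localhost",
                altNames, "console", 3652, "EC", 256, keyPW);
        X509Certificate cert = (X509Certificate) rv[2];
        X509CRL crl = (X509CRL) rv[3]; // not persisted by createKeysAndCRL()

        // Inspect what was actually encoded before relying on it.
        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Not after:  " + cert.getNotAfter());
        System.out.println("SANs:       " + cert.getSubjectAlternativeNames());
        System.out.println("CRL issuer: " + crl.getIssuerX500Principal());

        // Reopen the keystore from disk and run the expiry check on the loaded object...
        KeyStore ks = KeyStoreUtil.createKeyStore(ksFile, ksPW);
        boolean fresh = KeyStoreUtil.logCertExpiration(ks, ksFile.getPath(), WARN_WITHIN_MS);
        // ...and through the File overload, the form suited to a Jetty keystore we do not load ourselves.
        boolean freshFromFile = KeyStoreUtil.logCertExpiration(ksFile, ksPW, WARN_WITHIN_MS);
        System.out.println("Expiry check passed: " + (fresh && freshFromFile));

        // Export only the certificate, so clients can trust it without the private key.
        boolean exported = KeyStoreUtil.exportCert(ksFile, ksPW, alias, new File("console-example.crt"));
        System.out.println("Cert exported: " + exported);
    }
}
```

      Running it twice against the same file exercises the "creating it if necessary" path once and the reload path the second time; a freshly created 10-year cert passes the 180-day check, so both booleans are true.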
    • createKeysAndCRL

      public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, String ou, int validDays, SigType type, String keyPW) throws GeneralSecurityException, IOException
      New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      ou - e.g. console
      validDays - e.g. 3652 (10 years)
      keyPW - the key password, must be at least 6 characters
      Returns:
      all you need: rv[0] is a Java PublicKey; rv[1] is a Java PrivateKey; rv[2] is a Java X509Certificate; rv[3] is a Java X509CRL
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.25
    • createKeysAndCRL

      public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, SigType type, String keyPW) throws GeneralSecurityException, IOException
      New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password
      alias - the name of the key
      cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
      altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
      ou - e.g. console
      validDays - e.g. 3652 (10 years)
      keyPW - the key password, must be at least 6 characters
      Returns:
      all you need: rv[0] is a Java PublicKey; rv[1] is a Java PrivateKey; rv[2] is a Java X509Certificate; rv[3] is a Java X509CRL
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.34 added altNames param
    • getPrivateKey

      public static PrivateKey getPrivateKey(File ks, String ksPW, String alias, String keyPW) throws GeneralSecurityException, IOException
      Get a private key out of a keystore.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key
      keyPW - the key password, must be at least 6 characters
      Returns:
      the key or null if not found
      Throws:
      GeneralSecurityException
      IOException
    • exportPrivateKey

      public static void exportPrivateKey(File ks, String ksPW, String alias, String keyPW, OutputStream out) throws GeneralSecurityException, IOException
      Export the private key and certificate chain (if any) out of a keystore. Does NOT close the output stream. Throws on all errors.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key
      keyPW - the key password, must be at least 6 characters
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.25
    • renewPrivateKeyCertificate

      public static X509Certificate renewPrivateKeyCertificate(File ks, String ksPW, String alias, String keyPW, int validDays) throws GeneralSecurityException, IOException
      Renew the private key certificate in a keystore. Closes the input and output streams. Throws on all errors.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key, or null to get the first one in keystore
      keyPW - the key password, must be at least 6 characters
      validDays - new cert to expire this many days from now
      Returns:
      the new certificate
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.34
    • importPrivateKey

      public static String importPrivateKey(File ks, String ksPW, String alias, String keyPW, InputStream in) throws GeneralSecurityException, IOException
      Import the private key and certificate chain to a keystore. Keystore will be created if it does not exist. Private key MUST be first in the stream. Closes the stream. Throws on all errors.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key. If null, will be taken from the Subject CN of the first certificate in the chain.
      keyPW - the key password, must be at least 6 characters
      Returns:
      the alias as specified or extracted
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.25
    • storePrivateKey

      public static void storePrivateKey(File ks, String ksPW, String alias, String keyPW, PrivateKey pk, List<X509Certificate> certs) throws GeneralSecurityException, IOException
      Store the given private key and certificate chain in a keystore. Keystore will be created if it does not exist. Throws on all errors.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key, non-null.
      keyPW - the key password, must be at least 6 characters
      Throws:
      GeneralSecurityException
      IOException
      Since:
      0.9.25
    • getCert

      public static Certificate getCert(File ks, String ksPW, String alias) throws GeneralSecurityException, IOException
      Get a cert out of a keystore.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key
      Returns:
      the certificate or null if not found
      Throws:
      GeneralSecurityException
      IOException
    • exportCert

      public static boolean exportCert(File ks, String ksPW, String alias, File certFile)
      Pull the cert back OUT of the keystore and save it in Base64-encoded X.509 format so that clients can get to it.
      Parameters:
      ks - path to the keystore
      ksPW - the keystore password, may be null
      alias - the name of the key
      certFile - output
      Returns:
      success
      Since:
      0.8.3 moved from SSLClientListenerRunner in 0.9.9
    • main

      public static void main(String[] args)
      Usage:
        KeyStoreUtil system (loads from system keystore)
        KeyStoreUtil foo.ks (loads from system keystore, and from foo.ks keystore if exists, else creates empty)
        KeyStoreUtil import file.ks file.key alias keypw (imports private key from file to keystore)
        KeyStoreUtil export file.ks alias keypw (exports private key from keystore)
        KeyStoreUtil keygen file.ks alias keypw (create keypair in keystore)
        KeyStoreUtil keygen2 file.ks alias keypw (create keypair using I2PProvider)