Package net.i2p.crypto
Class KeyStoreUtil
java.lang.Object
net.i2p.crypto.KeyStoreUtil
Keystore utilities, consolidated from various places.
- Since:
- 0.9.9
-
Field Summary
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionstatic boolean
Load an X509 Cert from a file and add it to the trusted set of certificates in the key store This does NOT check for revocation.static boolean
Load an X509 Cert from a file and add it to the trusted set of certificates in the key store This DOES check for revocation, IF cs is non-null.static int
Load all X509 Certs from a directory and add them to the trusted set of certificates in the key store This DOES check for revocation.static int
countCerts
(KeyStore ks) Count all X509 Certs in a key storestatic boolean
Create a keypair and store it in the keystore at ks, creating it if necessary.static boolean
createKeys
(File ks, String ksPW, String alias, String cname, String ou, int validDays, String keyAlg, int keySize, String keyPW) Create a keypair and store it in the keystore at ks, creating it if necessary.static boolean
createKeys
(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, String keyAlg, int keySize, String keyPW) Create a keypair and store it in the keystore at ks, creating it if necessary.static boolean
Create a keypair and store it in the keystore at ks, creating it if necessary.static Object[]
createKeysAndCRL
(File ks, String ksPW, String alias, String cname, String ou, int validDays, String keyAlg, int keySize, String keyPW) New way - Native Java, does not call out to keytool.static Object[]
createKeysAndCRL
(File ks, String ksPW, String alias, String cname, String ou, int validDays, SigType type, String keyPW) New way - Native Java, does not call out to keytool.static Object[]
createKeysAndCRL
(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, String keyAlg, int keySize, String keyPW) New way - Native Java, does not call out to keytool.static Object[]
createKeysAndCRL
(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, SigType type, String keyPW) New way - Native Java, does not call out to keytool.static KeyStore
createKeyStore
(File ksFile, String password) Create a new KeyStore object, and load it from ksFile if it is non-null and it exists.static boolean
exportCert
(File ks, String ksPW, String alias, File certFile) Pull the cert back OUT of the keystore and save it in Base64-encoded X.509 format so the clients can get to it.static void
exportPrivateKey
(File ks, String ksPW, String alias, String keyPW, OutputStream out) Export the private key and certificate chain (if any) out of a keystore.static Certificate
Get a cert out of a keystorestatic PrivateKey
getPrivateKey
(File ks, String ksPW, String alias, String keyPW) Get a private key out of a keystorestatic String
importPrivateKey
(File ks, String ksPW, String alias, String keyPW, InputStream in) Import the private key and certificate chain to a keystore.static KeyStore
Loads certs from location of javax.net.ssl.keyStore property, else from $JAVA_HOME/lib/security/jssecacerts, else from $JAVA_HOME/lib/security/cacerts.static boolean
logCertExpiration
(File f, String ksPW, long expiresWithin) Validate expiration for all private key certs in a key store.static boolean
logCertExpiration
(KeyStore ks, String location, long expiresWithin) Validate expiration for all private key certs in a key store.static void
Usage: KeyStoreUtil system (loads from system keystore) KeyStoreUtil foo.ks (loads from system keystore, and from foo.ks keystore if exists, else creates empty) KeyStoreUtil import file.ks file.key alias keypw (imports private key from file to keystore) KeyStoreUtil export file.ks alias keypw (exports private key from keystore) KeyStoreUtil keygen file.ks alias keypw (create keypair in keystore) KeyStoreUtil keygen2 file.ks alias keypw (create keypair using I2PProvider)static String
48 char b32 string (30 bytes of entropy)static X509Certificate
renewPrivateKeyCertificate
(File ks, String ksPW, String alias, String keyPW, int validDays) Renew the the private key certificate in a keystore.static void
storePrivateKey
(File ks, String ksPW, String alias, String keyPW, PrivateKey pk, List<X509Certificate> certs) Import the private key and certificate chain to a keystore.
-
Field Details
-
DEFAULT_KEYSTORE_PASSWORD
- See Also:
-
-
Constructor Details
-
KeyStoreUtil
public KeyStoreUtil()
-
-
Method Details
-
createKeyStore
public static KeyStore createKeyStore(File ksFile, String password) throws GeneralSecurityException, IOException Create a new KeyStore object, and load it from ksFile if it is non-null and it exists. If ksFile is non-null and it does not exist, create a new empty keystore file.- Parameters:
ksFile
- may be nullpassword
- may be null- Returns:
- success
- Throws:
GeneralSecurityException
IOException
-
loadSystemKeyStore
Loads certs from location of javax.net.ssl.keyStore property, else from $JAVA_HOME/lib/security/jssecacerts, else from $JAVA_HOME/lib/security/cacerts.- Returns:
- null on catastrophic failure, returns empty KeyStore if can't load system file
- Since:
- 0.8.2, moved from SSLEepGet.initSSLContext() in 0.9.9
-
countCerts
Count all X509 Certs in a key store- Returns:
- number successfully added
- Since:
- 0.8.2, moved from SSLEepGet in 0.9.9
-
logCertExpiration
Validate expiration for all private key certs in a key store. Use this for keystores containing selfsigned certs where the user will be expected to renew an expiring cert. Use this for Jetty keystores, where we aren't doing the loading ourselves. If a cert isn't valid, it will probably cause bigger problems later when it's used.- Parameters:
f
- keystore fileksPW
- keystore passwordexpiresWithin
- ms if cert expires within this long, we will log a warning, e.g. 180*24*60*60*1000L- Returns:
- true if all are good, false if we logged something
- Since:
- 0.9.34
-
logCertExpiration
Validate expiration for all private key certs in a key store. Use this for keystores containing selfsigned certs where the user will be expected to renew an expiring cert. Use this for keystores we are feeding to an SSLContext and ServerSocketFactory. We added support for self-signed certs in 0.8.3 2011-01, with a 10-year expiration. We still don't generate them by default. We don't expect anybody's certs to expire until 2021.- Parameters:
location
- the path or other identifying info, for logging onlyexpiresWithin
- ms if cert expires within this long, we will log a warning, e.g. 180*24*60*60*1000L- Returns:
- true if all are good, false if we logged something
- Since:
- 0.9.34
-
addCerts
Load all X509 Certs from a directory and add them to the trusted set of certificates in the key store This DOES check for revocation.- Returns:
- number successfully added
- Since:
- 0.8.2, moved from SSLEepGet in 0.9.9
-
addCert
Load an X509 Cert from a file and add it to the trusted set of certificates in the key store This does NOT check for revocation.- Returns:
- success
- Since:
- 0.8.2, moved from SSLEepGet in 0.9.9
-
addCert
Load an X509 Cert from a file and add it to the trusted set of certificates in the key store This DOES check for revocation, IF cs is non-null.- Parameters:
cs
- may be null; if non-null, check for revocation- Returns:
- success
- Since:
- 0.9.25
-
randomString
48 char b32 string (30 bytes of entropy) -
createKeys
Create a keypair and store it in the keystore at ks, creating it if necessary. Use default keystore password, valid days, algorithm, and key size. As of 0.9.35, default algorithm and size depends on cname. If it appears to be a CA, it will use EC/256. Otherwise, it will use RSA/2048. Warning, may take a long time.- Parameters:
ks
- path to the keystorealias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.ou
- e.g. consolekeyPW
- the key password, must be at least 6 characters- Returns:
- success
- Since:
- 0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9
-
createKeys
public static boolean createKeys(File ks, String alias, String cname, Set<String> altNames, String ou, String keyPW) Create a keypair and store it in the keystore at ks, creating it if necessary. Use default keystore password, valid days, algorithm, and key size. As of 0.9.35, default algorithm and size depends on cname. If it appears to be a CA, it will use EC/256. Otherwise, it will use RSA/2048. Warning, may take a long time.- Parameters:
ks
- path to the keystorealias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.altNames
- the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.ou
- e.g. consolekeyPW
- the key password, must be at least 6 characters- Returns:
- success
- Since:
- 0.9.34 added altNames param
-
createKeys
public static boolean createKeys(File ks, String ksPW, String alias, String cname, String ou, int validDays, String keyAlg, int keySize, String keyPW) Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() with the SigType argument is recommended over this one, as it throws exceptions, and returns the certificate and CRL. Warning, may take a long time.- Parameters:
ks
- path to the keystoreksPW
- the keystore passwordalias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.ou
- e.g. consolevalidDays
- e.g. 3652 (10 years)keyAlg
- e.g. DSA , RSA, ECkeySize
- e.g. 1024keyPW
- the key password, must be at least 6 characters- Returns:
- success
- Since:
- 0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9
-
createKeys
public static boolean createKeys(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, String keyAlg, int keySize, String keyPW) Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() with the SigType argument is recommended over this one, as it throws exceptions, and returns the certificate and CRL. Warning, may take a long time.- Parameters:
ks
- path to the keystoreksPW
- the keystore passwordalias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.altNames
- the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.ou
- e.g. consolevalidDays
- e.g. 3652 (10 years)keyAlg
- e.g. DSA , RSA, ECkeySize
- e.g. 1024keyPW
- the key password, must be at least 6 characters- Returns:
- success
- Since:
- 0.9.34 added altNames param
-
createKeysAndCRL
public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, String ou, int validDays, String keyAlg, int keySize, String keyPW) throws GeneralSecurityException, IOException New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.- Parameters:
ks
- path to the keystoreksPW
- the keystore passwordalias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.ou
- e.g. consolevalidDays
- e.g. 3652 (10 years)keyAlg
- e.g. DSA , RSA, ECkeySize
- e.g. 1024keyPW
- the key password, must be at least 6 characters- Returns:
- all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL
- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.25
-
createKeysAndCRL
public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, String keyAlg, int keySize, String keyPW) throws GeneralSecurityException, IOException New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.- Parameters:
ks
- path to the keystoreksPW
- the keystore passwordalias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.altNames
- the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.ou
- e.g. consolevalidDays
- e.g. 3652 (10 years)keyAlg
- e.g. DSA , RSA, ECkeySize
- e.g. 1024keyPW
- the key password, must be at least 6 characters- Returns:
- all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL
- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.34 added altNames param
-
createKeysAndCRL
public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, String ou, int validDays, SigType type, String keyPW) throws GeneralSecurityException, IOException New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.- Parameters:
ks
- path to the keystoreksPW
- the keystore passwordalias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.ou
- e.g. consolevalidDays
- e.g. 3652 (10 years)keyPW
- the key password, must be at least 6 characters- Returns:
- all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL
- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.25
-
createKeysAndCRL
public static Object[] createKeysAndCRL(File ks, String ksPW, String alias, String cname, Set<String> altNames, String ou, int validDays, SigType type, String keyPW) throws GeneralSecurityException, IOException New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.- Parameters:
ks
- path to the keystoreksPW
- the keystore passwordalias
- the name of the keycname
- e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.altNames
- the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.ou
- e.g. consolevalidDays
- e.g. 3652 (10 years)keyPW
- the key password, must be at least 6 characters- Returns:
- all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL
- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.34 added altNames param
-
getPrivateKey
public static PrivateKey getPrivateKey(File ks, String ksPW, String alias, String keyPW) throws GeneralSecurityException, IOException Get a private key out of a keystore- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the keykeyPW
- the key password, must be at least 6 characters- Returns:
- the key or null if not found
- Throws:
GeneralSecurityException
IOException
-
exportPrivateKey
public static void exportPrivateKey(File ks, String ksPW, String alias, String keyPW, OutputStream out) throws GeneralSecurityException, IOException Export the private key and certificate chain (if any) out of a keystore. Does NOT close the output stream. Throws on all errors.- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the keykeyPW
- the key password, must be at least 6 characters- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.25
-
renewPrivateKeyCertificate
public static X509Certificate renewPrivateKeyCertificate(File ks, String ksPW, String alias, String keyPW, int validDays) throws GeneralSecurityException, IOException Renew the the private key certificate in a keystore. Closes the input and output streams. Throws on all errors.- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the key, or null to get the first one in keystorekeyPW
- the key password, must be at least 6 charactersvalidDays
- new cert to expire this many days from now- Returns:
- the new certificate
- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.34
-
importPrivateKey
public static String importPrivateKey(File ks, String ksPW, String alias, String keyPW, InputStream in) throws GeneralSecurityException, IOException Import the private key and certificate chain to a keystore. Keystore will be created if it does not exist. Private key MUST be first in the stream. Closes the stream. Throws on all errors.- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the key. If null, will be taken from the Subject CN of the first certificate in the chain.keyPW
- the key password, must be at least 6 characters- Returns:
- the alias as specified or extracted
- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.25
-
storePrivateKey
public static void storePrivateKey(File ks, String ksPW, String alias, String keyPW, PrivateKey pk, List<X509Certificate> certs) throws GeneralSecurityException, IOException Import the private key and certificate chain to a keystore. Keystore will be created if it does not exist. Private key MUST be first in the stream. Closes the stream. Throws on all errors.- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the key, non-null.keyPW
- the key password, must be at least 6 characters- Throws:
GeneralSecurityException
IOException
- Since:
- 0.9.25
-
getCert
public static Certificate getCert(File ks, String ksPW, String alias) throws GeneralSecurityException, IOException Get a cert out of a keystore- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the key- Returns:
- the certificate or null if not found
- Throws:
GeneralSecurityException
IOException
-
exportCert
Pull the cert back OUT of the keystore and save it in Base64-encoded X.509 format so the clients can get to it.- Parameters:
ks
- path to the keystoreksPW
- the keystore password, may be nullalias
- the name of the keycertFile
- output- Returns:
- success
- Since:
- 0.8.3 moved from SSLClientListenerRunner in 0.9.9
-
main
Usage: KeyStoreUtil system (loads from system keystore) KeyStoreUtil foo.ks (loads from system keystore, and from foo.ks keystore if exists, else creates empty) KeyStoreUtil import file.ks file.key alias keypw (imports private key from file to keystore) KeyStoreUtil export file.ks alias keypw (exports private key from keystore) KeyStoreUtil keygen file.ks alias keypw (create keypair in keystore) KeyStoreUtil keygen2 file.ks alias keypw (create keypair using I2PProvider)
-