KeyStorepublic class KeyStore extends Object | This class represents a storage facility for cryptographic
keys and certificates.
A KeyStore manages different types of entries.
Each type of entry implements the KeyStore.Entry interface.
Three basic KeyStore.Entry implementations are provided:
- KeyStore.PrivateKeyEntry
This type of entry holds a cryptographic PrivateKey,
which is optionally stored in a protected format to prevent
unauthorized access. It is also accompanied by a certificate chain
for the corresponding public key.
Private keys and certificate chains are used by a given entity for
self-authentication. Applications for this authentication include software
distribution organizations which sign JAR files as part of releasing
and/or licensing software.
- KeyStore.SecretKeyEntry
This type of entry holds a cryptographic SecretKey,
which is optionally stored in a protected format to prevent
unauthorized access.
- KeyStore.TrustedCertificateEntry
This type of entry contains a single public key Certificate
belonging to another party. It is called a trusted certificate
because the keystore owner trusts that the public key in the certificate
indeed belongs to the identity identified by the subject (owner)
of the certificate.
This type of entry can be used to authenticate other parties.
Each entry in a keystore is identified by an "alias" string. In the
case of private keys and their associated certificate chains, these strings
distinguish among the different ways in which the entity may authenticate
itself. For example, the entity may authenticate itself using different
certificate authorities, or using different public key algorithms.
Whether aliases are case sensitive is implementation dependent. In order
to avoid problems, it is recommended not to use aliases in a KeyStore that
only differ in case.
Whether keystores are persistent, and the mechanisms used by the
keystore if it is persistent, are not specified here. This allows
use of a variety of techniques for protecting sensitive (e.g., private or
secret) keys. Smart cards or other integrated cryptographic engines
(SafeKeyper) are one option, and simpler mechanisms such as files may also
be used (in a variety of formats).
Typical ways to request a KeyStore object include
relying on the default type and providing a specific keystore type.
Before a keystore can be accessed, it must be
{@link #load(java.io.InputStream, char[]) loaded}.
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// get user password and file input stream
char[] password = getPassword();
java.io.FileInputStream fis = null;
try {
fis = new java.io.FileInputStream("keyStoreName");
ks.load(fis, password);
} finally {
if (fis != null) {
fis.close();
}
}
To create an empty keystore using the above load method,
pass null as the InputStream argument.
Once the keystore has been loaded, it is possible
to read existing entries from the keystore, or to write new entries
into the keystore:
// get my private key
KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
ks.getEntry("privateKeyAlias", password);
PrivateKey myPrivateKey = pkEntry.getPrivateKey();
// save my secret key
javax.crypto.SecretKey mySecretKey;
KeyStore.SecretKeyEntry skEntry =
new KeyStore.SecretKeyEntry(mySecretKey);
ks.setEntry("secretKeyAlias", skEntry,
new KeyStore.PasswordProtection(password));
// store away the keystore
java.io.FileOutputStream fos = null;
try {
fos = new java.io.FileOutputStream("newKeyStoreName");
ks.store(fos, password);
} finally {
if (fos != null) {
fos.close();
}
}
Note that although the same password may be used to
load the keystore, to protect the private key entry,
to protect the secret key entry, and to store the keystore
(as is shown in the sample code above),
different passwords or other protection parameters
may also be used. |
| Fields Summary |
|---|
| private static final String | KEYSTORE_TYPE | | private String | type | | private Provider | provider | | private KeyStoreSpi | keyStoreSpi | | private boolean | initialized |
| Constructors Summary |
|---|
protected KeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type)Creates a KeyStore object of the given type, and encapsulates the given
provider implementation (SPI object) in it.
this.keyStoreSpi = keyStoreSpi;
this.provider = provider;
this.type = type;
|
| Methods Summary |
|---|
| public final java.util.Enumeration | aliases()Lists all the alias names of this keystore.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineAliases();
| | public final boolean | containsAlias(java.lang.String alias)Checks if the given alias exists in this keystore.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineContainsAlias(alias);
| | public final void | deleteEntry(java.lang.String alias)Deletes the entry identified by the given alias from this keystore.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineDeleteEntry(alias);
| | public final boolean | entryInstanceOf(java.lang.String alias, java.lang.Class entryClass)Determines if the keystore Entry for the specified
alias is an instance or subclass of the specified
entryClass.
if (alias == null || entryClass == null) {
throw new NullPointerException("invalid null input");
}
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineEntryInstanceOf(alias, entryClass);
| | public final java.security.cert.Certificate | getCertificate(java.lang.String alias)Returns the certificate associated with the given alias.
If the given alias name identifies an entry
created by a call to setCertificateEntry,
or created by a call to setEntry with a
TrustedCertificateEntry,
then the trusted certificate contained in that entry is returned.
If the given alias name identifies an entry
created by a call to setKeyEntry,
or created by a call to setEntry with a
PrivateKeyEntry,
then the first element of the certificate chain in that entry
is returned.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCertificate(alias);
| | public final java.lang.String | getCertificateAlias(java.security.cert.Certificate cert)Returns the (alias) name of the first keystore entry whose certificate
matches the given certificate.
This method attempts to match the given certificate with each
keystore entry. If the entry being considered was
created by a call to setCertificateEntry,
or created by a call to setEntry with a
TrustedCertificateEntry,
then the given certificate is compared to that entry's certificate.
If the entry being considered was
created by a call to setKeyEntry,
or created by a call to setEntry with a
PrivateKeyEntry,
then the given certificate is compared to the first
element of that entry's certificate chain.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCertificateAlias(cert);
| | public final java.security.cert.Certificate[] | getCertificateChain(java.lang.String alias)Returns the certificate chain associated with the given alias.
The certificate chain must have been associated with the alias
by a call to setKeyEntry,
or by a call to setEntry with a
PrivateKeyEntry.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCertificateChain(alias);
| | public final java.util.Date | getCreationDate(java.lang.String alias)Returns the creation date of the entry identified by the given alias.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCreationDate(alias);
| | public static final java.lang.String | getDefaultType()Returns the default keystore type as specified in the Java security
properties file, or the string
"jks" (acronym for "Java keystore")
if no such property exists.
The Java security properties file is located in the file named
<JAVA_HOME>/lib/security/java.security.
<JAVA_HOME> refers to the value of the java.home system property,
and specifies the directory where the JRE is installed.
The default keystore type can be used by applications that do not
want to use a hard-coded keystore type when calling one of the
getInstance methods, and want to provide a default keystore
type in case a user does not specify its own.
The default keystore type can be changed by setting the value of the
"keystore.type" security property (in the Java security properties
file) to the desired keystore type.
String kstype;
kstype = (String)AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
return Security.getProperty(KEYSTORE_TYPE);
}
});
if (kstype == null) {
kstype = "jks";
}
return kstype;
| | public final java.security.KeyStore$Entry | getEntry(java.lang.String alias, java.security.KeyStore$ProtectionParameter protParam)Gets a keystore Entry for the specified alias
with the specified protection parameter.
if (alias == null) {
throw new NullPointerException("invalid null input");
}
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetEntry(alias, protParam);
| | public static java.security.KeyStore | getInstance(java.lang.String type)Returns a keystore object of the specified type.
This method traverses the list of registered security Providers,
starting with the most preferred Provider.
A new KeyStore object encapsulating the
KeyStoreSpi implementation from the first
Provider that supports the specified type is returned.
Note that the list of registered providers may be retrieved via
the {@link Security#getProviders() Security.getProviders()} method.
try {
Object[] objs = Security.getImpl(type, "KeyStore", (String)null);
return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
} catch (NoSuchAlgorithmException nsae) {
throw new KeyStoreException(type + " not found", nsae);
} catch (NoSuchProviderException nspe) {
throw new KeyStoreException(type + " not found", nspe);
}
| | public static java.security.KeyStore | getInstance(java.lang.String type, java.lang.String provider)Returns a keystore object of the specified type.
A new KeyStore object encapsulating the
KeyStoreSpi implementation from the specified provider
is returned. The specified provider must be registered
in the security provider list.
Note that the list of registered providers may be retrieved via
the {@link Security#getProviders() Security.getProviders()} method.
if (provider == null || provider.length() == 0)
throw new IllegalArgumentException("missing provider");
try {
Object[] objs = Security.getImpl(type, "KeyStore", provider);
return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
} catch (NoSuchAlgorithmException nsae) {
throw new KeyStoreException(type + " not found", nsae);
}
| | public static java.security.KeyStore | getInstance(java.lang.String type, java.security.Provider provider)Returns a keystore object of the specified type.
A new KeyStore object encapsulating the
KeyStoreSpi implementation from the specified Provider
object is returned. Note that the specified Provider object
does not have to be registered in the provider list.
if (provider == null)
throw new IllegalArgumentException("missing provider");
try {
Object[] objs = Security.getImpl(type, "KeyStore", provider);
return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
} catch (NoSuchAlgorithmException nsae) {
throw new KeyStoreException(type + " not found", nsae);
}
| | public final java.security.Key | getKey(java.lang.String alias, char[] password)Returns the key associated with the given alias, using the given
password to recover it. The key must have been associated with
the alias by a call to setKeyEntry,
or by a call to setEntry with a
PrivateKeyEntry or SecretKeyEntry.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetKey(alias, password);
| | public final java.security.Provider | getProvider()Returns the provider of this keystore.
return this.provider;
| | public final java.lang.String | getType()Returns the type of this keystore.
return this.type;
| | public final boolean | isCertificateEntry(java.lang.String alias)Returns true if the entry identified by the given alias
was created by a call to setCertificateEntry,
or created by a call to setEntry with a
TrustedCertificateEntry.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineIsCertificateEntry(alias);
| | public final boolean | isKeyEntry(java.lang.String alias)Returns true if the entry identified by the given alias
was created by a call to setKeyEntry,
or created by a call to setEntry with a
PrivateKeyEntry or a SecretKeyEntry.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineIsKeyEntry(alias);
| | public final void | load(java.io.InputStream stream, char[] password)Loads this KeyStore from the given input stream.
A password may be given to unlock the keystore
(e.g. the keystore resides on a hardware token device),
or to check the integrity of the keystore data.
If a password is not given for integrity checking,
then integrity checking is not performed.
In order to create an empty keystore, or if the keystore cannot
be initialized from a stream, pass null
as the stream argument.
Note that if this keystore has already been loaded, it is
reinitialized and loaded again from the given input stream.
keyStoreSpi.engineLoad(stream, password);
initialized = true;
| | public final void | load(java.security.KeyStore$LoadStoreParameter param)Loads this keystore using the given LoadStoreParameter.
Note that if this KeyStore has already been loaded, it is
reinitialized and loaded again from the given parameter.
keyStoreSpi.engineLoad(param);
initialized = true;
| | public final void | setCertificateEntry(java.lang.String alias, java.security.cert.Certificate cert)Assigns the given trusted certificate to the given alias.
If the given alias identifies an existing entry
created by a call to setCertificateEntry,
or created by a call to setEntry with a
TrustedCertificateEntry,
the trusted certificate in the existing entry
is overridden by the given certificate.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineSetCertificateEntry(alias, cert);
| | public final void | setEntry(java.lang.String alias, java.security.KeyStore$Entry entry, java.security.KeyStore$ProtectionParameter protParam)Saves a keystore Entry under the specified alias.
The protection parameter is used to protect the
Entry.
If an entry already exists for the specified alias,
it is overridden.
if (alias == null || entry == null) {
throw new NullPointerException("invalid null input");
}
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineSetEntry(alias, entry, protParam);
| | public final void | setKeyEntry(java.lang.String alias, java.security.Key key, char[] password, java.security.cert.Certificate[] chain)Assigns the given key to the given alias, protecting it with the given
password.
If the given key is of type java.security.PrivateKey,
it must be accompanied by a certificate chain certifying the
corresponding public key.
If the given alias already exists, the keystore information
associated with it is overridden by the given key (and possibly
certificate chain).
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
if ((key instanceof PrivateKey) &&
(chain == null || chain.length == 0)) {
throw new IllegalArgumentException("Private key must be "
+ "accompanied by certificate "
+ "chain");
}
keyStoreSpi.engineSetKeyEntry(alias, key, password, chain);
| | public final void | setKeyEntry(java.lang.String alias, byte[] key, java.security.cert.Certificate[] chain)Assigns the given key (that has already been protected) to the given
alias.
If the protected key is of type
java.security.PrivateKey, it must be accompanied by a
certificate chain certifying the corresponding public key. If the
underlying keystore implementation is of type jks,
key must be encoded as an
EncryptedPrivateKeyInfo as defined in the PKCS #8 standard.
If the given alias already exists, the keystore information
associated with it is overridden by the given key (and possibly
certificate chain).
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineSetKeyEntry(alias, key, chain);
| | public final int | size()Retrieves the number of entries in this keystore.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineSize();
| | public final void | store(java.io.OutputStream stream, char[] password)Stores this keystore to the given output stream, and protects its
integrity with the given password.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineStore(stream, password);
| | public final void | store(java.security.KeyStore$LoadStoreParameter param)Stores this keystore using the given LoadStoreParameter.
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineStore(param);
|
|
