Login/Register
java - how to store a key in keystore
Asked Answered
Solved javakeystore
E

1

19

I've need to store 2 keys into KeyStore Here's the relevant code:

KeyStore ks = KeyStore.getInstance("JKS");
String password = "password";
char[] ksPass = password.toCharArray();
ks.load(null, ksPass);
ks.setKeyEntry("keyForSeckeyDecrypt", privateKey, null, null);
ks.setKeyEntry("keyForDigitalSignature", priv, null, null);
FileOutputStream writeStream = new FileOutputStream("key.store");
ks.store(writeStream, ksPass);
writeStream.close();

Though I get an execption "Private key must be accompanied by certificate chain"

What is that, exactly? and how would I generate it?

Emblaze answered 15/12, 2012 at 17:56 Comment(0)
P
19

You need to also provide the certificate (public key) for the private key entry. For a certificate signed by a CA, the chain is the CA's certificate and the end-certificate. For a self-signed certificate you only have the self-signed certificate
Example: 

KeyPair keyPair = ...;//You already have this  
X509Certificate certificate = generateCertificate(keyPair);  
KeyStore keyStore = KeyStore.getInstance("JKS");  
keyStore.load(null,null);  
Certificate[] certChain = new Certificate[1];  
certChain[0] = certificate;  
keyStore.setKeyEntry("key1", (Key)keyPair.getPrivate(), pwd, certChain);

To generate the certificate follow this link:
Example: 

public X509Certificate generateCertificate(KeyPair keyPair){  
   X509V3CertificateGenerator cert = new X509V3CertificateGenerator();   
   cert.setSerialNumber(BigInteger.valueOf(1));   //or generate a random number  
   cert.setSubjectDN(new X509Principal("CN=localhost"));  //see examples to add O,OU etc  
   cert.setIssuerDN(new X509Principal("CN=localhost")); //same since it is self-signed  
   cert.setPublicKey(keyPair.getPublic());  
   cert.setNotBefore(<date>);  
   cert.setNotAfter(<date>);  
   cert.setSignatureAlgorithm("SHA1WithRSAEncryption");   
    PrivateKey signingKey = keyPair.getPrivate();    
   return cert.generate(signingKey, "BC");  
}
Podium answered 15/12, 2012 at 18:9 Comment(15)
the public key is of type Key, and they request Certificate[]. How would I cast the public key to Certificate ChainEmblaze
Don't you have a X509Certificate?Where did you get the private key?Podium
I've initialized a KeyPairGenerator to generate pair of keysEmblaze
You need to use a X509V3CertificateGenerator to create a certificate which you will pass as a parameter to the keystore as part of you private key entry bouncycastle.org/wiki/display/JA1/…Podium
hmm...ok I'll try to understand from the link. ThanksEmblaze
If you need help let me know.Since this is homework I will let you try out yourself firstPodium
The homework is actually an exercise to pracitice on Java Crypto API, using JCA and JCE classes. We haven't disscussed about those certificates, but in the exercise we are requested to store the private keys we've generated inside a password-protected KeyStore. So I'll be happy to recieve further help, please :)Emblaze
You can not store a private key in a keystore without the certifying chain.You need to generate the corresponding certificate and add it along the private key in the keystorePodium
So can I please get further help with this?Emblaze
Thanks alot @Cratylus!! Though all te setters doesn't seem to be existEmblaze
Use org.bouncycastle.x509.X509V3CertificateGenerator. They existPodium
My eclipse doesn't recognize org.bouncycastle as something I can import, how would I get it?Emblaze
You need to have bouncy castle library in your build pathPodium
@Podium You say KeyPair keyPair = ...;//You already have this . I don't have it! I want it! Where can I get it?Tishtisha
This is a nice solution. However, I am not allowed to use bouncy castle, only standard Java 8 JCE libraries. What to do?Salbu

© 2022 - 2024 — McMap. All rights reserved.