JDK Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.32, 2006

JCA - KeyStore and Related Classes


JcaKeyStoreTest.java - Sample Program

The following sample program shows you how to load a keystore database from a file into a KeyStore object, extract a certificate from the keystore into a certificate file, and then import that certificate back into the keystore as a new entry.

/**
 * JcaKeyStoreTest.java
 * Copyright (c) 2002 by Dr. Herong Yang
 */
import java.io.*;
import java.util.*;
import java.security.*;
import java.security.cert.*;
class JcaKeyStoreTest {
   public static void main(String[] a) {
      if (a.length<3) {
         System.out.println("Usage:");
         System.out.println("java JcaKeyStoreTest store sPass alias");
         return;
      }
      String store = a[0];   // keystore file name
      String sPass = a[1];   // keystore (integrity) password
      String alias = a[2];   // alias of the entry whose certificate is exported
      try {
         test(store,sPass,alias);
      } catch (Exception e) {
         System.out.println("Exception: "+e);
         return;
      }
   }
   private static void test(String store, String sPass, String alias)
      throws Exception {
      // Step 1: create an empty KeyStore object of type JKS.
      KeyStore ks = KeyStore.getInstance("JKS");
      System.out.println();
      System.out.println("KeyStore Object Info: ");
      System.out.println("Type = "+ks.getType());
      System.out.println("Provider = "+ks.getProvider());
      System.out.println("toString = "+ks.toString());

      // Step 2: load the keystore file; the password is used to verify
      // the integrity of the file, and a wrong one fails here.
      FileInputStream fis = new FileInputStream(store);
      ks.load(fis,sPass.toCharArray());
      fis.close();
      System.out.println();
      System.out.println("KeyStore Content: ");
      System.out.println("Size = "+ks.size());
      Enumeration<String> e = ks.aliases();
      while (e.hasMoreElements()) {
         String name = e.nextElement();
         System.out.print("   "+name+": ");
         if (ks.isKeyEntry(name)) System.out.println(" Key entry");
         else System.out.println(" Certificate entry");
      }

      // Step 3: fetch the certificate of the given alias. For a key entry
      // this is the first certificate of the entry's chain.
      // (Fully qualified, because java.security.Certificate also exists.)
      java.security.cert.Certificate cert = ks.getCertificate(alias);
      System.out.println();
      System.out.println("Certificate Object Info: ");
      System.out.println("Type = "+cert.getType());
      System.out.println("toString = "+cert.toString());

      // Step 4: write the DER-encoded certificate to <alias>.crt.
      FileOutputStream fos = new FileOutputStream(alias+".crt");
      byte[] certBytes = cert.getEncoded();
      fos.write(certBytes);
      fos.close();

      // Step 5: obtain an X.509 certificate factory to parse the file again.
      CertificateFactory cf = CertificateFactory.getInstance("X.509");
      System.out.println();
      System.out.println("CertificateFactory Object Info: ");
      System.out.println("Type = "+cf.getType());
      System.out.println("Provider = "+cf.getProvider());
      System.out.println("toString = "+cf.toString());

      // Step 6: read the certificate back and add it as a new trusted
      // certificate entry. The new alias is the old alias with the current
      // keystore size appended, e.g. "my_home" + 4 -> "my_home4".
      fis = new FileInputStream(alias+".crt");
      cert = cf.generateCertificate(fis);
      ks.setCertificateEntry(alias+ks.size(),cert);
      fis.close();

      // Step 7: save the modified keystore back to the same file.
      fos = new FileOutputStream(store);
      ks.store(fos,sPass.toCharArray());
      fos.close();
   }
}

Here is the result of my first test. It uses the key store file generated from the "keytool" command. See the previous chapter for details.

java -cp . JcaKeyStoreTest herong.jks HerongJKS my_home

KeyStore Object Info:
Type = JKS
Provider = SUN version 1.2
toString = java.security.KeyStore@6ec612

KeyStore Content:
Size = 4
   my_home_2:  Certificate entry
   my_home:  Key entry
   his_home:  Key entry
   my_copy:  Key entry

Certificate Object Info:
Type = X.509
toString = [
[
  Version: V1
  Subject: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My...
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
  Key:  Sun DSA Public Key
    Parameters:DSA
...
  Issuer: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My ...
  SerialNumber: [    407928a4 ]
]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 38 CC 05 0E   3D 67 B5 C1 D8 B0 C9 EF  0,..8...=...
0010: 57 0E C5 4F 70 A4 B5 C7   02 14 59 37 68 93 A4 48  W..Op.......
0020: 79 E0 8C 44 8C AD 2B 07   13 3A 8E FF AA 93        y..D..+.....
]

CertificateFactory Object Info:
Type = X.509
Provider = SUN version 1.2
toString = java.security.cert.CertificateFactory@3ab50a

Note that the extracted certificate is imported back into the key store as a new certificate entry, under the alias my_home4 (the original alias with the keystore size, 4, appended). You can see the new entry if you run the program again:

java -cp . JcaKeyStoreTest herong.jks HerongJKS my_home

KeyStore Object Info:
Type = JKS
Provider = SUN version 1.2
toString = java.security.KeyStore@6ec612

KeyStore Content:
Size = 5
   my_home_2:  Certificate entry
   my_home4:  Certificate entry
   my_home:  Key entry
   his_home:  Key entry
   my_copy:  Key entry

Certificate Object Info:
...
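Running the sample program repeatedly keeps adding the same certificate under fresh aliases (my_home4, my_home5, ...), and the listing above says nothing about whether the certificates are still valid or what algorithm signed them. The program below is an added example, not part of the tutorial: it loads a JKS file the same way (the tutorial's herong.jks / HerongJKS pair is a suitable input), prints a SHA-256 fingerprint, validity and signature algorithm for every entry, flags SHA-1 or MD5 signatures such as the SHA1withDSA seen in the output above, and only imports the certificate again when no existing entry already holds the same DER bytes. The class and method names (KeyStoreAudit, audit, findByFingerprint, importIfAbsent) are my own.

```java
/**
 * KeyStoreAudit.java - added example, not part of the tutorial.
 * Lists every entry of a JKS keystore with fingerprint, validity and
 * signature algorithm, then performs a duplicate-aware certificate import.
 */
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeyStoreAudit {
   public static void main(String[] a) throws Exception {
      if (a.length < 3) {
         System.out.println("Usage: java KeyStoreAudit store sPass alias");
         return;
      }
      String store = a[0], sPass = a[1], alias = a[2];
      KeyStore ks = KeyStore.getInstance("JKS");
      try (InputStream in = new FileInputStream(store)) {
         // A wrong password fails here: the keystore integrity check rejects it.
         ks.load(in, sPass.toCharArray());
      }
      audit(ks);

      // Same re-import as the tutorial program, but skipped when the
      // certificate is already present under any alias.
      Certificate cert = ks.getCertificate(alias);
      if (cert == null) {
         System.out.println("No certificate stored under alias " + alias);
         return;
      }
      if (importIfAbsent(ks, cert, alias + "_copy")) {
         try (OutputStream out = new FileOutputStream(store)) {
            ks.store(out, sPass.toCharArray());
         }
         System.out.println("Imported as " + alias + "_copy and saved");
      }
   }

   /** One line per entry: kind, alias, SHA-256 fingerprint, checks. */
   static void audit(KeyStore ks) throws Exception {
      Enumeration<String> names = ks.aliases();
      while (names.hasMoreElements()) {
         String name = names.nextElement();
         // For key entries this is the first certificate of the chain.
         Certificate cert = ks.getCertificate(name);
         String kind = ks.isKeyEntry(name) ? "key " : "cert";
         System.out.print(kind + " " + name + " " + fingerprint(cert));
         if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.print(" " + x.getSigAlgName() + " expires " + x.getNotAfter());
            try {
               x.checkValidity();   // throws if expired or not yet valid
            } catch (CertificateException e) {
               System.out.print(" [NOT VALID: " + e.getMessage() + "]");
            }
            String alg = x.getSigAlgName().toUpperCase();
            if (alg.contains("MD5") || alg.contains("SHA1")) {
               System.out.print(" [WEAK SIGNATURE ALGORITHM]");
            }
         }
         System.out.println();
      }
   }

   /** Hex SHA-256 over the DER encoding, as keytool -list -v prints it. */
   static String fingerprint(Certificate cert) throws Exception {
      byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
      StringBuilder sb = new StringBuilder();
      for (byte b : d) sb.append(String.format("%02X", b));
      return sb.toString();
   }

   /** Alias of an existing entry holding the same certificate bytes, or null. */
   static String findByFingerprint(KeyStore ks, Certificate cert) throws Exception {
      String fp = fingerprint(cert);
      Enumeration<String> names = ks.aliases();
      while (names.hasMoreElements()) {
         String name = names.nextElement();
         Certificate c = ks.getCertificate(name);
         if (c != null && fingerprint(c).equals(fp)) return name;
      }
      return null;
   }

   /** Adds cert under newAlias unless it is already stored; true if added. */
   static boolean importIfAbsent(KeyStore ks, Certificate cert, String newAlias)
         throws Exception {
      String existing = findByFingerprint(ks, cert);
      if (existing != null) {
         System.out.println("Certificate already stored as " + existing + ", skipping");
         return false;
      }
      ks.setCertificateEntry(newAlias, cert);
      return true;
   }
}
```

Compile and run it with `javac KeyStoreAudit.java` and `java KeyStoreAudit herong.jks HerongJKS my_home`. On the keystore shown above, the first run reports that the certificate is already stored as my_home (it is the chain head of that key entry) and writes nothing, which is the behaviour the tutorial program lacks. The JDK's own `KeyStore.getCertificateAlias(Certificate)` performs the same lookup by comparing certificates; the explicit fingerprint loop is used here so the hash can also be printed and compared against a value recorded elsewhere.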

Conclusion:

  • The KeyStore class offers about the same functionality as the "keytool" command.
  • There seems to be no way to generate a certificate chain.
  • There seems to be no way to generate a certificate for a given public key.

Dr. Herong Yang, updated in 2006