Class KeyStoreUtil


  • public final class KeyStoreUtil
    extends Object
    Keystore utilities, consolidated from various places.
    Since:
    0.9.9
    • Constructor Detail

      • KeyStoreUtil

        public KeyStoreUtil()
    • Method Detail

      • loadSystemKeyStore

        public static KeyStore loadSystemKeyStore()
        Loads certs from the location given by the javax.net.ssl.keyStore property, else from $JAVA_HOME/lib/security/jssecacerts, else from $JAVA_HOME/lib/security/cacerts.
        Returns:
        null on catastrophic failure; an empty KeyStore if the system file can't be loaded
        Since:
        0.8.2, moved from SSLEepGet.initSSLContext() in 0.9.9
      • countCerts

        public static int countCerts(KeyStore ks)
        Count all X509 certs in a keystore.
        Returns:
        number successfully added
        Since:
        0.8.2, moved from SSLEepGet in 0.9.9
      • logCertExpiration

        public static boolean logCertExpiration(File f,
                                                String ksPW,
                                                long expiresWithin)
        Validate expiration for all private key certs in a keystore. Use this for keystores containing self-signed certs where the user will be expected to renew an expiring cert, and for Jetty keystores, where we aren't doing the loading ourselves. If a cert isn't valid, it will probably cause bigger problems later when it's used.
        Parameters:
        f - keystore file
        ksPW - keystore password
        expiresWithin - milliseconds; if a cert expires within this long, a warning is logged, e.g. 180*24*60*60*1000L
        Returns:
        true if all are good, false if we logged something
        Since:
        0.9.34
      • logCertExpiration

        public static boolean logCertExpiration(KeyStore ks,
                                                String location,
                                                long expiresWithin)
        Validate expiration for all private key certs in a keystore. Use this for keystores containing self-signed certs where the user will be expected to renew an expiring cert, and for keystores we are feeding to an SSLContext and ServerSocketFactory. We added support for self-signed certs in 0.8.3 (2011-01), with a 10-year expiration. We still don't generate them by default. We don't expect anybody's certs to expire until 2021.
        Parameters:
        location - the path or other identifying info, for logging only
        expiresWithin - milliseconds; if a cert expires within this long, a warning is logged, e.g. 180*24*60*60*1000L
        Returns:
        true if all are good, false if we logged something
        Since:
        0.9.34
      • addCerts

        public static int addCerts(File dir,
                                   KeyStore ks)
        Load all X509 certs from a directory and add them to the trusted set of certificates in the keystore. This DOES check for revocation.
        Returns:
        number successfully added
        Since:
        0.8.2, moved from SSLEepGet in 0.9.9
      • addCert

        public static boolean addCert(File file,
                                      String alias,
                                      KeyStore ks)
        Load an X509 cert from a file and add it to the trusted set of certificates in the keystore. This does NOT check for revocation.
        Returns:
        success
        Since:
        0.8.2, moved from SSLEepGet in 0.9.9
      • addCert

        public static boolean addCert(File file,
                                      String alias,
                                      KeyStore ks,
                                      CertStore cs)
        Load an X509 cert from a file and add it to the trusted set of certificates in the keystore. This DOES check for revocation, IF cs is non-null.
        Parameters:
        cs - may be null; if non-null, check for revocation
        Returns:
        success
        Since:
        0.9.25
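The trust-store methods documented above (loadSystemKeyStore, countCerts, addCerts, the addCert overload that takes a CertStore, and logCertExpiration) used together, as an added example that is not code from the I2P project. It assumes KeyStoreUtil lives in the net.i2p.crypto package (the package is not shown on this page), that the directories certs/ and crls/, the file extra-ca.crt and the Jetty keystore jetty.ks exist, and uses a placeholder keystore password.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.util.ArrayList;
import java.util.List;

import net.i2p.crypto.KeyStoreUtil;   // assumed package

public class TrustStoreExample {

    /**
     * Load every CRL file in a directory into a Collection CertStore.
     * addCert(file, alias, ks, cs) consults this store for revocation;
     * passing null instead would skip the revocation check entirely.
     */
    static CertStore loadCrls(File crlDir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<>();
        File[] files = crlDir.listFiles();
        if (files != null) {
            for (File f : files) {
                try (InputStream in = new FileInputStream(f)) {
                    crls.add(cf.generateCRL(in));
                }
            }
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    public static void main(String[] args) throws Exception {
        // null means catastrophic failure; an empty store means the system file was unreadable
        KeyStore ks = KeyStoreUtil.loadSystemKeyStore();
        if (ks == null) {
            System.err.println("could not load or create a system trust store");
            System.exit(1);
        }
        int before = KeyStoreUtil.countCerts(ks);

        // Bulk add from a directory; this overload performs revocation checking itself.
        int added = KeyStoreUtil.addCerts(new File("certs"), ks);

        // Single cert with an explicit CRL set (constructed from crls/ above).
        CertStore cs = loadCrls(new File("crls"));
        boolean accepted = KeyStoreUtil.addCert(new File("extra-ca.crt"), "extra-ca", ks, cs);

        System.out.println("system certs: " + before
                + ", added from certs/: " + added
                + ", extra-ca accepted: " + accepted
                + ", total now: " + KeyStoreUtil.countCerts(ks));

        // Warn about private-key certs in a Jetty keystore that expire within 180 days.
        // The window is in milliseconds, matching the javadoc's 180*24*60*60*1000L example.
        long within = 180L * 24 * 60 * 60 * 1000;
        String jettyKsPW = "PLACEHOLDER-KEYSTORE-PW";   // placeholder, not a real password
        boolean allGood = KeyStoreUtil.logCertExpiration(new File("jetty.ks"), jettyKsPW, within);
        System.out.println("all private-key certs valid beyond the window: " + allGood);
    }
}
```

The two addCert variants differ only in revocation checking, so when a CRL source is available it is worth the extra setup to build the CertStore rather than passing null; logCertExpiration returns false whenever it logged, which makes it usable as a startup health check.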
      • randomString

        public static String randomString()
        Returns a 48-character base32 string (30 bytes of entropy).
      • createKeys

        public static boolean createKeys(File ks,
                                         String alias,
                                         String cname,
                                         String ou,
                                         String keyPW)
        Create a keypair and store it in the keystore at ks, creating it if necessary. Uses the default keystore password, valid days, algorithm, and key size. As of 0.9.35, the default algorithm and size depend on cname: if it appears to be a CA, EC/256 is used; otherwise RSA/2048. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        ou - e.g. console
        keyPW - the key password, must be at least 6 characters
        Returns:
        success
        Since:
        0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9
      • createKeys

        public static boolean createKeys(File ks,
                                         String alias,
                                         String cname,
                                         Set<String> altNames,
                                         String ou,
                                         String keyPW)
        Create a keypair and store it in the keystore at ks, creating it if necessary. Uses the default keystore password, valid days, algorithm, and key size. As of 0.9.35, the default algorithm and size depend on cname: if it appears to be a CA, EC/256 is used; otherwise RSA/2048. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
        ou - e.g. console
        keyPW - the key password, must be at least 6 characters
        Returns:
        success
        Since:
        0.9.34 added altNames param
      • createKeys

        public static boolean createKeys(File ks,
                                         String ksPW,
                                         String alias,
                                         String cname,
                                         String ou,
                                         int validDays,
                                         String keyAlg,
                                         int keySize,
                                         String keyPW)
        Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() overload with the SigType argument is recommended over this one, as it throws exceptions and returns the certificate and CRL. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        ou - e.g. console
        validDays - e.g. 3652 (10 years)
        keyAlg - e.g. DSA, RSA, EC
        keySize - e.g. 1024
        keyPW - the key password, must be at least 6 characters
        Returns:
        success
        Since:
        0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9
      • createKeys

        public static boolean createKeys(File ks,
                                         String ksPW,
                                         String alias,
                                         String cname,
                                         Set<String> altNames,
                                         String ou,
                                         int validDays,
                                         String keyAlg,
                                         int keySize,
                                         String keyPW)
        Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() overload with the SigType argument is recommended over this one, as it throws exceptions and returns the certificate and CRL. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
        ou - e.g. console
        validDays - e.g. 3652 (10 years)
        keyAlg - e.g. DSA, RSA, EC
        keySize - e.g. 1024
        keyPW - the key password, must be at least 6 characters
        Returns:
        success
        Since:
        0.9.34 added altNames param
      • createKeysAndCRL

        public static Object[] createKeysAndCRL(File ks,
                                                String ksPW,
                                                String alias,
                                                String cname,
                                                String ou,
                                                int validDays,
                                                String keyAlg,
                                                int keySize,
                                                String keyPW)
                                         throws GeneralSecurityException,
                                                IOException
        New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        ou - e.g. console
        validDays - e.g. 3652 (10 years)
        keyAlg - e.g. DSA, RSA, EC
        keySize - e.g. 1024
        keyPW - the key password, must be at least 6 characters
        Returns:
        all you need:
        rv[0] is a Java PublicKey
        rv[1] is a Java PrivateKey
        rv[2] is a Java X509Certificate
        rv[3] is a Java X509CRL
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.25
      • createKeysAndCRL

        public static Object[] createKeysAndCRL(File ks,
                                                String ksPW,
                                                String alias,
                                                String cname,
                                                Set<String> altNames,
                                                String ou,
                                                int validDays,
                                                String keyAlg,
                                                int keySize,
                                                String keyPW)
                                         throws GeneralSecurityException,
                                                IOException
        New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
        ou - e.g. console
        validDays - e.g. 3652 (10 years)
        keyAlg - e.g. DSA, RSA, EC
        keySize - e.g. 1024
        keyPW - the key password, must be at least 6 characters
        Returns:
        all you need:
        rv[0] is a Java PublicKey
        rv[1] is a Java PrivateKey
        rv[2] is a Java X509Certificate
        rv[3] is a Java X509CRL
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.34 added altNames param
      • createKeysAndCRL

        public static Object[] createKeysAndCRL(File ks,
                                                String ksPW,
                                                String alias,
                                                String cname,
                                                String ou,
                                                int validDays,
                                                SigType type,
                                                String keyPW)
                                         throws GeneralSecurityException,
                                                IOException
        New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        ou - e.g. console
        validDays - e.g. 3652 (10 years)
        keyPW - the key password, must be at least 6 characters
        Returns:
        all you need:
        rv[0] is a Java PublicKey
        rv[1] is a Java PrivateKey
        rv[2] is a Java X509Certificate
        rv[3] is a Java X509CRL
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.25
      • createKeysAndCRL

        public static Object[] createKeysAndCRL(File ks,
                                                String ksPW,
                                                String alias,
                                                String cname,
                                                Set<String> altNames,
                                                String ou,
                                                int validDays,
                                                SigType type,
                                                String keyPW)
                                         throws GeneralSecurityException,
                                                IOException
        New way: native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. Returns the public key, private key, certificate, and CRL in an array; all of these are Java classes, and keys may be converted to I2P classes with SigUtil. The private key and self-signed cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method; store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning: may take a long time.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password
        alias - the name of the key
        cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.
        altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.
        ou - e.g. console
        validDays - e.g. 3652 (10 years)
        keyPW - the key password, must be at least 6 characters
        Returns:
        all you need:
        rv[0] is a Java PublicKey
        rv[1] is a Java PrivateKey
        rv[2] is a Java X509Certificate
        rv[3] is a Java X509CRL
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.34 added altNames param
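The recommended createKeysAndCRL overload (SigType plus altNames) driven end to end, as an added example that is not the project's own code. It generates a self-signed cert for a console, puts IP addresses in altNames rather than cname (the javadoc warns that IPs are not encoded correctly in cname), checks the returned certificate, and saves the cert and CRL separately since only the private key and cert go into the keystore. Assumptions: KeyStoreUtil, SigType and CertUtil are in net.i2p.crypto; SigType.ECDSA_SHA256_P256 is the P-256 constant; CertUtil.saveCert(Certificate, File) and CertUtil.saveCRL(X509CRL, File) are the save methods the javadoc above names; all hostnames, file names and passwords are placeholders.

```java
import java.io.File;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import net.i2p.crypto.CertUtil;       // assumed package
import net.i2p.crypto.KeyStoreUtil;   // assumed package
import net.i2p.crypto.SigType;        // assumed package

public class KeygenExample {
    public static void main(String[] args) throws Exception {
        File ks = new File("console.ks");                 // placeholder path
        String ksPW = "PLACEHOLDER-KEYSTORE-PW";          // placeholder
        String keyPW = "PLACEHOLDER-KEY-PW";              // placeholder, >= 6 chars as required
        String cname = "router.example.internal";         // placeholder hostname (not an IP)

        // Extra names the cert should be valid for. cname, localhost, 127.0.0.1 and ::1
        // are added automatically per the javadoc; IPs belong here, not in cname.
        Set<String> altNames = new HashSet<>();
        altNames.add("192.0.2.10");                       // documentation-range placeholder IP

        // EC P-256 chosen explicitly (assumed constant name); validDays 3652 = 10 years
        Object[] rv = KeyStoreUtil.createKeysAndCRL(ks, ksPW, "console", cname, altNames,
                "console", 3652, SigType.ECDSA_SHA256_P256, keyPW);

        PublicKey pub = (PublicKey) rv[0];
        PrivateKey priv = (PrivateKey) rv[1];
        X509Certificate cert = (X509Certificate) rv[2];
        X509CRL crl = (X509CRL) rv[3];

        // Sanity checks a deployer would want before trusting the output:
        cert.checkValidity();          // throws if not yet valid / already expired
        cert.verify(pub);              // self-signed: must verify under its own public key
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("SANs    : " + cert.getSubjectAlternativeNames());
        System.out.println("expires : " + cert.getNotAfter());
        System.out.println("key alg : " + priv.getAlgorithm());
        System.out.println("CRL by  : " + crl.getIssuerX500Principal());

        // The keystore holds priv + cert; the public cert and CRL are persisted separately.
        boolean certSaved = CertUtil.saveCert(cert, new File("console.crt"));   // assumed signature
        boolean crlSaved = CertUtil.saveCRL(crl, new File("console.crl"));      // assumed signature
        System.out.println("cert saved: " + certSaved + ", CRL saved: " + crlSaved);
    }
}
```

Preferring this overload over the String keyAlg/int keySize variants means failures surface as GeneralSecurityException or IOException rather than a bare false, and the caller gets the certificate back immediately for the checks shown instead of re-reading the keystore.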
      • exportPrivateKey

        public static void exportPrivateKey(File ks,
                                            String ksPW,
                                            String alias,
                                            String keyPW,
                                            OutputStream out)
                                     throws GeneralSecurityException,
                                            IOException
        Export the private key and certificate chain (if any) from a keystore. Does NOT close the output stream. Throws on all errors.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password, may be null
        alias - the name of the key
        keyPW - the key password, must be at least 6 characters
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.25
      • renewPrivateKeyCertificate

        public static X509Certificate renewPrivateKeyCertificate(File ks,
                                                                 String ksPW,
                                                                 String alias,
                                                                 String keyPW,
                                                                 int validDays)
                                                          throws GeneralSecurityException,
                                                                 IOException
        Renew the private key certificate in a keystore. Closes the input and output streams. Throws on all errors.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password, may be null
        alias - the name of the key, or null to get the first one in keystore
        keyPW - the key password, must be at least 6 characters
        validDays - new cert to expire this many days from now
        Returns:
        the new certificate
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.34
      • importPrivateKey

        public static String importPrivateKey(File ks,
                                              String ksPW,
                                              String alias,
                                              String keyPW,
                                              InputStream in)
                                       throws GeneralSecurityException,
                                              IOException
        Import the private key and certificate chain into a keystore. The keystore will be created if it does not exist. The private key MUST be first in the stream. Closes the stream. Throws on all errors.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password, may be null
        alias - the name of the key. If null, will be taken from the Subject CN of the first certificate in the chain.
        keyPW - the key password, must be at least 6 characters
        Returns:
        the alias as specified or extracted
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.25
      • storePrivateKey

        public static void storePrivateKey(File ks,
                                           String ksPW,
                                           String alias,
                                           String keyPW,
                                           PrivateKey pk,
                                           List<X509Certificate> certs)
                                    throws GeneralSecurityException,
                                           IOException
        Import the private key and certificate chain into a keystore. The keystore will be created if it does not exist. The private key MUST be first in the stream. Closes the stream. Throws on all errors.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password, may be null
        alias - the name of the key, non-null.
        keyPW - the key password, must be at least 6 characters
        Throws:
        GeneralSecurityException
        IOException
        Since:
        0.9.25
      • exportCert

        public static boolean exportCert(File ks,
                                         String ksPW,
                                         String alias,
                                         File certFile)
        Pull the cert back OUT of the keystore and save it in Base64-encoded X.509 format so that clients can get to it.
        Parameters:
        ks - path to the keystore
        ksPW - the keystore password, may be null
        alias - the name of the key
        certFile - output
        Returns:
        success
        Since:
        0.8.3, moved from SSLClientListenerRunner in 0.9.9
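The private-key lifecycle methods above (exportPrivateKey, importPrivateKey, renewPrivateKeyCertificate and exportCert) chained into one migrate-and-renew flow, as an added example that is not code from the I2P project. It respects the stream-ownership rules the javadoc states: exportPrivateKey does not close its output stream, so the caller owns it, while importPrivateKey closes the input stream itself. Assumes KeyStoreUtil is in net.i2p.crypto and that all file names, the alias and the passwords are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.X509Certificate;
import java.util.Date;

import net.i2p.crypto.KeyStoreUtil;   // assumed package

public class KeyMigrationExample {

    /** Days from now until the certificate's notAfter, rounded down. */
    static long daysUntilExpiry(X509Certificate cert) {
        long ms = cert.getNotAfter().getTime() - new Date().getTime();
        return ms / (24L * 60 * 60 * 1000);
    }

    public static void main(String[] args) throws Exception {
        File src = new File("old.ks");               // placeholder: existing keystore
        File dst = new File("new.ks");               // placeholder: created by importPrivateKey
        File keyFile = new File("console.key");      // placeholder: intermediate key + chain
        String ksPW = "PLACEHOLDER-KEYSTORE-PW";     // placeholder
        String keyPW = "PLACEHOLDER-KEY-PW";         // placeholder, >= 6 chars as required

        // 1. Export. The method does NOT close the stream, so try-with-resources owns it.
        try (OutputStream out = new FileOutputStream(keyFile)) {
            KeyStoreUtil.exportPrivateKey(src, ksPW, "console", keyPW, out);
        }

        // 2. Import into a fresh keystore. The method closes the stream itself, so no
        //    try-with-resources here. A null alias is taken from the first cert's Subject CN.
        InputStream in = new FileInputStream(keyFile);
        String alias = KeyStoreUtil.importPrivateKey(dst, ksPW, null, keyPW, in);
        System.out.println("imported under alias: " + alias);

        // The intermediate file holds key material; it has served its purpose.
        if (!keyFile.delete()) {
            System.err.println("warning: could not remove " + keyFile);
        }

        // 3. Renew the self-signed cert so it expires validDays (3652 = 10 years) from now.
        X509Certificate renewed =
                KeyStoreUtil.renewPrivateKeyCertificate(dst, ksPW, alias, keyPW, 3652);
        System.out.println("renewed cert expires in ~" + daysUntilExpiry(renewed) + " days");

        // 4. Publish the renewed public cert in Base64 X.509 form for clients.
        boolean exported = KeyStoreUtil.exportCert(dst, ksPW, alias, new File("console.crt"));
        System.out.println("public cert exported: " + exported);
    }
}
```

Because renewPrivateKeyCertificate replaces the certificate that clients previously pinned, step 4 is not optional: any client that trusted the old console.crt needs the new one, so the export belongs in the same procedure as the renewal.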
      • main

        public static void main(String[] args)
        Usage:
          KeyStoreUtil system (loads from system keystore)
          KeyStoreUtil foo.ks (loads from system keystore, and from foo.ks keystore if it exists, else creates empty)
          KeyStoreUtil import file.ks file.key alias keypw (imports private key from file to keystore)
          KeyStoreUtil export file.ks alias keypw (exports private key from keystore)
          KeyStoreUtil keygen file.ks alias keypw (creates keypair in keystore)
          KeyStoreUtil keygen2 file.ks alias keypw (creates keypair using I2PProvider)