The new global password for the keystore. If you do not specify this value, you will be prompted for it, which is more secure.
Finally, you can get a summary of all commands with this command: −help
Print out a summary of the usage of keytool
.
10.2.10 Using Certificates from Netscape
If you have certificates that youve used in your Netscape browser, you can export them and use them with your Java programs as well. This is accomplished using the
PKCS12 keystore format. As we mentioned, this
is presently a one−way operation: you can read a PKCS12
keystore and export a certificate from it, but you cannot create or modify a
PKCS12 keystore.
The steps to accomplish this are as follows: Export your certificate from Netscape.
The exact details of this vary by Netscape release, but under the Tools menu, select Security Info in Netscape 6, its called Personal Security Manager. Select your certificate, and then export it. You can
export it to any file; the normal extension to use for the file is .p12. 1.
Read the keystore. If you exported the certificate to a file called sdocer.p12, this command will list the certificate:
piccolo keytool −list −keystore sdocer.p12 −storetype pkcs12 Enter keystore password:
Keystore type: pkcs12 Keystore provider: SunJSSE
Your keystore contains 1 entry: scott oakss verisign, inc. id, Sat Dec 30 18:39:54 EST 2000, keyEntry,
Certificate fingerprint MD5: 4D:09:08:11:95:FC:33:1C:6D:B1:15:2D:C3:FB:87:F8
2.
Export and import the certificate, if desired. If you use the export command to export the certificate, you may import it into a JKS or JCEKS keystore. Besides integrating it into a single source, this
allows you to make modifications to the entry, such as changing its password and alias. 3.
10.3 The Key Management API
The keytool
gives us the ability to create keys, obtain certificates, and so on. Now well turn our attention to using the key management facilities programatically: if you need to create a digital signature, youll use the
key management API to locate the correct key. Similarly, you may choose to store secret keys for data encryption in the keystore. The key management API allows us to read and write keystores and their entries.
In addition, the implementation of keytool
has certain limitations: it cannot create entries that store secret keys, and it is difficult to share the keys in a
keytool database among a widely dispersed group of people
like all the employees of XYZ Corporation. We can, however, use the key management API to create a key management system that has whatever features we require.
That framework is the ultimate goal of the following sections. First, however, lets take a look at the classes 188
that make up the key management API. We begin with the notion of the identity to whom a key belongs. In Javas key management model, the association between a key and its owner is application−specific, but it is
generally modeled on the Principal
interface.
10.3.1 Principals
Classes that are concerned with identities and key management in the Java security package generally implement the
Principal interface
java.security.Principal :
public interface Principal Provide an interface that supports the notion of an entity. In particular, principals have a name, but
little else. There is a single method that implementors of the
Principal interface must implement:
public String getName Return the name of the principal. This is typically an X.500 distinguished name, but it may be any
arbitrary name. The only idea that the
Principal interface abstracts is that principals have a name. The Java documentation
states that a principal is anything that can have an identity, but dont be confused by that statement; the word identity is being overloaded in this context. There is an
Identity class that implements the
Principal interface, but there are classes implementing the
Principal interface that are unrelated to the
Identity class. In addition, although it is not officially deprecated, the
Identity class is obsolete; it was used
primarily in Java 1.1. Further confusion about this interface can arise because there are two
Principal types in Java 2: the
java.security.Principal interface and the
org.omg.CORBA.Principal class. These are
unrelated, and well discuss only the java.security.Principal
interface throughout this book. The name that is stored in a principal is often an X.500 distinguished name DN. That is particularly true
when a principal is used in certain certificates like X509 certificates; it is not an absolute requirement by any means.
There are other methods listed in the Principal
interface −− namely, the equals
, toString
, and
hashCode methods. Theres no reason for those methods to be listed in the
Principal interface
since every class already inherits those methods from the Object
class. If you implement the Principal
interface, the only method you must implement is the getName
method. You should make sure that the other methods of the
Principal interface are implemented correctly −− but you should ensure these
methods of the Object
class are implemented correctly for all your classes, not just those that implement the Principal
interface.
10.3.2 The KeyStore Class
The class that implements the keystore is the KeyStore
class java.security.KeyStore
: public class KeyStore
Represent a set of private keys, aliases entities, and their corresponding certificates. A keystore object is typically one that has been read in from disk; that is, the
KeyStore object is an in−memory
representation of the keystore file. Chapter 10. Key Management
The KeyStore
class is an engine class; there is a corresponding KeyStoreSpi
class that you can use to write your own keystore more about that a little later. As weve seen, the Sun−supplied algorithms for this
engine are JKS, JCEKS, and PKCS12. Instances of the
KeyStore class are predictably obtained via this method:
public static final KeyStore getInstanceString type public static final KeyStore getInstanceString type, String provider
Return an instance of the KeyStore
class that implements the given algorithm, supplied by the given provider, if applicable.
If you do not want to hardwire the name of the keystore algorithm into your application, you may use this method to return the string that should be passed to the
getInstance method:
public static final String getDefaultType Return the default keystore algorithm for the environment. This value is obtained by looking for a
property called keystore.type
in the java.security file; Suns version of Java sets the default value of this string to JKS.
When the keystore object is created, it is initially empty. Although the getInstance
method has constructed the object, it is not expected that the objects constructor will read in a keystore from any
particular location. The interaction between the keystore object and the keytool database comes via these two methods:
public final void loadInputStream is, char[] password Initialize the keystore from the data provided over the given input stream. The integrity of the
keystore is protected by using a message digest: when the keystore is stored, a message digest that represents the data in the keystore is also stored. Before the digest is created, the password is added to
the digest data; this means that the digest cannot be recreated from a keystore without knowledge of the password. This allows you to detect whether the keystore has been tampered with. The password
for this method can be
null , in which case the keystore is loaded and not verified.
Its somewhat misleading to call this parameter a password, although thats what the javadoc
calls it, and thats the term used by
keytool . If you pass
null for the password, youll always be able to
read the keystore. Remember that a different password is used to decrypt the private keys in the keystore, so this isnt a security hole: if you dont have the password, you will be able to read only
public certificates. If you use an incorrect password, an IO exception is thrown.
You cannot require a password for the load
method to succeed since the Sun implementation of the
Policy class calls this method without a password when it constructs the information needed for
the access controller. You may, of course, provide your own implementation of the Policy
class that requires a password.
If the class required to support the underlying message digest is not available, a NoSuchAlgorithmException
is thrown. An error in reading the data results in an IOException
, and generic format errors in the data result in a CertificateException
. public final void storeOutputStream os, char[] password