How to use .key and .crt files generated by openssl in Java?

2022-01-10 00:00:00 cryptography ssl openssl java crt


I need asymmetric encryption in Java. I generate .key and .crt files with my own password using openssl, as described at http://www.imacat.idv.tw/tech/sslcerts.html .
How do I use these .key and .crt files to extract the public key and private key in Java?

Recommended answer

Your .key and .crt files may be in PEM format. To check this, open them with a text editor and check whether the content looks like -----BEGIN CERTIFICATE----- (or "-----BEGIN RSA PRIVATE KEY-----" ...). This is generally the default format used by OpenSSL, unless you've explicitly specified DER.

It's probably not required (see below), but if your certificate is in DER format (a binary format), you can convert it to PEM format using:

openssl x509 -inform DER -in cert.crt -outform PEM -out cert.pem

(Check the help for openssl rsa for doing something similar with the private key if needed.)

Then you have two options:

  • Build a PKCS#12 file

openssl pkcs12 -export -in myhost.crt -inkey myhost.key -out myhost.p12

You can then use it directly from Java as a keystore of type "PKCS12". Most Java applications should allow you to specify a keystore type in addition to the file location. For the default system properties, this is done with javax.net.ssl.keyStoreType (but the application you're using might not be using this). Otherwise, if you want to load it explicitly, use something like this:

import java.io.FileInputStream;
import java.security.KeyStore;

KeyStore ks = KeyStore.getInstance("PKCS12");
// try-with-resources closes the stream even if load() throws
try (FileInputStream fis = new FileInputStream("/path/to/myhost.p12")) {
    ks.load(fis, "password".toCharArray()); // There are other ways to read the password.
}

Then, you should be able to iterate through the aliases() of the KeyStore and use getCertificate (and then getPublicKey() for the public key) and getKey().

  • Use BouncyCastle's PEMReader.

 import java.io.FileReader;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import org.bouncycastle.openssl.PEMReader;

 FileReader fr = ... // Create a FileReader for myhost.crt
 PEMReader pemReader = new PEMReader(fr);
 X509Certificate cert = (X509Certificate) pemReader.readObject();
 PublicKey pk = cert.getPublicKey();
 pemReader.close(); // PEMReader wraps the FileReader, so this closes both

For the private key, you'll need to implement a PasswordFinder (see link from PEMReader doc) for constructing the PEMReader if the private key is password-protected. (You'll need to cast the result of readObject() into a Key or PrivateKey.)
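A complete program that follows the first option end to end, added here as an example and not part of the original answer: it loads the PKCS#12 file produced by the openssl pkcs12 -export command above, walks the aliases to find the private key and the certificate's public key, checks that public key against the one the JDK's own X.509 CertificateFactory reads straight from the PEM .crt (no BouncyCastle needed for the certificate side), and then does the asymmetric round trip the question asks for. The file paths, alias handling and the password "password" are assumptions; replace them with your own.

```java
// Added example; not code from the original answer. Paths and password are placeholders.
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.Cipher;

public class PemKeyDemo {

    // Placeholder locations for the files built with "openssl pkcs12 -export ..." and the PEM certificate.
    private static final String P12_PATH = "/path/to/myhost.p12";
    private static final String CRT_PATH = "/path/to/myhost.crt";

    public static void main(String[] args) throws Exception {
        // In real code read this from a prompt or protected config, not a literal.
        char[] password = "password".toCharArray();

        // Option 1: the PKCS#12 keystore. The export password protects both the file and the key entry.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(P12_PATH)) {
            ks.load(in, password);
        }

        PrivateKey privateKey = null;
        PublicKey publicKey = null;
        // Walk the aliases and take the first entry that carries a private key plus its certificate.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have no private key
            }
            Key key = ks.getKey(alias, password);
            Certificate cert = ks.getCertificate(alias);
            if (key instanceof PrivateKey && cert != null) {
                privateKey = (PrivateKey) key;
                publicKey = cert.getPublicKey();
                System.out.println("Using key entry: " + alias);
                break;
            }
        }
        if (privateKey == null) {
            throw new IllegalStateException("no private key entry found in " + P12_PATH);
        }

        // Public key only: the JDK's X.509 CertificateFactory parses a PEM .crt directly.
        try (InputStream in = new FileInputStream(CRT_PATH)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate x509 = (X509Certificate) cf.generateCertificate(in);
            PublicKey fromPem = x509.getPublicKey();
            System.out.println("PEM certificate public key matches keystore entry: "
                    + Arrays.equals(fromPem.getEncoded(), publicKey.getEncoded()));
        }

        // Asymmetric round trip with the extracted pair, using OAEP rather than PKCS#1 v1.5 padding.
        // RSA only encrypts a short message; for bulk data wrap an AES key with RSA and encrypt the data with AES.
        byte[] plaintext = "hello".getBytes(StandardCharsets.UTF_8);
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        dec.init(Cipher.DECRYPT_MODE, privateKey);
        byte[] recovered = dec.doFinal(ciphertext);

        System.out.println("round trip ok: " + Arrays.equals(plaintext, recovered));
        Arrays.fill(password, '\0'); // scrub the password array once it is no longer needed
    }
}
```

Compile and run it with the JDK alone; nothing outside java.base is required. If the private key in the .p12 was exported with a key password different from the file password, pass that one to getKey() instead.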
