1、密钥工厂keyFactory
实现将不透明加密密钥(Key)和透明加密密钥(KeySpec)之间的转换.------------不对称密钥
通过getInstance()方法实例化一个KeyFactory对象,使用:
PublicKey generatePublic(KeySpec keySpec) 获取不透明公钥PrivateKey generatePrivate(KeySpec keySpec) 获取不透明私钥KeySpec getKeySpec(Key key, Class keySpec)根据指定的KeySpec对象,返回透明的密钥类型
SecretKeyFactory
实现将不透明加密密钥(Key)和透明加密密钥(KeySpec)之间的转换.--------------------------------对称密钥
byte[] desKeyData = { (byte)0x01, (byte)0x02, (byte)0x03, (byte)0x04, (byte)0x05, (byte)0x06, (byte)0x07, (byte)0x08 };
DESKeySpec desKeySpec = new DESKeySpec(desKeyData);
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
SecretKey secretKey = keyFactory.generateSecret(desKeySpec);
2、KeyGenerator-----------------------产生对称密钥
第一步:初始化
public void init(SecureRandom random);
public void init(int keysize);
public void init(int keysize, SecureRandom random);
通过设置密钥长度或种子,进行初始化KeyGenerator,如果只输入密钥长度,系统会默认提供种子信息。
或者可以传入AlgorithmParameterSpec 类,进行初始化
public void init(AlgorithmParameterSpec params);
public void init(AlgorithmParameterSpec params, SecureRandom random);
3、密钥协议类KeyAgreement
Key agreement is a protocol by which 2 or more parties can establish the same cryptographic keys, without having to exchange any secret information
Each party initializes their key agreement object with their private key, and then enters the public keys for each party that will participate in the communication. In most cases, there are just two parties, but algorithms such as Diffie-Hellman allow for multiple parties (3 or more) to participate. When all the public keys have been entered, eachKeyAgreement object will generate (agree upon) the same key.
通过使用自己的私钥初始化密钥协议类,然后使用另一方的公钥产生一个密钥。可以两方或者三方以上使用。
01、通过getInstance()实例化一个密钥协议类。
02、调用init方法初始化
public void init(Key key);
public void init(Key key, SecureRandom random);
public void init(Key key, AlgorithmParameterSpec params);
public void init(Key key, AlgorithmParameterSpec params,
SecureRandom random);
03、调用doPhase方法产生中间的密钥,lastPhase参数,如果是true,说明这是最后的阶段,如果是false,说明还要继续调用doPhase方法(三方以上使用)
public Key doPhase(Key key, boolean lastPhase);
04、产生共享密钥,通过调用一下方法可以产生共享密钥
public byte[] generateSecret();
public int generateSecret(byte[] sharedSecret, int offset);
public SecretKey generateSecret(String algorithm);
3、 密钥管理 KeyStore
01、设置KeyStore文件类型:keystore.type=jceks或者keystore.type=jks
除了JKS类型的KeyStore,还有其他两种类型:jceks和pks12
"jceks" is an alternate proprietary keystore format to "jks" that uses much stronger encryption in the form of Password-Based Encryption with Triple-DES.
The Sun "jceks" implementation can parse and convert a "jks" keystore file to the "jceks" format. You may upgrade your keystore of type "jks" to a keystore of type "jceks" by changing the password of a private-key entry in your keystore and specifying "-storetype jceks" as the keystore type. To apply the cryptographically strong(er) key protection supplied to a private key named "signkey" in your default keystore, use the following command, which will prompt you for the old and new key passwords:
keytool -keypasswd -alias signkey -storetype jceks
jceks比jks使用更强的加密算法。可以将jks类型转化成jceks类型,通过修改私钥实体的密码并且使用"-storetype jceks"作为keystore的类型。
- "pkcs12" is another option. This is a cross platform keystore based on the RSA PKCS12 Personal Information Exchange Syntax Standard. This standard is primarily meant for storing or transporting a user's private keys, certificates, and miscellaneous secrets. As of JDK 6, standards for storing Trusted Certificates in "pkcs12" have not been established yet, and thus "jks" or "jceks" should be used for trusted certificates.
pkcs12格式的密钥容器不能存储信任证书。
KeyStoreClass它是一个引擎类,提供了定义良好的用来接口访问密钥容器信息。.
This class represents an in-memory collection of keys and certificates.
KeyStoremanages two types of entries:这个类代表了内存中的密钥和证书集合。管理两种类型的实体
-
Key Entry (保存着敏感的私钥信息,以一种受保护的形式存储,避免非授权的访问。存储着对称密钥或者或者含有私钥的证书链,私钥和证书链使用数字签名用来对一个实体进行自我验证。
-
This type of keystore entry holds very sensitive cryptographic key information, which is stored in a protected format to prevent unauthorized access. Typically, a key stored in this type of entry is a secret key, or a private key accompanied by the certificate chain authenticating the corresponding public key.
Private keys and certificate chains are used by a given entity for self-authentication using digital signatures. For example, software distribution organizations digitally sign JAR files as part of releasing and/or licensing software.
Trusted Certificate Entry (包含一个公钥证书,keystore的拥有者信任这个证书属于某个实体,这种类型可以用来认证其他实体)
-
This type of entry contains a single public key certificate belonging to another party. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject (owner) of the certificate.
This type of entry can be used to authenticate other parties.
-
创建一个
KeyStoreObject使用getInstance方法 -
加载Keystore到内存中:
Loading a Particular Keystore into Memory
Before a
KeyStoreobject can be used, the actual keystore data must be loaded into memory via theloadmethod:final void load(InputStream stream, char[] password)
获取Keystore别名的列表
-
Getting a List of the Keystore Aliases
final Enumeration aliases()
判断一个别名是否是证书类型或者密钥类型
-
Determining Keystore Entry Types
-
final boolean isKeyEntry(String alias) final boolean isCertificateEntry(String alias)
添加/设置/删除密钥类型实体或者证书实体
-
Adding/Setting/Deleting Keystore Entries
The
setCertificateEntrymethod assigns a certificate to a specified alias:final void setCertificateEntry(String alias, Certificate cert)
-
final void setKeyEntry(String alias, Key key, char[] password, Certificate[] chain) final void setKeyEntry(String alias, byte[] key, Certificate[] chain)The
deleteEntrymethod deletes an entry:final void deleteEntry(String alias)
从Keystore获取信息
-
Getting Information from the Keystore
-
The
getKeymethod returns the key associated with the given alias. The key is recovered using the given password:
The following methods return the certificate, or certificate chain, respectively, associated with the given alias:final Key getKey(String alias, char[] password)
You can determine the name (final Certificate getCertificate(String alias) final Certificate[] getCertificateChain(String alias)
alias) of the first entry whose certificate matches a given certificate via the following:final String getCertificateAlias(Certificate cert) 保存密钥容器
-
Saving the KeyStore
The in-memory keystore can be saved via the
storemethod:final void store(OutputStream stream, char[] password)
-
516
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
