Original: https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview
Reposted from: https://www.cnblogs.com/yangchongxing/p/13834102.html
Machine translation
Different types of keystore in Java -- Overview
A keystore is a storage facility for cryptographic keys and certificates. Keystores are most frequently used in SSL communications to prove the identity of servers and clients. A keystore can be a file or a hardware device. There are three kinds of entries that can be stored in a keystore, depending on the type of keystore.
The three types of entries are:
PrivateKey : This is the type of key used in asymmetric cryptography. Because of its sensitivity, it is usually protected with a password. It can also be used to produce a digital signature.
Certificate : A certificate contains a public key which identifies the subject claimed in the certificate. It is usually used to verify the identity of a server. Sometimes it is also used to identify a client when requested.
SecretKey : A key entry which is used in symmetric cryptography.
Depending on what entries a keystore can store and how it stores them, there are a few different types of keystores in Java: JKS, JCEKS, PKCS12, PKCS11 and DKS. You can find an introduction to these keystores in Oracle's Java Cryptography Architecture description.
Next, we will have an overview of these keystore types.
JKS, Java Key Store. You can find this implementation at sun.security.provider.JavaKeyStore. This keystore is Java specific and usually has the extension jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it is a Java-specific keystore, it cannot be used in other programming languages. The private keys stored in JKS cannot be extracted in Java.
JCEKS, JCE key store (Java Cryptography Extension KeyStore). It is a superset of JKS with more algorithms supported; it is an enhanced standard added later by Sun. You can find this implementation at com.sun.crypto.provider.JceKeyStore. This keystore has the extension jceks. The entries which can be put in a JCEKS keystore are private keys, secret keys and certificates. This keystore provides much stronger protection for stored private keys by using Triple DES encryption.
The provider of JCEKS is SunJCE, which was introduced in Java 1.4. Hence, prior to Java 1.4, only JKS could be used.
PKCS12, this is a standard keystore type which can be used in Java and other languages. You can find this keystore implementation at sun.security.pkcs12.PKCS12KeyStore. It usually has the extension p12 or pfx. You can store private keys, secret keys and certificates in this type. Unlike JKS, the private keys in a PKCS12 keystore can be extracted in Java. This type is portable and can be operated on with libraries written in other languages such as C, C++ or C#.
Currently the default keystore type in Java is JKS, i.e. the keystore format will be JKS if you don't specify -storetype when creating a keystore with keytool. However, the default keystore type will change to PKCS12 in Java 9 because of its better compatibility compared to JKS. You can check the default keystore type in the $JRE/lib/security/java.security file.
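To see the entry-type difference between JKS, JCEKS and PKCS12 concretely, here is an added example (not code from the original article): it creates an in-memory keystore of each type, tries to store an AES SecretKey entry, and round-trips the keystore through its serialized form to confirm the entry really persists. It also prints KeyStore.getDefaultType(), which is what the keystore.type setting in java.security resolves to at runtime. The alias and password are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreEntrySupport {

    // Constructed sample password, used for both the keystore and the entry.
    private static final char[] PASSWORD = "changeit".toCharArray();

    /**
     * Tries to put an AES SecretKey entry into a keystore of the given type.
     * Returns true only if the entry is accepted AND survives store/load.
     */
    static boolean supportsSecretKey(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);  // null stream: create a new, empty keystore in memory

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();

        try {
            ks.setEntry("session-key", new KeyStore.SecretKeyEntry(aesKey),
                        new KeyStore.PasswordProtection(PASSWORD));
        } catch (KeyStoreException e) {
            // JKS ends up here: it only holds PrivateKey and Certificate entries.
            return false;
        }

        // Serialize to the on-disk format and reload, as a file-based deployment would.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        KeyStore reloaded = KeyStore.getInstance(type);
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), PASSWORD);
        return reloaded.entryInstanceOf("session-key", KeyStore.SecretKeyEntry.class);
    }

    public static void main(String[] args) throws Exception {
        // "jks" on Java 8 and earlier, "pkcs12" from Java 9 on.
        System.out.println("Default keystore type: " + KeyStore.getDefaultType());
        for (String type : new String[] {"JKS", "JCEKS", "PKCS12"}) {
            System.out.printf("%-7s secret key entry: %s%n",
                    type, supportsSecretKey(type) ? "stored" : "rejected");
        }
    }
}
```

Run it with `javac KeyStoreEntrySupport.java && java KeyStoreEntrySupport`. JKS reports the secret key as rejected while JCEKS and PKCS12 store it, which is the practical reason a keystore holding symmetric keys (for example a TLS session ticket key or an application encryption key) must be JCEKS or PKCS12.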
PKCS11, this is a hardware keystore type. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet's Luna, nCipher or smart cards. You can find this implementation at sun.security.pkcs11.P11KeyStore. When you load the keystore, you do not need to create a specific provider with a specific configuration. This keystore can store private keys, secret keys and certificates. When the keystore is loaded, the entries are retrieved from the keystore and then converted into software entries.
DKS, Domain KeyStore, is a keystore of keystores. It abstracts a collection of keystores that are presented as a single logical keystore; it is not itself a keystore. This new keystore type was introduced in Java 8. A new class, DomainLoadStoreParameter, is closely related to DKS.
This keystore is located at sun.security.provider.DomainKeyStore.java.
Windows-MY, this is a type of keystore on Windows which is managed by the Windows operating system. It stores the user's private keys and certificates, which can be used to perform cryptographic operations such as signature verification, data encryption etc. Since it is a kind of native keystore, Java doesn't have a general API to access it. Oracle provides a separate API to access the Windows-MY keystore -- SunMSCAPI. The provider class for this API is sun.security.mscapi.SunMSCAPI.
BKS, BouncyCastle keystore, is a keystore format provided by the popular third-party Java cryptographic library provider -- BouncyCastle. It is a keystore similar to the JKS provided by the Oracle JDK, but it supports storing secret keys, private keys and certificates. It is frequently used in mobile application development.
In Java, there are a few choices for how a keystore can be processed. Writing Java code is obviously one choice. Apart from this, a tool that comes with the JDK can also be used; it is called keytool.
keytool is a command line tool. It can be used to create keystores, generate keys, import and export certificates etc. For a full list of the commands keytool supports, refer to Oracle's keytool guideline.
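As an added example (not from the original article or the JDK), the program below does in Java what `keytool -list`, `keytool -exportcert -rfc` and `keytool -importcert` do: it loads a keystore, classifies every alias as one of the three entry kinds described above (PrivateKey, SecretKey or Certificate), exports the first trusted certificate as PEM, and imports that PEM into a new PKCS12 truststore. It takes a keystore path and password as arguments; with no arguments it falls back to the JDK's own cacerts file and its well-known default password changeit, so it runs without a keystore made by keytool beforehand.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.Collections;

public class KeyStoreInspector {

    /** Classifies one alias into the three entry kinds a keystore can hold. */
    static String entryKind(KeyStore ks, String alias) throws Exception {
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) return "PrivateKey";
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) return "SecretKey";
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) return "Certificate";
        return "unknown";
    }

    /** Same output as `keytool -exportcert -rfc`: the DER certificate wrapped as PEM. */
    static String toPem(Certificate cert) throws Exception {
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN CERTIFICATE-----\n" + enc.encodeToString(cert.getEncoded())
                + "\n-----END CERTIFICATE-----\n";
    }

    /** Same effect as `keytool -importcert -storetype PKCS12`: a new truststore with one trusted cert. */
    static byte[] buildTrustStore(String pem, String alias, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert = cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);                 // start from an empty in-memory keystore
        trust.setCertificateEntry(alias, cert); // a trusted-certificate entry needs no password
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        trust.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Default input: the JDK's own CA bundle, so the program runs without a keytool-made file.
        Path file = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // The default type reads both JKS and PKCS12 files on Java 8 and later.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        System.out.println(file + " (" + ks.getType() + "), " + ks.size() + " entries");

        String firstCertAlias = null;
        for (String alias : Collections.list(ks.aliases())) {
            String kind = entryKind(ks, alias);
            if (firstCertAlias == null && kind.equals("Certificate")) firstCertAlias = alias;
            System.out.printf("  %-12s %s%n", kind, alias);
        }

        if (firstCertAlias != null) {
            String pem = toPem(ks.getCertificate(firstCertAlias));
            byte[] trustStore = buildTrustStore(pem, firstCertAlias, password);
            System.out.println("Exported " + firstCertAlias + " as PEM and re-imported it into a "
                    + trustStore.length + "-byte PKCS12 truststore");
        }
    }
}
```

Run it as `java KeyStoreInspector server.p12 <password>` against a keystore you created with keytool, or with no arguments to inspect cacerts. Private key entries are reported without ever touching their key material: entryInstanceOf only needs the alias, which is why the listing works with the keystore password alone, exactly as `keytool -list` does.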
If you are using the IBM JDK, there is one more tool which can be used: ikeyman. ikeyman is a GUI tool which provides a straightforward view of the keystore and the entries in it. Keys and certificates can be created using ikeyman as well. It is a tool used frequently by system administrators.
Below are the details of each keystore supported in Java.
Different types of keystore in Java -- JKS
Different types of keystore in Java -- JCEKS
Different types of keystore in Java -- PKCS12
Different types of keystore in Java -- PKCS11
Different types of keystore in Java -- DKS
Different types of keystore in Java -- Windows-MY
Different types of keystore in Java -- BKS