Save This Page
Home » openjdk-7 » java » security » [javadoc | source]
java.security
public class: KeyStore [javadoc | source]
java.lang.Object
   java.security.KeyStore
This class represents a storage facility for cryptographic keys and certificates.

A KeyStore manages different types of entries. Each type of entry implements the KeyStore.Entry interface. Three basic KeyStore.Entry implementations are provided:

Each entry in a keystore is identified by an "alias" string. In the case of private keys and their associated certificate chains, these strings distinguish among the different ways in which the entity may authenticate itself. For example, the entity may authenticate itself using different certificate authorities, or using different public key algorithms.

Whether aliases are case sensitive is implementation dependent. In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case.

Whether keystores are persistent, and the mechanisms used by the keystore if it is persistent, are not specified here. This allows use of a variety of techniques for protecting sensitive (e.g., private or secret) keys. Smart cards or other integrated cryptographic engines (SafeKeyper) are one option, and simpler mechanisms such as files may also be used (in a variety of formats).

Typical ways to request a KeyStore object include relying on the default type and providing a specific keystore type.

Before a keystore can be accessed, it must be loaded .

   KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

   // get user password and file input stream
   char[] password = getPassword();

   java.io.FileInputStream fis = null;
   try {
       fis = new java.io.FileInputStream("keyStoreName");
       ks.load(fis, password);
   } finally {
       if (fis != null) {
           fis.close();
       }
   }
To create an empty keystore using the above load method, pass null as the InputStream argument.

Once the keystore has been loaded, it is possible to read existing entries from the keystore, or to write new entries into the keystore:

   KeyStore.ProtectionParameter protParam =
       new KeyStore.PasswordProtection(password);

   // get my private key
   KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
       ks.getEntry("privateKeyAlias", protParam);
   PrivateKey myPrivateKey = pkEntry.getPrivateKey();

   // save my secret key
   javax.crypto.SecretKey mySecretKey;
   KeyStore.SecretKeyEntry skEntry =
       new KeyStore.SecretKeyEntry(mySecretKey);
   ks.setEntry("secretKeyAlias", skEntry, protParam);

   // store away the keystore
   java.io.FileOutputStream fos = null;
   try {
       fos = new java.io.FileOutputStream("newKeyStoreName");
       ks.store(fos, password);
   } finally {
       if (fos != null) {
           fos.close();
       }
   }
Note that although the same password may be used to load the keystore, to protect the private key entry, to protect the secret key entry, and to store the keystore (as is shown in the sample code above), different passwords or other protection parameters may also be used.

Every implementation of the Java platform is required to support the following standard KeyStore type:

This type is described in the KeyStore section of the Java Cryptography Architecture Standard Algorithm Name Documentation. Consult the release documentation for your implementation to see if any other types are supported.
Nested Class Summary:
public static interface  KeyStore.LoadStoreParameter  A marker interface for KeyStore {@link #load(KeyStore.LoadStoreParameter) load} and {@link #store(KeyStore.LoadStoreParameter) store} parameters. 
public static interface  KeyStore.ProtectionParameter  A marker interface for keystore protection parameters.

The information stored in a ProtectionParameter object protects the contents of a keystore. For example, protection parameters may be used to check the integrity of keystore data, or to protect the confidentiality of sensitive keystore data (such as a PrivateKey). 

public static class  KeyStore.PasswordProtection  A password-based implementation of ProtectionParameter
public static class  KeyStore.CallbackHandlerProtection  A ProtectionParameter encapsulating a CallbackHandler. 
public static interface  KeyStore.Entry  A marker interface for KeyStore entry types. 
public static final class  KeyStore.PrivateKeyEntry  A KeyStore entry that holds a PrivateKey and corresponding certificate chain. 
public static final class  KeyStore.SecretKeyEntry  A KeyStore entry that holds a SecretKey
public static final class  KeyStore.TrustedCertificateEntry  A KeyStore entry that holds a trusted Certificate
abstract public static class  KeyStore.Builder  A description of a to-be-instantiated KeyStore object.

An instance of this class encapsulates the information needed to instantiate and initialize a KeyStore object. That process is triggered when the {@linkplain #getKeyStore} method is called.

This makes it possible to decouple configuration from KeyStore object creation and e.g. delay a password prompt until it is needed. 

static class  KeyStore.SimpleLoadStoreParameter   
Constructor:
 protected KeyStore(KeyStoreSpi keyStoreSpi,
    Provider provider,
    String type) 
    Creates a KeyStore object of the given type, and encapsulates the given provider implementation (SPI object) in it.
    Parameters:
    keyStoreSpi - the provider implementation.
    provider - the provider.
    type - the keystore type.
Method from java.security.KeyStore Summary:
aliases,   containsAlias,   deleteEntry,   entryInstanceOf,   getCertificate,   getCertificateAlias,   getCertificateChain,   getCreationDate,   getDefaultType,   getEntry,   getInstance,   getInstance,   getInstance,   getKey,   getProvider,   getType,   isCertificateEntry,   isKeyEntry,   load,   load,   setCertificateEntry,   setEntry,   setKeyEntry,   setKeyEntry,   size,   store,   store
Methods from java.lang.Object:
clone,   equals,   finalize,   getClass,   hashCode,   notify,   notifyAll,   toString,   wait,   wait,   wait
Method from java.security.KeyStore Detail:
 public final Enumeration<String> aliases() throws KeyStoreException 
    Lists all the alias names of this keystore.
 public final boolean containsAlias(String alias) throws KeyStoreException 
    Checks if the given alias exists in this keystore.
 public final  void deleteEntry(String alias) throws KeyStoreException 
    Deletes the entry identified by the given alias from this keystore.
 public final boolean entryInstanceOf(String alias,
    Class<Entry> entryClass) throws KeyStoreException 
    Determines if the keystore Entry for the specified alias is an instance or subclass of the specified entryClass.
 public final Certificate getCertificate(String alias) throws KeyStoreException 
    Returns the certificate associated with the given alias.

    If the given alias name identifies an entry created by a call to setCertificateEntry, or created by a call to setEntry with a TrustedCertificateEntry, then the trusted certificate contained in that entry is returned.

    If the given alias name identifies an entry created by a call to setKeyEntry, or created by a call to setEntry with a PrivateKeyEntry, then the first element of the certificate chain in that entry is returned.

 public final String getCertificateAlias(Certificate cert) throws KeyStoreException 
    Returns the (alias) name of the first keystore entry whose certificate matches the given certificate.

    This method attempts to match the given certificate with each keystore entry. If the entry being considered was created by a call to setCertificateEntry, or created by a call to setEntry with a TrustedCertificateEntry, then the given certificate is compared to that entry's certificate.

    If the entry being considered was created by a call to setKeyEntry, or created by a call to setEntry with a PrivateKeyEntry, then the given certificate is compared to the first element of that entry's certificate chain.

 public final Certificate[] getCertificateChain(String alias) throws KeyStoreException 
    Returns the certificate chain associated with the given alias. The certificate chain must have been associated with the alias by a call to setKeyEntry, or by a call to setEntry with a PrivateKeyEntry.
 public final Date getCreationDate(String alias) throws KeyStoreException 
    Returns the creation date of the entry identified by the given alias.
 public static final String getDefaultType() 
    Returns the default keystore type as specified in the Java security properties file, or the string "jks" (acronym for "Java keystore") if no such property exists. The Java security properties file is located in the file named <JAVA_HOME>/lib/security/java.security. <JAVA_HOME> refers to the value of the java.home system property, and specifies the directory where the JRE is installed.

    The default keystore type can be used by applications that do not want to use a hard-coded keystore type when calling one of the getInstance methods, and want to provide a default keystore type in case a user does not specify its own.

    The default keystore type can be changed by setting the value of the "keystore.type" security property (in the Java security properties file) to the desired keystore type.

 public final Entry getEntry(String alias,
    ProtectionParameter protParam) throws NoSuchAlgorithmException, UnrecoverableEntryException, KeyStoreException 
    Gets a keystore Entry for the specified alias with the specified protection parameter.
 public static KeyStore getInstance(String type) throws KeyStoreException 
    Returns a keystore object of the specified type.

    This method traverses the list of registered security Providers, starting with the most preferred Provider. A new KeyStore object encapsulating the KeyStoreSpi implementation from the first Provider that supports the specified type is returned.

    Note that the list of registered providers may be retrieved via the Security.getProviders() method.

 public static KeyStore getInstance(String type,
    String provider) throws KeyStoreException, NoSuchProviderException 
    Returns a keystore object of the specified type.

    A new KeyStore object encapsulating the KeyStoreSpi implementation from the specified provider is returned. The specified provider must be registered in the security provider list.

    Note that the list of registered providers may be retrieved via the Security.getProviders() method.

 public static KeyStore getInstance(String type,
    Provider provider) throws KeyStoreException 
    Returns a keystore object of the specified type.

    A new KeyStore object encapsulating the KeyStoreSpi implementation from the specified Provider object is returned. Note that the specified Provider object does not have to be registered in the provider list.

 public final Key getKey(String alias,
    char[] password) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException 
    Returns the key associated with the given alias, using the given password to recover it. The key must have been associated with the alias by a call to setKeyEntry, or by a call to setEntry with a PrivateKeyEntry or SecretKeyEntry.
 public final Provider getProvider() 
    Returns the provider of this keystore.
 public final String getType() 
    Returns the type of this keystore.
 public final boolean isCertificateEntry(String alias) throws KeyStoreException 
    Returns true if the entry identified by the given alias was created by a call to setCertificateEntry, or created by a call to setEntry with a TrustedCertificateEntry.
 public final boolean isKeyEntry(String alias) throws KeyStoreException 
    Returns true if the entry identified by the given alias was created by a call to setKeyEntry, or created by a call to setEntry with a PrivateKeyEntry or a SecretKeyEntry.
 public final  void load(LoadStoreParameter param) throws IOException, NoSuchAlgorithmException, CertificateException 
    Loads this keystore using the given LoadStoreParameter.

    Note that if this KeyStore has already been loaded, it is reinitialized and loaded again from the given parameter.

 public final  void load(InputStream stream,
    char[] password) throws IOException, NoSuchAlgorithmException, CertificateException 
    Loads this KeyStore from the given input stream.

    A password may be given to unlock the keystore (e.g. the keystore resides on a hardware token device), or to check the integrity of the keystore data. If a password is not given for integrity checking, then integrity checking is not performed.

    In order to create an empty keystore, or if the keystore cannot be initialized from a stream, pass null as the stream argument.

    Note that if this keystore has already been loaded, it is reinitialized and loaded again from the given input stream.

 public final  void setCertificateEntry(String alias,
    Certificate cert) throws KeyStoreException 
    Assigns the given trusted certificate to the given alias.

    If the given alias identifies an existing entry created by a call to setCertificateEntry, or created by a call to setEntry with a TrustedCertificateEntry, the trusted certificate in the existing entry is overridden by the given certificate.

 public final  void setEntry(String alias,
    Entry entry,
    ProtectionParameter protParam) throws KeyStoreException 
    Saves a keystore Entry under the specified alias. The protection parameter is used to protect the Entry.

    If an entry already exists for the specified alias, it is overridden.

 public final  void setKeyEntry(String alias,
    byte[] key,
    Certificate[] chain) throws KeyStoreException 
    Assigns the given key (that has already been protected) to the given alias.

    If the protected key is of type java.security.PrivateKey, it must be accompanied by a certificate chain certifying the corresponding public key. If the underlying keystore implementation is of type jks, key must be encoded as an EncryptedPrivateKeyInfo as defined in the PKCS #8 standard.

    If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain).

 public final  void setKeyEntry(String alias,
    Key key,
    char[] password,
    Certificate[] chain) throws KeyStoreException 
    Assigns the given key to the given alias, protecting it with the given password.

    If the given key is of type java.security.PrivateKey, it must be accompanied by a certificate chain certifying the corresponding public key.

    If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain).

 public final int size() throws KeyStoreException 
    Retrieves the number of entries in this keystore.
 public final  void store(LoadStoreParameter param) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException 
    Stores this keystore using the given LoadStoreParameter.
 public final  void store(OutputStream stream,
    char[] password) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException 
    Stores this keystore to the given output stream, and protects its integrity with the given password.