Can anyone explain how to encrypt and decrypt files using certificates stored in a Java `PKCS#12` keystore?
Question:
Answer 1:
As Eugene Mayevski mentioned, your question is wrong and cannot be answered in its original form. But I'll try to clarify it for you a bit. PKCS#12 is a cryptographic format for storing certificates and private keys. When you encrypt or decrypt data, you use a cipher implementation and the content of the PKCS#12 container.
Java has built-in support for working with PKCS#12 keystores; working with these containers doesn't differ much from a standard JKS keystore.
For example, code to load a JKS keystore:
KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
store.load(is, password.toCharArray());
and code to load a PKCS#12 keystore:
KeyStore store = KeyStore.getInstance("PKCS12");
store.load(is, password.toCharArray());
After that you have unlimited access to the keystore content. You can get certificates and keys stored in the keystore, without those strange import/export actions in Firefox.
Key key = store.getKey("alias_for_key", password.toCharArray());
The next thing, when you have keys and certificates, is encryption. For encryption, you need an instance of the Cipher class.
Cipher c = Cipher.getInstance(key.getAlgorithm());
c.init(Cipher.ENCRYPT_MODE, key);
The cipher is ready to encrypt. If the data to encrypt is relatively small, you can use the update() method; the other way is to create a CipherOutputStream.
To decrypt, simply init the cipher with a different mode and, depending on the encryption algorithm, key. For a symmetric algorithm the key will be the same; an asymmetric algorithm uses the public key for encryption and the private key for decryption.
In this article you can learn more about cryptography.
Answer 2:
This blog post should explain it to you perfectly.
Using the PKCS12 encryption with PEM files.
To get this running you first need a Java Keystore in PFX (Personal File Exchange) format.
Keytool command:
keytool -genkeypair -alias mykeystore -keypass lala -keystore mykeystore.pfx -storepass lala -validity 10000 -keyalg RSA -keysize 2048 -storetype pkcs12
This will generate the mykeystore.pfx file. This file can be imported as a Certificate in Firefox.
Import - Open Firefox – Tools – Options – Advanced – View Certificates – Your Certificates – Import – Select PFX file – Import it.
Export - Select the Certificate – View – Details – Export it to X.509 PEM (you can also export to DER).
1. The Private Key
First we need to extract the Private Key from the PFX file.
2. The Public Key
Secondly you will need to encrypt a file using the public key. But first you need the public key.
3. Encryption with the Public Key
Now you have the Public Key you can encrypt a File.
4. Decryption with the Private Key
So now the file is encrypted it can be sent/stored for the receiving party to…well…receive it and decrypt it. To decrypt it we need the Private Key and luckily that was saved/stored in the private.pem file
5. Encryption/Decryption with AES keys
Another way to encrypt/decrypt stuff is via an AES 256-bit key. The key will be generated randomly per file and written to the file system. Then this AES key can be encrypted using the above RSA mechanism. This will improve the performance of encryption for large files.
Source - http://coenos.com/blog/?p=257
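Putting the two answers together (loading the PKCS#12 store from Answer 1, and the per-file AES key wrapped with RSA from step 5 of Answer 2), here is an added example that is not from either answer or from the linked blog post. It assumes the keystore file mykeystore.pfx and the alias mykeystore from the keytool command above, uses AES-GCM and RSA-OAEP (the blog's exact modes are not shown on this page), and the blob layout is my own choice.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.file.*;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;
public class HybridFileCrypto {
    // Assumed names (not from the page): keystore mykeystore.pfx with alias "mykeystore",
    // as created by the keytool command above. Usage: java HybridFileCrypto <storepass> <in> <out.enc> <out.dec>
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES_GCM = "AES/GCM/NoPadding";
    static final int IV_LEN = 12, TAG_BITS = 128;
    public static void main(String[] args) throws Exception {
        char[] pw = args[0].toCharArray();
        KeyStore store = KeyStore.getInstance("PKCS12");           // same KeyStore API as JKS
        try (InputStream is = new FileInputStream("mykeystore.pfx")) { store.load(is, pw); }
        byte[] enc = encrypt(store.getCertificate("mykeystore").getPublicKey(),
                             Files.readAllBytes(Paths.get(args[1])));
        Files.write(Paths.get(args[2]), enc);
        Files.write(Paths.get(args[3]), decrypt((PrivateKey) store.getKey("mykeystore", pw), enc));
    }
    // Blob layout: [4-byte len][RSA-OAEP-wrapped AES key][12-byte IV][AES-GCM ciphertext + tag]
    static byte[] encrypt(PublicKey pub, byte[] plain) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] raw = new byte[32], iv = new byte[IV_LEN];
        rnd.nextBytes(raw); rnd.nextBytes(iv);                      // fresh AES-256 key and IV per file
        SecretKey aesKey = new SecretKeySpec(raw, "AES");
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = aes.doFinal(plain);
        Cipher rsa = Cipher.getInstance(RSA_OAEP);                  // OAEP, not PKCS#1 v1.5 padding
        rsa.init(Cipher.WRAP_MODE, pub);
        byte[] wrapped = rsa.wrap(aesKey);                          // only the key holder can unwrap
        return ByteBuffer.allocate(4 + wrapped.length + IV_LEN + body.length)
                .putInt(wrapped.length).put(wrapped).put(iv).put(body).array();
    }
    static byte[] decrypt(PrivateKey priv, byte[] blob) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] wrapped = new byte[buf.getInt()], iv = new byte[IV_LEN];
        buf.get(wrapped).get(iv);
        byte[] body = new byte[buf.remaining()]; buf.get(body);
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, priv);
        SecretKey aesKey = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(TAG_BITS, iv));
        return aes.doFinal(body);                                   // AEADBadTagException if tampered
    }
}
```

Because GCM authenticates the ciphertext, a modified or truncated blob fails in doFinal() instead of yielding garbage plaintext.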