1

I'm writing a program in Java that generates RSA keys using Crt parameters. I'm able to export the key in a .pem file, but I need to export it in a pkcs12 file. How can I do that in Java?

Vega
  • 27,856
  • 27
  • 95
  • 103
Themp11
  • 23
  • 1
  • 6
  • 1
    Welcome to SO! This isn't a how-to site. If you post attempts you have made to export pkcs12 files other people can help you! – mlapaglia Jun 11 '18 at 13:16

1 Answers1

2

Java contains native support for PKCS#12 key stores through KeyStore.getInstance("PKCS12"). However, generally the key stores require you to offer a matching private key / certificate pair. Just providing a public key instead of a certificate is not enough. You must create a certificate, for instance a self signed certificate to be able to use the PKCS#12 key store provider.

I've tried to create my own Certificate instance using an anonymous type, but the PKCS#12 key store only seems to allow X.509 certificates (but it will only tell you when you store the key store, i.e. it is not fail fast.

Here's some code to create the self signed certificate and store the private key and resulting self signed certificate:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.encoders.Hex;

public class StoreRSAKeyPairInPKCS12 {

    public static void main(String[] args) throws Exception {

        // --- generate a key pair (you did this already it seems)
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        final KeyPair pair = rsaGen.generateKeyPair();

        // --- create the self signed cert
        Certificate cert = createSelfSigned(pair);

        // --- create a new pkcs12 key store in memory
        KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
        pkcs12.load(null, null);

        // --- create entry in PKCS12
        pkcs12.setKeyEntry("privatekeyalias", pair.getPrivate(), "entrypassphrase".toCharArray(), new Certificate[] {cert});

        // --- store PKCS#12 as file
        try (FileOutputStream p12 = new FileOutputStream("mystore.p12")) {
            pkcs12.store(p12, "p12passphrase".toCharArray());
        }

        // --- read PKCS#12 as file
        KeyStore testp12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream p12 = new FileInputStream("mystore.p12")) {
            testp12.load(p12, "p12passphrase".toCharArray());
        }

        // --- retrieve private key
        System.out.println(Hex.toHexString(testp12.getKey("privatekeyalias", "entrypassphrase".toCharArray()).getEncoded()));
    }

    private static X509Certificate createSelfSigned(KeyPair pair) throws OperatorCreationException, CertIOException, CertificateException {
        X500Name dnName = new X500Name("CN=publickeystorageonly");
        BigInteger certSerialNumber = BigInteger.ONE;

        Date startDate = new Date(); // now

        Calendar calendar = Calendar.getInstance();
        calendar.setTime(startDate);
        calendar.add(Calendar.YEAR, 1);
        Date endDate = calendar.getTime();

        ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(pair.getPrivate());
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, pair.getPublic());

        return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
    }

}

You will need at least the PKIX library (bcpkix-jdk15on.jar) from Bouncy Castle and possibly the library of the Bouncy Castle provider. Installing the Bouncy Castle provider is not required.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • My previous answer contained a link to an old answer that created a self signed certificate, but it was very trashy and used an old Bouncy Castle implementation, so I had to refactor code from another answer. – Maarten Bodewes Jun 11 '18 at 16:38
  • The other answer can be found [here](https://stackoverflow.com/a/43918337/589259). – Maarten Bodewes Jun 11 '18 at 16:44
  • Thank you so much for your answer it helped me a lot, that's just what I needed ;) ;) – Themp11 Jun 12 '18 at 07:30
  • In openssl I can export p12 file without certificate with the option `-nocerts` is it possible to do it with Java ? – Themp11 Jun 14 '18 at 14:21