
How to use Signer: Using Java key stores

As easy as 1, 2, 3...

This tutorial assumes that you have already read the tutorial about basic cryptography. Its goal is not to teach the Java concepts required to use key stores; please refer to the Java tutorial for a deeper treatment of JCE/JCA.


What is a key store?

As mentioned in a previous tutorial, there are different standards for saving keys and certificates on a file system. We saw that the private half of a public/private key pair has to be kept secret, and that certificates are a way to identify an entity (usually a corporation or an individual). We will now discuss the Java Key Store and how it integrates with the standards described earlier.

So, what is a Java Key Store, really?

A key store is a data structure that holds keys and certificates securely. It provides a standard API to store and retrieve this information, and its contents are usually encrypted and protected with a password.

All the entries in a key store have an alias. The alias is used to identify the public/private key pair and/or certificate. The key store API is also smart enough to construct a certificate chain based on the keys/certificates it contains.

PKCS12 (extensions .p12 or .pfx) is the de facto standard for PKI solutions. Java also ships its own formats, JKS and JCEKS, which provide the same level of functionality in a proprietary format.


Loading a key store

When keys and certificates are exchanged between systems, they are usually encoded using industry standards such as PKCS12, PKCS7 or CRT/CER files. Adobe also has its own set of standards called ADF and FDF. These standards are used when different applications on different operating systems need to share identities and keys.

Using jPDF, you can easily create a standard Java key store from such a file. See the example below:

// Standard Java imports used by this snippet (PdfDocument and SignerModule come from jPDF):
import java.io.FileInputStream;
import java.security.KeyStore;

// Open the document:
PdfDocument doc = new PdfDocument("myunsigneddoc.pdf");

// Get the signer module:
SignerModule sm = doc.getSignerModule();

// Load the key store from the FDF file, closing the stream when done:
KeyStore ks;
try (FileInputStream in = new FileInputStream("mycerts.fdf")) {
    ks = sm.loadFDFKeyStore(in, "mypassword".toCharArray());
}

In the example above, we read the key store from an FDF file. jPDF offers a loading method for each encoding format: PKCS12, ADF, FDF, PKCS7, PFX, etc. Please refer to the Java documentation for more information.


Getting keys and certification chains from a key store

After the key store is loaded comes the easy part: getting the associated keys and certificates. As mentioned in part 1, each entry in a key store has an alias, and the alias is what you use to look up the entry.

import java.security.PrivateKey;
import java.security.cert.Certificate;

// Get the private key for a given alias (the key password may differ from the store password):
PrivateKey key = (PrivateKey) ks.getKey("mykey", "mypassword".toCharArray());

// Get the certification chain for a given alias (leaf certificate first; null if the alias is not a key entry):
Certificate[] chain = ks.getCertificateChain("mykey");
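The following is an added example, not code from the jPDF tutorial or from Crionics. It covers both steps above (loading a key store, then retrieving a private key and its certificate chain by alias) using only the standard java.security.KeyStore API that jPDF's loaders also return, so the same alias loop works on a store produced by sm.loadFDFKeyStore. It goes a little beyond the page by walking every alias and checking, before any signing happens, that each key entry's chain is leaf-first, currently valid and properly linked. The key store path and passwords are assumed to arrive as command-line arguments; the class name KeyStoreInspector is made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

/**
 * Added example (not part of the jPDF tutorial): load a PKCS12 key store with the
 * standard java.security.KeyStore API, walk its aliases, and check each key entry's
 * certificate chain before the private key is handed to a signing routine.
 * The key store path and passwords are assumed to arrive as command-line arguments.
 */
public class KeyStoreInspector {

    /** Loads a PKCS12 key store (.p12/.pfx) from disk; the integrity check uses the store password. */
    static KeyStore loadPkcs12(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /**
     * Validates a chain as returned by KeyStore.getCertificateChain: leaf first, each
     * certificate currently valid and signed by the next one (a self-signed root signs itself).
     * Returns null when the chain links up, otherwise a description of the first problem found.
     */
    static String checkChain(Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "no certificate chain";
        }
        for (Certificate c : chain) {
            if (!(c instanceof X509Certificate)) {
                return "chain contains a non-X.509 certificate";
            }
        }
        Date now = new Date();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            try {
                cert.checkValidity(now);
            } catch (CertificateException e) {
                return "certificate " + i + " (" + cert.getSubjectX500Principal() + ") is not valid now: " + e;
            }
            // The issuer is the next element of the chain, or the certificate itself for a self-signed root.
            X509Certificate issuer = (i + 1 < chain.length) ? (X509Certificate) chain[i + 1] : cert;
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                return "certificate " + i + " is not signed by " + issuer.getSubjectX500Principal();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreInspector <keystore.p12> <store-password> [key-password]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        // PKCS12 files written by keytool use one password for the store and the keys; others may differ.
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();
        try {
            KeyStore ks = loadPkcs12(args[0], storePass);
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) {
                    System.out.println(alias + ": trusted certificate only, no private key");
                    continue;
                }
                Key key = ks.getKey(alias, keyPass);
                if (!(key instanceof PrivateKey)) {
                    System.out.println(alias + ": key entry holds a " + key.getAlgorithm() + " secret key, not a signing key");
                    continue;
                }
                Certificate[] chain = ks.getCertificateChain(alias);
                String problem = checkChain(chain);
                System.out.println(alias + ": " + key.getAlgorithm() + " private key, chain length "
                        + (chain == null ? 0 : chain.length) + ", chain "
                        + (problem == null ? "ok" : "PROBLEM: " + problem));
            }
        } finally {
            // Do not leave password characters in memory longer than needed.
            Arrays.fill(storePass, '\0');
            Arrays.fill(keyPass, '\0');
        }
    }
}
```

To try it, compile with `javac KeyStoreInspector.java`, create a throwaway PKCS12 store with `keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore mycerts.p12 -dname "CN=Example" -validity 365`, and run `java KeyStoreInspector mycerts.p12 <the password you gave keytool>`. The self-signed test certificate should report "chain ok"; a store whose chain is out of order, expired, or missing its issuer reports the first problem instead, which is the check you want before a private key is used to sign a document.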

© 2000-2007 Crionics Inc.