I have the following question on java keystores and keytool. I assume that a keystore may have more than 1 certificates. As I have tried, via keytool I can create a keystore, and to access this keystore I have to set a password. Also to开发者_开发百科 access each certificate entry I have to set a password. Is it mandatory to have the same password for the keystore and the entries? If not (and I think that it is reasonable to assume so) why is the following code:
char[] pwd = new char[]{'s','e','c','r','e','t'};
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream("myPersonal.keystore"), pwd);
kmf.init(ks, pwd);//fails here with exception
gives me the following exception?
Exception in thread "main" java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(Unknown Source)
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(Unknown Source)
secret
is the password to access the keystore myPersonal.keystore
which I created via keytool. There are 2 entries in it, for certificates, 1 DSA and 1 RSA. Each has a different password with keystore (and each other). Now the code is correct, because if I use a keystore with a single certificate entry having the same password as the keystore there is no exception and the program runs fine.
So what is the problem here? I should not have different passwords? I should not have many certificates? Or what?
As specified by the API, the KeyManagerFactory.init method takes in the password used to retrieve the keys from the keystore. Since there is only one password parameter, it is expecting that the password for all the keys are identical. If a different password is used for one of the keys, then you get the error you saw as the password is incorrect for that particular keystore entry.
The simplest solution for you would be to use the same password for all the entries in the keystore. If you are set on maintaining different passwords for each entry, then you may have to look into building your own custom security elements, e.g., KeyManager.
精彩评论