java - 将证书和私钥加载到 Java KeyStore 中
问题描述
我正在尝试从 Azure Key Vault 获取证书及其私钥,然后调用远程服务器并进行客户端证书身份验证。
第一部分运行良好(从 Key Vault 获取),但是我完全坚持将公共和私有材料导入 KeyStore。
我试过了
keyStore.load(publicKey, null);
keyStore.load(new ByteArrayInputStream(privateKey.getBytes()),
"thePassphrase".toCharArray());
但这导致
java.io.IOException: DER input, Integer tag error
at java.base/sun.security.util.DerInputStream.getInteger(DerInputStream.java:192)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1995)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
这是完整的东西减去我不知道如何实现的东西 -
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl("https://<myvault>.vault.azure.net")
.credential(credential)
.buildClient();
CertificateClient certClient = new CertificateClientBuilder()
.vaultUrl("https://<myvault>.vault.azure.net")
.credential(credential)
.buildClient();
// Get the public part of the cert
KeyVaultCertificateWithPolicy certificate = certClient.getCertificate("Joes-Crab-Shack");
byte[] publicKey = certificate.getCer();
// Get the private key
KeyVaultSecret secret = secretClient.getSecret(
certificate.getName(),
certificate.getProperties().getVersion());
String privateKey = secret.getValue();
// ***************
// How do i get the cert and its private key into KeyStore?
KeyStore keyStore = KeyStore.getInstance("PKCS12");
// I've also tried "JKS" but that leads to
// java.io.IOException: Invalid keystore format
keyStore.load(...)
// ***************
// Do client certificate authentication
SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();
CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
response = httpClient.execute(new HttpGet("https://remote.that.asks.for.client.cert/"));
InputStream inputStream = response.getEntity().getContent();
body = IOUtils.readInputStreamToString(inputStream, Charsets.UTF_8);
我如何将证书及其私钥放入 KeyStore,以便我可以在我的 HTTP 客户端中使用它?
解决方案
有点晚了,但我想提出一个我在从 Azure Keyvault 检索证书然后将其放入 java Keystore 时实践过的解决方案。
我使用的依赖项如下。
com.azure:azure-security-keyvault-certificates:jar:4.1.3
com.azure:azure-identity:jar:1.0.4
com.azure:azure-security-keyvault-secrets:jar:4.1.1
然后,代码块如下。
public class RestTemplateProvider {
@Value("${azure.keyvault.service.cert-alias}")
private String alias;
@Value("${azure.keyvault.tenant-id}")
private String tenantId;
@Value("${azure.keyvault.client-key}")
private String clientSecret;
@Value("${azure.keyvault.client-id}")
private String clientId;
@Value("${azure.keyvault.uri}")
private String vaultUri;
public RestTemplate provideRestTemplate() {
char[] emptyPass = {};
CloseIoStream closeableIoStream = CloseIoStream.newInstance();
try {
// Azure KeyVault Credentials
ClientSecretCredential credential = new ClientSecretCredentialBuilder()
.tenantId(tenantId)
.clientId(clientId)
.clientSecret(clientSecret)
.build();
CertificateClient certificateClient = new CertificateClientBuilder()
.vaultUrl(vaultUri)
.credential(credential)
.buildClient();
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl(vaultUri)
.credential(credential)
.buildClient();
// Azure KeyVault Credentials
// Retrieving certificate
KeyVaultCertificateWithPolicy certificateWithPolicy = certificateClient.getCertificate(alias);
KeyVaultSecret secret = secretClient.getSecret(alias, certificateWithPolicy.getProperties().getVersion());
byte[] rawCertificate = certificateWithPolicy.getCer();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream certificateStream = new ByteArrayInputStream(rawCertificate);
Certificate certificate = cf.generateCertificate(certificateStream);
close(certificateStream);
// Retrieving certificate
// Retrieving private key
String base64PrivateKey = secret.getValue();
byte[] rawPrivateKey = Base64.getDecoder().decode(base64PrivateKey);
KeyStore rsaKeyGenerator = KeyStore.getInstance(KeyStore.getDefaultType());
ByteArrayInputStream keyStream = new ByteArrayInputStream(rawPrivateKey);
rsaKeyGenerator.load(keyStream, null);
close(keyStream);
Key rsaPrivateKey = rsaKeyGenerator.getKey(rsaKeyGenerator.aliases().nextElement(), emptyPass);
// Retrieving private key
// Importing certificate and private key into the KeyStore
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setKeyEntry(alias, rsaPrivateKey, emptyPass, new Certificate[] {certificate});
// Importing certificate and private key into the KeyStore
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
new SSLContextBuilder()
.loadTrustMaterial(null, new TrustAllStrategy())
.loadKeyMaterial(keyStore, emptyPass)
.build(),
NoopHostnameVerifier.INSTANCE);
// It is just a sample, except for the sslsocketfactory please use the configuration which is right for you.
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(socketFactory)
.setConnectionTimeToLive(1000, TimeUnit.MILLISECONDS)
.setKeepAliveStrategy((httpResponse, httpContext) -> 10 * 1000)
.build();
ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
RestTemplate restTemplate = new RestTemplate(requestFactory);
return restTemplate;
} catch (IOException | CertificateException
| NoSuchAlgorithmException | UnrecoverableKeyException
| KeyStoreException | KeyManagementException e) {
log.error("Error!!!")
}
return null;
}
private void close(Closeable c) {
if (c != null) {
try {
c.close();
} catch (IOException e) {
// log
}
}
}
}
我希望寻找在 java Keystores 中使用 Azure Keyvault 证书的解决方案的人可以从中受益。
推荐阅读
- vb.net - Group by two columns in linq
- javascript - 如何在下面的 onClick 方法中运行 RowDataBound 方法?
- visual-studio-code - 更改 VSCode 小地图颜色
- arrays - 如何在python中将.dat文件转换为数组
- c# - c# File.Exists 总是使用 value 属性返回 false
- ruby-on-rails - 使用遥控器:真
- c# - 协议异常错误
- java - 如何使用光标获取所有联系人并将其存储在字符串中以将它们存储在firebase实时数据库中
- oracle-apex - Oracle APEX: scale image interactive report
- javascript - 将html5画布下载为pdf(safari浏览器)