フィールドの詳細

• _blacklistLogged

  public static boolean _blacklistLogged

• DEFAULT_KEYSTORE_PASSWORD

  public static final java.lang.String DEFAULT_KEYSTORE_PASSWORD

  関連項目:

  定数フィールド値

コンストラクタの詳細

• KeyStoreUtil

  public KeyStoreUtil​()

メソッドの詳細

• createKeyStore

  public static java.security.KeyStore createKeyStore​(java.io.File ksFile,
                                                      java.lang.String password)
                                               throws java.security.GeneralSecurityException,
                                                      java.io.IOException

  Create a new KeyStore object, and load it from ksFile if it is non-null and it exists. If ksFile is non-null and it does not exist, create a new empty keystore file.

  パラメータ:

  ksFile - may be null

  password - may be null

  戻り値:

  success

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

• loadSystemKeyStore

  public static java.security.KeyStore loadSystemKeyStore​()

  Loads certs from location of javax.net.ssl.keyStore property, else from $JAVA_HOME/lib/security/jssecacerts, else from $JAVA_HOME/lib/security/cacerts.

  戻り値:

  null on catastrophic failure, returns empty KeyStore if can't load system file

  導入されたバージョン:

  0.8.2, moved from SSLEepGet.initSSLContext() in 0.9.9

• countCerts

  public static int countCerts​(java.security.KeyStore ks)

  Count all X509 Certs in a key store

  戻り値:

  number successfully added

  導入されたバージョン:

  0.8.2, moved from SSLEepGet in 0.9.9

• logCertExpiration

  public static boolean logCertExpiration​(java.io.File f,
                                          java.lang.String ksPW,
                                          long expiresWithin)

  Validate expiration for all private key certs in a key store. Use this for keystores containing selfsigned certs where the user will be expected to renew an expiring cert. Use this for Jetty keystores, where we aren't doing the loading ourselves. If a cert isn't valid, it will probably cause bigger problems later when it's used.

  パラメータ:

  f - keystore file

  ksPW - keystore password

  expiresWithin - ms if cert expires within this long, we will log a warning, e.g. 180*24*60*60*1000L

  戻り値:

  true if all are good, false if we logged something

  導入されたバージョン:

  0.9.34

• logCertExpiration

  public static boolean logCertExpiration​(java.security.KeyStore ks,
                                          java.lang.String location,
                                          long expiresWithin)

  Validate expiration for all private key certs in a key store. Use this for keystores containing selfsigned certs where the user will be expected to renew an expiring cert. Use this for keystores we are feeding to an SSLContext and ServerSocketFactory. We added support for self-signed certs in 0.8.3 2011-01, with a 10-year expiration. We still don't generate them by default. We don't expect anybody's certs to expire until 2021.

  パラメータ:

  location - the path or other identifying info, for logging only

  expiresWithin - ms if cert expires within this long, we will log a warning, e.g. 180*24*60*60*1000L

  戻り値:

  true if all are good, false if we logged something

  導入されたバージョン:

  0.9.34

• addCerts

  public static int addCerts​(java.io.File dir,
                             java.security.KeyStore ks)

  Load all X509 Certs from a directory and add them to the trusted set of certificates in the key store This DOES check for revocation.

  戻り値:

  number successfully added

  導入されたバージョン:

  0.8.2, moved from SSLEepGet in 0.9.9

• addCert

  public static boolean addCert​(java.io.File file,
                                java.lang.String alias,
                                java.security.KeyStore ks)

  Load an X509 Cert from a file and add it to the trusted set of certificates in the key store This does NOT check for revocation.

  戻り値:

  success

  導入されたバージョン:

  0.8.2, moved from SSLEepGet in 0.9.9

• addCert

  public static boolean addCert​(java.io.File file,
                                java.lang.String alias,
                                java.security.KeyStore ks,
                                java.security.cert.CertStore cs)

  Load an X509 Cert from a file and add it to the trusted set of certificates in the key store This DOES check for revocation, IF cs is non-null.

  パラメータ:

  cs - may be null; if non-null, check for revocation

  戻り値:

  success

  導入されたバージョン:

  0.9.25

• randomString

  public static java.lang.String randomString​()

  48 char b32 string (30 bytes of entropy)

• createKeys

  public static boolean createKeys​(java.io.File ks,
                                   java.lang.String alias,
                                   java.lang.String cname,
                                   java.lang.String ou,
                                   java.lang.String keyPW)

  Create a keypair and store it in the keystore at ks, creating it if necessary. Use default keystore password, valid days, algorithm, and key size. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  ou - e.g. console

  keyPW - the key password, must be at least 6 characters

  戻り値:

  success

  導入されたバージョン:

  0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9

• createKeys

  public static boolean createKeys​(java.io.File ks,
                                   java.lang.String alias,
                                   java.lang.String cname,
                                   java.util.Set<java.lang.String> altNames,
                                   java.lang.String ou,
                                   java.lang.String keyPW)

  Create a keypair and store it in the keystore at ks, creating it if necessary. Use default keystore password, valid days, algorithm, and key size. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.

  ou - e.g. console

  keyPW - the key password, must be at least 6 characters

  戻り値:

  success

  導入されたバージョン:

  0.9.34 added altNames param

• createKeys

  public static boolean createKeys​(java.io.File ks,
                                   java.lang.String ksPW,
                                   java.lang.String alias,
                                   java.lang.String cname,
                                   java.lang.String ou,
                                   int validDays,
                                   java.lang.String keyAlg,
                                   int keySize,
                                   java.lang.String keyPW)

  Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() with the SigType argument is recommended over this one, as it throws exceptions, and returns the certificate and CRL. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  ou - e.g. console

  validDays - e.g. 3652 (10 years)

  keyAlg - e.g. DSA , RSA, EC

  keySize - e.g. 1024

  keyPW - the key password, must be at least 6 characters

  戻り値:

  success

  導入されたバージョン:

  0.8.3, consolidated from RouterConsoleRunner and SSLClientListenerRunner in 0.9.9

• createKeys

  public static boolean createKeys​(java.io.File ks,
                                   java.lang.String ksPW,
                                   java.lang.String alias,
                                   java.lang.String cname,
                                   java.util.Set<java.lang.String> altNames,
                                   java.lang.String ou,
                                   int validDays,
                                   java.lang.String keyAlg,
                                   int keySize,
                                   java.lang.String keyPW)

  Create a keypair and store it in the keystore at ks, creating it if necessary. For new code, the createKeysAndCRL() with the SigType argument is recommended over this one, as it throws exceptions, and returns the certificate and CRL. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.

  ou - e.g. console

  validDays - e.g. 3652 (10 years)

  keyAlg - e.g. DSA , RSA, EC

  keySize - e.g. 1024

  keyPW - the key password, must be at least 6 characters

  戻り値:

  success

  導入されたバージョン:

  0.9.34 added altNames param

• createKeysAndCRL

  public static java.lang.Object[] createKeysAndCRL​(java.io.File ks,
                                                    java.lang.String ksPW,
                                                    java.lang.String alias,
                                                    java.lang.String cname,
                                                    java.lang.String ou,
                                                    int validDays,
                                                    java.lang.String keyAlg,
                                                    int keySize,
                                                    java.lang.String keyPW)
                                             throws java.security.GeneralSecurityException,
                                                    java.io.IOException

  New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  ou - e.g. console

  validDays - e.g. 3652 (10 years)

  keyAlg - e.g. DSA , RSA, EC

  keySize - e.g. 1024

  keyPW - the key password, must be at least 6 characters

  戻り値:

  all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.25

• createKeysAndCRL

  public static java.lang.Object[] createKeysAndCRL​(java.io.File ks,
                                                    java.lang.String ksPW,
                                                    java.lang.String alias,
                                                    java.lang.String cname,
                                                    java.util.Set<java.lang.String> altNames,
                                                    java.lang.String ou,
                                                    int validDays,
                                                    java.lang.String keyAlg,
                                                    int keySize,
                                                    java.lang.String keyPW)
                                             throws java.security.GeneralSecurityException,
                                                    java.io.IOException

  New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.

  ou - e.g. console

  validDays - e.g. 3652 (10 years)

  keyAlg - e.g. DSA , RSA, EC

  keySize - e.g. 1024

  keyPW - the key password, must be at least 6 characters

  戻り値:

  all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.34 added altNames param

• createKeysAndCRL

  public static java.lang.Object[] createKeysAndCRL​(java.io.File ks,
                                                    java.lang.String ksPW,
                                                    java.lang.String alias,
                                                    java.lang.String cname,
                                                    java.lang.String ou,
                                                    int validDays,
                                                    SigType type,
                                                    java.lang.String keyPW)
                                             throws java.security.GeneralSecurityException,
                                                    java.io.IOException

  New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  ou - e.g. console

  validDays - e.g. 3652 (10 years)

  keyPW - the key password, must be at least 6 characters

  戻り値:

  all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.25

• createKeysAndCRL

  public static java.lang.Object[] createKeysAndCRL​(java.io.File ks,
                                                    java.lang.String ksPW,
                                                    java.lang.String alias,
                                                    java.lang.String cname,
                                                    java.util.Set<java.lang.String> altNames,
                                                    java.lang.String ou,
                                                    int validDays,
                                                    SigType type,
                                                    java.lang.String keyPW)
                                             throws java.security.GeneralSecurityException,
                                                    java.io.IOException

  New way - Native Java, does not call out to keytool. Create a keypair and store it in the keystore at ks, creating it if necessary. This returns the public key, private key, certificate, and CRL in an array. All of these are Java classes. Keys may be converted to I2P classes with SigUtil. The private key and selfsigned cert are stored in the keystore. The public key may be derived from the private key with KeyGenerator.getSigningPublicKey(). The public key certificate may be stored separately with CertUtil.saveCert() if desired. The CRL is not stored by this method, store it with CertUtil.saveCRL() or CertUtil.exportCRL() if desired. Throws on all errors. Warning, may take a long time.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password

  alias - the name of the key

  cname - e.g. localhost. Must be a hostname or email address. IP addresses will not be correctly encoded.

  altNames - the Subject Alternative Names. May be null. May contain hostnames and/or IP addresses. cname, localhost, 127.0.0.1, and ::1 will be automatically added.

  ou - e.g. console

  validDays - e.g. 3652 (10 years)

  keyPW - the key password, must be at least 6 characters

  戻り値:

  all you need: rv[0] is a Java PublicKey rv[1] is a Java PrivateKey rv[2] is a Java X509Certificate rv[3] is a Java X509CRL

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.34 added altNames param

• getPrivateKey

  public static java.security.PrivateKey getPrivateKey​(java.io.File ks,
                                                       java.lang.String ksPW,
                                                       java.lang.String alias,
                                                       java.lang.String keyPW)
                                                throws java.security.GeneralSecurityException,
                                                       java.io.IOException

  Get a private key out of a keystore

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key

  keyPW - the key password, must be at least 6 characters

  戻り値:

  the key or null if not found

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

• exportPrivateKey

  public static void exportPrivateKey​(java.io.File ks,
                                      java.lang.String ksPW,
                                      java.lang.String alias,
                                      java.lang.String keyPW,
                                      java.io.OutputStream out)
                               throws java.security.GeneralSecurityException,
                                      java.io.IOException

  Export the private key and certificate chain (if any) out of a keystore. Does NOT close the output stream. Throws on all errors.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key

  keyPW - the key password, must be at least 6 characters

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.25

• renewPrivateKeyCertificate

  public static java.security.cert.X509Certificate renewPrivateKeyCertificate​(java.io.File ks,
                                                                              java.lang.String ksPW,
                                                                              java.lang.String alias,
                                                                              java.lang.String keyPW,
                                                                              int validDays)
                                                                       throws java.security.GeneralSecurityException,
                                                                              java.io.IOException

  Renew the the private key certificate in a keystore. Closes the input and output streams. Throws on all errors.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key, or null to get the first one in keystore

  keyPW - the key password, must be at least 6 characters

  validDays - new cert to expire this many days from now

  戻り値:

  the new certificate

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.34

• importPrivateKey

  public static java.lang.String importPrivateKey​(java.io.File ks,
                                                  java.lang.String ksPW,
                                                  java.lang.String alias,
                                                  java.lang.String keyPW,
                                                  java.io.InputStream in)
                                           throws java.security.GeneralSecurityException,
                                                  java.io.IOException

  Import the private key and certificate chain to a keystore. Keystore will be created if it does not exist. Private key MUST be first in the stream. Closes the stream. Throws on all errors.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key. If null, will be taken from the Subject CN of the first certificate in the chain.

  keyPW - the key password, must be at least 6 characters

  戻り値:

  the alias as specified or extracted

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.25

• storePrivateKey

  public static void storePrivateKey​(java.io.File ks,
                                     java.lang.String ksPW,
                                     java.lang.String alias,
                                     java.lang.String keyPW,
                                     java.security.PrivateKey pk,
                                     java.util.List<java.security.cert.X509Certificate> certs)
                              throws java.security.GeneralSecurityException,
                                     java.io.IOException

  Import the private key and certificate chain to a keystore. Keystore will be created if it does not exist. Private key MUST be first in the stream. Closes the stream. Throws on all errors.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key, non-null.

  keyPW - the key password, must be at least 6 characters

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

  導入されたバージョン:

  0.9.25

• getCert

  public static java.security.cert.Certificate getCert​(java.io.File ks,
                                                       java.lang.String ksPW,
                                                       java.lang.String alias)
                                                throws java.security.GeneralSecurityException,
                                                       java.io.IOException

  Get a cert out of a keystore

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key

  戻り値:

  the certificate or null if not found

  例外:

  java.security.GeneralSecurityException

  java.io.IOException

• exportCert

  public static boolean exportCert​(java.io.File ks,
                                   java.lang.String ksPW,
                                   java.lang.String alias,
                                   java.io.File certFile)

  Pull the cert back OUT of the keystore and save it in Base64-encoded X.509 format so the clients can get to it.

  パラメータ:

  ks - path to the keystore

  ksPW - the keystore password, may be null

  alias - the name of the key

  certFile - output

  戻り値:

  success

  導入されたバージョン:

  0.8.3 moved from SSLClientListenerRunner in 0.9.9