de.captaingoldfish.scim.sdk.client.keys

Class KeyStoreSupporter

java.lang.Object

de.captaingoldfish.scim.sdk.client.keys.KeyStoreSupporter

public final class KeyStoreSupporter
extends Object

author: Pascal Knueppel
created at: 09.12.2019

This class is meant to provide additional operations to work with keystores. This implies adding new entries into a keystore, reading entries, convert a keystore from jks to pkcs12 or vice versa etc.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	KeyStoreSupporter.KeyStoreType represents the possible keystore types that are supported

Method Summary

Modifier and Type	Method and Description
static KeyStore	addCertificateEntryToKeyStore(KeyStore keyStore, Certificate certificate, String alias) this method simply adds a certificate entry to the given keystore.
static KeyStore	addKeyEntryToKeystore(KeyStore keyStore, String alias, Key key, Certificate[] certificateChain, String password) will try to add the given key-entry under the given alias to the given keystore
static KeyStore	convertKeyStore(KeyStore keyStore, String keyStorePassword, KeyStoreSupporter.KeyStoreType keyStoreType) This method will convert a given keystore with all its entries into another type of keystore.
static KeyStore	createEmptyKeyStore(KeyStoreSupporter.KeyStoreType keyStoreType, String keystorePassword) creates an empty keystore
static Enumeration<String>	getAliases(KeyStore keyStore) convenience method to access the aliases of the keystore without having to handle the exception
static byte[]	getBytes(KeyStore keyStore, String password) will convert the given keystore into a byte array
static Optional<Certificate>	getCertificate(KeyStore keyStore, String alias) convenience method to read a certificate entry from a keystore
static Optional<Certificate[]>	getCertificateChain(KeyStore keyStore, String alias) will get the certificateChain from the given alias
static void	keyStoreToFile(File file, KeyStore keyStore, String keystorePassword) Will store the given keystore into the given file.
static void	keyStoreToFile(File directory, String filename, KeyStore keyStore, String keystorePassword) Will store the given keystore into the given file.
static KeyStore	mergeKeyStores(KeyStore keyStore1, String password1, KeyStore keyStore2, String password2, KeyStoreSupporter.KeyStoreType keyStoreType, String mergedKeyStoreKeyPassword) this method will merge all accessible entries from the given keystores into a single keystore WARNING: It might be that keystore1 and 2 may contain different entries under the same alias.
static KeyPair	readFirstKeyPairEntryFromKeyStore(KeyStore keyStore, String privateKeyPassword) reads the first found keystore entry and expects it to be a private-key entry.
static KeyStore	readKeyStore(byte[] keyStoreBytes, KeyStoreSupporter.KeyStoreType keyStoreType, String keyStorePassword) will read a byte array to a keystore.
static KeyStore	readKeyStore(File file, KeyStoreSupporter.KeyStoreType keyStoreType, String keyStorePassword) will read a file to a keystore.
static KeyStore	readKeyStore(File file, String keyStorePassword) will read a file to a keystore.
static KeyStore	readKeyStore(InputStream keyStoreStream, KeyStoreSupporter.KeyStoreType keyStoreType, String keyStorePassword) will read an input stream to a keystore.
static KeyStore	readTruststore(byte[] truststoreBytes, KeyStoreSupporter.KeyStoreType keyStoreType) will read a keystore from the given byte array that can only be used as truststore
static KeyStore	readTruststore(byte[] truststoreBytes, KeyStoreSupporter.KeyStoreType keyStoreType, String password) will read a keystore from the given byte array that can only be used as truststore
static KeyStore	readTruststore(InputStream truststoreStream, KeyStoreSupporter.KeyStoreType keyStoreType) will read a keystore from the given inputstream that can only be used as truststore
static KeyStore	readTruststore(InputStream truststoreStream, KeyStoreSupporter.KeyStoreType keyStoreType, String password) will read a keystore from the given inputstream that can only be used as truststore
static Provider	selectProvider(KeyStoreSupporter.KeyStoreType keyStoreType) this method will make sure that the correct security provider is chosen for the different keystore types.
static KeyStore	toKeyStore(byte[] privateKeyBytes, byte[] certificateBytes, String alias, String keystorePassword, KeyStoreSupporter.KeyStoreType keyStoreType) creates a keystore from the given privateKey and the certificate
static KeyStore	toKeyStore(Certificate certificate, String alias, String keystorePassword, KeyStoreSupporter.KeyStoreType keyStoreType) creates a keystore from the given certificate
static KeyStore	toKeyStore(PrivateKey privateKey, Certificate certificate, String alias, String keystorePassword, KeyStoreSupporter.KeyStoreType keyStoreType) creates a keystore from the given privateKey and the certificate
static void	tryCopyKeyEntry(KeyStore keyStore, String keyStorePassword, String keyPassword, KeyStoreSupporter.KeyStoreType keyStoreType, KeyStore newKeyStore, String alias) this method tries to access an entry of the given keyStore and will add it to the newKeyStore object no matter if the given alias is a key-entry or a certificate entry

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

selectProvider

public static Provider selectProvider(KeyStoreSupporter.KeyStoreType keyStoreType)

this method will make sure that the correct security provider is chosen for the different keystore types. The experience shows us that BouncyCastleProvider is often tried to be used for JKS and JCEKS keystores. But bouncy castle cannot handle these types why we are chosing the providers manually here

Parameters:

keyStoreType - the keystore type for which a provider is needed.

Returns:

the provider that can handle the given keystore

toKeyStore

public static KeyStore toKeyStore(PrivateKey privateKey,
                                  Certificate certificate,
                                  String alias,
                                  String keystorePassword,
                                  KeyStoreSupporter.KeyStoreType keyStoreType)

creates a keystore from the given privateKey and the certificate

Parameters:

privateKey - the private key that should be packed into a keystore

certificate - the certificate that should be packed into the keystore alongside the private key

alias - the alias that should be used for the private key and the certificate

keystorePassword - the password to safe the keystore and the private key

keyStoreType - the type of the keystore

Returns:

the keystore with the private key and the certificate

Throws:

KeyStoreCreationFailedException - if the algorithm of the keyStoreType could not be resolved

KeyStoreEntryException - if the certificate or private key could not be added to the keystore

toKeyStore

public static KeyStore toKeyStore(Certificate certificate,
                                  String alias,
                                  String keystorePassword,
                                  KeyStoreSupporter.KeyStoreType keyStoreType)

creates a keystore from the given certificate

Parameters:

certificate - the certificate that should be packed into the keystore alongside the private key

alias - the alias that should be used for the private key and the certificate

keystorePassword - the password to safe the keystore and the private key

keyStoreType - the type of the keystore

Returns:

the keystore with the private key and the certificate

Throws:

KeyStoreCreationFailedException - if the algorithm of the keyStoreType could not be resolved

KeyStoreEntryException - if the certificate or private key could not be added to the keystore

toKeyStore

public static KeyStore toKeyStore(byte[] privateKeyBytes,
                                  byte[] certificateBytes,
                                  String alias,
                                  String keystorePassword,
                                  KeyStoreSupporter.KeyStoreType keyStoreType)

creates a keystore from the given privateKey and the certificate

Parameters:

privateKeyBytes - the private key that should be packed into a keystore

certificateBytes - the certificate that should be packed into the keystore alongside the private key

alias - the alias that should be used for the private key and the certificate

keystorePassword - the password to safe the keystore and the private key

keyStoreType - the type of the keystore

Returns:

the keystore with the private key and the certificate

Throws:

KeyStoreCreationFailedException - if the algorithm of the keyStoreType could not be resolved

KeyStoreEntryException - if the certificate or private key could not be added to the keystore

KeyGenerationException - if the private key could not be created from the given byte-array

CertificateCreationException - if the certificate could not be created from the given data.

getBytes

public static byte[] getBytes(KeyStore keyStore,
                              String password)

will convert the given keystore into a byte array

Parameters:

keyStore - the keystore that should be converted

password - the keystore password that will be used as encryption password for the keystore

Returns:

the byte array that contains the data of the given keystore

Throws:

KeyStoreConvertException - if the keystore conversion failed.

createEmptyKeyStore

public static KeyStore createEmptyKeyStore(KeyStoreSupporter.KeyStoreType keyStoreType,
                                           String keystorePassword)

creates an empty keystore

Parameters:

keyStoreType - the type of keystore to create

keystorePassword - the password to secure the keystore

Returns:

the newly created empty keystore-instance

addCertificateEntryToKeyStore

public static KeyStore addCertificateEntryToKeyStore(KeyStore keyStore,
                                                     Certificate certificate,
                                                     String alias)

this method simply adds a certificate entry to the given keystore. This method is only to extend the adding of certificate method by logging and it prevents overriding existing entries.

Parameters:

keyStore - the keystore to which the certificate should be added

certificate - the certificate to add to the given keystore

alias - the alias that will be used for the certificate entry.

Returns:

the keystore that was also given as parameter with the added certificate.

addKeyEntryToKeystore

public static KeyStore addKeyEntryToKeystore(KeyStore keyStore,
                                             String alias,
                                             Key key,
                                             Certificate[] certificateChain,
                                             String password)

will try to add the given key-entry under the given alias to the given keystore

Parameters:

keyStore - the keystore to which the key entry should be added

alias - the alias to use for the key-entry

key - the key to set under the given alias

password - the password to secure the key within the keystore

Returns:

the same keystore that was given as parameter

convertKeyStore

public static KeyStore convertKeyStore(KeyStore keyStore,
                                       String keyStorePassword,
                                       KeyStoreSupporter.KeyStoreType keyStoreType)

This method will convert a given keystore with all its entries into another type of keystore.
this will of course only work if the private key passwords are matching the keystore password.

Parameters:

keyStore - the kystore that shall be converted

keyStorePassword - the password to open the keystore

keyStoreType - the type to which the keystore should be converted

Returns:

the converted keystore.

tryCopyKeyEntry

public static void tryCopyKeyEntry(KeyStore keyStore,
                                   String keyStorePassword,
                                   String keyPassword,
                                   KeyStoreSupporter.KeyStoreType keyStoreType,
                                   KeyStore newKeyStore,
                                   String alias)

this method tries to access an entry of the given keyStore and will add it to the newKeyStore object no matter if the given alias is a key-entry or a certificate entry

Parameters:

keyStore - the keystore that holds the original entry

keyStorePassword - the password to access the original keystore

keyPassword - the password to access the original key entry under the given alias

keyStoreType - the type of the original keystore

newKeyStore - the new keystore to which the entry should be copied

alias - the alias of the entry that should be copied

keyStoreToFile

public static void keyStoreToFile(File file,
                                  KeyStore keyStore,
                                  String keystorePassword)

Will store the given keystore into the given file.

Parameters:

file - the file where the keystore should be saved.

keyStore - the keystore to save.

keystorePassword - the password to access and save the given keystore

keyStoreToFile

public static void keyStoreToFile(File directory,
                                  String filename,
                                  KeyStore keyStore,
                                  String keystorePassword)

Will store the given keystore into the given file.

Parameters:

directory - the target directory where the keystore should be saved.

filename - the file where the keystore should be saved.

keyStore - the keystore to save.

keystorePassword - the password to access and save the given keystore

readKeyStore

public static KeyStore readKeyStore(File file,
                                    String keyStorePassword)

will read a file to a keystore.

Parameters:

file - the file that should be read to a keystore

keyStorePassword - the password to access the keystore

Returns:

the read keystore

readKeyStore

public static KeyStore readKeyStore(File file,
                                    KeyStoreSupporter.KeyStoreType keyStoreType,
                                    String keyStorePassword)

will read a file to a keystore.

Parameters:

file - the file that should be read to a keystore

keyStoreType - the type of the keystore.

keyStorePassword - the password to access the keystore

Returns:

the read keystore

readKeyStore

public static KeyStore readKeyStore(byte[] keyStoreBytes,
                                    KeyStoreSupporter.KeyStoreType keyStoreType,
                                    String keyStorePassword)

will read a byte array to a keystore.

Parameters:

keyStoreBytes - the bytes of the keyStore that should be read

keyStoreType - the type of the keystore.

keyStorePassword - the password to access the keystore

Returns:

the read keystore

readKeyStore

public static KeyStore readKeyStore(InputStream keyStoreStream,
                                    KeyStoreSupporter.KeyStoreType keyStoreType,
                                    String keyStorePassword)

will read an input stream to a keystore.

Parameters:

keyStoreStream - the bytes of the keyStore that should be read

keyStoreType - the type of the keystore.

keyStorePassword - the password to access the keystore

Returns:

the read keystore

readTruststore

public static KeyStore readTruststore(byte[] truststoreBytes,
                                      KeyStoreSupporter.KeyStoreType keyStoreType)

will read a keystore from the given byte array that can only be used as truststore

Parameters:

truststoreBytes - the bytes of the truststore

keyStoreType - the keystore type that the truststore represents

Returns:

a keystore that can only be used as truststore

readTruststore

public static KeyStore readTruststore(byte[] truststoreBytes,
                                      KeyStoreSupporter.KeyStoreType keyStoreType,
                                      String password)

will read a keystore from the given byte array that can only be used as truststore

Parameters:

truststoreBytes - the bytes of the truststore

keyStoreType - the keystore type that the truststore represents

password - an optional password that can be entered for JKS keystores and must be entered for PKCS12 keystores

Returns:

a keystore that can only be used as truststore

readTruststore

public static KeyStore readTruststore(InputStream truststoreStream,
                                      KeyStoreSupporter.KeyStoreType keyStoreType)

will read a keystore from the given inputstream that can only be used as truststore

Parameters:

truststoreStream - a stream containing the truststore data

keyStoreType - the keystore type that the truststore represents

Returns:

a keystore that can only be used as truststore

readTruststore

public static KeyStore readTruststore(InputStream truststoreStream,
                                      KeyStoreSupporter.KeyStoreType keyStoreType,
                                      String password)

will read a keystore from the given inputstream that can only be used as truststore

Parameters:

truststoreStream - a stream containing the truststore data

keyStoreType - the keystore type that the truststore represents

password - an optional password that can be entered for JKS keystores and must be entered for PKCS12 keystores

Returns:

a keystore that can only be used as truststore

mergeKeyStores

public static KeyStore mergeKeyStores(KeyStore keyStore1,
                                      String password1,
                                      KeyStore keyStore2,
                                      String password2,
                                      KeyStoreSupporter.KeyStoreType keyStoreType,
                                      String mergedKeyStoreKeyPassword)

this method will merge all accessible entries from the given keystores into a single keystore
WARNING:
It might be that keystore1 and 2 may contain different entries under the same alias. In order for these both not to collide with one another the alias from keystore2 will be extended by "_2"

If keystore 1 and 2 will share the same entry under different aliases the alias from keystore1 is preferred unless the entry of keystore1 is accessible. Otherwise the entry of keystore2 will be added if it is accessbile instead.

If a private key entry cannot be accessed since its password is not matching the keystore password the entry will be omitted and only be added as a certificate entry.

Parameters:

keyStore1 - the first keystore

password1 - the password to access the first keystore

keyStore2 - the second keystore

password2 - the password to access the second keystore

keyStoreType - this will be the type of the keystore that contains the new entries.

mergedKeyStoreKeyPassword - this will be the password of all added private keys within the merged keystore.

Returns:

a new keystore that contains all entries of the two keystores that were directly accessible.

readFirstKeyPairEntryFromKeyStore

public static KeyPair readFirstKeyPairEntryFromKeyStore(KeyStore keyStore,
                                                        String privateKeyPassword)

reads the first found keystore entry and expects it to be a private-key entry. This method can be used if the alias of the keystore is unknown and the given keystore contains only a single private-key-entry

Parameters:

keyStore - the keystore with hopefully only a single private key entry

privateKeyPassword - the password of the private key

Returns:

the keypair of the keystore. (Since empty keystores are invalid this method should never return null)

Throws:

KeyStoreReadingException - if the keystore entry could not be read or if the first keystore entry is only a certificate entry

getAliases

public static Enumeration<String> getAliases(KeyStore keyStore)

convenience method to access the aliases of the keystore without having to handle the exception

Parameters:

keyStore - the keystore to get the aliases from

Returns:

the aliases of the given keystore

Throws:

KeyStoreReadingException - in case of a KeyStoreException

getCertificateChain

public static Optional<Certificate[]> getCertificateChain(KeyStore keyStore,
                                                          String alias)

will get the certificateChain from the given alias

Parameters:

keyStore - the keystore from which the certificate chain should be extracted

alias - the alias where the chain should be found

Returns:

the certificate chain if present or an empty

getCertificate

public static Optional<Certificate> getCertificate(KeyStore keyStore,
                                                   String alias)

convenience method to read a certificate entry from a keystore