
DETERMINATION OF ANTIMICROBIAL ACTIVITY

In document UNIVERSIDAD NACIONAL AGRARIA LA MOLINA (pages 56-61)

IV. RESULTS AND DISCUSSION

4.2. DETERMINATION OF ANTIMICROBIAL ACTIVITY

The class that implements the keystore is the KeyStore class (java.security.KeyStore):

public class KeyStore

Represent a set of private keys, aliases (entities), and their corresponding certificates. A keystore object is typically one that has been read in from disk; that is, the KeyStore object is an in−memory representation of the keystore file.

The KeyStore class is an engine class; there is a corresponding KeyStoreSpi class that you can use to write your own keystore (more about that a little later). As we've seen, the Sun-supplied algorithms for this engine are JKS, JCEKS, and PKCS12.

Instances of the KeyStore class are predictably obtained via this method:

public static final KeyStore getInstance(String type)

public static final KeyStore getInstance(String type, String provider)

Return an instance of the KeyStore class that implements the given algorithm, supplied by the given provider, if applicable.

If you do not want to hardwire the name of the keystore algorithm into your application, you may use this method to return the string that should be passed to the getInstance( ) method:

public static final String getDefaultType( )

Return the default keystore algorithm for the environment. This value is obtained by looking for a property called keystore.type in the java.security file; Sun's version of Java sets the default value of this string to JKS.

When the keystore object is created, it is initially empty. Although the getInstance( ) method has constructed the object, it is not expected that the object's constructor will read in a keystore from any particular location. The interaction between the keystore object and the keytool database comes via these two methods:

public final void load(InputStream is, char[] password)

Initialize the keystore from the data provided over the given input stream. The integrity of the keystore is protected by using a message digest: when the keystore is stored, a message digest that represents the data in the keystore is also stored. Before the digest is created, the password is added to the digest data; this means that the digest cannot be recreated from a keystore without knowledge of the password. This allows you to detect whether the keystore has been tampered with. The password for this method can be null, in which case the keystore is loaded and not verified.

It's somewhat misleading to call this parameter a password, although that's what the javadoc calls it, and that's the term used by keytool. If you pass null for the password, you'll always be able to read the keystore. Remember that a different password is used to decrypt the private keys in the keystore, so this isn't a security hole: if you don't have the password, you will be able to read only public certificates. If you use an incorrect password, an I/O exception is thrown.

You cannot require a password for the load( ) method to succeed since the Sun implementation of the Policy class calls this method without a password when it constructs the information needed for the access controller. You may, of course, provide your own implementation of the Policy class that requires a password.

If the class required to support the underlying message digest is not available, a NoSuchAlgorithmException is thrown. An error in reading the data results in an IOException, and generic format errors in the data result in a CertificateException.

public final void store(OutputStream os, char[] password)

Store the keystore to the given output stream. The password is typically included in a digest calculation of the keystore; this digest is then written to the output stream as well (but again, your own implementation of this class could use the password differently). The format of the data is completely implementation dependent.

This method may throw an IOException if the output stream cannot be written, a NoSuchAlgorithmException if the class used to create the digest cannot be found, or a CertificateException if the keystore object contains a certificate that cannot be parsed.
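The integrity protection that load( ) and store( ) provide is easy to misread, so here is an added example (not code from the book) that exercises it: a JCEKS keystore is built in memory with one secret-key entry, serialized with store( ), and then loaded with the correct password, a wrong password, a null password, and after a byte of the trailing digest has been flipped. JCEKS is used because it accepts secret-key entries via setKeyEntry( ) with a null chain; the alias, passwords and all-zero AES key are constructed sample values.

```java
import java.io.*;
import java.security.*;
import javax.crypto.spec.SecretKeySpec;

public class KeyStoreIntegrityDemo {
    // Constructed sample values: two throwaway passwords and an all-zero 16-byte AES key.
    static final char[] STORE_PW = "store-secret".toCharArray();
    static final char[] KEY_PW = "key-secret".toCharArray();

    /** Build a JCEKS keystore with one secret-key entry and serialize it with store(). */
    static byte[] buildStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                            // start from an empty in-memory keystore
        SecretKeySpec aes = new SecretKeySpec(new byte[16], "AES");
        ks.setKeyEntry("demo-aes", aes, KEY_PW, null);  // secret key, so the chain is null
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ks.store(bos, STORE_PW);                        // appends the password-keyed digest
        return bos.toByteArray();
    }

    /** Load the serialized keystore with the given password and report what happened. */
    static String tryLoad(byte[] data, char[] pw) {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(new ByteArrayInputStream(data), pw);
            return "loaded " + ks.size() + " entry, isKeyEntry=" + ks.isKeyEntry("demo-aes");
        } catch (IOException e) {
            return "rejected: " + e.getMessage();       // bad password or failed digest check
        } catch (GeneralSecurityException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = buildStore();
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01;          // corrupt the trailing digest byte
        System.out.println("correct pw:           " + tryLoad(good, STORE_PW));
        System.out.println("wrong pw:             " + tryLoad(good, "nope".toCharArray()));
        System.out.println("null pw:              " + tryLoad(good, null));
        System.out.println("tampered, correct pw: " + tryLoad(tampered, STORE_PW));
        System.out.println("tampered, null pw:    " + tryLoad(tampered, null));
        // The key itself is protected by KEY_PW, independently of the store password.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(good), null);
        System.out.println("getKey, key pw:       " + ks.getKey("demo-aes", KEY_PW).getAlgorithm());
        try { ks.getKey("demo-aes", "nope".toCharArray()); }
        catch (UnrecoverableKeyException e) { System.out.println("getKey, wrong key pw: rejected"); }
    }
}
```

The two "tampered" lines are the point: with the store password the corrupted file is rejected, but with a null password it loads silently, so a null password means no integrity check at all.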

There is no default file that holds the keystore. Within the core Java API, the only class that opens the keystore is the PolicyFile class, and that opens the keystore that is listed in the java.policy file(s). The tools that use the keystore (the jarsigner and keytool tools) allow you to use a command-line argument to specify the file that contains the keystore; they default to the file .keystore in the user's home directory. This is the convention your own programs will need to use. If your application needs to open the keystore (for example, to obtain a private key to sign an object), it should provide either a command-line argument or a property to specify the name of the file to open, and it should provide a reasonable default.

Following convention, we'll use the .keystore file in the user's home directory in our examples.

As we've seen, a keystore is arranged in terms of alias names. Aliases are arbitrarily assigned to an entry; while the name embedded in the certificate for a particular entry may be a long, complicated, distinguished name, the alias for that entry can provide a shorter, easier-to-remember name. There are a number of simple methods in the KeyStore class that deal with these alias names:

public final Date getCreationDate(String alias)

Return the date on which the entry referenced by the given alias was created.

public final void deleteEntry(String alias)

Delete the entry referenced by the given alias from the keystore.

public final Enumeration aliases( )

Return an enumeration of all the aliases in the keystore.

public final boolean containsAlias(String alias)

Indicate whether the keystore contains an entry referenced by the given alias.

public final int size( )

Return the number of entries/aliases in the keystore.

public final boolean isKeyEntry(String alias)

public final boolean isCertificateEntry(String alias)

Indicate whether the given alias represents a key entry or a certificate entry.

public final Key getKey(String alias, char[] password)

Return the private or secret key for the entry associated with the given alias. For a certificate entry, this method returns null. An UnrecoverableKeyException is thrown if the key cannot be retrieved (e.g., if the key has been damaged).

Retrieving a private key typically requires a password; this may or may not be the same password that was used to read the entire keystore. This allows private keys to be stored encrypted so they cannot be read without the appropriate password. If the class that provides encryption cannot be found, this method throws a NoSuchAlgorithmException.

public final Certificate[] getCertificateChain(String alias)

Return the certificate chain that verifies the entry associated with the given alias, which must represent a key entry. For an alias that represents a certificate entry, and for a key entry that stores a secret key, this method returns null.

public final Certificate getCertificate(String alias)

Return the certificate associated with the given alias. If the alias represents a key entry with a private key, the certificate returned is the user's certificate (that is, the first certificate in the entry's certificate chain); certificate entries have only a single certificate.

public final String getCertificateAlias(Certificate cert)

Return the alias that corresponds to the entry that matches the given certificate (using the equals( ) method of certificate comparison). If no matches occur, null is returned.

public final void setKeyEntry(String alias, byte key[], Certificate chain[])

public final void setKeyEntry(String alias, Key k, char[] password, Certificate chain[])

Assign the given private or secret key and certificate chain to the key entry represented by the given alias, creating a new key entry if necessary. Any previous private key and certificate chain (or secret key) for this entry are lost; if the previous entry was a certificate entry, it now becomes a key entry. If the key is a secret key, the certificate chain should be null.

A KeyStoreException is thrown if the key entry cannot be encrypted by the internal encryption algorithm of the keystore. Note that when the key is passed in as a series of bytes, it is not encrypted; in this case, you are expected to have performed the encryption yourself.

public final void setCertificateEntry(String alias, Certificate c)

Assign the given certificate to the certificate entry represented by the given alias, creating a new entry if necessary. If an entry for this alias already exists and is a key entry, a KeyStoreException is thrown. Otherwise, if an entry for this alias already exists, it is overwritten.

Note that there is no method that returns an entire entry; you must use the specific methods (such as the getKey( ) method) to obtain the individual pieces of information you need.

These are the basic methods by which we can manage a keystore. We'll see examples of many of these methods throughout the rest of this book; for now, let's look at a simple example that handles basic operations on a keystore:

package javasec.samples.ch10;
import java.io.*;
import java.security.*;
import java.security.cert.*;

// Body reconstructed from the surviving fragments of this listing and the text's
// description of it; the calls are the java.security.KeyStore API described above.
public class KeyStoreHandler {
    // Convention from the text: the .keystore file in the user's home directory.
    private static final String FNAME = System.getProperty("user.home") + File.separator + ".keystore";
    private KeyStore ks;
    private char[] password;

    public KeyStoreHandler(char[] pw) throws IOException, GeneralSecurityException {
        // Make a private copy so the original can be collected so
        // that it is not left lying around in memory.
        password = (char[]) pw.clone();
        ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream fis = new FileInputStream(FNAME)) {
            ks.load(fis, password);   // checks the keystore digest against the password
        }
    }

    public void store() throws FileNotFoundException,
            KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        try (FileOutputStream fos = new FileOutputStream(FNAME)) { ks.store(fos, password); }
    }

    public static void main(String args[]) { try {
        KeyStoreHandler ksh = new KeyStoreHandler(args[1].toCharArray());
        if (ksh.ks.isKeyEntry(args[0])) {          // key entry: print both ends of the chain
            java.security.cert.Certificate[] certs = ksh.ks.getCertificateChain(args[0]);
            X509Certificate x509 = (X509Certificate) certs[0];
            System.out.println("Entry DN: " + x509.getSubjectDN());
            x509 = (X509Certificate) certs[certs.length - 1];
            System.out.println("Last CA DN: " + x509.getSubjectDN());
        } else {                                    // certificate entry: a single certificate
            X509Certificate x509 = (X509Certificate) ksh.ks.getCertificate(args[0]);
            System.out.println("Certificate DN: " + x509.getSubjectDN());
        }
    } catch (Exception e) { e.printStackTrace(); } }
}

We'll use this class in the rest of the book to manage the default keystore. Its main( ) method (for testing) expects two arguments: the name of the entity in the keystore for which information is desired and the password that was used to encrypt the private key.

There are a number of points to pick out from this example. First, note that we constructed the keystore using the convention we mentioned earlier: the .keystore file in the user's home directory.

After we've read in the data, the first thing we do is determine if the entry that we're interested in is a key entry or a certificate entry, mostly so that we can handle the certificates for these entries differently. In the case of a key entry, we obtain the entire certificate chain and use the first entry in that chain to print out the DN for the entry, while the last entry in the chain is used to print out the DN for the last certificate authority in the chain. For a certificate entry, our task is simpler: there is a single certificate, and we simply print out its information.
