OpenJDK 1.22 · java.security.KeyStore · APIdia, the JavaDoc alternative

This class represents a storage facility for cryptographic keys and certificates.

A KeyStore manages different types of entries. Each type of entry implements the KeyStore.Entry interface. Three basic KeyStore.Entry implementations are provided:

KeyStore.PrivateKeyEntry
This type of entry holds a cryptographic PrivateKey, which is optionally stored in a protected format to prevent unauthorized access. It is also accompanied by a certificate chain for the corresponding public key.
Private keys and certificate chains are used by a given entity for self-authentication. Applications for this authentication include software distribution organizations which sign JAR files as part of releasing and/or licensing software.
KeyStore.SecretKeyEntry
This type of entry holds a cryptographic SecretKey, which is optionally stored in a protected format to prevent unauthorized access.
KeyStore.TrustedCertificateEntry
This type of entry contains a single public key Certificate belonging to another party. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject (owner) of the certificate.
This type of entry can be used to authenticate other parties.

Each entry in a keystore is identified by an "alias" string. In the case of private keys and their associated certificate chains, these strings distinguish among the different ways in which the entity may authenticate itself. For example, the entity may authenticate itself using different certificate authorities, or using different public key algorithms.

Whether aliases are case-sensitive is implementation dependent. In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case.

Whether keystores are persistent, and the mechanisms used by the keystore if it is persistent, are not specified here. This allows use of a variety of techniques for protecting sensitive (e.g., private or secret) keys. Smart cards or other integrated cryptographic engines (SafeKeyper) are one option, and simpler mechanisms such as files may also be used (in a variety of formats).

Typical ways to request a KeyStore object include specifying an existing keystore file, relying on the default type and providing a specific keystore type.

To specify an existing keystore file:
```
    // get keystore password
    char[] password = getPassword();

    // probe the keystore file and load the keystore entries
    KeyStore ks = KeyStore.getInstance(new File("keyStoreName"), password);
```
The system will probe the specified file to determine its keystore type and return a keystore implementation with its entries already loaded. When this approach is used there is no need to call the keystore's load method.
To rely on the default type:
```
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
 
```
The system will return a keystore implementation for the default type.
To provide a specific keystore type:
```
      KeyStore ks = KeyStore.getInstance("JKS");
 
```
The system will return the most preferred implementation of the specified keystore type available in the environment.

Before a keystore can be accessed, it must be loaded (unless it was already loaded during instantiation).

    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

    // get user password and file input stream
    char[] password = getPassword();

    try (FileInputStream fis = new FileInputStream("keyStoreName")) {
        ks.load(fis, password);
    }

To create an empty keystore using the above load method, pass null as the InputStream argument.

Once the keystore has been loaded, it is possible to read existing entries from the keystore, or to write new entries into the keystore:

    KeyStore.PasswordProtection protParam =
        new KeyStore.PasswordProtection(password);
    try (FileOutputStream fos = new FileOutputStream("newKeyStoreName")) {
        // get my private key
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
            ks.getEntry("privateKeyAlias", protParam);
        PrivateKey myPrivateKey = pkEntry.getPrivateKey();

        // save my secret key
        javax.crypto.SecretKey mySecretKey;
        KeyStore.SecretKeyEntry skEntry =
            new KeyStore.SecretKeyEntry(mySecretKey);
        ks.setEntry("secretKeyAlias", skEntry, protParam);

        // store away the keystore
        ks.store(fos, password);
    } finally {
        protParam.destroy();
    }

Note that although the same password may be used to load the keystore, to protect the private key entry, to protect the secret key entry, and to store the keystore (as is shown in the sample code above), different passwords or other protection parameters may also be used.

Every implementation of the Java platform is required to support the following standard KeyStore type:

PKCS12

This type is described in the KeyStore section of the Java Security Standard Algorithm Names Specification. Consult the release documentation for your implementation to see if any other types are supported.

Modifier and Type	Class and Description
public abstract static class	KeyStore.Builder A description of a to-be-instantiated `KeyStore` object.
public static class	KeyStore.CallbackHandlerProtection A `ProtectionParameter` encapsulating a CallbackHandler.
public static interface	KeyStore.Entry A marker interface for `KeyStore` entry types.
public static interface	KeyStore.LoadStoreParameter A marker interface for `KeyStore` `load` and `store` parameters.
public static class	KeyStore.PasswordProtection A password-based implementation of `ProtectionParameter`.
public static class	KeyStore.PrivateKeyEntry A `KeyStore` entry that holds a `PrivateKey` and corresponding certificate chain.
public static interface	KeyStore.ProtectionParameter A marker interface for keystore protection parameters.
public static class	KeyStore.SecretKeyEntry A `KeyStore` entry that holds a `SecretKey`.
pack-priv static class	KeyStore.SimpleLoadStoreParameter
public static class	KeyStore.TrustedCertificateEntry A `KeyStore` entry that holds a trusted `Certificate`.

Modifier and Type	Field and Description
private boolean	initialized
private static final Debug	kdebug
private static final String	KEYSTORE_TYPE
private final KeyStoreSpi	keyStoreSpi
private static final Debug	pdebug
private final Provider	provider
private static final boolean	skipDebug
private final String	type

Access	Constructor and Description
protected	KeyStore(KeyStoreSpi the provider implementation. keyStoreSpi, Provider the provider. provider, String the keystore type. type) Creates a `KeyStore` object of the given type, and encapsulates the given provider implementation (SPI object) in it.

Method Summary

Modifier and Type	Method and Description
public final Enumeration<String>	Returns: enumeration of the alias names aliases() Lists all the alias names of this keystore.
public final boolean	Returns: `true` if the alias exists, `false` otherwise containsAlias(String the alias name alias) Checks if the given alias exists in this keystore.
public final void	deleteEntry(String the alias name alias) Deletes the entry identified by the given alias from this keystore.
public final boolean	Returns: `true` if the keystore `Entry` for the specified `alias` is an instance or subclass of the specified `entryClass`, `false` otherwise entryInstanceOf(String the alias name alias, Class<? extends KeyStore.Entry> the entry class entryClass) Determines if the keystore `Entry` for the specified `alias` is an instance or subclass of the specified `entryClass`.
public final Set<KeyStore.Entry.Attribute>	Returns: an unmodifiable `Set` of attributes. This set is empty if the `KeyStoreSpi` implementation has not overridden `KeyStoreSpi#engineGetAttributes(String)`, or the given alias does not exist, or there are no attributes associated with the alias. This set may also be empty for `PrivateKeyEntry` or `SecretKeyEntry` entries that contain protected attributes and are only available through the `Entry#getAttributes` method after the entry is extracted. getAttributes(String the alias name alias) Retrieves the attributes associated with the given alias.
public final Certificate	Returns: the certificate, or `null` if the given alias does not exist or does not contain a certificate. getCertificate(String the alias name alias) Returns the certificate associated with the given alias.
public final String	Returns: the alias name of the first entry with a matching certificate, or `null` if no such entry exists in this keystore. getCertificateAlias(Certificate the certificate to match with. cert) Returns the (alias) name of the first keystore entry whose certificate matches the given certificate.
public final Certificate[]	Returns: the certificate chain (ordered with the user's certificate first followed by zero or more certificate authorities), or `null` if the given alias does not exist or does not contain a certificate chain getCertificateChain(String the alias name alias) Returns the certificate chain associated with the given alias.
public final Date	Returns: the creation date of this entry, or `null` if the given alias does not exist getCreationDate(String the alias name alias) Returns the creation date of the entry identified by the given alias.
public static final String	Returns: the default keystore type as specified by the `keystore.type` security property, or the string "pkcs12" if no such property exists. getDefaultType() Returns the default keystore type as specified by the `keystore.type` security property, or the string "pkcs12" if no such property exists.
public final KeyStore.Entry	Returns: the keystore `Entry` for the specified alias, or `null` if there is no such entry getEntry(String get the keystore `Entry` for this alias alias, KeyStore.ProtectionParameter the `ProtectionParameter` used to protect the `Entry`, which may be `null` protParam) Gets a keystore `Entry` for the specified alias with the specified protection parameter.
public static KeyStore	Returns: a keystore object of the specified type getInstance(String the type of keystore. See the KeyStore section in the Java Security Standard Algorithm Names Specification for information about standard keystore types. type) Returns a `KeyStore` object of the specified type.
public static KeyStore	Returns: a keystore object of the specified type getInstance(String the type of keystore. See the KeyStore section in the Java Security Standard Algorithm Names Specification for information about standard keystore types. type, String the name of the provider. provider) Returns a `KeyStore` object of the specified type.
public static KeyStore	Returns: a keystore object of the specified type getInstance(String the type of keystore. See the KeyStore section in the Java Security Standard Algorithm Names Specification for information about standard keystore types. type, Provider the provider. provider) Returns a `KeyStore` object of the specified type.
public static final KeyStore	Returns: a keystore object loaded with keystore data getInstance(File the keystore file file, char[] the keystore password, which may be `null` password) Returns a loaded keystore object of the appropriate keystore type.
public static final KeyStore	Returns: a keystore object loaded with keystore data getInstance(File the keystore file file, KeyStore.LoadStoreParameter the `LoadStoreParameter` that specifies how to load the keystore, which may be `null` param) Returns a loaded keystore object of the appropriate keystore type.
private static final KeyStore	getInstance(File file, char[] password, KeyStore.LoadStoreParameter param, boolean hasPassword)
public final Key	Returns: the requested key, or `null` if the given alias does not exist or does not identify a key-related entry. getKey(String the alias name alias, char[] the password for recovering the key password) Returns the key associated with the given alias, using the given password to recover it.
public final Provider	Returns: the provider of this keystore. getProvider() Returns the provider of this keystore.
private String	getProviderName()
public final String	Returns: the type of this keystore. getType() Returns the type of this keystore.
public final boolean	Returns: `true` if the entry identified by the given alias contains a trusted certificate, `false` otherwise. isCertificateEntry(String the alias for the keystore entry to be checked alias) Returns `true` if the entry identified by the given alias was created by a call to `setCertificateEntry`, or created by a call to `setEntry` with a `TrustedCertificateEntry`.
public final boolean	Returns: `true` if the entry identified by the given alias is a key-related entry, `false` otherwise. isKeyEntry(String the alias for the keystore entry to be checked alias) Returns `true` if the entry identified by the given alias was created by a call to `setKeyEntry`, or created by a call to `setEntry` with a `PrivateKeyEntry` or a `SecretKeyEntry`.
public final void	load(InputStream the input stream from which the keystore is loaded, or `null` stream, char[] the password used to check the integrity of the keystore, the password used to unlock the keystore, or `null` password) Loads this keystore from the given input stream.
public final void	load(KeyStore.LoadStoreParameter the `LoadStoreParameter` that specifies how to load the keystore, which may be `null` param) Loads this keystore using the given `LoadStoreParameter`.
public final void	setCertificateEntry(String the alias name alias, Certificate the certificate cert) Assigns the given trusted certificate to the given alias.
public final void	setEntry(String save the keystore `Entry` under this alias alias, KeyStore.Entry the `Entry` to save entry, KeyStore.ProtectionParameter the `ProtectionParameter` used to protect the `Entry`, which may be `null` protParam) Saves a keystore `Entry` under the specified alias.
public final void	setKeyEntry(String the alias name alias, Key the key to be associated with the alias key, char[] the password to protect the key password, Certificate[] the certificate chain for the corresponding public key (only required if the given key is of type `java.security.PrivateKey`). chain) Assigns the given key to the given alias, protecting it with the given password.
public final void	setKeyEntry(String the alias name alias, byte[] the key (in protected format) to be associated with the alias key, Certificate[] the certificate chain for the corresponding public key (only useful if the protected key is of type `java.security.PrivateKey`). chain) Assigns the given key (that has already been protected) to the given alias.
public final int	Returns: the number of entries in this keystore size() Retrieves the number of entries in this keystore.
public final void	store(OutputStream the output stream to which this keystore is written. stream, char[] the password to generate the keystore integrity check. May be `null` if the keystore does not support or require an integrity check. password) Stores this keystore to the given output stream, and protects its integrity with the given password.
public final void	store(KeyStore.LoadStoreParameter the `LoadStoreParameter` that specifies how to store the keystore, which may be `null` param) Stores this keystore using the given `LoadStoreParameter`.

Inherited from java.lang.Object:: clone equals finalize getClass hashCode notify notifyAll toString wait wait wait

public Class KeyStore

Nested and Inner Type Summary

Field Summary

Constructor Summary

Method Summary