Package com.ibm.security.keystoreski

This package provides utilities for extracting information from a key store given a Subject Key Identifier (SKI). The SKI is an X.509 certificate extension (OID 2.5.29.14) of the Internet X.509 Public Key Infrastructure, described in RFC 3280, Section 4.2.1.2.

According to RFC 3280, Section 4.2.1.2, the SKI can be derived in multiple ways (for example, as the SHA-1 hash of the certificate's public key, or read directly from the certificate extension). The class com.ibm.security.keystoreski.SKIDefinition represents one such derivation rule. Before the SKI can be extracted from a certificate, the SKIDefinition implementation that is to be used must be obtained from com.ibm.security.keystoreski.SKIDefinitionFactory.

Extracting the SKI from a certificate by computing the SHA-1 hash of its public key

// caCert is an X509Certificate that was obtained earlier, for example
// from a key store entry or from a CertificateFactory.
// Extract the SKI from the certificate by calculating it as the
// SHA-1 hash of the public key of the certificate.
SKIDefinition definition = SKIDefinitionFactory.newSHA1PublicKeySKIDefinition();
String ski = definition.getSubjectKeyIdentifier(caCert);

Class com.ibm.security.keystoreski.KeyStoreSKI extracts information from a key store given the SKI. How the SKI is derived from each entry is defined by the SKIDefinition, as discussed earlier in this topic.

The interface assumes that every entry within a key store has a unique SKI value. If several entries share an SKI value, the first entry that matches is returned.
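The two derivations named above (reading the 2.5.29.14 extension, and hashing the public key with SHA-1 as RFC 3280 Section 4.2.1.2 describes) and the composite lookup over a key store, worked through in plain JDK code as an added example. This is not the IBM package's code: the class name SkiDemo, the helper names, and the command-line form "java SkiDemo keys.pfx PASSWORD" are assumptions of the example. The first part runs offline on a freshly generated key pair; the optional second part scans a PKCS12 file and also lists every alias that shares an SKI, which is exactly the situation in which the first-match rule in the text applies.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;

/** Plain-JDK illustration of the SKI derivations and a composite key store lookup (example code, not the IBM package). */
public class SkiDemo {

    // Consume one DER tag at off[0], checking that it is the expected one.
    private static void expectTag(byte[] der, int[] off, int tag) {
        if ((der[off[0]] & 0xff) != tag) {
            throw new IllegalArgumentException("expected DER tag 0x" + Integer.toHexString(tag) + " at offset " + off[0]);
        }
        off[0]++;
    }

    // Decode a DER length (short or long form) at off[0] and advance past it.
    private static int readLength(byte[] der, int[] off) {
        int first = der[off[0]++] & 0xff;
        if (first < 0x80) return first;
        int numBytes = first & 0x7f;
        if (numBytes == 0 || numBytes > 4) throw new IllegalArgumentException("unsupported DER length");
        int len = 0;
        for (int i = 0; i < numBytes; i++) len = (len << 8) | (der[off[0]++] & 0xff);
        return len;
    }

    /** RFC 3280 4.2.1.2 method (1): SHA-1 over the value of the subjectPublicKey BIT STRING
     *  (tag, length and the unused-bits octet are excluded from the hash input). */
    public static byte[] sha1PublicKeySki(PublicKey key) throws Exception {
        byte[] spki = key.getEncoded();                                   // DER SubjectPublicKeyInfo
        int[] off = {0};
        expectTag(spki, off, 0x30); readLength(spki, off);               // SubjectPublicKeyInfo SEQUENCE
        expectTag(spki, off, 0x30); int algLen = readLength(spki, off);  // AlgorithmIdentifier SEQUENCE
        off[0] += algLen;                                                // skip it entirely
        expectTag(spki, off, 0x03); int bitLen = readLength(spki, off);  // subjectPublicKey BIT STRING
        if (spki[off[0]] != 0) throw new IllegalArgumentException("unexpected unused bits in subjectPublicKey");
        byte[] keyBits = Arrays.copyOfRange(spki, off[0] + 1, off[0] + bitLen);
        return MessageDigest.getInstance("SHA-1").digest(keyBits);
    }

    /** Extension 2.5.29.14 if present. getExtensionValue() returns the DER OCTET STRING extnValue,
     *  whose content is itself the DER OCTET STRING that holds the key identifier. */
    public static byte[] extensionSki(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) return null;
        int[] off = {0};
        expectTag(ext, off, 0x04); readLength(ext, off);                 // extnValue wrapper
        expectTag(ext, off, 0x04); int len = readLength(ext, off);       // SubjectKeyIdentifier OCTET STRING
        return Arrays.copyOfRange(ext, off[0], off[0] + len);
    }

    /** The composite rule from the page: extension first, SHA-1 of the public key as the fallback. */
    public static byte[] compositeSki(X509Certificate cert) throws Exception {
        byte[] fromExtension = extensionSki(cert);
        return fromExtension != null ? fromExtension : sha1PublicKeySki(cert.getPublicKey());
    }

    /** Every alias whose certificate yields the wanted SKI. The package API stops at the first match,
     *  so a list longer than one means the uniqueness assumption does not hold for this key store. */
    public static List<String> matchingAliases(KeyStore ks, byte[] wanted) throws Exception {
        List<String> hits = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && Arrays.equals(wanted, compositeSki((X509Certificate) c))) {
                hits.add(alias);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Offline part: derive the method-(1) SKI of a key pair generated here (constructed input).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] ski = sha1PublicKeySki(kp.getPublic());
        System.out.println("SHA-1 SKI, Base64 as the KeyStoreSKI API expects: " + Base64.getEncoder().encodeToString(ski));

        // Optional part: "java SkiDemo keys.pfx PASSWORD" scans a PKCS12 store (hypothetical file name).
        if (args.length == 2) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                Certificate c = ks.getCertificate(alias);
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                byte[] id = compositeSki(x);
                List<String> hits = matchingAliases(ks, id);
                System.out.println(alias + " -> " + Base64.getEncoder().encodeToString(id)
                        + (extensionSki(x) != null ? " (from extension)" : " (from SHA-1 of key)")
                        + (hits.size() > 1 ? "  NOTE: SKI shared with " + hits : ""));
            }
        }
    }
}
```

The DER walking is deliberately minimal (it only understands the fixed shapes of SubjectPublicKeyInfo and the extnValue wrapper), which is enough to show why the hash input is the BIT STRING contents rather than the whole encoded key: hashing getEncoded() directly would include the AlgorithmIdentifier and produce an identifier that never matches the one in a certificate's extension.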

Obtaining the alias, certificate, and private key from a key store by using a composite SKIDefinition

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import com.ibm.security.keystoreski.KeyStoreSKI;
import com.ibm.security.keystoreski.KeyStoreSKIFactory;
import com.ibm.security.keystoreski.SKIDefinition;
import com.ibm.security.keystoreski.SKIDefinitionFactory;

String filename = "keys.pfx";
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] password = "NEWPASSWORD".toCharArray();

// Load the key store; the stream is closed once loading has finished.
try (InputStream in = new FileInputStream(filename)) {
    ks.load(in, password);
}

// Construct a KeyStoreSKI to operate on the KeyStore.
KeyStoreSKI kss = KeyStoreSKIFactory.newKeyStoreSKI(ks);

// The subject key identifier that is going to be the search criterion.
// It should be in Base64 format.
String ski = ...;
// The definition of how to obtain the Subject Key Identifier from
// each entry in the key store. It first inspects the extension field
// (2.5.29.14) and, if that fails, generates the SHA-1 hash of the
// public key as specified in RFC 3280 Section 4.2.1.2.
SKIDefinition definition1 =
         SKIDefinitionFactory.newX509ExtensionSKIDefinition();
SKIDefinition definition2 =
         SKIDefinitionFactory.newSHA1PublicKeySKIDefinition();

SKIDefinition definition =
       SKIDefinitionFactory.newCompositeSKIDefinition
              (definition1, definition2);

// Obtain the first alias associated with an end entity certificate
// that matches the Subject Key Identifier criteria with the
// given Subject Key Identifier definition.
String alias = kss.getAlias(ski, definition);

// Obtain the first certificate associated with an end entity
// certificate that matches the Subject Key Identifier
// criteria with the given Subject Key Identifier definition.
Certificate certificate = kss.getCertificate(ski, definition);

// Obtain the first private key with an end entity certificate that
// matches the Subject Key Identifier
// criteria with the given Subject Key Identifier definition.
PrivateKey privateKey = kss.getPrivateKey(ski, definition, password);

// Output the alias.
System.out.println(alias);

// Output the public key.
System.out.println(certificate.getPublicKey().toString());

// Output the private key, if one was found for the matching entry.
if (privateKey != null) {
    System.out.println(privateKey.toString());
}