KeyStore (Java SE 9 & JDK 9 ) (original) (raw)
public class KeyStore
extends Object
This class represents a storage facility for cryptographic keys and certificates.
A KeyStore manages different types of entries. Each type of entry implements the KeyStore.Entry interface. Three basic KeyStore.Entry implementations are provided:
- KeyStore.PrivateKeyEntry
This type of entry holds a cryptographicPrivateKey, which is optionally stored in a protected format to prevent unauthorized access. It is also accompanied by a certificate chain for the corresponding public key.
Private keys and certificate chains are used by a given entity for self-authentication. Applications for this authentication include software distribution organizations which sign JAR files as part of releasing and/or licensing software. - KeyStore.SecretKeyEntry
This type of entry holds a cryptographicSecretKey, which is optionally stored in a protected format to prevent unauthorized access. - KeyStore.TrustedCertificateEntry
This type of entry contains a single public keyCertificatebelonging to another party. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject (owner) of the certificate.
This type of entry can be used to authenticate other parties.
Each entry in a keystore is identified by an "alias" string. In the case of private keys and their associated certificate chains, these strings distinguish among the different ways in which the entity may authenticate itself. For example, the entity may authenticate itself using different certificate authorities, or using different public key algorithms.
Whether aliases are case sensitive is implementation dependent. In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case.
Whether keystores are persistent, and the mechanisms used by the keystore if it is persistent, are not specified here. This allows use of a variety of techniques for protecting sensitive (e.g., private or secret) keys. Smart cards or other integrated cryptographic engines (SafeKeyper) are one option, and simpler mechanisms such as files may also be used (in a variety of formats).
Typical ways to request a KeyStore object include specifying an existing keystore file, relying on the default type and providing a specific keystore type. - To specify an existing keystore file:
// get keystore password
char[] password = getPassword();
// probe the keystore file and load the keystore entries
KeyStore ks = KeyStore.getInstance(new File("keyStoreName"), password);
The system will probe the specified file to determine its keystore type and return a keystore implementation with its entries already loaded. When this approach is used there is no need to call the keystore'sload method. - To rely on the default type:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
The system will return a keystore implementation for the default type. - To provide a specific keystore type:
KeyStore ks = KeyStore.getInstance("JKS");
The system will return the most preferred implementation of the specified keystore type available in the environment. Before a keystore can be accessed, it must beloaded (unless it was already loaded during instantiation).
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// get user password and file input stream
char[] password = getPassword();
try (FileInputStream fis = new FileInputStream("keyStoreName")) {
ks.load(fis, password);
}
To create an empty keystore using the above load method, pass null as the InputStream argument.
Once the keystore has been loaded, it is possible to read existing entries from the keystore, or to write new entries into the keystore:
KeyStore.ProtectionParameter protParam =
new KeyStore.PasswordProtection(password);
// get my private key
KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
ks.getEntry("privateKeyAlias", protParam);
PrivateKey myPrivateKey = pkEntry.getPrivateKey();
// save my secret key
javax.crypto.SecretKey mySecretKey;
KeyStore.SecretKeyEntry skEntry =
new KeyStore.SecretKeyEntry(mySecretKey);
ks.setEntry("secretKeyAlias", skEntry, protParam);
// store away the keystore
try (FileOutputStream fos = new FileOutputStream("newKeyStoreName")) {
ks.store(fos, password);
}
Note that although the same password may be used to load the keystore, to protect the private key entry, to protect the secret key entry, and to store the keystore (as is shown in the sample code above), different passwords or other protection parameters may also be used.
Every implementation of the Java platform is required to support the following standard KeyStore type:
PKCS12
This type is described in the KeyStore section of the Java Security Standard Algorithm Names Specification. Consult the release documentation for your implementation to see if any other types are supported.
Since:
1.2
See Also:
PrivateKey, SecretKey, CertificateNested Class Summary
Nested Classes
Modifier and Type Class Description static class KeyStore.Builder A description of a to-be-instantiated KeyStore object. static class KeyStore.CallbackHandlerProtection A ProtectionParameter encapsulating a CallbackHandler. static interface KeyStore.Entry A marker interface for KeyStore entry types. static interface KeyStore.LoadStoreParameter A marker interface for KeyStore load andstore parameters. static class KeyStore.PasswordProtection A password-based implementation of ProtectionParameter. static class KeyStore.PrivateKeyEntry A KeyStore entry that holds a PrivateKey and corresponding certificate chain. static interface KeyStore.ProtectionParameter A marker interface for keystore protection parameters. static class KeyStore.SecretKeyEntry A KeyStore entry that holds a SecretKey. static class KeyStore.TrustedCertificateEntry A KeyStore entry that holds a trustedCertificate. Constructor Summary
Constructors
Modifier Constructor Description protected KeyStore(KeyStoreSpi keyStoreSpi,Provider provider,String type) Creates a KeyStore object of the given type, and encapsulates the given provider implementation (SPI object) in it. Method Summary
All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type Method Description Enumeration<String> aliases() Lists all the alias names of this keystore. boolean containsAlias(String alias) Checks if the given alias exists in this keystore. void deleteEntry(String alias) Deletes the entry identified by the given alias from this keystore. boolean entryInstanceOf(String alias,Class<? extends KeyStore.Entry> entryClass) Determines if the keystore Entry for the specifiedalias is an instance or subclass of the specifiedentryClass. Certificate getCertificate(String alias) Returns the certificate associated with the given alias. String getCertificateAlias(Certificate cert) Returns the (alias) name of the first keystore entry whose certificate matches the given certificate. Certificate[] getCertificateChain(String alias) Returns the certificate chain associated with the given alias. Date getCreationDate(String alias) Returns the creation date of the entry identified by the given alias. static String getDefaultType() Returns the default keystore type as specified by thekeystore.type security property, or the string "jks" (acronym for "Java keystore") if no such property exists. KeyStore.Entry getEntry(String alias,KeyStore.ProtectionParameter protParam) Gets a keystore Entry for the specified alias with the specified protection parameter. static KeyStore getInstance(File file, char[] password) Returns a loaded keystore object of the appropriate keystore type. static KeyStore getInstance(File file,KeyStore.LoadStoreParameter param) Returns a loaded keystore object of the appropriate keystore type. static KeyStore getInstance(String type) Returns a keystore object of the specified type. static KeyStore getInstance(String type,String provider) Returns a keystore object of the specified type. static KeyStore getInstance(String type,Provider provider) Returns a keystore object of the specified type. Key getKey(String alias, char[] password) Returns the key associated with the given alias, using the given password to recover it. Provider getProvider() Returns the provider of this keystore. String getType() Returns the type of this keystore. boolean isCertificateEntry(String alias) Returns true if the entry identified by the given alias was created by a call to setCertificateEntry, or created by a call to setEntry with aTrustedCertificateEntry. boolean isKeyEntry(String alias) Returns true if the entry identified by the given alias was created by a call to setKeyEntry, or created by a call to setEntry with aPrivateKeyEntry or a SecretKeyEntry. void load(InputStream stream, char[] password) Loads this KeyStore from the given input stream. void load(KeyStore.LoadStoreParameter param) Loads this keystore using the given LoadStoreParameter. void setCertificateEntry(String alias,Certificate cert) Assigns the given trusted certificate to the given alias. void setEntry(String alias,KeyStore.Entry entry,KeyStore.ProtectionParameter protParam) Saves a keystore Entry under the specified alias. void setKeyEntry(String alias, byte[] key,Certificate[] chain) Assigns the given key (that has already been protected) to the given alias. void setKeyEntry(String alias,Key key, char[] password,Certificate[] chain) Assigns the given key to the given alias, protecting it with the given password. int size() Retrieves the number of entries in this keystore. void store(OutputStream stream, char[] password) Stores this keystore to the given output stream, and protects its integrity with the given password. void store(KeyStore.LoadStoreParameter param) Stores this keystore using the given LoadStoreParameter. * ### Methods inherited from class java.lang.[Object](../../java/lang/Object.html "class in java.lang") `[clone](../../java/lang/Object.html#clone--), [equals](../../java/lang/Object.html#equals-java.lang.Object-), [finalize](../../java/lang/Object.html#finalize--), [getClass](../../java/lang/Object.html#getClass--), [hashCode](../../java/lang/Object.html#hashCode--), [notify](../../java/lang/Object.html#notify--), [notifyAll](../../java/lang/Object.html#notifyAll--), [toString](../../java/lang/Object.html#toString--), [wait](../../java/lang/Object.html#wait--), [wait](../../java/lang/Object.html#wait-long-), [wait](../../java/lang/Object.html#wait-long-int-)`Constructor Detail
* #### KeyStore protected KeyStore([KeyStoreSpi](../../java/security/KeyStoreSpi.html "class in java.security") keyStoreSpi, [Provider](../../java/security/Provider.html "class in java.security") provider, [String](../../java/lang/String.html "class in java.lang") type) Creates a KeyStore object of the given type, and encapsulates the given provider implementation (SPI object) in it. Parameters: `keyStoreSpi` \- the provider implementation. `provider` \- the provider. `type` \- the keystore type.Method Detail
* #### getInstance public static [KeyStore](../../java/security/KeyStore.html "class in java.security") getInstance([String](../../java/lang/String.html "class in java.lang") type) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns a keystore object of the specified type. This method traverses the list of registered security Providers, starting with the most preferred Provider. A new KeyStore object encapsulating the KeyStoreSpi implementation from the first Provider that supports the specified type is returned. Note that the list of registered providers may be retrieved via the [Security.getProviders()](../../java/security/Security.html#getProviders--) method. Implementation Note: The JDK Reference Implementation additionally uses the`jdk.security.provider.preferred` [Security](../../java/security/Security.html#getProperty-java.lang.String-) property to determine the preferred provider order for the specified algorithm. This may be different than the order of providers returned by[Security.getProviders()](../../java/security/Security.html#getProviders--). Parameters: `type` \- the type of keystore. See the KeyStore section in the [ Java Security Standard Algorithm Names Specification](../../../specs/security/standard-names.html#keystore-types) for information about standard keystore types. Returns: a keystore object of the specified type Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if no `Provider` supports a`KeyStoreSpi` implementation for the specified type `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if `type` is `null` See Also: [Provider](../../java/security/Provider.html "class in java.security") * #### getInstance public static [KeyStore](../../java/security/KeyStore.html "class in java.security") getInstance([String](../../java/lang/String.html "class in java.lang") type, [String](../../java/lang/String.html "class in java.lang") provider) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security"), [NoSuchProviderException](../../java/security/NoSuchProviderException.html "class in java.security") Returns a keystore object of the specified type. A new KeyStore object encapsulating the KeyStoreSpi implementation from the specified provider is returned. The specified provider must be registered in the security provider list. Note that the list of registered providers may be retrieved via the [Security.getProviders()](../../java/security/Security.html#getProviders--) method. Parameters: `type` \- the type of keystore. See the KeyStore section in the [ Java Security Standard Algorithm Names Specification](../../../specs/security/standard-names.html#keystore-types) for information about standard keystore types. `provider` \- the name of the provider. Returns: a keystore object of the specified type Throws: `[IllegalArgumentException](../../java/lang/IllegalArgumentException.html "class in java.lang")` \- if the provider name is `null` or empty `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if a `KeyStoreSpi` implementation for the specified type is not available from the specified provider `[NoSuchProviderException](../../java/security/NoSuchProviderException.html "class in java.security")` \- if the specified provider is not registered in the security provider list `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if `type` is `null` See Also: [Provider](../../java/security/Provider.html "class in java.security") * #### getInstance public static [KeyStore](../../java/security/KeyStore.html "class in java.security") getInstance([String](../../java/lang/String.html "class in java.lang") type, [Provider](../../java/security/Provider.html "class in java.security") provider) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns a keystore object of the specified type. A new KeyStore object encapsulating the KeyStoreSpi implementation from the specified Provider object is returned. Note that the specified Provider object does not have to be registered in the provider list. Parameters: `type` \- the type of keystore. See the KeyStore section in the [ Java Security Standard Algorithm Names Specification](../../../specs/security/standard-names.html#keystore-types) for information about standard keystore types. `provider` \- the provider. Returns: a keystore object of the specified type Throws: `[IllegalArgumentException](../../java/lang/IllegalArgumentException.html "class in java.lang")` \- if the specified provider is`null` `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if `KeyStoreSpi` implementation for the specified type is not available from the specified `Provider` object `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if `type` is `null` Since: 1.4 See Also: [Provider](../../java/security/Provider.html "class in java.security") * #### getDefaultType public static final [String](../../java/lang/String.html "class in java.lang") getDefaultType() Returns the default keystore type as specified by the`keystore.type` security property, or the string "jks" (acronym for "Java keystore") if no such property exists. The default keystore type can be used by applications that do not want to use a hard-coded keystore type when calling one of the`getInstance` methods, and want to provide a default keystore type in case a user does not specify its own. The default keystore type can be changed by setting the value of the`keystore.type` security property to the desired keystore type. Returns: the default keystore type as specified by the`keystore.type` security property, or the string "jks" if no such property exists. See Also: [security properties](../../java/security/Security.html "class in java.security") * #### getProvider public final [Provider](../../java/security/Provider.html "class in java.security") getProvider() Returns the provider of this keystore. Returns: the provider of this keystore. * #### getType public final [String](../../java/lang/String.html "class in java.lang") getType() Returns the type of this keystore. Returns: the type of this keystore. * #### getKey public final [Key](../../java/security/Key.html "interface in java.security") getKey([String](../../java/lang/String.html "class in java.lang") alias, char[] password) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [UnrecoverableKeyException](../../java/security/UnrecoverableKeyException.html "class in java.security") Returns the key associated with the given alias, using the given password to recover it. The key must have been associated with the alias by a call to `setKeyEntry`, or by a call to `setEntry` with a`PrivateKeyEntry` or `SecretKeyEntry`. Parameters: `alias` \- the alias name `password` \- the password for recovering the key Returns: the requested key, or null if the given alias does not exist or does not identify a key-related entry. Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the algorithm for recovering the key cannot be found `[UnrecoverableKeyException](../../java/security/UnrecoverableKeyException.html "class in java.security")` \- if the key cannot be recovered (e.g., the given password is wrong). * #### getCertificateChain public final [Certificate](../../java/security/cert/Certificate.html "class in java.security.cert")[] getCertificateChain([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns the certificate chain associated with the given alias. The certificate chain must have been associated with the alias by a call to `setKeyEntry`, or by a call to `setEntry` with a`PrivateKeyEntry`. Parameters: `alias` \- the alias name Returns: the certificate chain (ordered with the user's certificate first followed by zero or more certificate authorities), or null if the given alias does not exist or does not contain a certificate chain Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### getCertificate public final [Certificate](../../java/security/cert/Certificate.html "class in java.security.cert") getCertificate([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns the certificate associated with the given alias. If the given alias name identifies an entry created by a call to `setCertificateEntry`, or created by a call to `setEntry` with a`TrustedCertificateEntry`, then the trusted certificate contained in that entry is returned. If the given alias name identifies an entry created by a call to `setKeyEntry`, or created by a call to `setEntry` with a`PrivateKeyEntry`, then the first element of the certificate chain in that entry is returned. Parameters: `alias` \- the alias name Returns: the certificate, or null if the given alias does not exist or does not contain a certificate. Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### getCreationDate public final [Date](../../java/util/Date.html "class in java.util") getCreationDate([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns the creation date of the entry identified by the given alias. Parameters: `alias` \- the alias name Returns: the creation date of this entry, or null if the given alias does not exist Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### setKeyEntry public final void setKeyEntry([String](../../java/lang/String.html "class in java.lang") alias, [Key](../../java/security/Key.html "interface in java.security") key, char[] password, [Certificate](../../java/security/cert/Certificate.html "class in java.security.cert")[] chain) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Assigns the given key to the given alias, protecting it with the given password. If the given key is of type `java.security.PrivateKey`, it must be accompanied by a certificate chain certifying the corresponding public key. If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain). Parameters: `alias` \- the alias name `key` \- the key to be associated with the alias `password` \- the password to protect the key `chain` \- the certificate chain for the corresponding public key (only required if the given key is of type`java.security.PrivateKey`). Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded), the given key cannot be protected, or this operation fails for some other reason * #### setKeyEntry public final void setKeyEntry([String](../../java/lang/String.html "class in java.lang") alias, byte[] key, [Certificate](../../java/security/cert/Certificate.html "class in java.security.cert")[] chain) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Assigns the given key (that has already been protected) to the given alias. If the protected key is of type`java.security.PrivateKey`, it must be accompanied by a certificate chain certifying the corresponding public key. If the underlying keystore implementation is of type `jks`,`key` must be encoded as an`EncryptedPrivateKeyInfo` as defined in the PKCS #8 standard. If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain). Parameters: `alias` \- the alias name `key` \- the key (in protected format) to be associated with the alias `chain` \- the certificate chain for the corresponding public key (only useful if the protected key is of type`java.security.PrivateKey`). Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded), or if this operation fails for some other reason. * #### setCertificateEntry public final void setCertificateEntry([String](../../java/lang/String.html "class in java.lang") alias, [Certificate](../../java/security/cert/Certificate.html "class in java.security.cert") cert) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Assigns the given trusted certificate to the given alias. If the given alias identifies an existing entry created by a call to `setCertificateEntry`, or created by a call to `setEntry` with a`TrustedCertificateEntry`, the trusted certificate in the existing entry is overridden by the given certificate. Parameters: `alias` \- the alias name `cert` \- the certificate Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized, or the given alias already exists and does not identify an entry containing a trusted certificate, or this operation fails for some other reason. * #### deleteEntry public final void deleteEntry([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Deletes the entry identified by the given alias from this keystore. Parameters: `alias` \- the alias name Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized, or if the entry cannot be removed. * #### aliases public final [Enumeration](../../java/util/Enumeration.html "interface in java.util")<[String](../../java/lang/String.html "class in java.lang")> aliases() throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Lists all the alias names of this keystore. Returns: enumeration of the alias names Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### containsAlias public final boolean containsAlias([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Checks if the given alias exists in this keystore. Parameters: `alias` \- the alias name Returns: true if the alias exists, false otherwise Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### size public final int size() throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Retrieves the number of entries in this keystore. Returns: the number of entries in this keystore Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### isKeyEntry public final boolean isKeyEntry([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns true if the entry identified by the given alias was created by a call to `setKeyEntry`, or created by a call to `setEntry` with a`PrivateKeyEntry` or a `SecretKeyEntry`. Parameters: `alias` \- the alias for the keystore entry to be checked Returns: true if the entry identified by the given alias is a key-related entry, false otherwise. Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### isCertificateEntry public final boolean isCertificateEntry([String](../../java/lang/String.html "class in java.lang") alias) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns true if the entry identified by the given alias was created by a call to `setCertificateEntry`, or created by a call to `setEntry` with a`TrustedCertificateEntry`. Parameters: `alias` \- the alias for the keystore entry to be checked Returns: true if the entry identified by the given alias contains a trusted certificate, false otherwise. Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### getCertificateAlias public final [String](../../java/lang/String.html "class in java.lang") getCertificateAlias([Certificate](../../java/security/cert/Certificate.html "class in java.security.cert") cert) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Returns the (alias) name of the first keystore entry whose certificate matches the given certificate. This method attempts to match the given certificate with each keystore entry. If the entry being considered was created by a call to `setCertificateEntry`, or created by a call to `setEntry` with a`TrustedCertificateEntry`, then the given certificate is compared to that entry's certificate. If the entry being considered was created by a call to `setKeyEntry`, or created by a call to `setEntry` with a`PrivateKeyEntry`, then the given certificate is compared to the first element of that entry's certificate chain. Parameters: `cert` \- the certificate to match with. Returns: the alias name of the first entry with a matching certificate, or null if no such entry exists in this keystore. Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). * #### store public final void store([OutputStream](../../java/io/OutputStream.html "class in java.io") stream, char[] password) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security"), [IOException](../../java/io/IOException.html "class in java.io"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert") Stores this keystore to the given output stream, and protects its integrity with the given password. Parameters: `stream` \- the output stream to which this keystore is written. `password` \- the password to generate the keystore integrity check Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). `[IOException](../../java/io/IOException.html "class in java.io")` \- if there was an I/O problem with data `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the appropriate data integrity algorithm could not be found `[CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert")` \- if any of the certificates included in the keystore data could not be stored * #### store public final void store([KeyStore.LoadStoreParameter](../../java/security/KeyStore.LoadStoreParameter.html "interface in java.security") param) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security"), [IOException](../../java/io/IOException.html "class in java.io"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert") Stores this keystore using the given `LoadStoreParameter`. Parameters: `param` \- the `LoadStoreParameter` that specifies how to store the keystore, which may be `null` Throws: `[IllegalArgumentException](../../java/lang/IllegalArgumentException.html "class in java.lang")` \- if the given`LoadStoreParameter` input is not recognized `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded) `[IOException](../../java/io/IOException.html "class in java.io")` \- if there was an I/O problem with data `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the appropriate data integrity algorithm could not be found `[CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert")` \- if any of the certificates included in the keystore data could not be stored Since: 1.5 * #### load public final void load([InputStream](../../java/io/InputStream.html "class in java.io") stream, char[] password) throws [IOException](../../java/io/IOException.html "class in java.io"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert") Loads this KeyStore from the given input stream. A password may be given to unlock the keystore (e.g. the keystore resides on a hardware token device), or to check the integrity of the keystore data. If a password is not given for integrity checking, then integrity checking is not performed. In order to create an empty keystore, or if the keystore cannot be initialized from a stream, pass `null` as the `stream` argument. Note that if this keystore has already been loaded, it is reinitialized and loaded again from the given input stream. Parameters: `stream` \- the input stream from which the keystore is loaded, or `null` `password` \- the password used to check the integrity of the keystore, the password used to unlock the keystore, or `null` Throws: `[IOException](../../java/io/IOException.html "class in java.io")` \- if there is an I/O or format problem with the keystore data, if a password is required but not given, or if the given password was incorrect. If the error is due to a wrong password, the [cause](../../java/lang/Throwable.html#getCause--) of the`IOException` should be an`UnrecoverableKeyException` `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the algorithm used to check the integrity of the keystore cannot be found `[CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert")` \- if any of the certificates in the keystore could not be loaded * #### load public final void load([KeyStore.LoadStoreParameter](../../java/security/KeyStore.LoadStoreParameter.html "interface in java.security") param) throws [IOException](../../java/io/IOException.html "class in java.io"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert") Loads this keystore using the given `LoadStoreParameter`. Note that if this KeyStore has already been loaded, it is reinitialized and loaded again from the given parameter. Parameters: `param` \- the `LoadStoreParameter` that specifies how to load the keystore, which may be `null` Throws: `[IllegalArgumentException](../../java/lang/IllegalArgumentException.html "class in java.lang")` \- if the given`LoadStoreParameter` input is not recognized `[IOException](../../java/io/IOException.html "class in java.io")` \- if there is an I/O or format problem with the keystore data. If the error is due to an incorrect`ProtectionParameter` (e.g. wrong password) the [cause](../../java/lang/Throwable.html#getCause--) of the`IOException` should be an`UnrecoverableKeyException` `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the algorithm used to check the integrity of the keystore cannot be found `[CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert")` \- if any of the certificates in the keystore could not be loaded Since: 1.5 * #### getEntry public final [KeyStore.Entry](../../java/security/KeyStore.Entry.html "interface in java.security") getEntry([String](../../java/lang/String.html "class in java.lang") alias, [KeyStore.ProtectionParameter](../../java/security/KeyStore.ProtectionParameter.html "interface in java.security") protParam) throws [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [UnrecoverableEntryException](../../java/security/UnrecoverableEntryException.html "class in java.security"), [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Gets a keystore `Entry` for the specified alias with the specified protection parameter. Parameters: `alias` \- get the keystore `Entry` for this alias `protParam` \- the `ProtectionParameter` used to protect the `Entry`, which may be `null` Returns: the keystore `Entry` for the specified alias, or `null` if there is no such entry Throws: `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if`alias` is `null` `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the algorithm for recovering the entry cannot be found `[UnrecoverableEntryException](../../java/security/UnrecoverableEntryException.html "class in java.security")` \- if the specified`protParam` were insufficient or invalid `[UnrecoverableKeyException](../../java/security/UnrecoverableKeyException.html "class in java.security")` \- if the entry is a`PrivateKeyEntry` or `SecretKeyEntry` and the specified `protParam` does not contain the information needed to recover the key (e.g. wrong password) `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded). Since: 1.5 See Also: [setEntry(String, KeyStore.Entry, KeyStore.ProtectionParameter)](../../java/security/KeyStore.html#setEntry-java.lang.String-java.security.KeyStore.Entry-java.security.KeyStore.ProtectionParameter-) * #### setEntry public final void setEntry([String](../../java/lang/String.html "class in java.lang") alias, [KeyStore.Entry](../../java/security/KeyStore.Entry.html "interface in java.security") entry, [KeyStore.ProtectionParameter](../../java/security/KeyStore.ProtectionParameter.html "interface in java.security") protParam) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Saves a keystore `Entry` under the specified alias. The protection parameter is used to protect the`Entry`. If an entry already exists for the specified alias, it is overridden. Parameters: `alias` \- save the keystore `Entry` under this alias `entry` \- the `Entry` to save `protParam` \- the `ProtectionParameter` used to protect the `Entry`, which may be `null` Throws: `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if`alias` or `entry` is `null` `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded), or if this operation fails for some other reason Since: 1.5 See Also: [getEntry(String, KeyStore.ProtectionParameter)](../../java/security/KeyStore.html#getEntry-java.lang.String-java.security.KeyStore.ProtectionParameter-) * #### entryInstanceOf public final boolean entryInstanceOf([String](../../java/lang/String.html "class in java.lang") alias, [Class](../../java/lang/Class.html "class in java.lang")<? extends [KeyStore.Entry](../../java/security/KeyStore.Entry.html "interface in java.security")> entryClass) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security") Determines if the keystore `Entry` for the specified`alias` is an instance or subclass of the specified`entryClass`. Parameters: `alias` \- the alias name `entryClass` \- the entry class Returns: true if the keystore `Entry` for the specified`alias` is an instance or subclass of the specified `entryClass`, false otherwise Throws: `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if`alias` or `entryClass` is `null` `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if the keystore has not been initialized (loaded) Since: 1.5 * #### getInstance public static final [KeyStore](../../java/security/KeyStore.html "class in java.security") getInstance([File](../../java/io/File.html "class in java.io") file, char[] password) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security"), [IOException](../../java/io/IOException.html "class in java.io"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert") Returns a loaded keystore object of the appropriate keystore type. First the keystore type is determined by probing the specified file. Then a keystore object is instantiated and loaded using the data from that file. A password may be given to unlock the keystore (e.g. the keystore resides on a hardware token device), or to check the integrity of the keystore data. If a password is not given for integrity checking, then integrity checking is not performed. This method traverses the list of registered security[providers](../../java/security/Provider.html "class in java.security"), starting with the most preferred Provider. For each [KeyStoreSpi](../../java/security/KeyStoreSpi.html "class in java.security") implementation supported by a Provider, it invokes the [engineProbe](../../java/security/KeyStoreSpi.html#engineProbe-java.io.InputStream-) method to determine if it supports the specified keystore. A new KeyStore object is returned that encapsulates the KeyStoreSpi implementation from the first Provider that supports the specified file. Note that the list of registered providers may be retrieved via the [Security.getProviders()](../../java/security/Security.html#getProviders--) method. Parameters: `file` \- the keystore file `password` \- the keystore password, which may be `null` Returns: a keystore object loaded with keystore data Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if no Provider supports a KeyStoreSpi implementation for the specified keystore file. `[IOException](../../java/io/IOException.html "class in java.io")` \- if there is an I/O or format problem with the keystore data, if a password is required but not given, or if the given password was incorrect. If the error is due to a wrong password, the [cause](../../java/lang/Throwable.html#getCause--) of the `IOException` should be an`UnrecoverableKeyException`. `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the algorithm used to check the integrity of the keystore cannot be found. `[CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert")` \- if any of the certificates in the keystore could not be loaded. `[IllegalArgumentException](../../java/lang/IllegalArgumentException.html "class in java.lang")` \- if file does not exist or does not refer to a normal file. `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if file is `null`. `[SecurityException](../../java/lang/SecurityException.html "class in java.lang")` \- if a security manager exists and its[SecurityManager.checkRead(java.io.FileDescriptor)](../../java/lang/SecurityManager.html#checkRead-java.io.FileDescriptor-) method denies read access to the specified file. Since: 9 See Also: [Provider](../../java/security/Provider.html "class in java.security") * #### getInstance public static final [KeyStore](../../java/security/KeyStore.html "class in java.security") getInstance([File](../../java/io/File.html "class in java.io") file, [KeyStore.LoadStoreParameter](../../java/security/KeyStore.LoadStoreParameter.html "interface in java.security") param) throws [KeyStoreException](../../java/security/KeyStoreException.html "class in java.security"), [IOException](../../java/io/IOException.html "class in java.io"), [NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security"), [CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert") Returns a loaded keystore object of the appropriate keystore type. First the keystore type is determined by probing the specified file. Then a keystore object is instantiated and loaded using the data from that file. A `LoadStoreParameter` may be supplied which specifies how to unlock the keystore data or perform an integrity check. This method traverses the list of registered security [providers](../../java/security/Provider.html "class in java.security"), starting with the most preferred Provider. For each [KeyStoreSpi](../../java/security/KeyStoreSpi.html "class in java.security") implementation supported by a Provider, it invokes the [engineProbe](../../java/security/KeyStoreSpi.html#engineProbe-java.io.InputStream-) method to determine if it supports the specified keystore. A new KeyStore object is returned that encapsulates the KeyStoreSpi implementation from the first Provider that supports the specified file. Note that the list of registered providers may be retrieved via the [Security.getProviders()](../../java/security/Security.html#getProviders--) method. Parameters: `file` \- the keystore file `param` \- the `LoadStoreParameter` that specifies how to load the keystore, which may be `null` Returns: a keystore object loaded with keystore data Throws: `[KeyStoreException](../../java/security/KeyStoreException.html "class in java.security")` \- if no Provider supports a KeyStoreSpi implementation for the specified keystore file. `[IOException](../../java/io/IOException.html "class in java.io")` \- if there is an I/O or format problem with the keystore data. If the error is due to an incorrect`ProtectionParameter` (e.g. wrong password) the [cause](../../java/lang/Throwable.html#getCause--) of the`IOException` should be an`UnrecoverableKeyException`. `[NoSuchAlgorithmException](../../java/security/NoSuchAlgorithmException.html "class in java.security")` \- if the algorithm used to check the integrity of the keystore cannot be found. `[CertificateException](../../java/security/cert/CertificateException.html "class in java.security.cert")` \- if any of the certificates in the keystore could not be loaded. `[IllegalArgumentException](../../java/lang/IllegalArgumentException.html "class in java.lang")` \- if file does not exist or does not refer to a normal file, or if param is not recognized. `[NullPointerException](../../java/lang/NullPointerException.html "class in java.lang")` \- if file is `null`. `[SecurityException](../../java/lang/SecurityException.html "class in java.lang")` \- if a security manager exists and its[SecurityManager.checkRead(java.io.FileDescriptor)](../../java/lang/SecurityManager.html#checkRead-java.io.FileDescriptor-) method denies read access to the specified file. Since: 9 See Also: [Provider](../../java/security/Provider.html "class in java.security")