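In an earlier article we used Android Studio to create the signing keystore used to build the APK file. In this article we use keytool to go the other way and inspect the details of that file.
How the keystore file inspected here was created is described in the following article: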
- https://liumiaocn.blog.csdn.net/article/details/103578802
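The keystore was configured as follows:

| Setting | Value | Description |
| --- | --- | --- |
| Key store path | keyReleaseV2.jks | Signing keystore file name |
| Password | liumiaocn | Password |
| Confirm | liumiaocn | Password confirmation |
| Alias | release_v2_private_key | Private key alias |
| Password | liumiaocn | Password |
| Confirm | liumiaocn | Password confirmation |
| Validity(years) | 25 | Validity period (in years) |
| First and Last Name | Miao Liu | Holder's name |
| Organizational Unit | unicorn | OU field of the DN |
| Organization | devops | O field of the DN |
| City or Locality | DaLian | L field of the DN |
| State or Province | LiaoNing | ST field of the DN |
| Country Code | CN | C field of the DN |

Introduction to keytool

For detailed keytool usage, see: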
- https://blog.csdn.net/liumiaocn/article/details/61921014
The keytool used in this article's examples:

```
liumiaocn:Demo liumiao$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.2
BuildVersion: 19C57
liumiaocn:Demo liumiao$ which keytool
/usr/bin/keytool
liumiaocn:Demo liumiao$ ls -l /usr/bin/keytool
lrwxr-xr-x 1 root wheel 77 Dec 12 10:45 /usr/bin/keytool -> /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool
liumiaocn:Demo liumiao$
```

Note: after a full JDK installation, keytool is normally located in the bin directory.

Checking the keystore file

Checking the file type and content

Command: file keyReleaseV2.jks

The file command shows that the keystore file's type is Java KeyStore. If you try to view its content with cat or view, you will find it is all unreadable binary that cannot be read directly.

```
liumiaocn:Demo liumiao$ file keyReleaseV2.jks
keyReleaseV2.jks: Java KeyStore
liumiaocn:Demo liumiao$
```

Checking the certificate's private key entry and digital fingerprint
Command: keytool -keystore keyReleaseV2.jks -list -storepass liumiaocn

The output shows the keystore type and its entries. The entry details include the private key alias (release_v2_private_key) and the certificate's digital fingerprint.

```
liumiaocn:Demo liumiao$ keytool -keystore keyReleaseV2.jks -list -storepass liumiaocn
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
release_v2_private_key, Dec 17, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 75:D8:CF:88:14:C7:A7:6D:30:81:3F:7A:2C:75:1D:C8:38:42:34:B0
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keyReleaseV2.jks -destkeystore keyReleaseV2.jks -deststoretype pkcs12".
liumiaocn:Demo liumiao$
```

Note: the warning indicates that the keystore does not use the standard PKCS12 format and gives the conversion command; it can be ignored.
Viewing details (plain format)

Command: keytool -keystore keyReleaseV2.jks -list -storepass liumiaocn -v

```
liumiaocn:Demo liumiao$ keytool -keystore keyReleaseV2.jks -list -storepass liumiaocn -v
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: release_v2_private_key
Creation date: Dec 17, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Miao Liu, OU=unicorn, O=devops, L=DaLian, ST=LiaoNing, C=CN
Issuer: CN=Miao Liu, OU=unicorn, O=devops, L=DaLian, ST=LiaoNing, C=CN
Serial number: 400dd6a8
Valid from: Tue Dec 17 15:13:39 CST 2019 until: Sat Dec 10 15:13:39 CST 2044
Certificate fingerprints:
  MD5: 0E:50:62:3E:CB:9E:D3:58:C3:3D:45:F3:9A:CF:C2:76
  SHA1: 75:D8:CF:88:14:C7:A7:6D:30:81:3F:7A:2C:75:1D:C8:38:42:34:B0
  SHA256: 9C:9D:6A:45:94:12:99:D7:76:40:56:90:9B:15:F2:E1:7B:A1:00:01:68:B1:FC:56:A2:DD:A9:74:CC:B6:8A:05
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B 84 C1 DD D4 4A E2 16 66 4B AD 79 A6 93 3F 1D .....J..fK.y..?.
0010: 54 89 1A 54 T..T
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keyReleaseV2.jks -destkeystore keyReleaseV2.jks -deststoretype pkcs12".
liumiaocn:Demo liumiao$
```

Viewing details (RFC format)
Command: keytool -keystore keyReleaseV2.jks -list -storepass liumiaocn -rfc

```
liumiaocn:Demo liumiao$ keytool -keystore keyReleaseV2.jks -list -storepass liumiaocn -rfc
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: release_v2_private_key
Creation date: Dec 17, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIEQA3WqDANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJD
TjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcTBkRhTGlhbjEPMA0GA1UEChMG
ZGV2b3BzMRAwDgYDVQQLEwd1bmljb3JuMREwDwYDVQQDEwhNaWFvIExpdTAeFw0x
OTEyMTcwNzEzMzlaFw00NDEyMTAwNzEzMzlaMGcxCzAJBgNVBAYTAkNOMREwDwYD
VQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFuMQ8wDQYDVQQKEwZkZXZvcHMx
EDAOBgNVBAsTB3VuaWNvcm4xETAPBgNVBAMTCE1pYW8gTGl1MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoUNv/es9hjhnCPpBfMshKfPh/0Bwgr0qhtt2
h5NbGj0fc6NbFxWf4lXQmebznevF4Zp7fj4KAxsRfLfz3nuF8CJWGbuOpjFjbA/R
gpehJFW25tUs5j3wHnMpyknmJSNimXKLaoNbOPSnHNy07g7aio69yHM3ULjswSsB
xLsRmhEOoyyxXkd0thrP4MyoszePTFoOAEapdunXfBNGx6Vo/0ryQRiE0MB2rLKO
cxMORkN6kExxCnAhs6uMvzJ7RsstODxntUlKjDVR1GmnZzSaQ0XUfd6V4SC/NxX0
NsHPR5gqUjBmHLladZUZcsdGbdiNEhZbioCQbI0cQSCZgS8ACQIDAQABoyEwHzAd
BgNVHQ4EFgQUC4TB3dRK4hZmS615ppM/HVSJGlQwDQYJKoZIhvcNAQELBQADggEB
AIzFEZnKlO0fcI6yC114Nbve7LNXX/DLtNYwr7bDABEgHV0DOFG+2yEEo8GZkIPF
932kHeFiXOMOXxKAFdz0qZKwD7lOf/WQ1qLNTXlygjxe7U2s/70+PzRiDWvPNAYI
EcoyHqseXmRtypPdn+NSmT0f+uOgBZUXBGa7gri6831Bc38WL6vFN4dQKm4DBzfc
/QLypLSbl9qKknKjdyom7GXbPhDFAX0zG43wd+JicZ+jAxPtJDfD/Erxekhn08Hp
1XV0vd0Dhlhn8JmeZbZ8fMVT9GrzrR4JbKxI/PJtwqKg/3/vTPpL8OXfCk3yt2u6
sgx08KhTIssmL1POnaI5FF8=
-----END CERTIFICATE-----
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keyReleaseV2.jks -destkeystore keyReleaseV2.jks -deststoretype pkcs12".
liumiaocn:Demo liumiao$
```

Exporting the certificate
Command: keytool -export -alias release_v2_private_key -keystore keyReleaseV2.jks -storepass liumiaocn -rfc -file android_cert.crt

```
liumiaocn:Demo liumiao$ keytool -export -alias release_v2_private_key -keystore keyReleaseV2.jks -storepass liumiaocn -rfc -file android_cert.crt
Certificate stored in file
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keyReleaseV2.jks -destkeystore keyReleaseV2.jks -deststoretype pkcs12".
liumiaocn:Demo liumiao$ cat android_cert.crt
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIEQA3WqDANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJD
TjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcTBkRhTGlhbjEPMA0GA1UEChMG
ZGV2b3BzMRAwDgYDVQQLEwd1bmljb3JuMREwDwYDVQQDEwhNaWFvIExpdTAeFw0x
OTEyMTcwNzEzMzlaFw00NDEyMTAwNzEzMzlaMGcxCzAJBgNVBAYTAkNOMREwDwYD
VQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFuMQ8wDQYDVQQKEwZkZXZvcHMx
EDAOBgNVBAsTB3VuaWNvcm4xETAPBgNVBAMTCE1pYW8gTGl1MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoUNv/es9hjhnCPpBfMshKfPh/0Bwgr0qhtt2
h5NbGj0fc6NbFxWf4lXQmebznevF4Zp7fj4KAxsRfLfz3nuF8CJWGbuOpjFjbA/R
gpehJFW25tUs5j3wHnMpyknmJSNimXKLaoNbOPSnHNy07g7aio69yHM3ULjswSsB
xLsRmhEOoyyxXkd0thrP4MyoszePTFoOAEapdunXfBNGx6Vo/0ryQRiE0MB2rLKO
cxMORkN6kExxCnAhs6uMvzJ7RsstODxntUlKjDVR1GmnZzSaQ0XUfd6V4SC/NxX0
NsHPR5gqUjBmHLladZUZcsdGbdiNEhZbioCQbI0cQSCZgS8ACQIDAQABoyEwHzAd
BgNVHQ4EFgQUC4TB3dRK4hZmS615ppM/HVSJGlQwDQYJKoZIhvcNAQELBQADggEB
AIzFEZnKlO0fcI6yC114Nbve7LNXX/DLtNYwr7bDABEgHV0DOFG+2yEEo8GZkIPF
932kHeFiXOMOXxKAFdz0qZKwD7lOf/WQ1qLNTXlygjxe7U2s/70+PzRiDWvPNAYI
EcoyHqseXmRtypPdn+NSmT0f+uOgBZUXBGa7gri6831Bc38WL6vFN4dQKm4DBzfc
/QLypLSbl9qKknKjdyom7GXbPhDFAX0zG43wd+JicZ+jAxPtJDfD/Erxekhn08Hp
1XV0vd0Dhlhn8JmeZbZ8fMVT9GrzrR4JbKxI/PJtwqKg/3/vTPpL8OXfCk3yt2u6
sgx08KhTIssmL1POnaI5FF8=
-----END CERTIFICATE-----
liumiaocn:Demo liumiao$
```

Note: saving the certificate portion of the RFC-format output directly to a file gives the same result as exporting the certificate.
Displaying certificate details

Command: keytool -printcert -file android_cert.crt -v

or

Command: keytool -printcert -file android_cert.crt

```
liumiaocn:Demo liumiao$ keytool -printcert -file android_cert.crt -v
Owner: CN=Miao Liu, OU=unicorn, O=devops, L=DaLian, ST=LiaoNing, C=CN
Issuer: CN=Miao Liu, OU=unicorn, O=devops, L=DaLian, ST=LiaoNing, C=CN
Serial number: 400dd6a8
Valid from: Tue Dec 17 15:13:39 CST 2019 until: Sat Dec 10 15:13:39 CST 2044
Certificate fingerprints:
  MD5: 0E:50:62:3E:CB:9E:D3:58:C3:3D:45:F3:9A:CF:C2:76
  SHA1: 75:D8:CF:88:14:C7:A7:6D:30:81:3F:7A:2C:75:1D:C8:38:42:34:B0
  SHA256: 9C:9D:6A:45:94:12:99:D7:76:40:56:90:9B:15:F2:E1:7B:A1:00:01:68:B1:FC:56:A2:DD:A9:74:CC:B6:8A:05
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B 84 C1 DD D4 4A E2 16 66 4B AD 79 A6 93 3F 1D .....J..fK.y..?.
0010: 54 89 1A 54 T..T
]
]
liumiaocn:Demo liumiao$
```

Note: keytool -printcert -file android_cert.crt -rfc has the same effect as cat android_cert.crt.
Because the certificate conforms to the X.509 v3 format, OpenSSL commands can also be used directly to obtain its details.

```
liumiaocn:Demo liumiao$ openssl x509 -noout -in android_cert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1074648744 (0x400dd6a8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, L=DaLian, O=devops, OU=unicorn, CN=Miao Liu
        Validity
            Not Before: Dec 17 07:13:39 2019 GMT
            Not After : Dec 10 07:13:39 2044 GMT
        Subject: C=CN, ST=LiaoNing, L=DaLian, O=devops, OU=unicorn, CN=Miao Liu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:43:6f:fd:eb:3d:86:38:67:08:fa:41:7c:cb:
                    21:29:f3:e1:ff:40:70:82:bd:2a:86:db:76:87:93:
                    5b:1a:3d:1f:73:a3:5b:17:15:9f:e2:55:d0:99:e6:
                    f3:9d:eb:c5:e1:9a:7b:7e:3e:0a:03:1b:11:7c:b7:
                    f3:de:7b:85:f0:22:56:19:bb:8e:a6:31:63:6c:0f:
                    d1:82:97:a1:24:55:b6:e6:d5:2c:e6:3d:f0:1e:73:
                    29:ca:49:e6:25:23:62:99:72:8b:6a:83:5b:38:f4:
                    a7:1c:dc:b4:ee:0e:da:8a:8e:bd:c8:73:37:50:b8:
                    ec:c1:2b:01:c4:bb:11:9a:11:0e:a3:2c:b1:5e:47:
                    74:b6:1a:cf:e0:cc:a8:b3:37:8f:4c:5a:0e:00:46:
                    a9:76:e9:d7:7c:13:46:c7:a5:68:ff:4a:f2:41:18:
                    84:d0:c0:76:ac:b2:8e:73:13:0e:46:43:7a:90:4c:
                    71:0a:70:21:b3:ab:8c:bf:32:7b:46:cb:2d:38:3c:
                    67:b5:49:4a:8c:35:51:d4:69:a7:67:34:9a:43:45:
                    d4:7d:de:95:e1:20:bf:37:15:f4:36:c1:cf:47:98:
                    2a:52:30:66:1c:b9:5a:75:95:19:72:c7:46:6d:d8:
                    8d:12:16:5b:8a:80:90:6c:8d:1c:41:20:99:81:2f:
                    00:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0B:84:C1:DD:D4:4A:E2:16:66:4B:AD:79:A6:93:3F:1D:54:89:1A:54
    Signature Algorithm: sha256WithRSAEncryption
         8c:c5:11:99:ca:94:ed:1f:70:8e:b2:0b:5d:78:35:bb:de:ec:
         b3:57:5f:f0:cb:b4:d6:30:af:b6:c3:00:11:20:1d:5d:03:38:
         51:be:db:21:04:a3:c1:99:90:83:c5:f7:7d:a4:1d:e1:62:5c:
         e3:0e:5f:12:80:15:dc:f4:a9:92:b0:0f:b9:4e:7f:f5:90:d6:
         a2:cd:4d:79:72:82:3c:5e:ed:4d:ac:ff:bd:3e:3f:34:62:0d:
         6b:cf:34:06:08:11:ca:32:1e:ab:1e:5e:64:6d:ca:93:dd:9f:
         e3:52:99:3d:1f:fa:e3:a0:05:95:17:04:66:bb:82:b8:ba:f3:
         7d:41:73:7f:16:2f:ab:c5:37:87:50:2a:6e:03:07:37:dc:fd:
         02:f2:a4:b4:9b:97:da:8a:92:72:a3:77:2a:26:ec:65:db:3e:
         10:c5:01:7d:33:1b:8d:f0:77:e2:62:71:9f:a3:03:13:ed:24:
         37:c3:fc:4a:f1:7a:48:67:d3:c1:e9:d5:75:74:bd:dd:03:86:
         58:67:f0:99:9e:65:b6:7c:7c:c5:53:f4:6a:f3:ad:1e:09:6c:
         ac:48:fc:f2:6d:c2:a2:a0:ff:7f:ef:4c:fa:4b:f0:e5:df:0a:
         4d:f2:b7:6b:ba:b2:0c:74:f0:a8:53:22:cb:26:2f:53:ce:9d:
         a2:39:14:5f
liumiaocn:Demo liumiao$
```
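Added example (Python, not from the original article): the certificate fingerprints keytool prints are digests of the DER-encoded certificate, so a `keytool -list -v` listing can be checked against an exported `.crt` file without keytool. The function names are this example's own; `SAMPLE_LISTING` holds lines copied from the keytool output above, and `DUMMY_PEM` is a constructed stand-in whose body is not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
FP_RE = re.compile(r"\s*(MD5|SHA1|SHA256):\s*((?:[0-9A-F]{2}:)+[0-9A-F]{2})\s*$")

def pem_to_der(pem_text):
    """Strip the PEM armor and base64-decode the body to DER bytes."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(der, algo="sha256"):
    """Digest of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def listed_fingerprints(keytool_text):
    """Map alias -> {algorithm: fingerprint} from `keytool -list -v` text."""
    entries, alias = {}, None
    for line in keytool_text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {}
        elif alias is not None and FP_RE.match(line):
            algo, value = FP_RE.match(line).groups()
            entries[alias][algo] = value
    return entries

def keystore_matches_cert(keytool_text, alias, pem_text):
    """True only if the listed SHA256 equals the certificate file's digest."""
    listed = listed_fingerprints(keytool_text).get(alias, {}).get("SHA256")
    return listed is not None and listed == fingerprint(pem_to_der(pem_text))

# Lines copied from the `keytool -list -v` output shown in this article.
SAMPLE_LISTING = """\
Alias name: release_v2_private_key
Entry type: PrivateKeyEntry
Certificate fingerprints:
  SHA1: 75:D8:CF:88:14:C7:A7:6D:30:81:3F:7A:2C:75:1D:C8:38:42:34:B0
  SHA256: 9C:9D:6A:45:94:12:99:D7:76:40:56:90:9B:15:F2:E1:7B:A1:00:01:68:B1:FC:56:A2:DD:A9:74:CC:B6:8A:05
"""
# Constructed stand-in, not a real certificate: the armored body is b"abc".
DUMMY_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
```

To check a real keystore entry, pass the text of android_cert.crt as `pem_text` and the output of `keytool -list -v` as `keytool_text`.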
As long as standard formats are used, openssl and keytool can generally be used interchangeably. For example, although no CSR file appears directly in an Android app build, keytool provides a similar way to inspect one. A CSR file follows PKCS #10, so keytool can also display the contents of a CSR file created with openssl. This is unrelated to Android app builds and is noted here in passing.

```
liumiaocn:ca liumiao$ file request.csr
request.csr: PEM certificate request
liumiaocn:ca liumiao$ keytool -printcertreq -file request.csr
PKCS #10 Certificate Request (Version 1.0)
Subject: CN=devops.com, OU=unicorn, O=devops, L=DaLian, ST=LiaoNing, C=CN
Format: X.509
Public Key: 2048-bit RSA key
Signature algorithm: SHA256withRSA
liumiaocn:ca liumiao$ cat request.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICrjCCAZYCAQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgMCExpYW9OaW5nMQ8w
DQYDVQQHDAZEYUxpYW4xDzANBgNVBAoMBmRldm9wczEQMA4GA1UECwwHdW5pY29y
bjETMBEGA1UEAwwKZGV2b3BzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAPUxo1pWlC7KpPpEV+3pndr9HtxYjdrLPucmgzqPzKgOeP1zlwhJ+Ef+
x2cLlat1k+VWVvGIj+4R+RDWgWYNfDpXKPNVvRkIH/bTXxLX7x52fKFxGgtdpxAz
xRsjFJnOINvTCUAOjg6TSrL/foZ0RUN3ahthB4FhyNAVTvFDSYltZWrrT54DkgKz
k7lJslAaZmS9GHSnO5eRaK+6C2b7B+Z9Oge9a3MQ3esLGr4y60Ft+sXvDKi8F8bI
ADHS5P/+88kuixTHnzxFw3ZaRduxWXe+ZKYiHtYBWV4r7xNMstiK/Xxvcw2zsJ/j
CHJ8v/7U6aUxwf/Ng45s0tabOWyIsH0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQAAwm3arWnmY9xQ8dirOK/b7U5knyF2/5S2R2oU2kh77Ie5Zq5hS990XRlAcxP6
kJY+PNdlUtlz8DVYYoW4cCVyDB/o0yKlT+g2VPcRugsHt+TZylqyXOS+13zyoFOk
bvoH9Q9N/FhhsJkOrcocbTVPVkMW2zNt7tkjCUITZXMh79/5qKzUSPuWjADnYfy0
wWxGKKrF/n9QnvFNmvsW37K1iSr6qF9njpzVHzTT09nUPsVtcj3k1ZxXOBN8fWU/
93zJQSQU12eA+CIo94keTDDlkW5F2sf2psWkGW2u+KvEC/HhqSVKWInb5vPflsA8
uZIxXCuiQ4XzM0HwflRPRjTl
-----END CERTIFICATE REQUEST-----
liumiaocn:ca liumiao$
```