Struct KeyStore 

pub struct KeyStore { /* private fields */ }

Java KeyStore (JKS) implementation

A KeyStore is a mapping of alias to either a PrivateKeyEntry or TrustedCertificateEntry.

Implementations

impl KeyStore

pub fn load_pkcs12<R: Read>(&mut self, reader: R, password: &[u8]) -> Result<()>

Load a PKCS12 keystore from reader

PKCS12 is the standard keystore format used by:

• Android (.keystore files)
• Java (.p12/.pfx files)
• OpenSSL

impl KeyStore

pub fn new() -> Self

Creates a new empty KeyStore with default options

pub fn with_options(options: KeyStoreOptions) -> Self

Creates a new empty KeyStore with custom options

pub fn store<W: Write>(&self, w: W, password: &[u8]) -> Result<()>

Writes the keystore to the writer with password-based signature

It is strongly recommended to zero out the password after use.

pub fn load<R: Read>(&mut self, r: R, password: &[u8]) -> Result<()>

Reads a keystore from the reader and verifies its signature

It is strongly recommended to zero out the password after use.

pub fn load_auto_detect<R: Read>( &mut self, reader: R, password: &[u8], ) -> Result<()>

Auto-detect format and load keystore from reader

This method automatically detects whether the file is JKS or PKCS12 format and loads it accordingly. Supports:

• JKS format (.jks files) - magic: 0xFEEDFEED
• PKCS12 format (.keystore, .p12, .pfx files) - starts with 0x30

It is strongly recommended to zero out the password after use.

pub fn set_private_key_entry( &mut self, alias: &str, entry: PrivateKeyEntry, password: &[u8], ) -> Result<()>

Adds a PrivateKeyEntry encrypted with the password

It is strongly recommended to zero out the password after use.

pub fn get_private_key_entry( &self, alias: &str, password: &[u8], ) -> Result<PrivateKeyEntry>

Returns and decrypts a PrivateKeyEntry with the password

It is strongly recommended to zero out the password after use.

pub fn get_raw_private_key_entry(&self, alias: &str) -> Result<PrivateKeyEntry>

Returns a PrivateKeyEntry without decryption (for already-decrypted keys like PKCS12)

This method returns the private key entry as-is, without attempting to decrypt it. Useful for keystores loaded from PKCS12 format where keys are already decrypted.

pub fn get_private_key_entry_certificate_chain( &self, alias: &str, ) -> Result<Vec<Certificate>>

Returns the certificate chain associated with a PrivateKeyEntry

pub fn is_private_key_entry(&self, alias: &str) -> bool

Returns true if the alias exists and is a PrivateKeyEntry

pub fn set_trusted_certificate_entry( &mut self, alias: &str, entry: TrustedCertificateEntry, ) -> Result<()>

Adds a TrustedCertificateEntry (not encrypted, just stored)

pub fn get_trusted_certificate_entry( &self, alias: &str, ) -> Result<TrustedCertificateEntry>

Returns a TrustedCertificateEntry

pub fn is_trusted_certificate_entry(&self, alias: &str) -> bool

Returns true if the alias exists and is a TrustedCertificateEntry

pub fn delete_entry(&mut self, alias: &str)

Deletes an entry from the keystore

pub fn aliases(&self) -> Vec<String>

Returns all aliases in the keystore

If ordered_aliases is set, returns aliases sorted alphabetically.

pub fn len(&self) -> usize

Returns the number of entries in the keystore

pub fn is_empty(&self) -> bool

Returns true if the keystore is empty

Trait Implementations

impl Default for KeyStore

fn default() -> Self

Returns the “default value” for a type.