Trust Store vs Key Store - creating with keytool

Updated: 2024-10-28 10:36:57


I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that's my first assumption, so if that's not correct, I probably haven't started very well...

I was interested though in understanding how / when you distinguish the stores when using keytool.

So far, I've created a keystore using

keytool -import -alias bob -file bob.crt -keystore keystore.ks

which creates my keystore.ks file. I answer yes to the question "do I trust bob", but it is unclear to me whether this has created a keystore file or a truststore file. I can set up my application to use the file as either.

-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x -Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x

and with System.setProperty( "javax.net.debug", "ssl") set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I'm importing has only a public key and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that's best left for another question!).

Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import, and it's just convention that says one is a keystore and the other a trust store? What's the relationship when using SSL etc.?

Accepted answer


The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).

The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), then used to build an SSLContext which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from, which are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and want specific SSLContexts for a given purpose.)

The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.

KeyManager: Determines which authentication credentials to send to the remote host.

(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)

Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).
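As an added example (not code from the question or the answer), the Java program below first inspects the question's keystore.ks to show which entry type keytool -import produced, then builds an SSLContext from two distinct stores, the programmatic equivalent of the two system properties the answer describes. It assumes both files are keytool-created stores of the JVM's default type, and mykeys.ks (holding your own private key and certificate) and its password "x" are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class StoreRoles {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // "keytool -import -file bob.crt" creates a trustedCertEntry (certificate
    // only), which a TrustManager consults; a KeyManager needs PrivateKeyEntry.
    static void describe(String path, char[] password) throws Exception {
        KeyStore ks = load(path, password);
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias)
                ? "PrivateKeyEntry (served by the KeyManager)"
                : "trustedCertEntry (consulted by the TrustManager)";
            System.out.println(path + ": " + alias + " -> " + kind);
        }
    }

    // Programmatic equivalent of setting javax.net.ssl.keyStore and
    // javax.net.ssl.trustStore to two distinct files.
    static SSLContext build(String keyStorePath, char[] keyStorePw,
                            String trustStorePath, char[] trustStorePw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyStorePw), keyStorePw);  // our own identity
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePw));           // whom we trust
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // keystore.ks is the question's file; mykeys.ks is an assumed second
        // store holding this application's own private key and certificate.
        describe("keystore.ks", "x".toCharArray());
        SSLContext ctx = build("mykeys.ks", "x".toCharArray(), "keystore.ks", "x".toCharArray());
        System.out.println("Built " + ctx.getProtocol() + " context from separate stores");
    }
}
```

For the keystore.ks from the question, describe() reports the bob alias as a trustedCertEntry, which is why the javax.net.debug output lists it under the trusted certificates and not in the key store section.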

Published: 2023-07-05 02:47:00
Link: https://www.elefans.com/category/jswz/34/1032134.html