如何在访问密钥库时让Jetty 9忽略keypass？

Question

如何在访问密钥库时让Jetty 9忽略keypass？

这是我做的:

• 我在startssl.com为我的域名生成了证书
• 我生成链式证书(我的+ sub.class1.server.ca.pem + ca.pem) openssl pkcs12 -export -inkey ssl.key -in /home/ubuntu/bundle.crt -out /home/ubuntu/bundle.pkcs12
• 将它们导入到新的密钥库中,如下所示: keytool -importkeystore -srckeystore /home/ubuntu/bundle.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/jetty/etc/keystore
• 出于某种原因,别名为"1",因此我将其重命名为"jetty" keytool -changealias -alias "1" -destalias "jetty" -keystore /opt/jetty/etc/keystore -storepass storepwd
• 请注意,我使用的storepwd是Jetty发行版的默认密码

我jetty-ssl.xml包含这个

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>

现在,当我启动所有这些美丽Jetty崩溃与以下错误

2013-07-11 21:34:01.984:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@e45a028(/opt/jetty/etc/keystore,/opt/jetty/etc/keystore): java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)

这显然是密码不匹配,因为它期望/传递keypwd来自Jetty附带的默认密钥库的keypass .

这是我的证书:http://pastebin.com/raw.php？i = p8LhT50P 它的输出来自keytool -list -keystore /opt/jetty/etc/keystore -storepass storepwd -storetype JKS -v

它在哪里设置？我该如何解决这个错误？

谢谢!

Answer 1

涉及两个密码:密钥库密码(KeyStorePassword)和密钥密码(KeyManagerPassword).对于PKCS#12商店,它们是相同的.

由于您已使用密钥库密码将密钥从PKCS#12商店导入JKS存储区,这并不意味着密钥本身的密码已更改,而且可能不是"keypwd"(Jetty的默认密码).尝试KeyManagerPassword用PKCS#12商店的密码替换值.

(请注意,通常,您不需要转换密钥库,您可以将其用作PKCS12KeyStoreType.)