我知道密钥库通常会保存私钥/公钥,信任存储只保存公钥(并代表您打算与之通信的可信方列表).嗯,这是我的第一个假设,所以如果这不正确,我可能还没有开始......
我对使用keytool时如何/何时区分商店感兴趣.
所以,到目前为止,我已经创建了一个密钥库
keytool -import -alias bob -file bob.crt -keystore keystore.ks
这将创建我的keystore.ks文件.我回答yes问题我是否相信bob但是我不清楚这是否创建了密钥库文件或信任库文件?我可以设置我的应用程序以使用该文件.
-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
-Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x
并且使用System.setProperty( "javax.net.debug", "ssl")set,我可以在受信任的证书下看到证书(但不在密钥库部分下).我导入的特定证书只有一个公钥,我打算用它通过SSL连接向Bob发送内容(但也许最好留给另一个问题!).
任何指示或澄清都将非常感激.无论你导入什么,keytool的输出都是相同的,它的惯例是一个是密钥库而另一个是信任存储?使用SSL等时的关系是什么?
我正在添加到我们的大型Java应用程序的模块必须与另一家公司的SSL安全网站进行交谈.问题是该站点使用自签名证书.我有一份证书副本,以验证我没有遇到中间人攻击,我需要将此证书合并到我们的代码中,以便与服务器的连接成功.
这是基本代码:
void sendRequest(String dataPacket) {
String urlStr = "https://host.example.com/";
URL url = new URL(urlStr);
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
conn.setMethod("POST");
conn.setRequestProperty("Content-Length", data.length());
conn.setDoOutput(true);
OutputStreamWriter o = new OutputStreamWriter(conn.getOutputStream());
o.write(data);
o.flush();
}
在没有为自签名证书进行任何额外处理的情况下,这会在conn.getOutputStream()处死,但有以下异常:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
....
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
....
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path …此代码连接到HTTPS站点,我假设我没有验证证书.但为什么我不必在本地为该网站安装证书?我不应该在本地安装证书并为此程序加载它还是在封面下载?客户端到远程站点之间的流量是否仍然在传输中加密?
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
public class TestSSL {
public static void main(String[] args) throws Exception {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
} …作为安全措施的一部分,我在我的应用程序中固定公钥,因为我从我的PEM证书中提取了公钥,看起来像
-----BEGIN PUBLIC KEY-----
MIIBIj....IDAQAB
-----END PUBLIC KEY-----
但是在OWASP的示例代码中,我们看到了用于比较DER编码公钥的代码,
// DER encoded public key
private static String PUB_KEY = "30820122300d06092a864886f70d0101"
+ "0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85"
+ "5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc"
+ "ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657"
+ "2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8"
+ "609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50"
+ "c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00"
+ "33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38"
+ "cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b"
+ "e0b7a5bc860966dc84f10d723ce7eed5430203010001";
我知道DER是一种二进制格式,但不确定作者如何转换或提取上述格式?当我转换为DER时,它的原始字节不像上面的格式.有人有指针吗?
替代方法可以是,示例代码,
//Hack ahead: BigInteger and toString(). We know a DER encoded Public Key begins
//with 0x30 (ASN.1 SEQUENCE and CONSTRUCTED), so there is no leading 0x00 to drop.
RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey();
String enc
oded = new BigInteger(1 /* positive …