堆栈内存溢出
  简体   繁体   English

如何避免在代码库中使用密钥库/ trustore纯文本密码?

[英]How to avoid having keystore/trustore plain text password in code base?

 原文  2017-01-09 09:48:20       java/ security/ password-protection/ mutual-authentication

问题描述

To meet our internal security requirements, I've written a Java client that uses certificates to mutually authenticate with the server. 为了满足我们的内部安全性要求,我编写了一个Java客户端,该客户端使用证书与服务器进行相互认证。 However, to get the certificate into a SSLContext, I have to provide a password to the keystore and trustore. 但是,要将证书放入SSLContext,我必须提供密码到密钥库和信任库。 The password is in plaint text in the code, which is also against our requirements. 密码是代码中的纯文本,这也违反了我们的要求。

Is there any way to avoid having the keystore/truststore passwords in plain text in the code? 有什么方法可以避免在代码中使用明文形式存储密钥库/信任库密码? I've tried answers on Stack Overflow that suggest creating a store without a password and/or just loading a certificate directly into the SSLContext, but authentication fails when I try these methods. 我已经尝试过关于Stack Overflow的答案,这些答案建议创建一个没有密码和/或直接将证书直接加载到SSLContext的商店,但是当我尝试这些方法时,身份验证将失败。

1 个解决方案

解决方案1
 1  2017-01-09 10:14:20

Typically, certificates and truststores do not contain information that must be kept secret. 通常,证书和信任库不包含必须保密的信息。 The one thing that has to be kept secret is the private key which is contained in the keystore. 必须保密的一件事是密钥库中包含的私钥。 Protecting the keystore with a password is somehow like putting a key in a safe and locking that safe with a second key - so it doesn't really help. 用密码保护密钥库就像以某种方式将密钥放在保险箱中并用第二个密钥锁定该保险箱一样,因此实际上并没有帮助。

Anyway, you could read the password from a (resource) file that you don't check in to your VCS and leave it to the deployment to provide that file (which could be protected by restricting read access to the appropiate user at operating system level). 无论如何,您可以从未签到VCS的(资源)文件中读取密码,然后将密码留给部署以提供该文件(可以通过在操作系统级别限制对适当用户的读取访问权限来保护该密码。 )。

But of course, you could do that directly with the keystore, too - without using a password. 但是,当然,您也可以直接通过密钥库执行此操作-无需使用密码。

If requirements are high, have a look at Trusted Platform Module . 如果要求很高,请查看Trusted Platform Module

Key- and truststores can be configured by system properties, so it could be possible to deal not at all with it from source code. 密钥库和信任库可以通过系统属性进行配置,因此可以完全不使用源代码中的密钥库和信任库。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用密钥库和信任库配置Spring Ws? - How to configure Spring Ws with keystore and trustore? 密钥库和信任库不一起工作 - keystore and trustore not working together Keycloak Federation Configuration,初始化服务时keystore/trustore错误 - Keycloak Federation Configuration, keystore/trustore error when initializing the service Android AES(带有Keystore)使用相同的纯文本生成不同的密文 - Android AES (with Keystore) produces different cipher text with same plain text 如何更改Java Keystore(JKS)密钥库和别名密码以使它们正常工作 - How to change Java Keystore(JKS) keystore and alias password so that they work 如何使用 cacerts 和 jks trustore togeser, - How use cacerts and jks trustore togeser, 如何删除java密钥库个人/私人密码 - how to delete java keystore personal/private password 如何在Java中更改KeyStore文件的密码? - How to change Password of KeyStore File in Java? 如何存储Java KeyStore密码? - How do I store a Java KeyStore password? 什么是源密钥库密码以及如何查找它? - what is source keystore password and how to find it?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM