如果有很多密钥库和信任库,将使用哪个密钥和证书?
[英]Which key and certificate from keystore and truststore is used when there are many?
问题描述
I have two keys in my keystore: 
我的密钥库中有两个密钥:
D:\javasslstores2>keytool -list -keystore keystore.jks -storepass passwd123
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
ssl_key_2, Jun 14, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 36:A4:FB:E6:47:12:59:D6:C3:E1:06:21:4B:21:79:7E:33:86:48:52
ssl_key, Jun 13, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 03:08:2C:CA:A4:84:DD:61:20:05:F7:56:F5:44:4C:A4:35:2B:8C:6C
and corresponding two certificates in my trustore: 以及我的受托人中相应的两个证书:
D:\javasslstores2>keytool -list -keystore truststore.jks -storepass passwd123
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
ssl_key_2, Jun 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 36:A4:FB:E6:47:12:59:D6:C3:E1:06:21:4B:21:79:7E:33:86:48:52
ssl_key, Jun 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 03:08:2C:CA:A4:84:DD:61:20:05:F7:56:F5:44:4C:A4:35:2B:8C:6C
I have written simple java ssl client and servers: 我已经编写了简单的Java ssl客户端和服务器:
Server 服务器
public class Server {
static KeyStore ks;
static KeyManagerFactory kmf;
static TrustManagerFactory tmf;
static SSLContext sc;
static TrustManager[] trustManagers;
static {
try {
ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("D:\\javasslstores\\keystore.jks"), "passwd123".toCharArray());
kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "passwd123".toCharArray());
tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
} catch (Exception e) {
System.out.println(e.getMessage());
System.out.println(e.getStackTrace());
}
}
public static void main(String[] args) throws IOException {
System.out.println("SSL Server");
SSLServerSocketFactory ssf = sc.getServerSocketFactory();
SSLServerSocket s = (SSLServerSocket) ssf.createServerSocket(8089);
System.out.println("Listening on port 8089");
SSLSocket socket = (SSLSocket) s.accept();
PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(socket.getInputStream()))) {
String line;
System.out.println("Data from client:");
while((line = bufferedReader.readLine()) != null){
System.out.println(line);
out.println(line);
}
}
System.out.println("Closed");
}
}
Client 客户
public class Client {
static KeyStore ks;
static KeyManagerFactory kmf;
static TrustManagerFactory tmf;
static SSLContext sc;
static TrustManager[] trustManagers;
static
{
try
{
ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("D:\\javasslstores\\keystore.jks"), "passwd123".toCharArray());
kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "passwd123".toCharArray());
tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
} catch (Exception e) {
System.out.println(e.getMessage());
System.out.println(e.getStackTrace());
}
}
public static void main(String[] args) throws IOException {
SSLSocketFactory ssf = sc.getSocketFactory();
SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", 8089);
socket.startHandshake();
PrintWriter out = new PrintWriter
(new BufferedWriter
(new OutputStreamWriter
(socket.getOutputStream())));
System.out.println("SSL Client");
out.println("GET / HTTP/1.0");
out.println("From java ssl client");
out.println("written by me");
out.flush();
if (out.checkError())
System.out.println("SSLSocketClient: java.io.PrintWriter error");
BufferedReader in = new BufferedReader(
new InputStreamReader(
socket.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
out.close();
socket.close();
}
}
Above code runs fine. 上面的代码运行正常。
Doubts: 疑问:
- There are two keys and certificates with name
ssl_keyandssl_key_2.有两个密钥和证书,名称分别为ssl_key和ssl_key_2。 Which one they use?他们使用哪一个? - How they end up using same pair of key and certificate? 他们如何最终使用同一对密钥和证书?
1 个解决方案
解决方案1
0 2018-06-21 15:41:37
Good question. 好问题。 The implementation of SunX509 KeyManager ( SunX509KeyManagerImpl ) uses the first aliases it finds for which there is a private key and a key of type RSA . SunX509 KeyManager( SunX509KeyManagerImpl )的实现使用它找到的第一个别名,该别名具有一个专用密钥和一个RSA类型的密钥 。 You can debug the SunX509KeyManagerImpl.chooseServerAlias called by your Server class on main method, in order to verify the logic. 您可以在main方法上调试由Server类调用的SunX509KeyManagerImpl.chooseServerAlias ,以验证逻辑。 To change the behaviour of the SunX509KeyManager you could write your own keyManager extending X509ExtendedKeyManager and passing it to SSLContext.init . 要更改SunX509KeyManager的行为,可以编写扩展X509ExtendedKeyManager并将其传递给SSLContext.init自己的keyManager。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
KeyStore 和 TrustStore 加载失败 - 私钥必须附带证书链 - KeyStore and TrustStore load failed - Private key must be accompanied by certificate chain
如何在 Java 项目中管理证书、信任库和密钥库密钥文件 - How to manage certificate, truststore and keystore key files in a Java project
从MAC KeyChain访问导出证书并创建密钥库,信任库 - Export certificate from MAC KeyChain access and create keystore,truststore
如何从签名证书创建信任库和密钥库? - How do I create truststore and keystore from the signed certificate?
如何知道keystore / truststore中使用的域名? - how to know the domain used in keystore/truststore?
哪个是Java应用程序的密钥库/信任库的默认位置? - Which is the default location for keystore/truststore of Java applications?
如何使用自签名证书创建密钥库和信任库? - How to create keystore and truststore using self-signed certificate?
以编程方式将自签名证书添加到密钥库/信任库 - Programmatically add a self-signed certificate to your keystore/truststore
从Truststore以编程方式删除证书 - Delete Certificate from Truststore programmatical
在Java中:如何使用Keystore和Truststore证书握手安全连接? - In Java: How to handshake a secured connection using Keystore and Truststore certificate?
相关标签