Verifying a certificate against the Java certificate store via the CLI
How can I verify an X509 (or DER-formatted) certificate against the Java certificate store via the command line?
I've looked into using the keytool utility, but it looks like it only handles import/export/display functionality (no verification).
EDIT: It looks as though keytool can be used for verification, but only if an import is attempted. I suppose a better way of asking this question is whether or not a more passive approach (as in: not modifying the keystore) is available. Thanks!
Comments (2)
You can use keytool to export the needed certificates (those that are in the chain for the one you need to verify) from the Java keystore into X.509 files. Then, concatenate them together into one file. Finally, use openssl to do the verification.
Not a perfect solution since it involves popping the certs out of the truststore, but it ought to work given what you are starting with.
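The export, concatenate and verify steps from the answer above, as an added shell example that is not part of the original answer. The function names and argument order are assumptions of this example; it needs keytool and OpenSSL 1.1.0 or later (for -no-CApath), and it only reads the keystore.

```shell
#!/bin/sh
# Usage: sh verify.sh <keystore> <storepass> <cert.pem|cert.der> <alias>...

# Export the named truststore entries as PEM, concatenated into bundle $3.
# keytool -exportcert only reads the keystore; nothing is imported or changed.
export_anchors() {
    ks=$1; pass=$2; bundle=$3; shift 3
    : > "$bundle"
    for entry in "$@"; do
        keytool -exportcert -rfc -alias "$entry" \
                -keystore "$ks" -storepass "$pass" >> "$bundle" || return 1
    done
}

# Write the candidate certificate $1 to $2 as PEM, accepting PEM or DER input.
to_pem() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# Return 0 only if the certificate $2 chains to a certificate in bundle $1.
# -no-CApath keeps openssl from also trusting the system CA directory, which
# it otherwise consults even when -CAfile is given.
verify_cert() {
    bundle=$1; cert=$2
    tmp=$(mktemp) || return 2
    if to_pem "$cert" "$tmp"; then
        openssl verify -no-CApath -CAfile "$bundle" "$tmp" >/dev/null 2>&1
        rc=$?
    else
        rc=2    # unreadable or not a certificate
    fi
    rm -f "$tmp"
    return "$rc"
}

if [ "$#" -ge 4 ]; then
    ks=$1; pass=$2; cert=$3; shift 3
    bundle=$(mktemp) || exit 2
    trap 'rm -f "$bundle"' EXIT
    export_anchors "$ks" "$pass" "$bundle" "$@" || exit 2
    if verify_cert "$bundle" "$cert"; then
        echo "OK: $cert chains to the exported certificates"
    else
        echo "FAIL: no valid chain for $cert"; exit 1
    fi
fi
```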
This page could be oversimplifying:
http://java.sun.com/docs/books/tutorial/security/toolfilex/rstep1.html
But it doesn't look like even import with keytool does a true verification of a certificate. I'm not seeing any description of verifying the signature of the incoming certificate against the signature of another trusted certificate.
jarsigner will verify a signature on a signed jar, but doesn't do anything to verify the signature on the certificate used to sign the jar.
I'm afraid you'd either have to write a tool to do the verification, or look for a commercial tool that does it. I would think that some of the PKI tool kits would have a certificate verification tool that would do this.