KeyStore, HttpClient and HTTPS: can someone explain this code to me?
I'm trying to understand what's going on in this code.

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;

    DefaultHttpClient httpclient = new DefaultHttpClient();

    // Load the trust store from a keystore file on disk
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream instream = new FileInputStream(new File("my.keystore"));
    try {
        trustStore.load(instream, "nopassword".toCharArray());
    } finally {
        instream.close();
    }

    // Build an SSL socket factory that trusts only the CAs in that store,
    // and register it for the "https" scheme on port 443
    SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
    Scheme sch = new Scheme("https", socketFactory, 443);
    httpclient.getConnectionManager().getSchemeRegistry().register(sch);

My questions:

    trustStore.load(instream, "nopassword".toCharArray());

is doing what exactly? From reading the documentation, load() will load KeyStore data from an input stream (which is just an empty file we just created), using some arbitrary "nopassword". Why not just load it with null as the InputStream parameter and an empty string as the password field?

And then what is happening when this empty KeyStore is being passed to the SSLSocketFactory constructor? What's the result of such an operation?

Or -- is this simply an example where in a real application you would have to actually put a reference to an existing keystore file / password?
Comments (2)
This example tries to show you how to load your own trust store. To get this example working, you need to have a file called "my.keystore" in your current directory, and the password for the keystore is "nopassword".

Please note that

    new File("my.keystore")

doesn't necessarily create a new file. It simply creates a File object pointing to the path.

It really looks that way. There is no "my.keystore" file distributed in either the binary or source distributions of HttpClient 4.0.1. For this to run you would create an actual keystore. You could use either keytool or Portecle.

This example is showing you how to utilize a different trust store than the one that the JVM uses by default ($JAVA_HOME/jre/lib/security/cacerts) for this instance of DefaultHttpClient. This is useful when an SSL site is using a certificate signed by their own in-house certificate authority. The SSL connection will only be established when the signer of the server certificate is recognized. The Wikipedia entry on TLS is a decent introduction if you are unfamiliar with the concept.
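The following is an added illustration, not code from the question or from the HttpClient project. It reproduces what SSLSocketFactory(KeyStore) does internally, namely feeding the trust store into a TrustManagerFactory, and then asks the resulting X509TrustManager which CA issuers it would accept. This makes the three cases the question asks about visible without any network access: passing null to TrustManagerFactory.init() falls back to the JVM's own cacerts; a keystore created with KeyStore.load(null, null) is valid but trusts nobody, so every server certificate would be rejected at handshake time; and a real keystore file loaded with its password (the "my.keystore" path and "nopassword" value are assumptions carried over from the question) trusts exactly the CAs it contains. A 0-byte file is not a valid keystore and load() rejects it with an IOException.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not HttpClient code): compares the JVM default trust store,
 * an empty in-memory trust store, and a trust store loaded from a file by
 * inspecting the issuers each resulting X509TrustManager would accept.
 */
public class TrustStoreCheck {

    /** Load a keystore file; the password is only used to verify the file's integrity. */
    static KeyStore loadFromFile(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            // An empty or non-keystore file, or a wrong password, fails here with IOException
            ks.load(in, password);
        }
        return ks;
    }

    /** KeyStore.load(null, null) yields a valid but empty keystore: no trusted CAs at all. */
    static KeyStore emptyKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        return ks;
    }

    /** Same step SSLSocketFactory(KeyStore) performs: derive trust managers from the store. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // null -> JVM default trust store (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Number of CA certificates a handshake through this store could chain up to. */
    static int countAcceptedIssuers(KeyStore trustStore) throws Exception {
        return trustManagerFor(trustStore).getAcceptedIssuers().length;
    }

    public static void main(String[] args) throws Exception {
        // Case 1: null store -> the JVM's own cacerts, typically well over a hundred CAs
        System.out.println("JVM default trust store accepts "
                + countAcceptedIssuers(null) + " issuers");

        // Case 2: empty store -> zero accepted issuers; every server certificate is rejected
        System.out.println("Empty trust store accepts "
                + countAcceptedIssuers(emptyKeyStore()) + " issuers");

        // Case 3: the store from the question (path and password are assumed values)
        String path = args.length > 0 ? args[0] : "my.keystore";
        char[] password = "nopassword".toCharArray();
        try {
            X509TrustManager tm = trustManagerFor(loadFromFile(path, password));
            for (X509Certificate ca : tm.getAcceptedIssuers()) {
                System.out.println("trusted CA: " + ca.getSubjectX500Principal());
            }
        } catch (IOException e) {
            System.out.println("could not load " + path + ": " + e.getMessage());
        }
    }
}
```

Run it with `java TrustStoreCheck [path-to-keystore]`. The practical point for the original code: the custom store replaces, rather than extends, the JVM's cacerts for that HttpClient instance, so it must contain the in-house CA that signed the server certificate, and nothing more than the CAs you intend to trust.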