What are the merits of JKS versus PKCS12 for code signing?

Published 2024-09-25 21:35:16 | 246 characters | 7 views | 0 comments

When buying a code-signing certificate, what are the merits of starting with a PKCS12 versus JKS certificate? Some vendors give instructions on starting with a JKS or PKCS12 certificate signing request. We'd like to have maximum flexibility in using a purchased cert, especially given the cost. For example, we may be signing more than just Java code (ex: iPhone or Android code signing). What technical considerations should we take into account when choosing either approach?

Comments (2)

软的没边 2024-10-02 21:35:16

If you're working in Java then the Java Key Store is a fairly natural place to store private keys. Java applications typically expect to get the keys they need from JKS, and it's easy to access from your own Java apps. JKS is not accessible (without jumping through a few hoops) from outside Java, though.

PKCS#12 (aka PFX) files, on the other hand, are a language-neutral way to store encrypted private keys and certificates, and have been around long enough that they're supported just about everywhere. Note, though, that the file format is horribly over-complex and over-general -- have a look at Peter Gutmann's "PFX - How Not to Design a Crypto Protocol/Standard" (http://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html) for a light-hearted view of the problems.

Note that the use of one or other of these storage formats is really an issue about how your application will store encrypted private keys locally. The vendor who sells you your certificate will never see the private key so he doesn't care what format you use. You send him (the vendor/CA) a PKCS#10 certificate request (containing the public key and signed using the private key, but NOT containing the private key) and he sends you back a certificate (which you can store in JKS or in the PKCS#12 file or both, or anywhere else that takes your fancy).

Technically, neither format is ideal as they both protect the private key by encrypting it with a key derived from a password; this doesn't make either one better than the other, though. Security (though not convenience) is better if you can use a smartcard or other hardware key storage solution.

The main factor determining your choice should be how you plan to use the private key -- that is: what applications will need to use the private key and what format(s) of key store do they already handle. PKCS#12 is the more flexible option ... but if you intend to use the key only with code that you write yourself (interoperability not required) then you might also consider using PKCS#8 or PKCS#15 containers.

I can't recommend writing your own code to handle PKCS#12 (I've done it, not fun) -- use a proven third-party library (like OpenSSL).
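The request/issue/bundle flow the answer above describes, as an added example that is not part of the original answer: the private key is generated locally, only a PKCS#10 request leaves the machine, and the returned certificate is packed with the key into a password-protected PKCS#12 that any OpenSSL- or Java-based tool can open. It assumes openssl is on PATH, uses a throwaway self-signed CA as a stand-in for the commercial vendor, and all file names, subjects and the password are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the original answer: the PKCS#10 request -> issued
# certificate -> PKCS#12 bundle flow, done with OpenSSL so it works outside Java.
# Assumptions: openssl is on PATH; a throwaway self-signed CA stands in for the
# commercial vendor; file names, subjects and the password are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="correct horse battery staple"   # constructed example password

# 1. Generate the private key locally; it never leaves this machine.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/signing.key" 2>/dev/null
}

# 2. Build the PKCS#10 request: subject + public key, self-signed with the private key.
make_csr() {
    openssl req -new -key "$WORK/signing.key" \
        -subj "/CN=Example Code Signing/O=Example Corp" -out "$WORK/signing.csr" 2>/dev/null
}

# The request must verify under its own public key and carry no private key material;
# this file is all the vendor ever receives.
csr_is_clean() {
    openssl req -in "$WORK/signing.csr" -noout -verify >/dev/null 2>&1 || return 1
    ! grep -q "PRIVATE KEY" "$WORK/signing.csr"
}

# 3. Stand-in for the vendor: a throwaway CA signs the request and adds the
#    code-signing extended key usage. A real CA's policy decides the extensions.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Vendor CA" -days 30 2>/dev/null
    printf 'extendedKeyUsage=codeSigning\n' > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/signing.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/signing.crt" 2>/dev/null
}

cert_has_codesigning_eku() {
    openssl x509 -in "$WORK/signing.crt" -noout -text | grep -q "Code Signing"
}

# 4. Bundle key + certificate + chain into a password-protected PKCS#12 (.p12/.pfx),
#    under the alias a Java keystore or other tool will later look up.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/signing.key" -in "$WORK/signing.crt" \
        -certfile "$WORK/ca.crt" -name certforsigning \
        -passout "pass:$P12PASS" -out "$WORK/signing.p12" 2>/dev/null
}

# The bundle is only as strong as its password: the MAC check fails on the wrong one.
p12_opens_with() {   # $1 = candidate password
    openssl pkcs12 -in "$WORK/signing.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}

run_demo() {
    gen_key && make_csr && issue_cert && bundle_p12
}

run_demo
echo "PKCS#12 written to $WORK/signing.p12"
```

The password is passed with `pass:` here only to keep the example self-contained; in real use prefer `-passout file:` or an interactive prompt so it stays out of shell history and process listings. OpenSSL 3 writes the PKCS#12 with AES-256-CBC and PBKDF2 by default; if an old consumer cannot read it, `openssl pkcs12 -export -legacy` produces the older (weaker) encryption that everything accepts.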

想挽留 2024-10-02 21:35:16

In case you have a JKS key store, you can convert it to PKCS12 using the commands below:

    # keytool honours only one -srcalias per run, so each key gets its own invocation
    keytool -importkeystore \
        -srckeystore my_java_keystore.jks -srcstorepass secretstore \
        -srcalias certforsigning -srckeypass secret \
        -destkeystore PFX_keystore.pfx -deststoretype PKCS12 -deststorepass secretstore \
        -destalias certforsigning -destkeypass secretstore   # PKCS12 key and store passwords must match

    keytool -importkeystore \
        -srckeystore my_java_keystore.jks -srcstorepass secretstore \
        -srcalias certforencryption -srckeypass secret \
        -destkeystore PFX_keystore.pfx -deststoretype PKCS12 -deststorepass secretstore \
        -destalias certforencryption -destkeypass secretstore

where my_java_keystore.jks is the Java key store that has two keys with the aliases certforsigning and certforencryption,

and you can also convert the keys from PKCS12 to JKS using keytool.
