使用 java 编写使用 ssl / tls 的客户端-服务器应用程序,而无法使用 keytool
我打算编写一个使用 SSL (TLS) 连接来交换数据的客户端-服务器应用程序。
由于客户端是可下载的,并且我不能保证对密钥库的访问,因此我正在寻找一种在运行时导入证书的方法。
我需要什么:
- 一种将服务器的公钥密钥/证书导入客户端应用程序的方法
- 一种将服务器的私钥密钥/证书导入服务器应用程序的方法
我发现了什么到目前为止:
// load the server's public crt (pem), exported from a https website
CertificateFactory cf = CertificateFactory.getInstance("X509");
X509Certificate cert = (X509Certificate)cf.generateCertificate(new
FileInputStream("C:\\certificate.crt"));
// load the pkcs12 key generated with openssl out of the server.crt and server.key (private) (if the private key is stored in the pkcs file, this is not a solution as I need to ship it with my application)
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("C:\\certificate.pkcs"), "password".toCharArray());
ks.setCertificateEntry("Alias", cert);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "password".toCharArray());
// create SSLContext to establish the secure connection
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
这对我不起作用,因为我收到错误:
java.security.KeyStoreException:ks.setCertificateEntry("Alias", cert) 不支持 TrustedCertEntry;
另外,我认为 pkcs12 用于存储私钥,这不是我想要的。
我是java新手,现在我真的被这个问题困扰了。
预先感谢,
卡佐夫
What I'm planning to do is writing a client-server application that uses a SSL (TLS) connection to exchange data.
As the client is downloadable and I can not guarantee access to the keystore I'm looking for a way to import certificates at runtime.
What I need:
- A way to import the server's public key/certificate into the client application
- A way to import the server's private key/certificate into the server application
What I found out so far:
// load the server's public crt (pem), exported from a https website
CertificateFactory cf = CertificateFactory.getInstance("X509");
X509Certificate cert = (X509Certificate)cf.generateCertificate(new
FileInputStream("C:\\certificate.crt"));
// load the pkcs12 key generated with openssl out of the server.crt and server.key (private) (if the private key is stored in the pkcs file, this is not a solution as I need to ship it with my application)
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("C:\\certificate.pkcs"), "password".toCharArray());
ks.setCertificateEntry("Alias", cert);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "password".toCharArray());
// create SSLContext to establish the secure connection
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
This does not work for me as I'm getting an error:
java.security.KeyStoreException: TrustedCertEntry not supported at ks.setCertificateEntry("Alias", cert);
Also, I think pkcs12 is used to store private keys which is not what I want.
I'm new to java and I'm really stuck with that problem now.
Thanks in advance,
Kazuo
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Sun 的
#PKCS12实现不允许存储不属于私钥链一部分的受信任证书。如果您需要使用
#PKCS12,则必须切换到其他提供商,例如 Bouncy Castle 支持此功能。如果您对密钥库类型没有要求,您可以切换到
JKS,它是java的密钥库,允许设置受信任的证书(即不是私钥的一部分)。对于
JKS,您可以使用默认提供程序,即 SUN。更新:
因此,您的代码必须进行如下更改:
现在您在代码中使用密钥库
store,它具有服务器的可信证书而不是私钥。从代码中的注释中我注意到您使用 OpenSSL 创建了 PKCS12?
如果您已经有 p12,则不能将“JKS”用于 KeyManager。
您必须使用
PKCS12并将其加载为PKCS12才能在kmf中使用它。所以你必须在你的应用程序中使用两种类型
Sun's implementation of
#PKCS12does not allow to store trusted certificates if are not part of the chain of the private key.If you need to use
#PKCS12you have to switch to a different provider e.g. Bouncy Castle supports this.If you do not have a requirement on keystore type you can switch to
JKSwhich is java's keystore and allows to set trusted certificates (i.e. not part of the private key).For
JKSyou can use the default provider i.e. SUN.UPDATE:
So your code would have to change as follows:
Now you use the keystore
storein your code which has the server's trusted certificate and not the private key.From the comments in the code I noticed that you have a PKCS12 created using OpenSSL?
If you already have a p12 then you can not use "JKS" for KeyManager.
You will have to use
PKCS12and load it asPKCS12to use it in thekmf.So you will have to use 2 types in your app
您不需要在运行时创建证书。您不需要将密钥库下载到客户端。您只需要由公认的 CA 签署的服务器证书即可。
您提出的建议是不安全的。客户端必须通过与证书验证通道不同的方式获取要信任的证书。否则,就没有理由信任证书、通道或证书……带有 CA 证书的 PKI 会处理所有这些事情。您的提议只会破坏 PKI 和 SSL 内置的安全性。不要这样做。
You don't need to create a certificate at runtime. You don't need to download a keystore to the client. You just need your server certificate signed by a recognized CA.
What you are proposing is insecure. The client has to acquire the certificates to trust via a different means than the channel than the certificate is authenticating. Otherwise there is no reason to trust the certificate, or the channel, or the certificate, ... PKI with CA certs takes care of all that. Your proposal just undermines the scurity built into PKI and SSL. Don't do this.