Listing the certificates in the JVM trust store

Posted 2024-12-27 10:46:34


I've defined a custom truststore via system properties:

System.setProperty("javax.net.ssl.trustStore", ...);
System.setProperty("javax.net.ssl.trustStorePassword", ...);

Given that the VM already takes care of loading the file, I'd like to list those certificates that were loaded. I don't want to once again load the truststore into a stream and obtain the certificates from there, but rather I want to see those that the VM already loaded by itself. Also, I want to see them from within my own application, not using a separate tool. I've done some googling, but so far I've been unable to find this.


Comments (1)

遗忘曾经 2025-01-03 10:46:34


When they're used, JSSE uses these settings to build its default X509TrustManager (overriding the JRE default). However, there's nothing in the JSSE API to gain access to the keystore with which the default trust manager was built since, in the JSSE architecture, the default trust manager need not be built from a keystore in principle.

If you want to read the content of the trust store passed via the javax.net.ssl.trustStore* properties, you will have to open the file yourself.

The closest thing you can get hold of will be the default X509TrustManager using the default TrustManagerFactory.

EDIT:

For more details, you can look at the implementation in the OpenJDK.

The logic in sun.security.ssl.DefaultSSLContextImpl (not part of the public API) is to initialise the TrustManagerFactory with a KeyStore obtained from the TrustManagerFactoryImpl (which is not part of the public API either):

KeyStore ks = TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);

This is consistent with the behaviour of TrustManagerFactory with tmf.init(null). This would also have relied on the default keystore, but that's documented in the public API.
Indeed, the implementation (with tmf.init(null)) ends up doing the same, as shown in TrustManagerFactoryImpl (engineInit also calls getCacertsKeyStore when the keystore parameter is null).

In both cases, the KeyStore variable is not stored in a class member, it's just a local variable that is not accessible after using these initialisation methods.

The resulting X509TrustManagerImpl does indeed contain the list of trusted certificates, but (a) trustedCerts is a private member and (b) none of this is part of the public API of the JSSE.

EDIT 2:

If you want something that is likely to work most of the time, but is not guaranteed to work, this answer should help. Be aware that the default trust store isn't necessarily cacerts.
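The "closest thing" the answer describes, as an added example that is not code from the question or the answer: initialise the default TrustManagerFactory with a null KeyStore so JSSE resolves the trust store itself (honouring the javax.net.ssl.trustStore* properties), then read the trust anchors back through the public X509TrustManager.getAcceptedIssuers() method. It assumes the properties are set before the first TLS or TrustManagerFactory use in the JVM, and it flags anchors that are already expired, which is what a reviewer of a custom trust store usually wants to know.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ListTrustedIssuers {

    /** CA certificates the JVM's default X509TrustManager currently accepts. */
    static X509Certificate[] defaultTrustedIssuers()
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore makes JSSE pick the default trust store itself,
        // i.e. javax.net.ssl.trustStore* if set, otherwise jssecacerts/cacerts.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /** Subset of the trust anchors whose validity period has already ended. */
    static List<X509Certificate> expiredIssuers(X509Certificate[] issuers, Date now) {
        List<X509Certificate> expired = new ArrayList<>();
        for (X509Certificate c : issuers) {
            if (c.getNotAfter().before(now)) {
                expired.add(c);
            }
        }
        return expired;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] issuers = defaultTrustedIssuers();
        System.out.println(issuers.length + " trusted issuers loaded by the default trust manager");
        Date now = new Date();
        for (X509Certificate c : issuers) {
            String state = c.getNotAfter().before(now) ? "EXPIRED" : "valid";
            System.out.printf("%-7s notAfter=%tF  %s%n", state, c.getNotAfter(), c.getSubjectX500Principal());
        }
        System.out.println(expiredIssuers(issuers, now).size() + " expired anchors");
    }
}
```

Run it with -Djavax.net.ssl.trustStore=/path/to/store (and the password property) to confirm that the listing reflects the custom store rather than cacerts; if the JVM had already initialised JSSE before the properties were set, the output will still show the original default store.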
