JKS, BKS and PKCS12 file formats
Question
I am in the process of setting up a headless server that builds Phonegap hybrid apps for Android using data - JS, CSS, HTML + a keystore - provided by the user. I want to institute some basic client-side checks to ensure that the keystore being uploaded is valid. For JKS files I have found that I can do a rudimentary check by ensuring that the first four bytes of the supplied file are the magic number 0xFEEDFEED, as specified here. I realize that this does not eliminate the possibility that the user supplies garbage, but it does help as a preliminary client-side screen. I would like to implement similar screening for the PKCS12 and BKS keystores but have been unable to find any explanations of those file formats. I'd be most grateful to anyone who might be able to provide some information on the subject.
Accepted answer
First, two things to consider:
- JCEKS is missing from your list (the more secure version of JKS; its magic number is 0xCECECECE).
- There are two incompatible versions of BKS. The newer version was introduced with Bouncy Castle 1.47 and replaced the older version completely. Therefore BKS keystores that were generated with BC 1.47 or newer cannot be read with BC 1.46 or older. In BC 1.49 a new keystore type "BKS-V1" was added that is compatible with the older format (see the BC release notes).
The BKS format starts with a version number in the first 4 bytes and ends with a null byte and a SHA-1 hash (20 bytes).
PKCS#12 is not so easy to detect. You will have to parse it as an ASN.1 structure (see RFC 7292):
PFX ::= SEQUENCE {
version INTEGER {v3(3)}(v3,...),
authSafe ContentInfo,
macData MacData OPTIONAL
}
If it cannot be parsed as ASN.1, it's not PKCS#12.
For a more accessible explanation of the PKCS12 format check here.
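The checks the answer describes, turned into one runnable sniffer. This is an added example written for this page, not code from the answer or from Bouncy Castle; it works on raw bytes with the standard library only, so the same logic ports to a browser File/Uint8Array check or to the build server. Two assumptions: the BKS layout after the version int (salt length, salt, iteration count) is recalled from Bouncy Castle's BcKeyStoreSpi and is not stated in the answer, and all sample inputs are constructed stand-ins, not real keystores. A positive result only means "the container looks right"; the server must still load the upload with the real KeyStore implementation (keytool / java.security.KeyStore) before signing anything with it.

```python
"""Keystore container sniffer for uploaded files (added example, not from the answer).

Pre-screen only: it checks the container shape for JKS, JCEKS, BKS and PKCS#12
and proves nothing about integrity or passwords.
"""
import struct

JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
# BKS has no magic; the first big-endian int32 is the format version.
BKS_VERSIONS = {1: "BKS-V1", 2: "BKS"}
BKS_MAC_LEN = 20  # trailing HMAC-SHA1, preceded by a 0x00 end-of-entries byte


def _der_tlv(buf, pos):
    """Parse one DER tag-length header at pos; return (tag, value_start, value_end).

    Only definite lengths are accepted (indefinite-length BER is rejected),
    which matches what Java and OpenSSL write for PKCS#12.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def looks_like_pkcs12(blob):
    """Outer PFX shape from RFC 7292: SEQUENCE { INTEGER 3, ContentInfo SEQUENCE { OID ... } ... }."""
    try:
        tag, start, end = _der_tlv(blob, 0)
        if tag != 0x30 or end != len(blob):          # whole file is one SEQUENCE
            return False
        tag, vstart, vend = _der_tlv(blob, start)
        if tag != 0x02 or blob[vstart:vend] != b"\x03":  # version v3
            return False
        tag, cstart, _ = _der_tlv(blob, vend)
        if tag != 0x30:                               # authSafe ContentInfo
            return False
        tag, _, _ = _der_tlv(blob, cstart)
        return tag == 0x06                            # contentType OID
    except ValueError:
        return False


def looks_like_bks(blob):
    """BKS: int32 version, then (assumed from BcKeyStoreSpi, not stated in the answer)
    int32 salt length, salt, int32 iteration count, entries, 0x00 terminator, 20-byte MAC."""
    if len(blob) < 4 + 4 + 4 + 1 + BKS_MAC_LEN:
        return None
    version, salt_len = struct.unpack(">II", blob[:8])
    if version not in BKS_VERSIONS or not 1 <= salt_len <= 64:
        return None
    iter_pos = 8 + salt_len
    if iter_pos + 4 + 1 + BKS_MAC_LEN > len(blob):
        return None
    (iterations,) = struct.unpack(">I", blob[iter_pos:iter_pos + 4])
    if iterations == 0 or blob[-(BKS_MAC_LEN + 1)] != 0x00:
        return None
    return BKS_VERSIONS[version]


def sniff_keystore(blob):
    """Return 'JKS', 'JCEKS', 'PKCS12', 'BKS', 'BKS-V1' or 'unknown'."""
    if len(blob) < 4:
        return "unknown"
    (magic,) = struct.unpack(">I", blob[:4])
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if looks_like_pkcs12(blob):
        return "PKCS12"
    return looks_like_bks(blob) or "unknown"


# --- constructed sample inputs (stand-ins, not real keystores) ---------------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


_PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")  # id-data
SAMPLE_PKCS12 = _der(0x30, _der(0x02, b"\x03") + _der(
    0x30, _der(0x06, _PKCS7_DATA_OID) + _der(0xA0, _der(0x04, b"\x30\x00"))))
SAMPLE_JKS = struct.pack(">II", JKS_MAGIC, 2) + b"\x00" * 16
SAMPLE_BKS = (struct.pack(">II", 2, 20) + b"\x11" * 20 + struct.pack(">I", 1024)
              + b"\x00" + b"\x22" * BKS_MAC_LEN)

if __name__ == "__main__":
    for name, blob in [("pkcs12", SAMPLE_PKCS12), ("jks", SAMPLE_JKS),
                       ("bks", SAMPLE_BKS), ("pem", b"-----BEGIN CERTIFICATE-----")]:
        print(name, "->", sniff_keystore(blob))
```

The PKCS#12 check deliberately requires the outer SEQUENCE to span the whole file, so a valid PFX with trailing bytes is rejected rather than passed through; a PEM-encoded PKCS#12 (base64 text) is also reported as unknown and should be decoded before sniffing.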