在 Google App Engine Java 应用程序中加载自定义密钥存储 [英] Loading a custom key store in Google App Engine Java application
问题描述
我想使用 HTTPS 连接rel="noreferrer">URLFetch 服务.为了能够验证我的应用程序与之通信的服务器的 SSL 证书,我使用了自己的密钥库文件.当我的应用程序运行时,我想在 预热请求 中读取此文件即在执行任何 HTTPS 请求之前加载.密钥库文件是我的 WAR 文件的一部分.
I want to open a HTTPS connection in a Google App Engine app using the URLFetch service. To be able to verify the SSL certificate of the server my app is talking to, I am using my own keystore file. I want to read this file in a warmup request when my app is loaded i.e. before any HTTPS requests are performed. The keystore file is part of my WAR file.
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(ClassLoader.getSystemResourceAsStream("myKeystoreFile"), "password".toCharArray());
trustManagerFactory.init(keystore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustManagers, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
但是,我不能使用这种方法,因为虽然 HttpURLConnection 在 GAE 的 JRE 白名单中,但 HttpsUrlConnection 不在.
I cannot use this approach, however, because while HttpURLConnection is on the GAE's JRE whitelist, HttpsUrlConnection is not.
是否有另一种方法可以在 GAE 中使用自定义密钥库?我在 GAE 文档中没有找到任何关于此的信息.看起来虽然 Google 的 URLFetch 服务支持 HTTPS,但无法自定义密钥库.这是正确的吗?
Is there another way to use a custom keystore in GAE? I did not find any information on this in the GAE docs. It looks like while Google's URLFetch service supports HTTPS, the keystore cannot be customized. Is this correct?
如果这是不可能的,那么该方法在一般情况下仍然有效吗?或者是否有不同的方法仍然允许我验证 SSL 证书?
If this isn't possible, is the approach still valid in general? Or is there a different approach that does still allow me to verify the SSL certificate?
更新
2009 年,来自 Google 的 App Engine 开发人员 Nick Johnson 在 https://groups.google.com/d/topic/google-appengine-python/C9RSDGeIraE/discussion:
In 2009, App Engine developer Nick Johnson from Google said on https://groups.google.com/d/topic/google-appengine-python/C9RSDGeIraE/discussion:
urlfetch API 不允许您指定自己的客户端证书,所以不幸的是你想要实现的不是目前可能.
The urlfetch API doesn't allow you to specify your own client certificates, so unfortunately what you want to achieve is not currently possible.
这仍然正确吗?如果 App Engine 中的每个 HTTP(s) 请求都依赖于 URLFetch,这意味着在 GAE 中根本无法使用自定义证书.
Is this still correct? If every HTTP(s) request in App Engine relies on URLFetch this would mean that custom certificates just cannot be used at all in GAE.
推荐答案
您应该注册为 受信任的测试人员 出站套接字支持.在所需功能下,他们使用 SSL.如果支持 JDK SSL API 的更多部分,构建这样的东西会很简单.
You should sign up as a trusted tester for Outbound sockets support. Under Desired Features they enlist SSL. If more parts of the JDK SSL API would be supported building something like this would be simple.
这篇关于在 Google App Engine Java 应用程序中加载自定义密钥存储的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
