Listing certificates in JVM trust store

Problem description

I've defined a custom truststore via system properties:

System.setProperty("javax.net.ssl.trustStore", ...);
System.setProperty("javax.net.ssl.trustStorePassword", ...);

Given that the VM already takes care of loading the file, I'd like to list those certificates that were loaded. I don't want to once again load the truststore into a stream and obtain the certificates from there, but rather I want to see those that the VM already loaded by itself. Also, I want to see them from within my own application, not using a separate tool. I've done some googling, but so far I've been unable to find this.

Accepted answer

When they're used, JSSE uses these settings to build its default X509TrustManager (overriding the JRE default). However, there's nothing in the JSSE API to gain access to the keystore with which the default trust manager was built since, in the JSSE architecture, the default trust manager need not be built from a keystore in principle.

If you want to read the content of the trust store passed via the javax.net.ssl.trustStore* properties, you will have to open the file yourself.

The closest thing you can get hold of will be the default X509TrustManager using the default TrustManagerFactory.

Edit:

For more details, you can look at the implementation in the OpenJDK.

The logic in sun.security.ssl.DefaultSSLContextImpl (not part of the public API) is to initialise the TrustManagerFactory with a KeyStore obtained from the TrustManagerFactoryImpl (which is not part of the public API either):

KeyStore ks = TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);

This is consistent with the behaviour of TrustManagerFactory with tmf.init(null). This would also have relied on the default keystore, but that's documented in the public API. Indeed, the implementation (with tmf.init(null)) ends up doing the same, as shown in TrustManagerFactoryImpl (engineInit also calls getCacertsKeyStore when the keystore parameter is null).

In both cases, the KeyStore variable is not stored in a class member, it's just a local variable that is not accessible after using these initialisation methods.

The resulting X509TrustManagerImpl does indeed contain the list of trusted certificates, but (a) trustedCerts is a private member and (b) none of this is part of the public API of the JSSE.

Edit 2:

If you want something that is likely to work most of the time, but is not guaranteed to work, this answer should help. Be aware that the default trust store isn't necessarily cacerts.
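The closest public-API approximation the answer describes, written out as an added example (this is not the answerer's code): initialise the default TrustManagerFactory with a null KeyStore, which makes JSSE load the trust store named by the javax.net.ssl.trustStore* properties (or its built-in default), then ask the resulting X509TrustManager for its accepted issuers. The class name and output format are my own choices; the properties are assumed to be set before the factory is initialised, and the list reflects what the trust manager accepts, not a guarantee of which file it came from.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ListDefaultTrustAnchors {

    // Render a digest as lower-case hex, e.g. for comparing against a vendor's published fingerprint.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // init(null) tells JSSE to use its default trust store: the file named by
        // javax.net.ssl.trustStore (with trustStorePassword/trustStoreType) if set,
        // otherwise the JRE's own default (jssecacerts or cacerts).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue; // only X.509 trust managers expose their anchors
            }
            X509TrustManager xtm = (X509TrustManager) tm;
            for (X509Certificate cert : xtm.getAcceptedIssuers()) {
                count++;
                // Subject, expiry and SHA-256 fingerprint of the DER encoding are the
                // fields an operator usually wants when auditing what the VM trusts.
                System.out.printf("%s%n  expires: %s%n  sha256:  %s%n",
                        cert.getSubjectX500Principal().getName(),
                        cert.getNotAfter(),
                        hex(sha256.digest(cert.getEncoded())));
            }
        }
        System.out.printf("%d trust anchor(s) accepted by the default X509TrustManager%n", count);
    }
}
```

Run it with -Djavax.net.ssl.trustStore=/path/to/store (and the password property) to see exactly the set the VM will accept for that configuration; an expired anchor or an unexpected subject in this list is what a defender is looking for.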
