如何将多个信任库路径添加到“java.net.ssl.trustStore”？ [英] How to add multiple truststore paths to “java.net.ssl.trustStore”?

问题描述

我希望我的Java代码在一个密钥库中搜索服务器的CA证书...如果它无法找到特定的证书（我认为只有当我尝试通过LDAP连接到Directory Server时才会知道） ，它应该在另一个密钥库中寻找证书，我知道它的路径。

I want my Java Code to search for CA certificate of the server in one keystore... if it is unable to find the specific certificate (which I think will be known only when I try to connect via LDAP to Directory Server), it should look for the certificate in another keystore, whose path I know.

我试过这个：

System.setProperty（javax.net.ssl.trustStore，System.getProperty（java.home）+/ lib / security / cacerts+ System.getProperty（path.separator） + path / to / second / keystore）;

但它似乎不起作用。

只添加一个路径（其中任何一个）都有效，即如果找到证书就会像魅力一样运行，否则就会失败。

Adding only one path (either of them) works, i.e. it runs like charm if certificate is found and fails if not.

所以我的问题是：

1. 是否有方法将多重密钥库路径添加到javax.net.ssl.trustStore？

1. Is there a method to add multpile keystore paths to javax.net.ssl.trustStore?

如果不可能我应该如何编写我的代码（我要求算法），这样它就不会在f之后抛出异常第一次搜索并失败？

If it is not possible how should I write my code (I am asking for the algorithm) so that it just not throw Exception after first search itself and fail?

P.S。 ：我对Java不太熟悉。

P.S. : I am not much familiar with Java.

以下是我的代码的相关部分：

Below is the relevant section of my code:

if(useSSL)
{
  try 
  {   
    SSLContext se = SSLContext.getInstance("TLS");
    Security.addProvider(se.getProvider());
  }   
  catch(NoSuchAlgorithmException e) { }

  System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");

  com.org.ldap.LDAPSocketFactory ssf = new LDAPJSSESecureSocketFactory();
  LDAPConnection.setSocketFactory(ssf);
}

try 
{   
  lc = new LDAPConnection();
  lc.connect( ldapServer, ldapPort);
  lc.bind( ldapVersion,  ldapUser, (userInfo[1]).getBytes() );
}
catch (LDAPException le)
{
  le.printStackTrace();
}

推荐答案

你不能有多个 javax.net.ssl.trustStore的路径。

最简单的方法是制作JRE的本地副本 cacerts 并将证书从您的其他商店导入其中（有效地合并它们）。 （参见 keytool -importkeystore 。）

The easiest would be to make a local copy of the JRE's cacerts and import the certificates from your other store into it (effectively merging them). (See keytool -importkeystore.)

否则，如果您事先知道所有LDAP连接都将使用您的第二个密钥库（并且您还希望能够将默认信任库用于其他非相关连接），您可以仅为该 SSLSocketFactory 配置该信任存储。我不熟悉 com.org.ldap.LDAPSocketFactory ，但它可能有一个选项可以这样做。 （否则，您可以创建使用第二个信任库初始化的自定义 SSLContext 并获取 SSLSocketFactory ，如这个答案）。

Otherwise, if you know in advance that all your LDAP connections will use your second keystore (and you also want to be able to use the default truststore for other, non-related connections), you could configure that trust store for that SSLSocketFactory only. I'm not familiar with com.org.ldap.LDAPSocketFactory, but it might have an option to do so. (Otherwise, you could create your custom SSLContext initialised with your second truststore and get an SSLSocketFactory, as described in this answer).

另一种更复杂的方式是创建一个自定义 X509TrustManager ，它包装默认信任管理器，捕获其异常并再次尝试使用您的第二个商店初始化的另一个信任管理器。这是可行的，但如果信任管理员都不接受您的证书，您需要确保它仍然会抛出异常（否则会出现安全漏洞）。如果你不熟悉JSSE API（或Java），它可能不是最好的选择。

Another, more complicated way, would be to create a custom X509TrustManager that wraps the default trust manager, catches its exceptions and tries again with another trust manager initialised using your second store. It's feasible, but you'd need to make sure it still throws the exception if neither trust managers accept your certificate (otherwise, there would be a security hole). If you're not familiar with the JSSE API (or Java altogether), it's probably not the best option.

另外，使用<$ c $时要小心c>您的代码中的System.setProperty（javax.net.ssl.trustStore，...）：它是读取初始化默认 SSLContext ，但默认 SSLContext 仅在第一次需要时初始化一次。之后设置此系统属性将不起作用（当然，除非其他库中的其他类也依赖于此值）。

In addition, be careful when you use System.setProperty("javax.net.ssl.trustStore", ...) in your code: it is what's read to initialise the default SSLContext, but the default SSLContext is only initialised once, the first time it's required. Setting this system property afterwards would have no effect (unless of course, other classes from other libraries also rely on this value).

目前还不清楚你要用这个来实现什么，因为你总能成功添加一个已经存在的安全提供者：

It's also not clear what you're trying to achieve with this, since you'll always ever succeed to add a security provider that's already there:

  try 
  {   
    SSLContext se = SSLContext.getInstance("TLS");
    Security.addProvider(se.getProvider());
  }   
  catch(NoSuchAlgorithmException e) { }

这篇关于如何将多个信任库路径添加到“java.net.ssl.trustStore”？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！