JKS与PKCS12进行代码签名的优点是什么? [英] What are the merits of JKS vs PKCS12 for code signing?
问题描述
购买代码签名证书时,从PKCS12与JKS证书开始的优点是什么?一些供应商提供了有关开始JKS或PKCS12证书签名请求的说明。我们希望在使用购买的证书时具有最大的灵活性,尤其是考虑到成本。例如,我们可能不仅对Java代码进行签名(例如:iPhone或Android代码签名)。选择任何一种方法时,我们应考虑哪些技术方面的考虑?
如果您使用Java,则Java密钥库这是一个非常自然的存储私钥的地方。Java应用程序通常希望从JKS获得所需的密钥,并且可以轻松地从您自己的Java应用程序进行访问。但是,无法从Java外部访问JKS(无需跳几圈)。
PKCS#12(又名PFX)文件是一种语言-中性的方式来存储加密的私钥和证书,并且已经存在了很长的时间,几乎所有地方都支持它。不过请注意,文件格式极其复杂且过于笼统-请看一下Peter Gutmann的 PFX-如何不设计加密协议/标准( http://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html )
请注意,使用一种或其他存储格式确实是有关应用程序如何存储加密私钥的问题当地。向您出售证书的供应商将永远不会看到私钥,因此他不在乎您使用哪种格式。您向他(供应商/ CA)发送PKCS#10证书请求(包含公钥并使用私钥签名,但不包含私钥),然后他向您发回证书(可以将其存储在JKS或
从技术上讲,这两种格式都不是理想的,因为它们都通过用a加密来保护私钥。从密码派生的密钥;但是,这并不能使任何一个都比另一个更好。如果您可以使用智能卡或其他硬件密钥存储解决方案,则安全性(虽然不方便)会更好。
决定选择的主要因素应该是您计划使用哪种方式。私钥-即:哪些应用程序将需要使用私钥以及它们已经处理过的密钥存储格式。 PKCS#12是更灵活的选择……但是,如果您打算仅将密钥与自己编写的代码一起使用(不需要互操作性),则还可以考虑使用PKCS#8或PKCS#15容器。
我不建议您编写自己的代码来处理PKCS#12(我这样做了,很有趣)-使用经过验证的第三方库(例如OpenSSL)。 / p>
When buying a code-signing certificate, what are the merits of starting with a PKCS12 versus JKS certificate? Some vendors give instructions on starting with a JKS or PKCS12 certificate signing request. We'd like to have maximum flexibility in using a purchased cert, especially given the cost. For example, we may be signing more than just Java code (ex: iPhone or Android code signing). What technical considerations should we take into account when choosing either approach?
If you're working in Java then the Java Key Store is a fairly natural place to store private keys.Java applications typically expect to get the keys they need from JKS, and it's easy to access from your own Java apps. JKS is not accessible (without jumping through a few hoops) from outside Java, though.
PKCS#12 (aka PFX) files, on the other hand are a language-neutral way to store encrypted private keys and certificates, and has been around long enough that it's supported just about everywhere. Note, though, that the file format is horribly over-complex and over-general -- have a look at Peter Gutmann's "PFX - How Not to Design a Crypto Protocol/Standard" (http://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html) for a light-hearted view of the problems.
Note that the use of one or other of these storage formats is really an issue about how your application will store encrypted private keys locally. The vendor who sells you your certificate will never see the private key so he doesn't care what format you use. You send him (the vendor/CA) a PKCS#10 certificate request (containing the public key and signed using the private key, but NOT containing the private key) and he sends you back a certificate (which you can store in JKS or in the PKCS#12 file or both, or anywhere else that takes your fancy).
Technically, neither format is ideal as they both protect the private key by encrypting it with a key derived from a password; this doesn't make either one better than the other, though. Security (though not convenience) is better if you can use a smartcard or other hardware key storage solution.
The main factor determining your choice should be how you plan to use the private key -- that is: what applications will need to use the private key and what format(s) of key store do they already handle. PKCS#12 is the more flexible option ... but if you intend to use the key only with code that you write yourself (interoperability not required) then you might also consider using PKCS#8 or PKCS#15 containers.
I can't recommend writing your own code to handle PKCS#12 (I've done it, not fun) -- use a proven third-party library (like OpenSSL).
这篇关于JKS与PKCS12进行代码签名的优点是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
