keytool要求密码以读取Java证书ubuntu 18.04 [英] keytool asking for password to read java certificates ubuntu 18.04

问题描述

我重新安装了ubuntu 18.04.我的版本(例如Maven和Gradle)在访问存储库https时遇到问题，它显示的消息是:

I have a fresh installation of ubuntu 18.04. I'm having problems with my builds (e.g. Maven and Gradle) accessing a repository https, the message it shows is:

java.security.InvalidAlgorithmParameterException:trustAnchors参数必须为非空

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

当我尝试使用以下命令从密钥库访问证书时:

When I try to access the certificates from my keystore using the following command:

keytool -list -keystore /etc/ssl/certs/java/cacerts

系统提示输入密码，这不是问题，但是如果我按Enter键却没有输入密码，则不会显示任何条目.

I get prompted with a password, which is not a problem, but if I just press enter without inputting the password It does not show any of the entries.

如果输入密码，则所有证书均会正常显示.我要做的是将以下系统道具添加到我的所有Java应用程序中:javax.net.ssl.trustStorePassword=changeit

If I put the password, all the certificates appear normally. What I had to do is add to all my Java applications the following system prop: javax.net.ssl.trustStorePassword=changeit

然后一切正常.我在做什么错了?

Then everything works normally. What I'm doing wrong?

这是cacerts上的权限:

This is the permission on the cacerts right now:

-rw-r--r-- 1 root root 167K jun  8 11:21 /etc/ssl/certs/java/cacerts

，所以每个人都可以阅读.如果我尝试使用没有密码的列表:

so everyone can read. If I try to use list without a password:

keytool -list -keystore /etc/ssl/certs/java/cacerts                                                                             ✔  308  10:27:15 
Enter keystore password:  

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

with the password:keytool -list -keystore /etc/ssl/certs/java/cacerts                                                                             ✔  310  10:36:33 
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 134 entries

推荐答案

读取应该没有密码，只有写入操作需要输入密码

read should be password free, only write operations should need a password

您误解了密码的用途.该密码(实际上)是密钥库的解密密钥.无论文件系统权限如何，它都可以防止未经授权的读取.

You misunderstand the purpose of the password. The password is (in effect) a decryption key for the keystore. It protects against unauthorized reads, irrespective of file system permissions.

如果您希望/需要允许在没有密码的情况下读取 ，但要防止写入，则需要使用文件系统权限.以下问题与解答解释了如何删除默认密码:

If you want / need to allow reads without a password but protect against writes, you need to use file system permissions for that. The following Q&A explains how to remove the default password:

• 如何进入不受密码保护的Java密钥库或更改密码?

这是为什么控制写(而不是读)的密码无法工作的解释.

Here's an explanation why a password controlling write (and not read) cannot work.

假设无需密码即可读取可信密钥存储区.然后，用户可以执行以下操作:

Suppose that the trusted key store is readable without a password. A user could then do the following:

• 读取密钥库中的密钥
• 创建一个新的(空)密钥库
• 将密钥写入新的密钥库
• 重命名新的密钥库，以便它替换旧的密钥库.

这可以使用自定义Java应用程序或(可能)标准的keytool实用程序和mv命令来完成.

This could be done using a custom Java application or (probably) the standard keytool utility and the mv command.

唯一可以防止这种情况的方法是阻止应用程序(或用户)通过文件系统权限用新的密钥库替换旧的密钥库.如果您无法执行此操作(例如，因为用户具有管理员级别的访问权限)，那么就没有不存在安全漏洞的解决方案.

The only way that you can prevent this is to stop the application (or the user) from replacing the old keystore with the new one via file system permissions. If you can't do that (e.g. because the user has admin-level access) then there is no solution that doesn't have security holes.

这篇关于keytool要求密码以读取Java证书ubuntu 18.04的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！