Spring Boot: One-way SSL forces key store configuration on client side

Views: 62

Problem description

Let me preface this with the fact that Java security is not an area I'm well versed in.

I have a number of Spring Boot services that communicate via REST calls. When I configure to use SSL/HTTPS, I need to provide access and configuration for various certificate files and related information. Currently, we are doing only one-way verification. Two-way verification may come at a later time.

My understanding of how this works for one-way verification is that the client has access to a trust store that contains public key information about any servers that it will interact with. A given server will have a key store containing its key information (I assume both public and private). When the client attempts to invoke a server, there is some key information exchanged between the two and the client verifies whether the server's key information is contained in its trust store. If so, all is good and the process proceeds. If not, the call is rejected. I am also under the impression that the client needs no key store information, since it will not be called by anything.

When I configure the services to use SSL, I need to set a number of SSL properties, like the following:

server:
  port: <some port>
  ssl:
    enabled: true
    protocol: TLS
    trust-store-type: JKS
    trust-store: classpath:server.truststore
    trust-store-password: <password>
    key-store-type: JKS
    key-store: classpath:server.keystore
    key-store-password: <password>
    key-alias: <alias>

The above is an example for a server service. On a slight tangent, I would think that a "server" service that never calls anything else would have no need for the trust store information.

For a client service that is never called by anything, I would think that I should be able to leave out the key store related information. Something like the following:

server:
  port: <some port>
  ssl:
    enabled: true
    protocol: TLS
    trust-store-type: JKS
    trust-store: classpath:server.truststore
    trust-store-password: <password>

Obviously it needs the trust store information, but I think it should not need any key store information, since it's not needed.

I am not allowed to do this, however. If I attempt to leave out the key store properties, the application will fail complaining that it cannot load key store 'null'. The Spring Boot application startup process seems to require key store properties to be specified if SSL is enabled, regardless of whether it's needed.

Is there a way to work around this?

Recommended answer

For one-way SSL with a Spring Boot app as a consumer, for example a REST service consumer, only the trust store is required to be set up; there is no need for the key store, as per the PKI infrastructure. However, if you choose to use application.properties to specify the trust store, you have to specify a key store as well, which is a bit bizarre, but there is a workaround if you are ok with specifying the trust store in the code using the following two pieces of code anywhere:

System.setProperty("javax.net.ssl.trustStore", new File("YourTrustStore.jks").getAbsolutePath());

To create a trust store using keytool

keytool -keystore YourTrustStore.jks -alias MyCA -import -file C:/temp/ca.cer
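As an added example (not code from the asker or the answerer), the following wires the trust store into a single RestTemplate instead of the JVM-wide javax.net.ssl.trustStore property used in the answer; the class name, trust store path and password are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper (not from the original post): a REST client that trusts only the
// CAs in a JKS trust store. No key store is loaded, because in one-way TLS the client
// verifies the server and presents no certificate of its own. Note that server.ssl.*
// in application.yml only configures the embedded server's listener, not outbound calls.
public final class OneWayTlsClient {

    // Loads the trust store and builds an SSLContext with trust managers only.
    public static SSLContext trustStoreOnlyContext(Path trustStore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ts.load(in, password); // the password only protects the store's integrity
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null KeyManagers: no client cert
        return ctx;
    }

    // Applies the context to one RestTemplate instead of the whole JVM, keeping the
    // default hostname verifier so the server certificate must match the host name.
    public static RestTemplate restTemplate(SSLContext ctx) {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection conn, String method) throws IOException {
                if (conn instanceof HttpsURLConnection) {
                    ((HttpsURLConnection) conn).setSSLSocketFactory(ctx.getSocketFactory());
                }
                super.prepareConnection(conn, method);
            }
        };
        return new RestTemplate(factory);
    }
}
```

Create the client with `restTemplate(trustStoreOnlyContext(Path.of("YourTrustStore.jks"), password))` and expose it as a @Bean; the client-side YAML from the question then needs no key-store entries at all.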
