What is Keystore?


Problem description

I got:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
.
.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.
ValidatorException: PKIX path building failed: sun.security.provider.
certpath.SunCertPathBuilderException: unable to find valid certification 
path to requested target

Searching on how to resolve this exception I have come across the term Keystore which I do not understand. What is Keystore in simple terms? How it is related to SSL?

Recommended answer

Keystore in Java can refer to three things, depending on the context. (They're all closely related but subtly different.)

  • A keystore can be a repository where private keys, certificates and symmetric keys can be stored. This is typically a file, but the storage can also be handled in different ways (e.g. cryptographic token or using the OS's own mechanism.)

  • KeyStore is also a class which is part of the standard API. It is essentially a way to load, save and generally interact with one of the "physical" keystores as described above. A KeyStore can also be purely in memory, if you just need the API abstraction for your application.

How to load and handle such a KeyStore instance depends on the format of the keystore file (or other storage system) that backs it. Multiple formats are available. Some of the most common are JKS and PKCS#12 (.p12).

keystore"也可以用作truststore"的对应物.这就是它可能令人困惑的地方,因为密钥库"和信任库"都是密钥库,它们只是用于不同的目的.您可以在此答案中找到更多详细信息.密钥库用于初始化密钥管理器,而信任库用于初始化信任管理器.来自 JSSE 参考指南:

"keystore" can also be used as the counterpart of "truststore". This is where it can get confusing, since both "keystore" and "truststore" are keystores, they're just used for different purposes. You can find more details in this answer. The keystore is used to initialise the key manager, whereas the truststore is used to initialise the trust manager. From the JSSE reference guide:

  • A TrustManager determines whether the remote authentication credentials (and thus the connection) should be trusted.

  • A KeyManager determines which authentication credentials to send to the remote host.

Essentially, a keystore used as a truststore will contain a number of (CA) certificates that you're willing to trust: those are the trust anchors you are going to use to verify remote certificates you don't already know and trust. In contrast, a keystore used as a keystore will contain your own certificate and its private key: this is what you're going to use to authenticate yourself to a remote party (when required).

There is a default truststore bundled with the JRE (/lib/security/cacerts). There isn't a default keystore, since it's usually a more explicit step for the user.

In the context of SSL/TLS, a keystore (keystore used as a keystore) will be where a server stores its certificate and private key (or, when client-certificate authentication is used, where the client stores its certificate and private key). A truststore (keystore used as a truststore) will be where the client stores the CA certificates of the CAs it is willing to trust, so as to be able to verify the server certificate when making a connection to an SSL/TLS server (similarly, on the server side, this is also where the CA certificates used to verify the client certificates are stored).

Typically, the error you're getting ("ValidatorException: PKIX path building failed") happens when the certificate of the server you're connecting to cannot be verified using any certificate in the truststore you're using. You would generally need to have in your truststore either the server certificate directly in your truststore (which is only manageable on a small scale) or the CA certificate of the CA used to issue that server certificate (or one of the certificates in the chain it presents, when there is a chain).
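As an added example (not part of the original question or answer), the PKIX check behind this error can be run outside the TLS handshake to see which trust anchor, if any, a server chain ends at. The program loads a truststore (the JRE's bundled cacerts by default; the PEM chain path, truststore path, keystore type and password are command-line assumptions) and asks CertPathBuilder to build a path from the leaf certificate to one of the truststore's trusted certificate entries.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TrustStoreCheck {
    // Load a keystore file; type is "PKCS12" or "JKS" (KeyStore.getDefaultType() is PKCS12 on modern JDKs).
    static KeyStore loadKeyStore(Path file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, password); }
        return ks;
    }

    // Parse a PEM file holding the server certificate followed by its intermediates (leaf first).
    static List<X509Certificate> readChain(Path pem) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        return chain;
    }

    // Same PKIX path building the handshake performs: returns the trust anchor (a trusted certificate
    // entry in the truststore) that terminates the path, or null when no anchor matches.
    static X509Certificate findTrustAnchor(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        X509CertSelector leaf = new X509CertSelector();
        leaf.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check only; a real client should keep revocation on
        try {
            CertPathBuilderResult r = CertPathBuilder.getInstance("PKIX").build(params);
            return ((PKIXCertPathBuilderResult) r).getTrustAnchor().getTrustedCert();
        } catch (CertPathBuilderException e) {
            return null; // the "unable to find valid certification path to requested target" case
        }
    }

    // Usage: java TrustStoreCheck chain.pem [truststore [type [password]]]; defaults to the JRE's
    // bundled cacerts, whose documented default password is "changeit".
    public static void main(String[] args) throws Exception {
        Path trustFile = args.length > 1 ? Path.of(args[1])
                : Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        char[] pw = (args.length > 3 ? args[3] : "changeit").toCharArray();
        X509Certificate anchor = findTrustAnchor(loadKeyStore(trustFile, type, pw), readChain(Path.of(args[0])));
        System.out.println(anchor == null ? "PKIX path building failed: no trust anchor in " + trustFile
                : "Trusted via anchor " + anchor.getSubjectX500Principal());
    }
}
```

A null result reproduces the condition behind the question's exception; the fix is to add the issuing CA certificate (or, at small scale, the server certificate itself) to the truststore the client actually uses.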
