在JVM中注册多个密钥库 [英] Registering multiple keystores in JVM
问题描述
我有两个应用程序在同一个java虚拟机上运行,并且都使用不同的密钥库和信任库。
I have two applications running in the same java virtual machine, and both use different keystores and truststores.
一个可行的选择是使用单个密钥库,其他的进入共享密钥库(例如keytool -import),但它真的会帮助我的需求,如果我可以使用单独的密钥库运行在同一个jvm中的单独的应用程序。
A viable option would be use a single keystore and import all the other ones into the shared keystore (e.g. keytool -import), but it would really help my requirements if I could use separate keystores for separate applications running in the same jvm.
我可以将密钥库和信任库设置为jvm参数或系统属性,如下所示:
I could set the keystore and truststores to be used as jvm parameters or system properties as follows:
java -Djavax.net.ssl.keyStore=serverKeys
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=serverTrust
-Djavax.net.ssl.trustStorePassword=password SSLApplication
或
System.setProperty("javax.net.ssl.keyStore","serverKeys")
此方法的问题是它指定要在JVM级别使用的密钥库/信任库,因此在同一JVM中运行的所有应用程序都将获得相同的密钥库/信任库。
But the problem with this approach is that it specifies the keystore/truststore to be used at a JVM level, thus all applications running in the same JVM gets the same keystore/truststore.
我也尝试创建自定义SSLContext并将其设置为默认值,但它也为在同一JVM中运行的所有应用程序设置上下文。
I have also tried creating a custom SSLContext and setting it as the default, but it also sets the context for all applications running in the same JVM.
SSLContext context = SSLContext.getInstance("SSL");
context.init(kms, tms, null);
SSLContext.setDefault(context);
我想要能够使用不同的密钥库/信任库而不修改单独的应用程序代码。
I want to be able use different keystores/truststores without modifying individual application codes.
除了jre中的默认keystore / certs之外,可以动态注册多个键存储的解决方案将是巨大的。
解决方案将以这种方式工作:
The solution will work in this way:
- JVM启动时,它从jre / certs文件夹加载所有默认的证书/密钥库
(没有指定密钥库时默认为java行为)。 - 当App 1加载它时,
- 那么当App 2加载它注册其密钥库...
请让我知道您的想法或解决方案。
提前感谢!
Please let me know your ideas or solutions. Thanks in advance!
推荐答案
使用ZZ Coder,sylvarking和Monkey Monkey的代码后,我找到了一个解决方案:
After playing with the code I have received from ZZ Coder, sylvarking and Software Monkey, I have found a solution that works:
首先,我写了一个X509KeyManager,它结合了自定义密钥库和默认密钥库。
First, I wrote a X509KeyManager that works combines a custom keystore and a default keystore.
class MultiKeyStoreManager implements X509KeyManager {
private static final Logger logger = Logger.getLogger(MultiKeyStoreManager.class);
private final X509KeyManager jvmKeyManager;
private final X509KeyManager customKeyManager;
public MultiKeyStoreManager(X509KeyManager jvmKeyManager, X509KeyManager customKeyManager ) {
this.jvmKeyManager = jvmKeyManager;
this.customKeyManager = customKeyManager;
}
@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
// try the first key manager
String alias = customKeyManager.chooseClientAlias(keyType, issuers, socket);
if( alias == null ) {
alias = jvmKeyManager.chooseClientAlias(keyType, issuers, socket);
logger.warn("Reverting to JVM CLIENT alias : " + alias);
}
return alias;
}
@Override
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
// try the first key manager
String alias = customKeyManager.chooseServerAlias(keyType, issuers, socket);
if( alias == null ) {
alias = jvmKeyManager.chooseServerAlias(keyType, issuers, socket);
logger.warn("Reverting to JVM Server alias : " + alias);
}
return alias;
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
X509Certificate[] chain = customKeyManager.getCertificateChain(alias);
if( chain == null || chain.length == 0) {
logger.warn("Reverting to JVM Chain : " + alias);
return jvmKeyManager.getCertificateChain(alias);
} else {
return chain;
}
}
@Override
public String[] getClientAliases(String keyType, Principal[] issuers) {
String[] cAliases = customKeyManager.getClientAliases(keyType, issuers);
String[] jAliases = jvmKeyManager.getClientAliases(keyType, issuers);
logger.warn("Supported Client Aliases Custom: " + cAliases.length + " JVM : " + jAliases.length);
return ArrayUtils.join(cAliases,jAliases);
}
@Override
public PrivateKey getPrivateKey(String alias) {
PrivateKey key = customKeyManager.getPrivateKey(alias);
if( key == null ) {
logger.warn("Reverting to JVM Key : " + alias);
return jvmKeyManager.getPrivateKey(alias);
} else {
return key;
}
}
@Override
public String[] getServerAliases(String keyType, Principal[] issuers) {
String[] cAliases = customKeyManager.getServerAliases(keyType, issuers);
String[] jAliases = jvmKeyManager.getServerAliases(keyType, issuers);
logger.warn("Supported Server Aliases Custom: " + cAliases.length + " JVM : " + jAliases.length);
return ArrayUtils.join(cAliases,jAliases);
}
}
然后,您可以使用此密钥库管理器在创建SSL上下文或SocketFactory时。该代码需要一些重构和整理,但它的工作完美。
Then, you can use this keystore manager when creating an SSL Context or SocketFactory. The code needs some refactoring and tidying up but it works perfectly.
/**
* Returns an array of KeyManagers, set up to use the required keyStore.
* This method does the bulk of the work of setting up the custom trust managers.
*
* @param props
*
* @return an array of KeyManagers set up accordingly.
*/
private static KeyManager[] getKeyManagers(Properties props) throws IOException, GeneralSecurityException {
// First, get the default KeyManagerFactory.
String alg = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory kmFact = KeyManagerFactory.getInstance(alg);
// Next, set up the KeyStore to use. We need to load the file into
// a KeyStore instance.
FileInputStream fis = new FileInputStream(props.getProperty(SSL_KEYSTORE));
logger.info("Loaded keystore");
KeyStore ks = KeyStore.getInstance("jks");
String keyStorePassword = props.getProperty(SSL_KEYSTORE_PASSWORD);
ks.load(fis, keyStorePassword.toCharArray());
fis.close();
// Now we initialise the KeyManagerFactory with this KeyStore
kmFact.init(ks, keyStorePassword.toCharArray());
// default
KeyManagerFactory dkmFact = KeyManagerFactory.getInstance(alg);
dkmFact.init(null,null);
// Get the first X509KeyManager in the list
X509KeyManager customX509KeyManager = getX509KeyManager(alg, kmFact);
X509KeyManager jvmX509KeyManager = getX509KeyManager(alg, dkmFact);
KeyManager[] km = { new MultiKeyStoreManager(jvmX509KeyManager, customX509KeyManager) };
logger.debug("Number of key managers registered:" + km.length);
return km;
}
/**
* Find a X509 Key Manager compatible with a particular algorithm
* @param algorithm
* @param kmFact
* @return
* @throws NoSuchAlgorithmException
*/
private static X509KeyManager getX509KeyManager(String algorithm, KeyManagerFactory kmFact)
throws NoSuchAlgorithmException {
KeyManager[] keyManagers = kmFact.getKeyManagers();
if (keyManagers == null || keyManagers.length == 0) {
throw new NoSuchAlgorithmException("The default algorithm :" + algorithm + " produced no key managers");
}
X509KeyManager x509KeyManager = null;
for (int i = 0; i < keyManagers.length; i++) {
if (keyManagers[i] instanceof X509KeyManager) {
x509KeyManager = (X509KeyManager) keyManagers[i];
break;
}
}
if (x509KeyManager == null) {
throw new NoSuchAlgorithmException("The default algorithm :"+ algorithm + " did not produce a X509 Key manager");
}
return x509KeyManager;
}
private static void initialiseManager(Properties props) throws IOException, GeneralSecurityException {
// Next construct and initialise a SSLContext with the KeyStore and
// the TrustStore. We use the default SecureRandom.
SSLContext context = SSLContext.getInstance("SSL");
context.init(getKeyManagers(props), getTrustManagers(props), null);
SSLContext.setDefault(context);
}
如果有任何问题或需要任何演示,
Let me know if anyone has any question or need any demonstration codes.
这篇关于在JVM中注册多个密钥库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
