在文件系统上直接使用PEM编码CA证书进行HTTPS请求？ [英] Use PEM Encoded CA Cert on filesystem directly for HTTPS request?

问题描述

这类似于将PEM导入Java密钥库。但问题的答案是使用OpenSSL进行转换和工具将它们导入文件系统的密钥存储区。

This is similar to Import PEM into Java Key Store. But the question's answers use OpenSSL for conversions and tools to import them into key stores on the file system.

我正在尝试使用格式良好的X509证书作为信任anchor：

I'm trying to use a well formed X509 certificate as a trust anchor:

static String CA_FILE = "ca-rsa-cert.pem";

public static void main(String[] args) throws Exception
{
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(CA_FILE), null);

    TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);

    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, tmf.getTrustManagers(), null);

    // Redirected through hosts file
    URL url = new URL("https://example.com:8443");

    HttpsURLConnection connection = (HttpsURLConnection) url
            .openConnection();
    connection.setSSLSocketFactory(context.getSocketFactory());

    ...
}

当我试图跑步时该程序，我收到一个错误：

When I attempt to run the program, I get an error:

$ java TestCert 
Exception in thread "main" java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1214)
    at TestCert.main(TestCert.java:30)

我也试过 KeyStore ks = KeyStore.getInstance（PEM）; 和 getInstance（X509 ）; ，但它们也不起作用。

I also tried KeyStore ks = KeyStore.getInstance("PEM"); and getInstance("X509");, but they did not work either.

我知道Java支持PEM和DER编码证书，因为这是Web服务器发送到的一个客户。但没有一个 KeyStoreType 似乎符合我的需求，所以我怀疑我没有使用正确的API。

I know Java supports PEM and DER encoded certificates because that's what a web server sends to a client. But none of the KeyStoreType's seem to match my needs, so I suspect I'm not using the right APIs for this.

我想直接使用它们并且不将它们导入长寿 KeyStore 的原因是：

The reasons I want to use them directly and not import them into a long-lived KeyStore are:

1. 有数百个要测试的PEM证书


2. 证书在我的文件系统上


3. 使用来自的证书文件系统与我的工作流程相匹配


4. 我不想使用 openssl 或 keytool


5. 我不想进行密钥存储维护

1. There are hundreds of PEM certs to test
2. The certs are on my filesystem
3. Using certs from the filesystem matches my workflow
4. I don't want to to use openssl or keytool
5. I don't want to perform key store maintenance

如何进行在文件系统上采用格式良好的PEM编码证书并直接使用它？

How does on take a well formed PEM encoded certificate on the filesystem and use it directly?

推荐答案

我在尝试另外做的时候找到了答案方式为KeyStore.TrustedCertificateEntry设置证书？。它基于Vit Hnilica在从密钥库加载证书的答案。由于大多数Stack Overflow的答案都以使用 openssl 转换开头，然后使用 keytool ...。

I found the answer while trying to do this another way at Set certificate for KeyStore.TrustedCertificateEntry?. Its based on Vit Hnilica's answer at loading a certificate from keystore. I"m going to leave the question with this answer since most Stack Overflow answers start with "convert with openssl, then use keytool ...".

String CA_FILE = ...;

FileInputStream fis = new FileInputStream(CA_FILE);
X509Certificate ca = (X509Certificate) CertificateFactory.getInstance(
        "X.509").generateCertificate(new BufferedInputStream(fis));

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
ks.setCertificateEntry(Integer.toString(1), ca);

TrustManagerFactory tmf = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
...

这篇关于在文件系统上直接使用PEM编码CA证书进行HTTPS请求？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！