What is the difference between a PKCS12 keystore and a PKCS11 keystore?


Question


I'm interested in Java-NSS libraries, and I'm reading Sun's P11 Guide. I am confused on the following:

What is the difference between using a PKCS12 keystore and a PKCS11 keystore?

A keystore is just a keystore, right? Are there some differences? Can they be used interchangeably in any aspect?

Solution

PKCS#12 is a file format (often called .p12 or .pfx) where you can store a private key and certificates. It's used for converting/transporting keys and certificates, mainly. If you export a private key + certificate from your browser, it's likely going to be in that format.

PKCS#11 is an interface, usually used to talk to hardware cryptographic tokens (often smart-cards or USB-tokens, which effectively are smart-cards embedded in a reader). This interface has a number of operations to make use of the keys and certificates. Some tokens are able to sign using the private key they contain, without the key being able to leave the device. The point of this interface is to treat what handles the keys and certificates as a separate entity, without having to do the cryptographic operations that PKCS#11 offers (more specifically, the ones related to the private key).

When you use PKCS#11 with NSS, you're effectively using NSS as a black-box wrapped behind the PKCS#11 layer (it's effectively a software provider for what a PKCS#11 hardware token would be). There is a slight difference in the way Java uses NSS via PKCS#11 in that it doesn't require a PKCS#11 shared library (compared to other PKCS#11 libraries), so as such, it's not PKCS#11 strictly speaking, although it's very similar.

In Java, you may be able to get an RSAPrivateKey instance from a PKCS#11 store, use it to sign and decipher, without ever being able to get anything from its modulus. The security provider handling it will do the signing/deciphering via the library (and thus via the token, if that library is supported by a hardware token).

Coming back to the KeyStore in Java, it's an API that can allow you to load and use keys and certificates from files (you get various file formats such as JKS, PKCS#12, PEM, depending on your security provider) or from other underlying APIs (such as PKCS#11, more or less merged with NSS in the Sun provider, or the KeychainStore if you're on OSX and want to use the KeyChain as a KeyStore).
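The two halves of the answer above (PKCS#12 as a file you read into a `KeyStore`, PKCS#11 as a live provider whose private key never leaves the token) side by side, as an added example that is not part of the original question or answer. Both stores are loaded through the same `java.security.KeyStore` API, both are used to sign the same bytes with `SHA256withRSA`, and the only observable difference is whether `PrivateKey.getEncoded()` hands back key material. Everything named here is an assumption: a file `signer.p12` produced by the `keytool` command in the comment, a SunPKCS11 config file `pkcs11.cfg` pointing at a SoftHSMv2 library (any PKCS#11 `.so` will do), an alias `signer` present in both stores, the store password `changeit` and the token PIN `1234`. The `Provider.configure` call is the Java 9+ way of instantiating SunPKCS11; on Java 8 you would construct `sun.security.pkcs11.SunPKCS11` directly instead.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

/**
 * Added example (not code from the original answer).
 *
 * Assumptions (all hypothetical names, see the lead-in):
 *   - signer.p12 was created with, e.g.:
 *       keytool -genkeypair -alias signer -keyalg RSA -keysize 2048 \
 *               -storetype PKCS12 -keystore signer.p12 -storepass changeit \
 *               -dname "CN=example"
 *   - pkcs11.cfg is a SunPKCS11 config such as:
 *       name = softhsm
 *       library = /usr/lib/softhsm/libsofthsm2.so
 *       slot = 0
 *     and the token behind it holds an RSA key pair plus certificate
 *     labelled "signer".
 */
public class KeyStoreCompare {

    /** Constructed input to sign; any bytes would do. */
    static final byte[] MESSAGE = "hello".getBytes(StandardCharsets.UTF_8);

    /** PKCS#12: the store is a file on disk; the password decrypts the key bag. */
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * PKCS#11: the "store" is a session with the token behind the configured
     * shared library. There is no InputStream to read; the password is the
     * token PIN, which SunPKCS11 uses for C_Login when a private key is touched.
     */
    static KeyStore loadPkcs11(String configPath, char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(configPath); // Java 9+
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** Sign MESSAGE; JCA routes the operation to whichever provider owns the key. */
    static byte[] sign(KeyStore ks, String alias, char[] password) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(MESSAGE);
        return sig.sign();
    }

    /** Verify with the certificate stored next to the key; this is pure software either way. */
    static boolean verify(KeyStore ks, String alias, byte[] signature) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(MESSAGE);
        return sig.verify(signature);
    }

    /**
     * True if the private key material can be pulled out of the store.
     * A PKCS#12 key returns its PKCS#8 encoding. A SunPKCS11 key whose token
     * object is CKA_SENSITIVE / not CKA_EXTRACTABLE (the default for keys
     * generated on a token) returns null: the Java object is only a handle.
     */
    static boolean isExtractable(KeyStore ks, String alias, char[] password) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        return key.getEncoded() != null;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore p12 = loadPkcs12("signer.p12", pw);
        byte[] s1 = sign(p12, "signer", pw);
        System.out.println("PKCS#12 verify=" + verify(p12, "signer", s1)
                + " extractable=" + isExtractable(p12, "signer", pw));

        char[] pin = "1234".toCharArray();
        KeyStore p11 = loadPkcs11("pkcs11.cfg", pin);
        byte[] s2 = sign(p11, "signer", pin);
        System.out.println("PKCS#11 verify=" + verify(p11, "signer", s2)
                + " extractable=" + isExtractable(p11, "signer", pin));
    }
}
```

Compile and run with `javac KeyStoreCompare.java && java KeyStoreCompare`. Both stores should verify their own signature, but only the PKCS#12 one should report `extractable=true`; that second flag is the practical answer to "are they interchangeable": the `KeyStore` and `Signature` calls are identical, while anything that needs the raw key bytes (exporting, wrapping, re-saving into another file) only works against the PKCS#12 store.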
