Saving private key with certificate in keystore - Android

I have got this working, but I can't really figure out why we need it here. I have created a self-signed SSL certificate and tested it on my Android device. I have stored it in a keystore and use it like this:
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

// Load the keystore bundled in the app's assets (on Android the default type is BKS)
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(context.getAssets().open("self.jks"), "password".toCharArray());

// Use the certificates in that keystore as the client's trust anchors
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

It works fine, i.e. I get the correct response from the server. My keystore looks like this:

Keystore type: BKS
Keystore provider: BC

Your keystore contains 1 entry

Alias name: ca
Creation date: Apr 22, 2017
Entry type: trustedCertEntry

Owner: CN=92.168.10.11,E=email@gmail.com,O=Self,L=Islamabad,C=PK
Issuer: CN=92.168.10.11,E=email@gmail.com,O=Self,L=Islamabad,C=PK
Serial number: f2b8e66caa28f0da
Valid from: Tue Apr 18 19:29:45 PKT 2017 until: Wed Apr 18 19:29:45 PKT 2018
Certificate fingerprints:
     MD5:  2A:46:42:A8:7B:10:21:19:5F:B0:E2:A8:A1:BF:76:D3
     SHA1: 6A:18:AE:C7:4A:46:77:23:63:6B:8F:B8:40:46:49:47:67:30:5A:D5
     SHA256: B9:83:1A:D7:92:72:77:C2:88:AE:37:34:B4:70:31:94:C4:4E:03:7E:23:96:63:0C:00:E4:7F:35:B9:67:12:97
     Signature algorithm name: SHA256WithRSAEncryption
     Version: 1


*******************************************
*******************************************

Whereas the book I am following has a keystore like the following:

Alias name: asynchronous_client
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: C=UK,ST=Birmingham,L=Birmingham,O=Packt Publishing,OU=Packt
Publishing,CN=asynchronous_client
Issuer: C=UK,…,CN=packt
Certificate[2]:
Owner: C=UK,…,CN=packt
Alias name: ca
Entry type: trustedCertEntry
Owner: C=UK,…,CN=packt
Issuer: C=UK,…,CN=packt

They have a private key entry with its certificate. I would like to know:

Why do they need private key here if everything works fine without it? If we really need it, how will it be used in SSL handshake?


The client does not need the server's private key to perform the SSL handshake. Not only is it unnecessary, it is a security problem: if anyone other than the server has a copy of the key, they can act on the server's behalf, for example as a man in the middle. A private key should never be shared with anyone other than its owner.

In this case, you should only give the client the server certificate (or a keystore containing it).
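The following is an added example, not code from the question, the answer or the book being discussed. It shows the two distinct roles a keystore can play on the client: a trust store (certificates only, which is all the asker's working setup needs) and, only when a server asks for client authentication (mutual TLS), a key store holding the client's own private key. It also adds the check a practitioner would want before shipping a keystore inside an APK: refuse to use a trust store that contains any private key entry, since a key bundled in app assets is effectively public. The class name, method names and the asset names are assumptions; the KeyStore, TrustManagerFactory, KeyManagerFactory and SSLContext calls are standard JSSE APIs.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class (assumed name), not part of the original answer.
public final class ClientTlsSetup {

    /** Aliases of every PrivateKeyEntry in the keystore. For a trust store shipped with an app this should be empty. */
    public static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> found = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                found.add(alias);
            }
        }
        return found;
    }

    /**
     * Server-authenticated TLS only (the asker's case): the client needs nothing but the
     * certificate(s) it trusts. No KeyManager is configured, so the client never presents a key.
     */
    public static SSLContext contextFromTrustStore(InputStream trustStoreBytes, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); // BKS on Android
        trustStore.load(trustStoreBytes, password);

        // Defensive check: a private key packaged in assets is readable by anyone who unzips the APK.
        List<String> leaked = privateKeyAliases(trustStore);
        if (!leaked.isEmpty()) {
            throw new IllegalStateException("trust store must contain certificates only, found private keys: " + leaked);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null KeyManager[]: no client certificate
        return ctx;
    }

    /**
     * Mutual TLS: the only situation in which a client keystore holds a private key, and it is the
     * CLIENT's own key pair (like the book's "asynchronous_client" entry), never the server's key.
     * The server proves its identity with its key; the client proves its identity with this one.
     */
    public static SSLContext contextForMutualTls(InputStream trustStoreBytes, char[] trustPassword,
                                                 InputStream clientKeyStoreBytes, char[] keyPassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(trustStoreBytes, trustPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyStore clientKeys = KeyStore.getInstance(KeyStore.getDefaultType());
        clientKeys.load(clientKeyStoreBytes, keyPassword);
        if (privateKeyAliases(clientKeys).isEmpty()) {
            throw new IllegalStateException("mutual TLS requested but client keystore has no private key entry");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyPassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage on Android (asset names assumed), e.g. before opening an HttpsURLConnection:
    //   SSLContext ctx = ClientTlsSetup.contextFromTrustStore(
    //           context.getAssets().open("self.jks"), "password".toCharArray());
    //   connection.setSSLSocketFactory(ctx.getSocketFactory());
}
```

With contextFromTrustStore the handshake proceeds exactly as in the asker's working setup: the server sends its certificate and signs the handshake with its private key, and the client only verifies that signature against the trusted certificate. A KeyManager enters the picture solely in contextForMutualTls, where the server sends a CertificateRequest and the client signs with its own key; the server's private key is never needed or wanted on the client in either case. Note that the trust decision above is separate from hostname verification, which the HTTPS client still performs against the server name.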