Friday, June 1, 2018

Java keytool and keystore


1. Overview of keytool (ref1)
Keytool is Java's key and certificate management tool. It stores keys and certificates in a file called a keystore, which holds two kinds of entries:
  • Key entries: a secret key, or a private key together with its matching public key (asymmetric cryptography)
  • Trusted certificate entries: contain only a public key (certificate)
Alias: every entry in a keystore is identified by a unique alias; aliases are normally case-insensitive.

Commonly used keytool options in the JDK:
  • -genkey: creates the default file ".keystore" in the user's home directory and an alias "mykey" holding the user's public key, private key and certificate (when no location is given, the keystore lands in the user's default system directory, e.g. on Windows C:\Documents and Settings\UserName\ with the file name ".keystore")
  • -alias: the alias of the entry to create
  • -keystore: the keystore file to use (the generated entries then go to this file instead of .keystore)
  • -keyalg: the key algorithm (e.g. RSA or DSA; DSA is used when none is given)
  • -validity: how many days the created certificate is valid
  • -keysize: the key length
  • -storepass: the keystore password (needed to read the keystore)
  • -keypass: the password of the alias entry (the private key password)
  • -dname: the certificate owner information, e.g. "CN=first and last name,OU=organizational unit,O=organization,L=city or locality,ST=state or province,C=two-letter country code"
  • -list: shows the certificates in the keystore: keytool -list -v -keystore <keystore> -storepass <password>
  • -v: shows the full certificate details
  • -export: exports the certificate of the given alias to a file: keytool -export -alias <alias to export> -keystore <keystore> -file <path and name of the exported certificate> -storepass <password>
  • -file: the file name to export to
  • -delete: deletes an entry from the keystore: keytool -delete -alias <alias to delete> -keystore <keystore> -storepass <password>
  • -printcert: shows the contents of an exported certificate: keytool -printcert -file yushan.crt
  • -keypasswd: changes the password of an entry: keytool -keypasswd -alias <alias to change> -keypass <old password> -new <new password> -storepass <keystore password> -keystore sage
  • -storepasswd: changes the keystore password: keytool -storepasswd -keystore e:\polin.keystore (keystore whose password changes) -storepass 123456 (old password) -new polinwei (new password)
  • -import: imports a signed digital certificate into the keystore: keytool -import -alias <alias for the imported entry> -keystore <keystore> -file <certificate to import>



1-2 keytool built-in help (ref2)
C:\Program Files\Java\jdk1.8.0_111\bin>keytool
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name


Example:
keytool -v -list -keystore .keystore

Common commands (ref2):
1. Import a certificate into the keystore
      keytool -import -alias xxx -file xxx.cer -keystore .keystore

2. List the contents of the keystore
      keytool -list -v -keystore .keystore

3. Delete one certificate from the keystore
      keytool -delete -alias xxx -keystore .keystore

4. Generate a key pair (RSA is an asymmetric algorithm)
      keytool -genkey -alias xxx -keyalg RSA -keystore .keystore

5. Generate a certificate signing request file
      keytool -certreq -alias xxx -file certreq.txt -keystore .keystore

6. List the contents of a PKCS12 keystore
      keytool -list -v -keystore .keystore -storetype pkcs12

7. Create a keystore containing a private key
      keytool -genkey -alias keyAlias -keyalg RSA -keystore keystore.jks

8. Change the keystore password
      keytool -storepasswd -new newPassword -keystore keystore.jks


9. List the contents of cacerts (ref)
C:\j2sdk1.4.2_04\jre\bin>keytool -list -keystore ./cacerts


2. When it occurs:
When a Java program connects over HTTPS, you sometimes see:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

http://blog.51cto.com/huangwq/1859536


3. Solution 1
https://blogs.oracle.com/gc/unable-to-find-valid-certification-path-to-requested-target
https://blog.csdn.net/catoop/article/details/51155224

## Creating jssecacerts with a program
will display the complete certificate and then add it to a Java KeyStore named 'jssecacerts' in the current directory.
To use it in your program, either configure JSSE to use it as its trust store or copy it into your $JAVA_HOME/jre/lib/security directory. If you want all Java applications to recognize the certificate as trusted, and not just JSSE, you could also overwrite the cacerts file in that directory.


4. CA-related files (ref1)


I am very confused about the difference between the cacerts and jssecacerts files.
I know that by default Java looks for the jssecacerts file first, and then the cacerts file.
But what is the point of the jssecacerts file?
My understanding is that if you need to use a new truststore, you should create a copy of cacerts, and all newly trusted CAs should be added to that copy. (The copy with the new CAs) should then be referenced via the -Djavax.net.ssl.trustStore system property. That way, other Java applications running on the same machine do not accidentally trust non-default CAs.


  1. The system property javax.net.ssl.trustStore
  2. java-home/lib/security/jssecacerts
  3. java-home/lib/security/cacerts (shipped by default)
I think this follows the convention-over-configuration idea. Without any extra coding effort, cacerts is used. For additional private CAs or signed certificates, developers can use the first or the second way: the former may contain only one specific certificate, while the latter holds a list of trusted certificates.


5. Handling sites whose data cannot be fetched over SSL


6. How to get the certificate

import re
import subprocess

# Ask keytool to print the certificate the server presents (no keystore needed)
output = subprocess.run(
    ["keytool", "-printcert", "-sslserver", "google.com:443"],
    capture_output=True, text=True, check=True,
).stdout

# The subject DN is on the "Owner:" line; pick out its CN
found = None
for line in output.splitlines():
    if line.lstrip().startswith("Owner:"):
        match = re.search(r"CN=([^,]+)", line)
        if match:
            found = match.group(1)
        break
print(found)



7. Security overview (ref1)


8. Java parameters (ref1)
  • Keystore file, keystore.jks: contains the Application Server's certificate, including its private key. The keystore file is protected with a password, initially changeit. Change the password using keytool. For more information about keytool, read Using the keytool Utility.
    Each keystore entry has a unique alias. After installation, the Application Server keystore has a single entry with alias s1as.
  • Truststore file, cacerts.jks: contains the Application Server's trusted certificates, including public keys for other entities. For a trusted certificate, the server has confirmed that the public key in the certificate belongs to the certificate's owner. Trusted certificates generally include those of certification authorities (CAs).
    In the Platform Edition, on the server side, the Application Server uses the JSSE format, which uses keytool to manage certificates and key stores. In the Enterprise Edition, on the server side, the Application Server uses NSS, which uses certutil to manage the NSS database which stores private keys and certificates. In both editions, the client side (appclient or stand-alone), uses the JSSE format.
    By default, the Application Server is configured with a keystore and truststore that will work with the example applications and for development purposes. For production purposes, you may wish to change the certificate alias, add other certificates to the truststore, or change the name and/or location of the keystore and truststore files.

-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name

I could set the keystore and truststores to be used as JVM parameters or system properties as follows: (ref)
      java -Djavax.net.ssl.keyStore=serverKeys \
           -Djavax.net.ssl.keyStorePassword=password \
           -Djavax.net.ssl.trustStore=serverTrust \
           -Djavax.net.ssl.trustStorePassword=password SSLApplication


The following JVM -D system property arguments specify the keystore and truststore files:
  • -Djavax.net.ssl.keyStore specifies the keystore file.
  • -Djavax.net.ssl.keyStorePassword specifies the passphrase of the keystore.
  • -Djavax.net.ssl.trustStore specifies the truststore file to use to validate client certificates.
  • -Djavax.net.ssl.trustStorePassword specifies the passphrase to access the truststore file.

setlocal
set CLIENT_CERT=C:\Endeca\PlatformServices\workspace\etc\eneCert.jks
rem ^ at line end continues the set command onto the next line
set CATALINA_OPTS=-Djavax.net.ssl.keyStore=%CLIENT_CERT% ^
  -Djavax.net.ssl.keyStorePassword=endeca ^
  -Djavax.net.ssl.trustStore=%CLIENT_CERT% ^
  -Djavax.net.ssl.trustStorePassword=endeca
cd c:\tomcat\bin
call c:\tomcat\bin\startup.bat
endlocal



Flow (ref)

  1. A client tries to access https://
  2. The server responds with its SSL certificate (which is stored in its keyStore).
  3. The client receives the SSL certificate and verifies it against its trustStore (the client's trustStore already holds a predefined set of certificates it trusts). In effect it asks: can I trust this server? Is this the server I am actually trying to talk to? Is there no man in the middle?
  4. Once the client has verified that it is talking to a server it trusts, SSL communication can proceed over a shared secret key.




9. Creation flow (ref)

Creating keystore and truststore files with keytool

JSSE uses truststore and keystore files to provide secure data transfer between client and server. keytool is a tool that creates a keystore file containing both the public and the private key, and then uses that keystore to create a truststore file containing only the public key. This article shows how to create truststore and keystore files in five simple steps:

    Generate a keystore file containing a private key
    Verify the newly generated keystore file
    Export the certificate file
    Import the certificate into the truststore file
    Verify the newly created truststore file





10.  ref
There were a few ways I found to do this:
    java InstallCert [host]:[port] 
    keytool -exportcert -keystore jssecacerts -storepass changeit -file output.cert
    keytool -importcert -keystore [DESTINATION_KEYSTORE] -file output.cert
