Java 在 JVM 中注册多个密钥库
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1793979/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Registering multiple keystores in JVM
提问by Raz
I have two applications running in the same java virtual machine, and both use different keystores and truststores.
我有两个应用程序在同一个 java 虚拟机中运行,并且都使用不同的密钥库和信任库。
A viable option would be use a single keystore and import all the other ones into the shared keystore (e.g. keytool -import), but it would really help my requirements if I could use separate keystores for separate applications running in the same jvm.
一个可行的选择是使用单个密钥库并将所有其他密钥库导入共享密钥库(例如 keytool -import),但如果我可以为在同一个 jvm 中运行的不同应用程序使用单独的密钥库,这确实有助于我的需求。
I could set the keystore and truststores to be used as jvm parameters or system properties as follows:
我可以将密钥库和信任库设置为 jvm 参数或系统属性,如下所示:
java -Djavax.net.ssl.keyStore=serverKeys
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=serverTrust
-Djavax.net.ssl.trustStorePassword=password SSLApplication
or
或者
System.setProperty("javax.net.ssl.keyStore","serverKeys")
But the problem with this approach is that it specifies the keystore/truststore to be used at a JVM level, thus all applications running in the same JVM gets the same keystore/truststore.
但是这种方法的问题在于它指定了要在 JVM 级别使用的密钥库/信任库,因此在同一 JVM 中运行的所有应用程序都获得相同的密钥库/信任库。
I have also tried creating a custom SSLContext and setting it as the default, but it also sets the context for all applications running in the same JVM.
我还尝试创建自定义 SSLContext 并将其设置为默认值,但它还为在同一 JVM 中运行的所有应用程序设置了上下文。
SSLContext context = SSLContext.getInstance("SSL");
context.init(kms, tms, null);
SSLContext.setDefault(context);
I want to be able use different keystores/truststores without modifying individual application codes.
我希望能够在不修改单个应用程序代码的情况下使用不同的密钥库/信任库。
A solution that can dynamically register multiple key storesin addition to the default keystore/certs in jre into jvm would be great.
除了 jre 中的默认密钥库/证书之外,还可以将多个密钥库动态注册到 jvm 中的解决方案会很棒。
The solution will work in this way:
该解决方案将以这种方式工作:
- When JVM boots, it loads all the default certs/keystores from jre/certs folder (default java behaviour when no keystores specified).
- When App 1 loads it registers its keystores,
- then when App 2 loads it registers its keystores...
- 当 JVM 启动时,它会从 jre/certs 文件夹中加载所有默认证书/密钥库(未指定密钥库时的默认 Java 行为)。
- 当 App 1 加载时,它会注册它的密钥库,
- 然后当 App 2 加载时,它会注册它的密钥库......
Please let me know your ideas or solutions. Thanks in advance!
请让我知道您的想法或解决方案。提前致谢!
采纳答案by Raz
After playing with the code I have received from ZZ Coder, sylvarking and Software Monkey, I have found a solution that works:
在使用了我从 ZZ Coder、sylvarking 和 Software Monkey 收到的代码后,我找到了一个有效的解决方案:
First, I wrote a X509KeyManager that works combines a custom keystore and a default keystore.
首先,我编写了一个 X509KeyManager,它结合了自定义密钥库和默认密钥库。
class MultiKeyStoreManager implements X509KeyManager {
private static final Logger logger = Logger.getLogger(MultiKeyStoreManager.class);
private final X509KeyManager jvmKeyManager;
private final X509KeyManager customKeyManager;
public MultiKeyStoreManager(X509KeyManager jvmKeyManager, X509KeyManager customKeyManager ) {
this.jvmKeyManager = jvmKeyManager;
this.customKeyManager = customKeyManager;
}
@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
// try the first key manager
String alias = customKeyManager.chooseClientAlias(keyType, issuers, socket);
if( alias == null ) {
alias = jvmKeyManager.chooseClientAlias(keyType, issuers, socket);
logger.warn("Reverting to JVM CLIENT alias : " + alias);
}
return alias;
}
@Override
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
// try the first key manager
String alias = customKeyManager.chooseServerAlias(keyType, issuers, socket);
if( alias == null ) {
alias = jvmKeyManager.chooseServerAlias(keyType, issuers, socket);
logger.warn("Reverting to JVM Server alias : " + alias);
}
return alias;
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
X509Certificate[] chain = customKeyManager.getCertificateChain(alias);
if( chain == null || chain.length == 0) {
logger.warn("Reverting to JVM Chain : " + alias);
return jvmKeyManager.getCertificateChain(alias);
} else {
return chain;
}
}
@Override
public String[] getClientAliases(String keyType, Principal[] issuers) {
String[] cAliases = customKeyManager.getClientAliases(keyType, issuers);
String[] jAliases = jvmKeyManager.getClientAliases(keyType, issuers);
logger.warn("Supported Client Aliases Custom: " + cAliases.length + " JVM : " + jAliases.length);
return ArrayUtils.join(cAliases,jAliases);
}
@Override
public PrivateKey getPrivateKey(String alias) {
PrivateKey key = customKeyManager.getPrivateKey(alias);
if( key == null ) {
logger.warn("Reverting to JVM Key : " + alias);
return jvmKeyManager.getPrivateKey(alias);
} else {
return key;
}
}
@Override
public String[] getServerAliases(String keyType, Principal[] issuers) {
String[] cAliases = customKeyManager.getServerAliases(keyType, issuers);
String[] jAliases = jvmKeyManager.getServerAliases(keyType, issuers);
logger.warn("Supported Server Aliases Custom: " + cAliases.length + " JVM : " + jAliases.length);
return ArrayUtils.join(cAliases,jAliases);
}
}
Then, you can use this keystore manager when creating an SSL Context or SocketFactory. The code needs some refactoring and tidying up but it works perfectly.
然后,您可以在创建 SSL 上下文或 SocketFactory 时使用此密钥库管理器。代码需要一些重构和整理,但它工作得很好。
/**
* Returns an array of KeyManagers, set up to use the required keyStore.
* This method does the bulk of the work of setting up the custom trust managers.
*
* @param props
*
* @return an array of KeyManagers set up accordingly.
*/
private static KeyManager[] getKeyManagers(Properties props) throws IOException, GeneralSecurityException {
// First, get the default KeyManagerFactory.
String alg = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory kmFact = KeyManagerFactory.getInstance(alg);
// Next, set up the KeyStore to use. We need to load the file into
// a KeyStore instance.
FileInputStream fis = new FileInputStream(props.getProperty(SSL_KEYSTORE));
logger.info("Loaded keystore");
KeyStore ks = KeyStore.getInstance("jks");
String keyStorePassword = props.getProperty(SSL_KEYSTORE_PASSWORD);
ks.load(fis, keyStorePassword.toCharArray());
fis.close();
// Now we initialise the KeyManagerFactory with this KeyStore
kmFact.init(ks, keyStorePassword.toCharArray());
// default
KeyManagerFactory dkmFact = KeyManagerFactory.getInstance(alg);
dkmFact.init(null,null);
// Get the first X509KeyManager in the list
X509KeyManager customX509KeyManager = getX509KeyManager(alg, kmFact);
X509KeyManager jvmX509KeyManager = getX509KeyManager(alg, dkmFact);
KeyManager[] km = { new MultiKeyStoreManager(jvmX509KeyManager, customX509KeyManager) };
logger.debug("Number of key managers registered:" + km.length);
return km;
}
/**
* Find a X509 Key Manager compatible with a particular algorithm
* @param algorithm
* @param kmFact
* @return
* @throws NoSuchAlgorithmException
*/
private static X509KeyManager getX509KeyManager(String algorithm, KeyManagerFactory kmFact)
throws NoSuchAlgorithmException {
KeyManager[] keyManagers = kmFact.getKeyManagers();
if (keyManagers == null || keyManagers.length == 0) {
throw new NoSuchAlgorithmException("The default algorithm :" + algorithm + " produced no key managers");
}
X509KeyManager x509KeyManager = null;
for (int i = 0; i < keyManagers.length; i++) {
if (keyManagers[i] instanceof X509KeyManager) {
x509KeyManager = (X509KeyManager) keyManagers[i];
break;
}
}
if (x509KeyManager == null) {
throw new NoSuchAlgorithmException("The default algorithm :"+ algorithm + " did not produce a X509 Key manager");
}
return x509KeyManager;
}
private static void initialiseManager(Properties props) throws IOException, GeneralSecurityException {
// Next construct and initialise a SSLContext with the KeyStore and
// the TrustStore. We use the default SecureRandom.
SSLContext context = SSLContext.getInstance("SSL");
context.init(getKeyManagers(props), getTrustManagers(props), null);
SSLContext.setDefault(context);
}
Let me know if anyone has any question or need any demonstration codes.
如果有人有任何问题或需要任何演示代码,请告诉我。
回答by ZZ Coder
Check out my answer to this question,
看看我对这个问题的回答,
How can I have multiple SSL certificates for a Java server
If you use the MyKeyManager, you can have multiple keystores or you can use a single keystore for multiple contexts.
如果使用 MyKeyManager,则可以有多个密钥库,也可以将单个密钥库用于多个上下文。
回答by Cody A. Ray
Raz's answer was a great start, but wasn't quite flexible enough to meet my needs. The MultiStoreKeyManager explicitly checks the custom KeyManager and then falls back to the jvm KeyManager if an operation fails. I actually want to check jvm certs first; the best solution should be able to handle either case. Additionally, the answer fails to provide a working TrustManager.
Raz 的回答是一个很好的开始,但不够灵活,无法满足我的需求。MultiStoreKeyManager 显式检查自定义 KeyManager,然后在操作失败时回退到 jvm KeyManager。我实际上想先检查 jvm 证书;最好的解决方案应该能够处理任何一种情况。此外,答案未能提供有效的 TrustManager。
I've written a couple more flexible classes, CompositeX509KeyManager and CompositeX509TrustManager, which add support for any number of keystores in an arbitrary order.
我编写了几个更灵活的类,CompositeX509KeyManager 和 CompositeX509TrustManager,它们以任意顺序添加了对任意数量的密钥库的支持。
CompositeX509KeyManager
CompositeX509KeyManager
package com.mycompany.ssl;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.annotation.Nullable;
import javax.net.ssl.X509KeyManager;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
/**
* Represents an ordered list of {@link X509KeyManager}s with most-preferred managers first.
*
* This is necessary because of the fine-print on {@link SSLContext#init}:
* Only the first instance of a particular key and/or trust manager implementation type in the
* array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.)
*
* @author codyaray
* @since 4/22/2013
* @see http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm
*/
public class CompositeX509KeyManager implements X509KeyManager {
private final List keyManagers;
/**
* Creates a new {@link CompositeX509KeyManager}.
*
* @param keyManagers the X509 key managers, ordered with the most-preferred managers first.
*/
public CompositeX509KeyManager(List keyManagers) {
this.keyManagers = ImmutableList.copyOf(keyManagers);
}
/**
* Chooses the first non-null client alias returned from the delegate
* {@link X509TrustManagers}, or {@code null} if there are no matches.
*/
@Override
public @Nullable String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
for (X509KeyManager keyManager : keyManagers) {
String alias = keyManager.chooseClientAlias(keyType, issuers, socket);
if (alias != null) {
return alias;
}
}
return null;
}
/**
* Chooses the first non-null server alias returned from the delegate
* {@link X509TrustManagers}, or {@code null} if there are no matches.
*/
@Override
public @Nullable String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
for (X509KeyManager keyManager : keyManagers) {
String alias = keyManager.chooseServerAlias(keyType, issuers, socket);
if (alias != null) {
return alias;
}
}
return null;
}
/**
* Returns the first non-null private key associated with the
* given alias, or {@code null} if the alias can't be found.
*/
@Override
public @Nullable PrivateKey getPrivateKey(String alias) {
for (X509KeyManager keyManager : keyManagers) {
PrivateKey privateKey = keyManager.getPrivateKey(alias);
if (privateKey != null) {
return privateKey;
}
}
return null;
}
/**
* Returns the first non-null certificate chain associated with the
* given alias, or {@code null} if the alias can't be found.
*/
@Override
public @Nullable X509Certificate[] getCertificateChain(String alias) {
for (X509KeyManager keyManager : keyManagers) {
X509Certificate[] chain = keyManager.getCertificateChain(alias);
if (chain != null && chain.length > 0) {
return chain;
}
}
return null;
}
/**
* Get all matching aliases for authenticating the client side of a
* secure socket, or {@code null} if there are no matches.
*/
@Override
public @Nullable String[] getClientAliases(String keyType, Principal[] issuers) {
ImmutableList.Builder aliases = ImmutableList.builder();
for (X509KeyManager keyManager : keyManagers) {
aliases.add(keyManager.getClientAliases(keyType, issuers));
}
return emptyToNull(Iterables.toArray(aliases.build(), String.class));
}
/**
* Get all matching aliases for authenticating the server side of a
* secure socket, or {@code null} if there are no matches.
*/
@Override
public @Nullable String[] getServerAliases(String keyType, Principal[] issuers) {
ImmutableList.Builder aliases = ImmutableList.builder();
for (X509KeyManager keyManager : keyManagers) {
aliases.add(keyManager.getServerAliases(keyType, issuers));
}
return emptyToNull(Iterables.toArray(aliases.build(), String.class));
}
@Nullable
private static <T> T[] emptyToNull(T[] arr) {
return (arr.length == 0) ? null : arr;
}
}
CompositeX509TrustManager
CompositeX509信任管理器
package com.mycompany.ssl;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
/**
* Represents an ordered list of {@link X509TrustManager}s with additive trust. If any one of the
* composed managers trusts a certificate chain, then it is trusted by the composite manager.
*
* This is necessary because of the fine-print on {@link SSLContext#init}:
* Only the first instance of a particular key and/or trust manager implementation type in the
* array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.)
*
* @author codyaray
* @since 4/22/2013
* @see http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm
*/
public class CompositeX509TrustManager implements X509TrustManager {
private final List trustManagers;
public CompositeX509TrustManager(List trustManagers) {
this.trustManagers = ImmutableList.copyOf(trustManagers);
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
for (X509TrustManager trustManager : trustManagers) {
try {
trustManager.checkClientTrusted(chain, authType);
return; // someone trusts them. success!
} catch (CertificateException e) {
// maybe someone else will trust them
}
}
throw new CertificateException("None of the TrustManagers trust this certificate chain");
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
for (X509TrustManager trustManager : trustManagers) {
try {
trustManager.checkServerTrusted(chain, authType);
return; // someone trusts them. success!
} catch (CertificateException e) {
// maybe someone else will trust them
}
}
throw new CertificateException("None of the TrustManagers trust this certificate chain");
}
@Override
public X509Certificate[] getAcceptedIssuers() {
ImmutableList.Builder certificates = ImmutableList.builder();
for (X509TrustManager trustManager : trustManagers) {
certificates.add(trustManager.getAcceptedIssuers());
}
return Iterables.toArray(certificates.build(), X509Certificate.class);
}
}
Usage
用法
For the standard case of one keystore + jvm keystore, you can wire it up like this. I'm using Guava again, but in a Guicey wrapper this time:
对于一个 keystore + jvm keystore 的标准情况,你可以这样接线。我再次使用 Guava,但这次使用 Guicey 包装器:
@Provides @Singleton
SSLContext provideSSLContext(KeyStore keystore, char[] password) {
String defaultAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
X509KeyManager customKeyManager = getKeyManager("SunX509", keystore, password);
X509KeyManager jvmKeyManager = getKeyManager(defaultAlgorithm, null, null);
X509TrustManager customTrustManager = getTrustManager("SunX509", keystore);
X509TrustManager jvmTrustManager = getTrustManager(defaultAlgorithm, null);
KeyManager[] keyManagers = { new CompositeX509KeyManager(ImmutableList.of(jvmKeyManager, customKeyManager)) };
TrustManager[] trustManagers = { new CompositeX509TrustManager(ImmutableList.of(jvmTrustManager, customTrustManager)) };
SSLContext context = SSLContext.getInstance("SSL");
context.init(keyManagers, trustManagers, null);
return context;
}
private X509KeyManager getKeyManager(String algorithm, KeyStore keystore, char[] password) {
KeyManagerFactory factory = KeyManagerFactory.getInstance(algorithm);
factory.init(keystore, password);
return Iterables.getFirst(Iterables.filter(
Arrays.asList(factory.getKeyManagers()), X509KeyManager.class), null);
}
private X509TrustManager getTrustManager(String algorithm, KeyStore keystore) {
TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
factory.init(keystore);
return Iterables.getFirst(Iterables.filter(
Arrays.asList(factory.getTrustManagers()), X509TrustManager.class), null);
}
I extracted this from my blog postabout this problem which has a bit more detail, motivation, etc. All the code is there though, so its standalone. :)
