Does JSSE use a certificate in a PrivateKeyEntry as a trust anchor?

跟風遠走 submitted on 2019-12-25 06:44:49

Question


If a key store containing one or more PrivateKeyEntry is specified as a trust store, will JSSE create a trust anchor from the end-entity certificate in each of those entries?

In other words, is it enough to have a certificate under a PrivateKeyEntry if we have one keystore with both trusted and private entries? Or, must we also add that certificate as a TrustedCertificateEntry?


Answer 1:


It doesn't matter whether the certificate is placed under a PrivateKeyEntry or under a trustedCertEntry; the JVM trusts the host from the certificate anyway.

Tested locally.

Ran a local HTTPS server with a keystore containing only one PrivateKeyEntry.

And ran the client with this code:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class TrustTest {

    // Plain HTTPS GET. The trust store is selected outside this code,
    // e.g. via -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=...
    public static String getHTML(String urlToRead) throws Exception {
        StringBuilder result = new StringBuilder();
        URL url = new URL(urlToRead);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        // Opening the input stream triggers the TLS handshake and certificate validation.
        try (BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String line;
            while ((line = rd.readLine()) != null) {
                result.append(line);
            }
        }
        return result.toString();
    }

    public static void main(String[] args) throws Exception {
        String testUrl = "https://localhost/test";
        System.out.println(getHTML(testUrl));
    }
}

Without any truststore:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

With a truststore that contains only one PrivateKeyEntry (the same JKS file that was used as the server's keystore):

<!DOCTYPE....</html> 



Answer 2:


Is it enough to have a certificate under a PrivateKeyEntry if we have one keystore with both trusted and private entries?

You should never have such a keystore.

or shall we also add the certificate as a trustedCertEntry in order to make requests to itself/other nodes under a proxy?

A trustedCertEntry is used for incoming certificates. A private key entry is used for outgoing certificates.

You're conflating two different things, indeed two different uses of keystores.

  1. A keystore file that contains a trustedCertEntry is a truststore, in the sense of javax.net.ssl.trustStore, and it tells JSSE which incoming certificates to trust, directly or indirectly.

  2. A keystore file that contains a PrivateKeyEntry is a keystore, in the sense of javax.net.ssl.keyStore, and it tells JSSE which certificates to use for outbound connections.

  3. A keystore file that contains both is radically malformed. A truststore is simply a list of certificates to be trusted. It isn't secret. A KeyStore contains your private key and it is top secret to everybody. Conflating the two is a major security breach.

If it doesn't matter, why would there be two different types of entry?

It's not even a proper question to ask. If you have a private key where a trusted certificate should be, that means you have someone else's private key, which is a prima facie security breach.


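The following is an added example, not code from either answer, that makes both points above reproducible. It loads a store that holds only a PrivateKeyEntry (created with the keytool command in the comment; the file names, alias and password are placeholders), shows which trust anchors the default PKIX TrustManagerFactory derives from it (the behaviour Answer 1 observed: the provider takes the leaf certificate of each key entry as an anchor alongside any trustedCertEntry), then copies only the public certificates into a separate store that holds nothing but trustedCertEntry items and validates the server's chain against that one, which is the separation Answer 2 insists on. KeyStore.getInstance(File, char[]) requires Java 9 or later.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Usage (hypothetical file names, alias and password):
 *   keytool -genkeypair -alias server -keyalg RSA -dname CN=localhost \
 *           -keystore server.jks -storepass changeit -keypass changeit
 *   java KeyStoreAsTrustStore server.jks changeit truststore.p12
 */
public class KeyStoreAsTrustStore {

    // Trust anchors that the default (PKIX) trust manager derives from a store.
    static X509Certificate[] anchorsOf(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // Validates a server chain against a store the way a JSSE client does;
    // throws CertificateException if no path to an anchor can be built.
    static void checkServerChain(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        tm.checkServerTrusted(chain, "RSA");
    }

    public static void main(String[] args) throws Exception {
        File keyStoreFile = new File(args[0]);
        char[] password = args[1].toCharArray();
        File trustStoreFile = new File(args[2]);

        // Probes the file for JKS vs PKCS12 instead of guessing the type (Java 9+).
        KeyStore keyStore = KeyStore.getInstance(keyStoreFile, password);

        // 1. What entry types does the file hold, and what does PKIX make of them?
        String serverAlias = null;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.printf("%-10s keyEntry=%-5b certEntry=%b%n",
                alias, keyStore.isKeyEntry(alias), keyStore.isCertificateEntry(alias));
            if (serverAlias == null && keyStore.isKeyEntry(alias)) {
                serverAlias = alias;
            }
        }
        if (serverAlias == null) {
            throw new IllegalStateException("no PrivateKeyEntry in " + keyStoreFile);
        }
        for (X509Certificate c : anchorsOf(keyStore)) {
            System.out.println("anchor derived from key store: " + c.getSubjectX500Principal());
        }

        // 2. Split: copy only the public certificates into a separate, non-secret trust store.
        //    getCertificate() returns the leaf of the chain for a key entry and the
        //    certificate itself for a trusted-certificate entry.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = keyStore.getCertificate(alias);
            if (cert != null) {
                trustStore.setCertificateEntry(alias, cert); // trustedCertEntry, no private key
            }
        }
        try (FileOutputStream out = new FileOutputStream(trustStoreFile)) {
            trustStore.store(out, password);
        }

        // 3. The server's chain must validate against the store that now holds only
        //    trustedCertEntry items, and that store must contain no key material.
        Certificate[] raw = keyStore.getCertificateChain(serverAlias);
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) {
            chain[i] = (X509Certificate) raw[i];
        }
        checkServerChain(trustStore, chain);
        System.out.println("chain for '" + serverAlias + "' validates against " + trustStoreFile);
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            if (trustStore.isKeyEntry(e.nextElement())) {
                throw new IllegalStateException("private key leaked into trust store");
            }
        }
    }
}
```

The trust store is written with the same password only for brevity; it protects integrity, not secrecy, so it can use a different, non-sensitive one. Run with the key-entry-only store first to see step 1 report an anchor even though the file has no trustedCertEntry; the client-side check in step 3 then goes through the separated store, which is what should be pointed at by javax.net.ssl.trustStore in production.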

Source: https://stackoverflow.com/questions/36576061/does-jsse-use-a-certificate-in-a-privatekeyentry-as-a-trust-anchor
