Does JSSE use the certificate in a PrivateKeyEntry as a trust anchor?

Question

If a key store containing one or more PrivateKeyEntry is specified as a trust store, will JSSE create a trust anchor from the end-entity certificate in each of those entries?

In other words, is it enough to have a certificate under a PrivateKeyEntry if we have one keystore with both trusted and private entries? Or, must we also add that certificate as a TrustedCertificateEntry?

Recommended answer

It doesn't matter where the certificate is placed, either under PrivateKeyEntry or under trustedCertEntry; the JVM trusts the host from the certificate anyway.

Tested it locally.

Run a local server with HTTPS and a keystore with only one PrivateKeyEntry.

And run the client with this code:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class Client {
    // Fetch the body of the given URL with a plain GET request.
    public static String getHTML(String urlToRead) throws Exception {
        StringBuilder result = new StringBuilder();
        URL url = new URL(urlToRead);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        // try-with-resources closes the reader even if reading fails
        try (BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String line;
            while ((line = rd.readLine()) != null) {
                result.append(line);
            }
        }
        return result.toString();
    }

    public static void main(String[] args) throws Exception {
        String testUrl = "https://localhost/test";
        System.out.println(getHTML(testUrl));
    }
}

Without anything:

With a truststore that contains only one PrivateKeyEntry (the same jks file that was used for the server as its keystore):

<!DOCTYPE....</html>
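
The behaviour reported in the answer can also be checked without a server, by asking the default JSSE TrustManagerFactory which certificates it accepts from a store that holds only a key entry. This is an added example, not code from the original answer; the class name TrustAnchorAudit, the alias, the password and the temporary path are assumptions, and the throwaway keystore is constructed with the JDK's own keytool.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorAudit {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway PKCS12 store with one self-signed key entry.
        Path store = Files.createTempDirectory("anchors").resolve("server.p12");
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        int rc = new ProcessBuilder(keytool, "-genkeypair", "-alias", "server",
                "-keyalg", "RSA", "-keysize", "2048", "-dname", "CN=localhost",
                "-validity", "1", "-storetype", "PKCS12", "-keystore", store.toString(),
                "-storepass", "changeit", "-keypass", "changeit").inheritIO().start().waitFor();
        if (rc != 0) throw new IllegalStateException("keytool failed with exit code " + rc);

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, "changeit".toCharArray());
        }
        // List what the store actually contains, by entry type.
        for (String alias : Collections.list(ks.aliases())) {
            String type = ks.isKeyEntry(alias) ? "key entry" : "trustedCertEntry";
            System.out.println("entry  " + alias + " -> " + type);
        }
        // Ask the default JSSE trust manager which certificates it accepts as anchors.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("anchor " + c.getSubjectX500Principal().getName());
                }
            }
        }
    }
}
```

Running the same audit against a combined keystore shows every certificate that would be trusted if that file were also used as the trust store, which is a useful check before deciding whether to keep a separate trust store with only the intended certificates.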

06-26 03:02