How are aliases used in the Java KeyStore class?

2022-01-25 00:00:00 ssl ssl-certificate android java


Class KeyStore has a method called setCertificateEntry(alias, certificate). Most client examples I see use "ca" as the alias name. Is the server asking for "ca" automatically during the client-server handshake? What really would happen if I use "abc" instead of "ca"? Regards.

Accepted answer


The alias is really just a name that is local to the keystore you are using. It is what identifies the entry in the keystore, so you can't re-use it for two entries, but it can be whatever you like (although I must admit I have never tried with non-ASCII characters, and the official truststore only uses lower case letters or numbers).

The documentation also says:


Whether aliases are case sensitive is implementation dependent. In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case.


Some keystore implementations and formats might have more constraints or use that name differently. For example, the WINDOWS-ROOT keystore (which is a front-end for the Windows native store) uses Windows's "friendly name" as the alias, which is unfortunately not unique in the Windows certificate store, so some certificates from the native store may be hidden and not usable (it's a map from alias to entry, loading a new entry with the same name replaces the other one). However, this shouldn't be a concern on Android, of course.


If you're building a keystore that you'll use as a truststore, which is likely to contain a number of CAs, calling one "ca" would make it difficult to identify them later on. (This is mostly an administrative problem to be able to find manually which cert is where.)


If you look at the default truststore, you'll get aliases with names that resemble the Subject DN of these CA certificates, for example "verisignclass1g2ca".


Having an identifier you can remember is generally more important for keystores that are used as keystores (as opposed to truststores) and which contain multiple private key entries, since this can help you configure your application to use a particular certificate to identify itself.
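The following program is an added example, not code from the question or the answer above. It demonstrates the points the answer makes: the alias is only a local lookup key that the TLS peer never sees, reusing one alias replaces the previous entry, and readable aliases derived from the Subject DN make a multi-CA truststore manageable. To stay self-contained it takes its CA certificates from the JDK's default trust anchors (assumption: a standard JRE with a populated default truststore); the class name, helper names and the "ca" alias are illustrative.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class KeyStoreAliasDemo {

    // Returns the JDK's default trust anchors so the example needs no
    // certificate files of its own. (Assumption: default truststore present.)
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null keystore = use the JDK default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Builds a readable lower-case alias from the Subject DN, in the spirit of
    // the default truststore's naming (e.g. "verisignclass1g2ca"), and appends
    // a counter when two CAs would otherwise collide on the same alias.
    static String uniqueAliasFor(KeyStore ks, X509Certificate cert) throws Exception {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String base = dn.replaceAll("[^A-Za-z0-9]", "").toLowerCase();
        String alias = base;
        for (int i = 2; ks.containsAlias(alias); i++) {
            alias = base + "-" + i;
        }
        return alias;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] anchors = defaultTrustAnchors();

        // 1. A truststore where every CA has its own, descriptive alias.
        KeyStore truststore = KeyStore.getInstance("PKCS12");
        truststore.load(null, null);  // create an empty in-memory keystore
        for (X509Certificate ca : anchors) {
            truststore.setCertificateEntry(uniqueAliasFor(truststore, ca), ca);
        }
        System.out.println("CAs available: " + anchors.length
            + ", entries stored under distinct aliases: " + truststore.size());
        for (String alias : Collections.list(truststore.aliases())) {
            System.out.println("  " + alias);
        }

        // Finding the alias of a given certificate: this is the only place the
        // alias matters. A TLS peer only ever sees the certificate itself.
        String first = truststore.getCertificateAlias(anchors[0]);
        System.out.println("alias of first anchor: " + first);

        // 2. Reusing the alias "ca" for every certificate: each call replaces
        //    the previous entry, so only the last CA survives.
        KeyStore collapsed = KeyStore.getInstance("PKCS12");
        collapsed.load(null, null);
        for (X509Certificate ca : anchors) {
            collapsed.setCertificateEntry("ca", ca);
        }
        X509Certificate survivor = (X509Certificate) collapsed.getCertificate("ca");
        System.out.println("entries when every CA is called \"ca\": " + collapsed.size());
        System.out.println("the one that survived: "
            + survivor.getSubjectX500Principal().getName());

        // 3. Case sensitivity is implementation dependent, so check rather
        //    than assume before relying on aliases that differ only in case.
        System.out.println("containsAlias(\"CA\") on this implementation: "
            + collapsed.containsAlias("CA"));
    }
}
```

Running it lists every anchor under its DN-derived alias, then shows the second keystore holding a single entry regardless of how many certificates were added under "ca". The last section prints whether the provider treats "CA" and "ca" as the same alias; with the JDK's own PKCS12 and JKS providers this comes out true, which is exactly why the documentation advises against aliases that differ only in case.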
