The Java Tutorials have been written for JDK 8.Java教程是为JDK 8编写的。Examples and practices described in this page don't take advantage of improvements introduced in later releases and might use technology no longer available.本页中描述的示例和实践没有利用后续版本中引入的改进,并且可能使用不再可用的技术。See Java Language Changes for a summary of updated language features in Java SE 9 and subsequent releases.有关Java SE 9及其后续版本中更新的语言特性的摘要,请参阅Java语言更改。
See JDK Release Notes for information about new features, enhancements, and removed or deprecated options for all JDK releases.有关所有JDK版本的新功能、增强功能以及已删除或不推荐的选项的信息,请参阅JDK发行说明。
This lesson explains why digital signatures, certificates, and keystores are needed. The lesson also compares use of the tools versus the JDK Security API with respect to generating signatures. 本课解释了为什么需要数字签名、证书和密钥存储库。在生成签名方面,本课程还比较了工具与JDKSecurityneneneba API的使用情况。Such tool usage is demonstrated in the next two lessons, Signing Code and Granting It Permissions and Exchanging Files. 在接下来的两节课中,将演示此类工具的使用,即签名代码和授予其权限以及交换文件。API usage is demonstrated in the Generating and Verifying Signatures lesson.API的使用在生成和验证签名课程中演示。
This lesson contains the following sections本课程包含以下部分
If you electronically send someone an important document (or documents), or an applet or application to run, the recipient needs a way to verify that the document or code came from you and was not modified in transit (for example, by a malicious user intercepting it). 如果您以电子方式向某人发送了一份(或多份)重要文档,或要运行的小程序或应用程序,收件人需要一种方法来验证该文档或代码是否来自您,并且在传输过程中没有被修改(例如,被恶意用户拦截)。Digital signatures, certificates, and keystores all help ensure the security of the files you send.数字签名、证书和密钥存储都有助于确保您发送的文件的安全性。
The basic idea in the use of digital signatures is as follows.使用数字签名的基本思想如下。
keytool or security API methods. keytool或安全API方法生成私钥。jarsigner tool or Security API methods.jarsigner工具或Security API方法为文档或代码生成数字签名。A recipient needs to ensure that your public key itself is authentic before he/she can use it to verify that your signature is authentic. 收件人需要确保您的公钥本身是真实的,然后才能使用它来验证您的签名是真实的。Therefore, you will usually supply a certificate that contains your public key together with the key of a Certificate Authority who can vouch for your key's authenticity. See the next section for details.因此,您通常会提供一个证书,其中包含您的公钥以及可以保证密钥真实性的证书颁发机构的密钥。有关详细信息,请参阅下一节。
For more information about the terminology and concepts of signing and verification, and further explanation of the benefits, see the Signing JAR Files section of the "The Packaging Programs in JAR Files" lesson.有关签名和验证的术语和概念的更多信息,以及对其好处的进一步解释,请参阅“JAR文件中的打包程序”课程的“签名JAR文件”部分。
A certificate contains:证书包含:
One way for a recipient to check whether a certificate is valid is by verifying its digital signature, using its issuer's (signer's) public key. 收件人检查证书是否有效的一种方法是使用其颁发者(签名者)的公钥验证其数字签名。That key can itself be stored within another certificate whose signature can also be verified by using the public key of that next certificate's issuer, and that key may also be stored in yet another certificate, and so on. 该密钥本身可以存储在另一个证书中,该证书的签名也可以通过使用下一个证书颁发者的公钥进行验证,该密钥也可以存储在又一个证书上,以此类推。You can stop checking when you reach a public key that you already trust and use it to verify the signature on the corresponding certificate.当您到达您已经信任的公钥时,您可以停止检查,并使用它来验证相应证书上的签名。
If the recipient cannot establish a trust chain, then he/she can calculate the certificate fingerprint(s), using the 如果收件人无法建立信任链,那么他/她可以使用keytool -import or -printcert command. keytool -import或-printcert命令计算证书指纹。A fingerprint is a relatively short number that uniquely and reliably identifies the certificate. 指纹是一个相对较短的数字,可以唯一可靠地识别证书。(Technically, the fingerprint is a hash value of the certificate information, using a message digest function.) (从技术上讲,指纹是证书信息的哈希值,使用消息摘要函数。)The recipient can then phone the certificate owner and compare the fingerprint values of the received certificate with the certificate that was sent. 然后,收件人可以给证书所有者打电话,并将收到的证书的指纹值与发送的证书进行比较。If the fingerprints are the same, the certificates are the same.如果指纹相同,证书也相同。
Thus you can ensure that a certificate was not modified in transit. 因此,您可以确保证书在传输过程中没有被修改。One other potential uncertainty when working with certificates is the identity of the sender. 使用证书时的另一个潜在不确定性是发件人的身份。Sometimes a certificate is self-signed, that is, signed using the private key corresponding to the public key in the certificate; the issuer is the same as the subject.有时证书是自签名的,即使用证书中公钥对应的私钥签名;发行人与主体相同。
Self-signing a certificate is useful for developing and testing an application. However, before deploying to users, obtain a certificate from a trusted third party, referred to as a certification authority (CA). 自签名证书对于开发和测试应用程序非常有用。但是,在部署给用户之前,请从受信任的第三方(称为证书颁发机构(CA))获取证书。To do so, you send a self-signed certificate signing request (CSR) to the CA. 为此,您需要向CA发送一个自签名证书签名请求(CSR)。The CA verifies the signature on the CSR and your identity, perhaps by checking your driver's license or other information. CA可能会通过检查您的驾照或其他信息来验证CSR上的签名和您的身份。The CA then vouches for your being the owner of the public key by issuing a certificate and signing it with its own (the CA's) private key. 然后,CA通过颁发证书并用自己的(CA的)私钥签名来保证您是公钥的所有者。Anybody who trusts the issuing CA's public key can now verify the signature on the certificate. 任何信任颁发CA公钥的人现在都可以验证证书上的签名。In many cases the issuing CA itself may have a certificate from a CA higher up in the CA hierarchy, leading to certificate chains.在许多情况下,颁发CA本身可能拥有来自CA层次结构中更高级别的CA的证书,从而形成证书链。
Certificates of entities you trust are typically imported into your keystore as "trusted certificates." 您信任的实体的证书通常作为“受信任的证书”导入到您的密钥库中The public key in each such certificate may then be used to verify signatures generated using the corresponding private key. Such verifications can be accomplished by:然后,每个此类证书中的公钥可用于验证使用相应私钥生成的签名。此类验证可以通过以下方式完成:
jarsigner tool (if the document/code and signature appear in a JAR file),jarsigner工具(如果文档/代码和签名出现在JAR文件中),If you are sending signed code or documents to others, you need to supply them with the certificate containing the public key corresponding to the private key used to sign the code/document. 如果您要向他人发送已签名的代码或文档,则需要向他们提供包含与用于签名代码/文档的私钥相对应的公钥的证书。The keytool -export command or API methods can export your certificate from your keystore to a file, which can then be sent to anyone needing it. keytool -export命令或API方法可以将证书从密钥库导出到一个文件中,然后可以将该文件发送给任何需要它的人。A person who receives the certificate can import it into the keystore as a trusted certificate, using, for example, API methods or the 接收证书的人可以使用例如API方法或keytool -import command.keytool -import命令将其作为可信证书导入密钥库。
If you use the 如果您使用jarsigner tool to generate a signature for a JAR file, the tool retrieves your certificate and its supporting certificate chain from your keystore. jarsigner工具为JAR文件生成签名,该工具将从密钥库中检索您的证书及其支持证书链。The tool then stores them, along with the signature, in the JAR file.然后,该工具将它们与签名一起存储在JAR文件中。
Private keys and their associated public key certificates are stored in password-protected databases called keystores. 私钥及其关联的公钥证书存储在称为密钥存储库的受密码保护的数据库中。A keystore can contain two types of entries: the trusted certificate entries discussed above, and key/certificate entries, each containing a private key and the corresponding public key certificate. 密钥库可以包含两种类型的条目:上面讨论的可信证书条目和密钥/证书条目,每个条目都包含一个私钥和相应的公钥证书。Each entry in a keystore is identified by an alias.密钥库中的每个条目都由别名标识。
A keystore owner can have multiple keys in the keystore, accessed via different aliases. An alias is typically named after a particular role in which the keystore owner uses the associated key. 密钥库所有者可以在密钥库中拥有多个密钥,通过不同的别名进行访问。别名通常以密钥库所有者使用关联密钥的特定角色命名。An alias may also identify the purpose of the key. For example, the alias 别名也可以标识密钥的用途。例如,别名signPersonalEmail might be used to identify a keystore entry whose private key is used for signing personal e-mail, and the alias signJarFiles might be used to identify an entry whose private key is used for signing JAR files.signPersonalEmail可用于标识其私钥用于签名个人电子邮件的密钥库条目,别名signJarFiles可用于标识私钥用于签名JAR文件的条目。
The keytool tool can be used tokeytool工具可用于
API methods can also be used to access and to modify a keystore.API方法也可以用于访问和修改密钥存储。
Note the following regarding use of the tools and the API related to digital signatures.请注意以下与数字签名相关的工具和API的使用。
jar tool. jarsigner tool to sign a JAR file.jarsigner工具对JAR文件进行签名时,会发生这种情况。jarsigner tool to verify the authenticity of a JAR file signature, the person/organization that received the JAR file first needs to import into their keystore a certificate authenticating the public key corresponding to the private key used to sign the code.jarsigner工具验证JAR文件签名的真实性,收到JAR文件的个人/组织首先需要将一个证书导入到他们的密钥库中,该证书验证与用于签名代码的私钥对应的公钥。The Generating and Verifying Signatures shows you how to use the JDK Security API to sign documents. The lesson shows what one program, executed by the person who has the original document, would do to生成和验证签名向您展示了如何使用JDKSecurity API对文档进行签名。本课展示了由拥有原始文档的人执行的一个程序会对以下内容做什么
Then it shows an example of another program, executed by the receiver of the data, signature, and public key. It shows how the program然后,它显示了由数据、签名和公钥的接收者执行的另一个程序的示例。它显示了程序是如何运行的
This lesson also shows you alternative ways to import and supply keys, including certificates.本课程还将向您展示导入和提供密钥(包括证书)的其他方法。
The Signing Code and Granting It Permissions lesson shows how to use Java Security tools to place your code into a JAR file, sign it, and export your public key. 签名代码和授予权限课程展示了如何使用Java安全工具将代码放入JAR文件中,对其进行签名,并导出公钥。Then it shows how your recipient can use these same Java tools to import your public key certificate and then add an entry to a policy file that will grant your code the permission it needs to access system resources controlled by your recipient.然后,它显示了您的收件人如何使用这些相同的Java工具导入您的公钥证书,然后向策略文件添加一个条目,该条目将授予您的代码访问收件人控制的系统资源所需的权限。
The Exchanging Files lesson you how to use Java security tools to sign a document and then export the public key certificate for the public key using 交换文件课程将教您如何使用Java安全工具对文档进行签名,然后使用keytool. keytool导出公钥的公钥证书。corresponding to the private key used to sign that document using 对应于使用keytool. keytool对该文档进行签名的私钥。Then it shows how your recipient can verify your signature by installing your public key certificate and then using the 然后,它显示了您的收件人如何通过安装您的公钥证书,然后使用jarsigner tool to verify your signature.jarsigner工具验证您的签名来验证您的签署。
These two lessons have much in common. In both cases, the first two steps for the code or document sender are to:这两节课有很多共同点。在这两种情况下,代码或文档发送者的前两个步骤是:
jar tool.JAR工具创建一个包含文档或类文件的JAR文件。keytool -genkey command.keytool -genkey命令生成密钥(如果它们不存在)。The next two steps are optional:接下来的两个步骤是可选的:
keytool -certreq command; then send the resulting certificate signing request to a certification authority (CA) such as VeriSign.keytool -certreq命令;然后将得到的证书签名请求发送给诸如VeriSign之类的证书颁发机构(CA)。keytool -import command to import the CA's response.keytool -import命令导入CA的响应。The next two steps are required:接下来需要两个步骤:
jarsigner tool and the private key generated earlier.jarsigner工具和之前生成的私钥对JAR文件进行签名。keytool -export command. Then supply the signed JAR file and the certificate to the receiver.keytool -export命令导出公钥证书。然后将签名的JAR文件和证书提供给接收者。In both cases, the receiver of the signed JAR file and the certificate should import the certificate as a trusted certificate, using the 在这两种情况下,签名的JAR文件和证书的接收者都应该使用keytool -import command. keytool -import命令将证书作为受信任的证书导入。The keytool will attempt to construct a trust chain from the certificate to be imported to an already trusted certificate in the keystore. keytool工具将尝试从要导入的证书到密钥库中已受信任的证书构建信任链。If that fails, the 如果失败,keytool will display the certificate fingerprint and prompt you to verify it.keytool将显示证书指纹并提示您进行验证。
If what was sent was code, the receiver also needs to modify a policy file to permit the required resource accesses to code signed by the private key corresponding to the public key in the imported certificate. The Policy Tool can be used to do this.如果发送的是代码,则接收方还需要修改策略文件,以允许对由与导入证书中的公钥对应的私钥签名的代码进行所需的资源访问。策略工具可用于执行此操作。
If what was sent was one or more documents, the receiver needs to verify the authenticity of the JAR file signature, using the 如果发送的是一个或多个文档,则接收方需要使用jarsigner tool.jarsigner工具验证JAR文件签名的真实性。
This lesson discusses the two optional steps. The other steps are covered in the next two lessons, Signing Code and Granting It Permissions and Exchanging Files .本课讨论两个可选步骤。其他步骤将在接下来的两节课中介绍,签名代码和授予权限以及交换文件。
When 当使用keytool is used to generate public/private key pairs, it creates a keystore entry containing a private key and a self-signed certificate for the public key. (That is, the certificate is signed using the corresponding private key.) This is adequate when developing and testing an application.keytool生成公钥/私钥对时,它会创建一个包含私钥和公钥自签名证书的密钥库条目。(也就是说,证书是使用相应的私钥签名的。)在开发和测试应用程序时,这就足够了。
However, a certificate is more likely to be trusted by others if it is signed by a certification authority (CA). To get a certificate signed by a CA, you first generate a certificate signing request (CSR), via a command such as the following:但是,如果证书由证书颁发机构(CA)签名,则更有可能被其他人信任。要获取由CA签名的证书,您首先需要通过以下命令生成证书签名请求(CSR):
keytool -certreq -alias alias -file csrFile
Here alias is used to access the keystore entry containing the private key and the public key certificate, and csrFile specifies the name to be used for the CSR created by this command.这里alias用于访问包含私钥和公钥证书的密钥库条目,csrFile指定此命令创建的CSR要使用的名称。
You then submit this file to a CA, such as VeriSign, Inc. The CA authenticates you, the requestor ("subject"), and then signs and returns a certificate authenticating your public key. By signing the certificate, the CA vouches that you are the owner of the public key.然后,您将此文件提交给CA,如VeriSign,股份有限公司。CA对您(请求者(“主体”)进行身份验证,然后签名并返回验证您公钥的证书。通过签署证书,CA保证您是公钥的所有者。
In some cases, the CA will return a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.在某些情况下,CA将返回一个证书链,每个证书链都对链中前一个证书的签名者的公钥进行身份验证。
After submitting a certificate signing request (CSR) to a certification authority (CA), you need to replace the original self-signed certificate in your keystore with a certificate chain by importing the certificate (or chain of certificates) returned to you by the CA.向证书颁发机构(CA)提交证书签名请求(CSR)后,您需要通过导入CA返回给您的证书(或证书链),将密钥库中的原始自签名证书替换为证书链。
But first you need a "trusted certificate" entry in your keystore (or in the 但首先,您需要在密钥库(或下文所述的cacerts keystore file, described below) that authenticates the CA's public key. cacerts密钥库文件)中有一个“可信证书”条目,用于验证CA的公钥。With such an entry the CA's signature can be verified. That is, the CA's signature on the certificate, or on the final certificate in the chain the CA sends to you in response to your CSR, can be verified.通过这样的条目,可以验证CA的签名。也就是说,可以验证CA在证书上的签名,或者CA为响应您的CSR而发送给您的链中的最终证书的签名。
Before you import the certificate reply from a CA, you need one or more "trusted certificates" in your keystore or in the 在从CA导入证书回复之前,您需要在密钥库或cacerts file.cacerts文件中有一个或多个“受信任的证书”。
The cacerts file represents a system-wide keystore with CA certificates. This file resides in the JRE security properties directory, java.home/lib/security, where java.home is the JRE installation directory.cacerts文件表示具有CA证书的系统范围密钥库。此文件位于JRE安全属性目录java.home/lib/security中,其中java.home是JRE安装目录。
IMPORTANT: Verify Your 重要提示:验证您的cacerts Filecacerts文件
Since you trust the CAs in the 由于您信任cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully. cacerts文件中的CA作为向其他实体签名和颁发证书的实体,因此必须仔细管理cacerts档案。The cacerts file should contain only certificates of the CAs you trust. cacerts文件应仅包含您信任的CA的证书。It is your responsibility to verify the trusted root CA certificates bundled in the 您有责任验证cacerts file and make your own trust decisions.cacerts文件中捆绑的受信任根CA证书,并做出自己的信任决定。 To remove an untrusted CA certificate from the 要从cacerts file, use the delete option of the keytool command. cacerts文件中删除不受信任的CA证书,请使用keytool命令的delete选项。You can find the 您可以在JRE安装目录中找到cacerts file in the JRE installation directory. Contact your system administrator if you do not have permission to edit this file.cacerts文件。如果您没有编辑此文件的权限,请与系统管理员联系。
The cacerts file contains a number of trusted CA certificates. cacerts文件包含许多受信任的CA证书。If you sent your CSR to one of these trusted vendors (such as VeriSign), you won't need to import the vendor's root certificate as a trusted certificate in your keystore; you can go on to the next section to see how to import the certificate reply from the CA.如果您将CSR发送给这些受信任的供应商之一(如VeriSign),则不需要将供应商的根证书作为受信任的证书导入密钥库;您可以继续下一节,了解如何从CA导入证书回复。
A certificate from a CA is usually either self-signed or signed by another CA, in which case you also need a certificate authenticating that CA's public key. 来自CA的证书通常是自签名的或由另一个CA签名的,在这种情况下,您还需要一个证书来验证该CA的公钥。Suppose that company ABC, Inc., is a CA and that you obtain a file named 假设ABC,股份有限公司公司是一个CA,并且您获得了一个名为ABCCA.cer, purportedly a self-signed certificate from ABC, authenticating that CA's public key.ABCCA.cer的文件,据称是来自ABC的自签名证书,用于验证该CA的公钥。
Be very careful to ensure that the certificate is valid prior to importing it as a "trusted" certificate! 在将证书作为“受信任”证书导入之前,请务必确保其有效!View it first (using the 首先查看它(使用keytool -printcert command or the keytool -import command without the -noprompt option), and make sure that the displayed certificate fingerprint(s) match the expected ones. keytool -printcert命令或不带-noprompt选项的keytool -import命令),并确保显示的证书指纹与预期的指纹匹配。You can call the person who sent the certificate and compare the fingerprint(s) that you see with the ones that they show or that a secure public key repository shows. 您可以致电发送证书的人,将您看到的指纹与他们显示的指纹或安全公钥存储库显示的指纹进行比较。Only if the fingerprints are equal is it guaranteed that the certificate has not been replaced in transit with somebody else's (for example, an attacker's) certificate. 只有当指纹相等时,才能保证证书在传输过程中没有被其他人(例如攻击者)的证书替换。If such an attack took place and you did not check the certificate before you imported it, you would end up trusting anything the attacker has signed.如果发生了这样的攻击,并且您在导入证书之前没有检查它,您最终将信任攻击者签名的任何内容。
If you trust that the certificate is valid, you can add it to your keystore via a command such as the following:如果您相信证书有效,则可以通过以下命令将其添加到密钥库中:
keytool -import -alias alias -file ABCCA.cer -keystore storefile
This command creates a "trusted certificate" entry in the keystore whose name is that specified in storefile. The entry contains the data from the file 此命令在密钥库中创建一个“受信任的证书”条目,其名称与storefile中指定的名称相同。该条目包含文件ABCCAcer中的数据,并被分配了指定的别名。ABCCA.cer, and it is assigned the specified alias.
Once you've imported the required trusted certificate(s), as described in the previous section, or they are already in your keystore or in the 如前一节所述,一旦导入了所需的受信任证书,或者它们已经在您的密钥库或cacerts file, you can import the certificate reply and thereby replace your self-signed certificate with a certificate chain. cacerts文件中,您就可以导入证书回复,从而用证书链替换您的自签名证书。This chain will be either the one returned by the CA in response to your request (if the CA reply is a chain) or one constructed (if the CA reply is a single certificate) by using the certificate reply and trusted certificates that are already available in the keystore or in the 此链将是CA响应您的请求而返回的链(如果CA回复是链),或者是使用证书回复和密钥库或cacerts keystore file.cacerts密钥库文件中已有的受信任证书构建的链(若CA回复是单个证书)。
As an example, suppose that you sent your certificate signing request to VeriSign. You can then import the reply via the following, which assumes that the returned certificate is in the file specified by certReplyFile:例如,假设您向VeriSign发送了证书签名请求。然后,您可以通过以下方式导入回复,前提是返回的证书在certReplyFile指定的文件中:
keytool -import -trustcacerts
-keystore storefile
-alias alias
-file certReplyFileType this command on one line.在一行中键入此命令。
The certificate reply is validated by using trusted certificates from the keystore and optionally by using the certificates configured in the 通过使用密钥库中的受信任证书以及可选地使用cacerts密钥库文件中配置的证书(如果指定了-trustcacerts选项)来验证证书回复。cacerts keystore file (if the -trustcacerts option is specified). Each certificate in the chain is verified, using the certificate at the next level higher in the chain. 使用链中下一级的证书验证链中的每个证书。You need to trust only the top-level "root" CA certificate in the chain. 您只需要信任链中的顶级“根”CA证书。If you do not already trust the top-level certificate, 如果您还不信任顶级证书,keytool will display the fingerprint of that certificate and ask you whether you want to trust it.keytool将显示该证书的指纹,并询问您是否要信任它。
The new certificate chain of the specified (by alias) entry replaces the old certificate (or chain) associated with this entry. 指定(通过别名)条目的新证书链将替换与此条目的旧证书(或链)。The old chain can be replaced only if a valid keypass, the password used to protect the private key of the entry, is supplied. If no password is provided and if the private key password is different from the keystore password, the user is prompted for it.只有提供了有效的密钥,即用于保护条目的私钥的密码,才能替换旧链。如果没有提供密码,并且私钥密码与密钥库密码不同,则会提示用户输入密码。
For more detailed information about generating CSRs and importing certificate replies, see the 有关生成CSR和导入证书回复的更多详细信息,请参阅keytool documentation:keytool文档: