All topics - Topic: keystore
t*******e
Posts: 684
1
From topic: Java board - java.security.KeyStore
Keystore is protected by password. As long as one has the password, he can
export the key pairs and import into another keystore. Does android keystore
have anything unique?
i**p
Posts: 902
2
From topic: Java board - java.security.KeyStore
Do you mean java.security.KeyStore can do whatever android.security.KeyStore
does on Android?
Then why does android provide a new one?
g*****g
Posts: 34805
3
From topic: Java board - java.security.KeyStore
I would think for security reasons, Google doesn't want you to
tamper with the system keystore but still wants to give you some restricted
access. Imagine you install an app from the market, it tampers with the keystore,
adds a self-signed certificate that shouldn't be trusted, intercepts
your connection and starts a man-in-the-middle attack.
r*****l
Posts: 2859
4
From topic: Java board - java.security.KeyStore
Can you provide the API and/or source android.security.KeyStore, and specify
which method you plan to use to "read the certificates' info from Android
KeyStore".
I found the source code from GrepCode but I don't think that class is for
this purpose. Maybe you are talking about a totally different animal.
i**p
Posts: 902
5
From topic: Java board - java.security.KeyStore
Android provides android.security.KeyStore. What is the difference between them?
t*******e
Posts: 684
6
From topic: Java board - java.security.KeyStore
KeyStore is a place to store public-private key pairs, plus the
corresponding certificates. Why is Android's different from the one that comes with
the JDK? App server vendors tend to bundle their own key stores in their products
too.
r*****l
Posts: 2859
7
From topic: Java board - java.security.KeyStore
This is not in the public API. And it does not do what Java KeyStore is
doing. Why do you have to use it?
i**p
Posts: 902
8
From topic: Java board - java.security.KeyStore
Implement an app to read the certificates' info from Android KeyStore on the
phone.
p***p
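Posts: 559
9
From topic: Security board - Problem with OpenSSL authentication for Tomcat and IE
I read the articles on IBM's website and on this site about setting up Tomcat's SSL feature, and followed the steps in them strictly.
First I used the OpenSSL binary downloaded from this site to create the CA's own key and self-signed it as the root certificate.
I used keytool to generate the server's key pair and the certificate to be signed, copied it, and then signed the certificate with OpenSSL. I used OpenSSL to produce the PK12 certificate for IE and signed it.
I imported the CA root certificate and the server certificate back into the server's keystore, and imported the CA root certificate and the client certificate into IE. As a result, when accessing 8443 a window pops up and the third item is still an exclamation mark, that is, the page name and the name in the CA certificate do not match. I tried various methods and none of them worked.
What is the usual cause of this? Everything is done locally on a single machine.
A few more questions:
1 If I use keytool to generate key pairs for the client and the server on the same machine, I must use two keystores, right? What exactly is the key alias for? Does one have to specify, for example, which alias's key Tomcat must use? If a keystore contains multiple key pairs, how does the program know which one to use?
2
The IBM article says the CA root certificate also has to be imported into the keystore specified by JSSE, JDK/JRE/L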
j*******y
Posts: 965
10
From topic: Java board - Anyone know SAML 2.0 and OpenSAML ?
Today I used keytool to create a keystore file, and imported the certificate
they gave me into the keystore. Then I created an assertion. I found an
assertion debug tool online. Now I can read the assertion after decoding.
I put the assertion into a test web page and submitted the form. I do not think I
got a correct response after submitting the form. It shows the login error.
How do I know my assertion is correct?
How do I change/define the key name in the keystore file?
Thank you a lot.
y********o
Posts: 2565
11
From topic: DotNet board - SSL certificate
Can IIS use a PKCS #12 keystore directly?
When I use Tomcat, I have to import the PFX file into a JKS keystore. The JDK's keytool does not yet support
PKCS #12 files.
g*****g
Posts: 34805
12
From topic: Java board - https certificate??
You don't get it. Java maintains a keystore, certificate is issued by CA.
Certain CAs (M$, Sun etc.) are automatically trusted, others you need to
implement a trusting process (this is like you ssh to a new site, you need
to manually accept a certificate).
Some of these third party libraries may have implemented this trusting
process. If that's the case, then by calling these libs, you are able
to import certificate to your local keystore, then you can do whatever
you need to. You don't have to
g*****g
Posts: 34805
13
From topic: Java board - SSL on JBoss
You always need a keystore on the server side, which contains
public and private keys. Server sends the public key (certificate)
to the client the first time the client connects. The client uses
the cert to encrypt the traffic and it can only be decrypted with
the keystore. This is asymmetric (actually a random key is generated
to do symmetric encryption and the random key itself is encrypted
asymmetrically)
Now the problem is the public key, a public key needs to be signed
by a trusted CA or your browser wi
j**z
Posts: 109
14
From topic: Java board - Anyone know SAML 2.0 and OpenSAML ?
1. You are supposed to return the above HTML to the client browser, as the
result/response when the user clicks the SSO link. The browser will POST the data
to the bank site by .
2. Value of SAMLResponse is the base64 encoded, and url encoded, SAML assertion
. SAML Assertion uses XML. You should be able to read it and understand the
structure.
3. You are not sending the keystore, you are supposed to send the public key file.
Keystore is where Java reads keys f
w*m
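Posts: 1806
15
From topic: Java board - Signing a jar file
A question for the experts,
I have a jar file that needs to be signed.
A PrivateKeyEntry has already been generated in the Java keystore and submitted to Entrust; I got the public
3rd party certificate and have already imported this public certificate into the keystore.
Next, I signed the jar file with the PrivateKeyEntry, and that succeeded too. The question is, how do I use this public
certificate?
The jar runs inside a Tomcat. Do I need to put the public certificate into Tomcat? Or import
it into the user's Java console?
I'm a newbie, please advise. Many thanks.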
p***n
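Posts: 17190
16
https://www.inside.com.tw/2018/10/24/google-titan-m-pixel-3
Inside Google's Titan M chip: how was the Pixel 3's ultimate bodyguard made?
2018/10/24 [Partner media] Leiphone. Tags: Google, Pixel 3, Titan M, chip, information security, software-hardware integration
This article is republished with permission from partner media Leiphone.
It is harder to break through than software protection, much harder.
On October 9, 2018, the Google Pixel 3/XL was officially unveiled in New York. Whether it is the AI technology that lets a single camera thrash dual cameras (specifically the iPhone XS Max), or the starting price of 799 US dollars, it has stirred up a lot of controversy. One thing is beyond dispute, though: the Pixel 3/XL is an unprecedented smartphone carrying three standalone chips, namely the Qualcomm Snapdragon 845, Pixel Visual Core and Titan M

Among them, Titan M is a chip Google built specifically for smartphone security. Although it is small in size, it has quite a pedigree.
From Tit...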
y********o
Posts: 2565
17
From topic: DotNet board - SSL certificate
What do you want? You'll be in the trusted root CA keystore by default in
all browsers only if you are VeriSign, Thawte or something like these.
b**h
Posts: 64
18
From topic: Java board - why it does not work?? :(((
simple socket communication via java applet.
1. write an applet to open socket on port 5000 to write a string.
2. keytool -genkey to generate keys
3. export key to file *.crt
4. jarsigner jar xxx.crt
5. load the jar file on web server, use to embed applet.
6. keytool -import -keystore cacerts -file xxx.crt (just for test purpose)
when I use the browser to go to the webpage, I could see the certificate was
verified successfully on java console, and saying applet started, no
exception.
but I
z****u
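Posts: 1
19
From topic: Java board - Mutual authentication between web server and client
A question: in mutual authentication, how do the server and the client exchange keys and encrypt the transmitted data?
I use the KeyStore in JDK1.4.1 to generate a keystore and obtain the private and public keys, then use DH keys to generate the key pairs for both parties, but I don't know how to generate the certificates, how I should go about it, and prove the identity of both parties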
g*****g
Posts: 34805
20
http://java.sun.com/docs/books/tutorial/security/apisign/vstep2.html
private key is similar. However, private key is supposed to be kept
in keystore though.
m******t
Posts: 2416
21

You need to ask that "somewhere" how to convert these bytes into a key. They
can be anything for all we know - exported ascii, raw bytes of a keystore
file, a serialized Key object, etc.
w******c
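Posts: 574
22
From topic: Java board - https certificate??
I am currently writing a connection using a URL.
HTTP connections are fine, and ordinary HTTPS with a normal certificate is fine too.
But sometimes I run into an unknown certificate and get an exception.
At that point I can only manually download the certificate from that URL and put it into the keystore,
and then I can connect.
I want to ask whether there is a way to have Java download these unknown certificates automatically,
so that I don't have to download them manually every time.
//thx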
t*******e
Posts: 684
23
From topic: Java board - https certificate??
KeyTool has both command line and API methods, and can add certificates to the keystore programmatically at runtime; thus, the approach you proposed is attainable.
w******c
Posts: 574
24
From topic: Java board - https certificate??

you mean automatically import to your local keystore?
or you need to manually write some code to import?
do you know any such library?
many thanks
g*****g
Posts: 34805
25
From topic: Java board - SSL on JBoss
I doubt that, PKI always needs a keystore.
T*****e
Posts: 361
26
Hello all,
I am trying to send out some email notification from a windows server to an
email list using our mail server. However, I got the following
certification error (see details below).
My application is a simple java application running every 5 minutes. We use
Java 5 update 16.
I have also added our mail server's certificate to the default keystore of
the user account running this application, according to this page:
http://www.java-samples.com/showtutorial.php?tutorialid=210
I also adde
T*****e
Posts: 361
27
Yes, our certificate is not signed by a trusted CA. That is why I had to
manually add it to Java's keystore using Java's key tool. However, it does
not seem to work.
T*****e
Posts: 361
28
It seems that I had made a mistake. I tried to add the certificate to the
current user's default key store location
(c:\Documents and Settings\user.name\.keystore) but it did not work.
Then I tried to add it to JDK_HOME\jre\lib\security\cacerts and
JRE_HOME\lib\security\cacerts. This time it worked just fine.
c*c
Posts: 447
29
>> java.io.EOFException: SSL peer shut down incorrectly
This sounds like an SSL handshake problem. You may need to import the HTTPS cert to
the keystore on the client side..
You can easily generate a webservice client from WSDL with netbeans..
It seems WS-Security is involved, you'll need some kind of framework to put
the WS-Security token into the WS header. You can do it in your code, but it'll
be nasty...
g*****g
Posts: 34805
30
Copied from the wiki,
http://en.wikipedia.org/wiki/Digital_signature
A digital signature scheme typically consists of three algorithms:
* A key generation algorithm that selects a private key uniformly at
random from a set of possible private keys. The algorithm outputs the
private key and a corresponding public key.
* A signing algorithm that, given a message and a private key, produces
a signature.
* A signature verifying algorithm that, given a message, public key and
a signature, either accep...
d**k
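Posts: 1223
31
From topic: Java board - Help: SSL connection to LDAP
It doesn't seem to work..... However, I tried importing the certificate into a keystore and putting it inside the JRE,
and that seemed to work (only in that I can establish a connection with the AD server). However, I saw someone say
you can use Java code to import a certificate at run time; if so, I wouldn't have to use
keytool every time.... Has anyone done this? Any hints? Thanks.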
t*******e
Posts: 684
32
From topic: Java board - java.security.KeyStore
just pick whichever you like.
c********l
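Posts: 8138
33
Tomcat has two different kinds of connector.
One is NIO/BIO; with this kind of connector you need to use the Java cipher suite,
in the Java keystore manner.
The other is APR.
When using APR, you just need to configure a dll (in a Windows environment).
APR reads an OpenSSL-format key file / cert file.
The OpenSSL format is not compatible with Java's keytool.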