2

如何让 Jetty 9 在访问密钥库时忽略密钥传递?

这是我所做的:

  • 我在startssl.com 为我的域生成了证书
  • 我像这样生成了链式证书(mine + sub.class1.server.ca.pem + ca.pem)openssl pkcs12 -export -inkey ssl.key -in /home/ubuntu/bundle.crt -out /home/ubuntu/bundle.pkcs12
  • 像这样将它们导入新的密钥库:keytool -importkeystore -srckeystore /home/ubuntu/bundle.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/jetty/etc/keystore
  • 出于某种原因,别名是“1”,所以我将其重命名为“jetty”,如下所示keytool -changealias -alias "1" -destalias "jetty" -keystore /opt/jetty/etc/keystore -storepass storepwd
  • 请注意,我使用storepwd的是 Jetty 发行版的默认密码

我的jetty-ssl.xml包含这个

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>

现在,当我启动所有这些美丽 Jetty 崩溃并出现以下错误

2013-07-11 21:34:01.984:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@e45a028(/opt/jetty/etc/keystore,/opt/jetty/etc/keystore): java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)

这显然是密码不匹配,因为它期望/传递keypwd来自 Jetty 附带的默认密钥库的密钥传递。

这是我的证书: http ://pastebin.com/raw.php?i=p8LhT50P 它的输出来自keytool -list -keystore /opt/jetty/etc/keystore -storepass storepwd -storetype JKS -v

它在哪里设置?我该如何解决这个错误?

谢谢!

4

1 回答 1

7

涉及两个密码:密钥库密码 ( KeyStorePassword) 和密钥密码 ( KeyManagerPassword)。对于 PKCS#12 存储,它们是相同的。

由于您已使用密钥库的密码将密钥从 PKCS#12 存储库导入 JKS 存储库,这并不意味着密钥本身的密码已更改,而且可能没有更改"keypwd"(Jetty 的默认设置)。尝试KeyManagerPassword用您的 PKCS#12 商店的密码替换 的值。

(请注意,一般情况下,您不需要转换密钥库,您可以将其用作PKCS12KeyStoreType。)

于 2013-07-12T00:28:43.860 回答