android安全学习之3—java中的Key Management常用的一些概念

本文借助java中的key Management继续理解加解密中数字证书等概念。

• keystore

  The keystore is the file that actually holds the set of keys and certificates. By convention, this file is called.keystoreand is held in the user’s home directory ($HOME n Unix systems,C:\WINDOWS on icrosoft Windows systems, and so on).

就是放key和证书的文件。

• alias

  Every key in the keystore belongs to an entity. An alias is a shortened, keystore−specific name for an entity that has a key or certificate in the keystore. I choose to store my public and private key in my local keystore under the alias “sdo”; if you have a copy of my public key certificate, you may use that alias, or you may use another alias (like “ScottOaks”). The alias used for a particular entity is completely up to the discretion of the individual who first enters that entity into the keystore.

Keystore中的每个key都属于一个entity，这个entity可以解释为实体，比如你自己。如果你在keystore中存了key或者证书, alias就是你在keystore中的别名。比如我在keystore中保存了key和certificate，别名为sdo，而你保存了你自己的，别名为scott，这个主要用来区分。

• DN (distinguished name)

  The distinguished name for an entity in the keystore is a subset of its full X.500 name. This is a long string; for example, my DN is:
  CN=Scott Oaks, OU=JSD, O=Sun Microsystems, L=New York, S=NY, C=US
  DNs are used by certificate authorities to refer to the entities to whom they supply a certificate.Hence, unlike an alias, the DN for a particular key is the same no matter what keystore it is located in:if I send you my public key, it will have the DN encoded in the public key’s certificate.

就是一个长的字符串，主要是证书签发者用来区分它所要签发的证书的实体对象。如果给你签发了一个证书，这一长串的DN就是你的标志。

X509 certificates (and many other ANSI standards) make use of the idea of a distinguished name(usually referred to as a DN). The distinguished name of an individual includes these fields:
Common name (CN)
The (full) common nameof the individual.
Organizational unit (OU)
The unit the individual isassociated with.
Organization (O)
The organization the individual isassociated with.
Location (L)
The citywhere the individual is located.
State (S)
Thestate/province where the individual is located.
Country (C)
Thecountry where the individual is located.

一般DN由以上属性构成

• key entries

  A keystore may hold two types of entries. The first type of entry is called a key entry. A key entry may hold either an asymmetric key pair (private key and public key certificate) or a single secret key.
  If the entry holds a key pair, it may store a chain of certificates: the first certificate always contains the public key of the entity. Other certificates may be present that establish a chain to the root certificate of the CA that issued the entity’s certificate.

一个keystore中有两种类型的entry。第一种就是key entry，里面放着非对称密钥(private key and public key)或者对称密钥(secret key)。
如果这个entry中放置的是一个密钥对，即非对称密钥。它应该也会包含一个证书链。第一个证书中放着这个entry的public key，其他证书形成一个链式的结构，直到签发该证书的CA的证书(root certificate)。
另外一种是证书entry。

• certificate entries

  A certificate entry contains only a public key certificate; there is no private key associated with this entry. Certificate entries hold a single certificate rather than a chain, and the certificate is self−signed.
  These certificates are generally the root certificates of certificate authorities that you trust to issue certificates.

一个证书entry为只包含public key的数字证书，没有private key。证书entry只保存单个证书，而不是一个证书链，而且证书是自签名的。
这里不知道理解的对不对，当你想让你所信任的CA给你签发证书的时候，这些certificate就是提供给他们的东西(root certificate)。

• JKS, JCEKS, and PKCS12

  The keystore is an engine within the Java API, and Sun’s various security providers supply three different algorithms of the keystore. The default algorithm is JKS and is supplied by the security manager within the core API. It is capable of reading and storing key entries and certificate entries; however, the key entries can store only private keys. If you want to use the keystore for secret keys,you must use the JCEKS implementation, which is supplied by the security provider that comes with JCE. The JCEKS keystore can hold either private or secret keys for each key entry.
  The private keys held by JKS or JCEKS are encrypted. The encryption used by JKS is weaker than that used by JCEKS; it was designed to pass the old export restrictions of the U.S. The JCEKS keystore provides a much stronger encryption.

keystore其实也是java 提供的一个engine，肯定有很多种算法可以实现keystore的功能。很多java的security provider提供了三种算法，分别是JKS,JCEKS,和PKCS12。
JKS可以读和保存key entry和certificate entry，但是key entry只能保存private key。但是JCEKS可以。

ThePKCS12 algorithm does not supply a fully−functional keystore. You can read a keystore in this format and export information (such as the encoded certificate) from that keystore, but you cannot write or modify a keystore in that format. This format is used to import certificates from your Netscape browser into your Java keystore, as we'll show a little later.

这里描述的PKCS12是一种格式，而不是算法。主要是用来输出keystore给其他地方用。PKCS #12在前面文章已经介绍过，可以点击了解。