I want to list only our application's signed certificates, not the chain-signing certificates from the Java store, i.e. `<jdk_home>/jre/lib/security/cacerts` or any such JKS store.
The idea I have in mind is to take the `CN=` value from `Owner:` and check whether it exists anywhere in the whole store under `Issuer:`. If it is found, then it is not a signed certificate but the signer's certificate.
keytool -v -list -keystore cacerts -storepass "changeit"
Output:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 107 entries
*******************************************
*******************************************
Alias name: verisignuniversalrootca [jdk]
Creation date: Aug 25, 2016
Entry type: trustedCertEntry
Owner: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 401ac46421b31321030ebbe4121ac51d
Valid from: Tue Apr 01 19:00:00 CDT 2008 until: Tue Dec 01 17:59:59 CST 2037
Certificate fingerprints:
SHA1: 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
SHA256: 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
0000: 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 69 6D 0_.].[0Y0W0U..im
0010: 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 05 2B age/gif0!0.0...+
0020: 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E 6B C3 ..............k.
0030: CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 68 74 ..j.H.,...0%.#ht
0040: 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 73 69 tp://logo.verisi
0050: 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E 67 69 gn.com/vslogo.gi
0060: 66 f
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 77 FA 69 48 47 9F 53 12 D5 C2 EA 07 32 76 07 .w.iHG.S.....2v.
0010: D1 97 07 19 ....
]
]
*******************************************
*******************************************
Alias name: xrampglobalca [jdk]
Creation date: Aug 25, 2016
Entry type: trustedCertEntry
Owner: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
Issuer: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
Serial number: 50946cec18ead59c4dd597ef758fa0ad
Valid from: Mon Nov 01 11:14:04 CST 2004 until: Sun Dec 31 23:37:19 CST 2034
Certificate fingerprints:
SHA1: B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
SHA256: CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
I need a two-step solution...
Step 1: Determine all `Alias name:` values whose `Owner: CN=` value is not an `Issuer: CN=` value, and consider only those.
Step 2: Once the `Alias name` from step 1 is determined, I want the following details for that alias:
`Alias name: ` value
`Owner: CN=` value
`Signature algorithm name:` value
`Subject Public Key Algorithm:` value
`Valid from:` value
`until:` value
Expected output:
verisignuniversalrootca [jdk]
VeriSign Universal Root Certification Authority
SHA256withRSA
2048-bit RSA key
Tue Apr 01 19:00:00 CDT 2008
Tue Dec 01 17:59:59 CST 2037
Note: the above is just sample data and is not complete. You can pick `<jdk_home>/jre/lib/security/cacerts` on your system for a more realistic and reproducible example.
So far I have tried the following, but it is getting less and less clean, so I am asking the experts.
keytool -v -list -keystore cacerts -storepass "changeit" | awk '/Alias name:/ {print $3} /Owner: CN=/ {print substr($0, index($0,$4))}' | awk -F, '{print $1}'
I tried converting cacerts to PKCS12 format and then printing all the client certificates with openssl, but it does not show all the client certificate information.
Convert to PKCS12:
keytool -importkeystore -srckeystore cacerts -srcstorepass "changeit" -destkeystore my_cert.p12 -deststoretype PKCS12 -deststorepass "changeit" -noprompt
Show client certificates:
openssl pkcs12 -in /home/wladmin/my_cert.p12 -passin pass:'changeit' -passout pass:'changeit' -info -nokeys -clcerts -legacy
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Please advise.
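One way to do both steps in a single pass, as an added example that is not code from the question or the answer: an awk program that parses the `keytool -v -list` text, records every Issuer CN in the store, and then prints only the entries whose Owner CN never appears as an Issuer CN, which is exactly the rule described above. It goes slightly beyond the question's sample: it handles CN values that keytool prints in double quotes because they contain a comma, and for a PrivateKeyEntry it reports only Certificate[1] (the entry's own certificate) while still treating every Issuer in the chain as a signer. The listing it parses is constructed sample data, not a real store, and `list_leaf_certs` is a name chosen here. Note the caveat: matching on CN alone is an approximation of chain building; a real check compares the full Issuer DN with the Subject DN (or the AuthorityKeyIdentifier with the SubjectKeyIdentifier), so two different CAs that share a CN would be conflated.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a single-pass awk parser for
# `keytool -v -list` output. An entry is treated as a signer, and skipped, when its
# Owner CN appears as an Issuer CN anywhere in the store.
set -eu

# Read `keytool -v -list` text on stdin; print the six requested fields for each
# end-entity certificate, followed by a separator line.
list_leaf_certs() {
  awk '
    # Extract the CN value from a DN as keytool prints it. A value containing a comma is
    # printed in double quotes (CN="Example, Inc. Root CA"); otherwise it ends at a comma.
    function cn(dn,    s, q) {
      if (!match(dn, /CN=/)) return ""
      s = substr(dn, RSTART + 3)
      if (substr(s, 1, 1) == "\"") {
        s = substr(s, 2); q = index(s, "\""); return substr(s, 1, q - 1)
      }
      sub(/,.*$/, "", s)
      return s
    }
    /^Alias name: / { n++; alias[n] = substr($0, 13) }
    # A PrivateKeyEntry prints its whole chain as Certificate[1], Certificate[2], ...;
    # only Certificate[1] is the entry itself, but every Issuer in the chain is a signer.
    /^Owner: /      { certs[n]++; if (certs[n] == 1) owner[n] = cn(substr($0, 8)) }
    /^Issuer: /     { issuers[cn(substr($0, 9))] = 1 }
    certs[n] != 1   { next }
    /^Valid from: / { split($0, p, " until: "); notbefore[n] = substr(p[1], 13); notafter[n] = p[2] }
    /^Signature algorithm name: /     { sigalg[n] = substr($0, 27) }
    /^Subject Public Key Algorithm: / { pubkey[n] = substr($0, 31) }
    END {
      for (i = 1; i <= n; i++) {
        if (owner[i] in issuers) continue   # this CN signed something: a CA, not an app cert
        print alias[i]; print owner[i]; print sigalg[i]; print pubkey[i]
        print notbefore[i]; print notafter[i]; print "---------"
      }
    }'
}

# Constructed sample in the `keytool -v -list` layout (made-up entries, not a real store):
# a self-signed root, a PrivateKeyEntry whose chain is leaf -> issuing CA -> root, and a
# trusted client certificate issued by the issuing CA.
SAMPLE_LISTING='Keystore type: JKS
Your keystore contains 3 entries

*******************************************
*******************************************

Alias name: example-root
Entry type: trustedCertEntry

Owner: CN="Example, Inc. Root CA", O="Example, Inc.", C=US
Issuer: CN="Example, Inc. Root CA", O="Example, Inc.", C=US
Valid from: Tue Apr 01 19:00:00 CDT 2008 until: Tue Dec 01 17:59:59 CST 2037
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: server-alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app.example.test, O="Example, Inc.", C=US
Issuer: CN=Example Issuing CA, O="Example, Inc.", C=US
Valid from: Mon Aug 26 12:24:54 IST 2024 until: Sun Nov 24 12:24:54 IST 2024
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, O="Example, Inc.", C=US
Issuer: CN="Example, Inc. Root CA", O="Example, Inc.", C=US
Valid from: Tue Apr 01 19:00:00 CDT 2018 until: Tue Dec 01 17:59:59 CST 2028
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: client-cert [app]
Entry type: trustedCertEntry

Owner: CN=client.example.test, OU=Payments, O="Example, Inc.", C=US
Issuer: CN=Example Issuing CA, O="Example, Inc.", C=US
Valid from: Mon Aug 26 12:48:12 IST 2024 until: Sun Nov 24 12:48:12 IST 2024
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 3072-bit RSA key'

# Against a real store, feed keytool directly instead of the sample:
#   keytool -v -list -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit | list_leaf_certs
printf '%s\n' "$SAMPLE_LISTING" | list_leaf_certs
```

Run against the sample, it prints `server-alias` and `client-cert [app]` with their six fields and skips `example-root`, whose CN appears as an Issuer. The alias is taken from the whole `Alias name:` line, so aliases with spaces such as `verisignuniversalrootca [jdk]` are kept intact rather than being split at the space.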
Use this script:
#!/bin/bash
# Read aliases one per line so aliases containing spaces (e.g. "verisignuniversalrootca [jdk]") stay intact
keytool -v -list -keystore cacerts.jks -storepass "changeit" | sed -n 's/^Alias name: //p' | while IFS= read -r alias; do
  # Dump the entry once and select fields by their label instead of by line number
  entry=$(keytool -v -list -keystore cacerts.jks -storepass "changeit" -alias "$alias")
  # Take the whole CN value (up to the next comma), not just its first word; head -n 1 keeps Certificate[1] for chains
  cn_owner=$(printf '%s\n' "$entry" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1)
  cn_issuer=$(printf '%s\n' "$entry" | sed -n 's/^Issuer: CN=\([^,]*\).*/\1/p' | head -n 1)
  # Print only the self-signed entries (owner CN equals issuer CN)
  if [ "$cn_owner" != "$cn_issuer" ]; then
    continue
  else
    echo "$alias"
    echo "$cn_owner"
    printf '%s\n' "$entry" | sed -n 's/^Valid from: \(.*\) until: .*/\1/p' | head -n 1
    printf '%s\n' "$entry" | sed -n 's/^Valid from: .* until: \(.*\)/\1/p' | head -n 1
    printf '%s\n' "$entry" | sed -n 's/^Signature algorithm name: //p' | head -n 1
    printf '%s\n' "$entry" | sed -n 's/^Subject Public Key Algorithm: //p' | head -n 1
  fi
  echo "---------"
done
My local output:
alias-1
localhost-1
Mon Aug 26 12:48:12 IST 2024
Sun Nov 24 12:48:12 IST 2024
SHA384withRSA
3072-bit RSA key
---------
server-alias
localhost
Mon Aug 26 12:24:54 IST 2024
Sun Nov 24 12:24:54 IST 2024
SHA384withRSA
3072-bit RSA key
---------