问题
I am making a web service that will store public and private keys for each record in a database table.
The keys are made using Java, but I am unsure weather to create a keystore or place the keys inside fields in the databbase directly.
What option would you recommend and what are the benefits of each method?
回答1:
If you use a keystore, you'll be using a database that has been designed to keep encrypted items, such as keys and certificates.
Wherever possible, you shouldn't try and re-invent the wheel. Will a keystore suffice in your problem? If you try and design your own database for storing these artefacts, you're going to have to re-solve problems and issues which were taken into account already when creating databases such as Java's keystore.
回答2:
You can provide keystores to already existing implementations for data sending over http, which will fetch the keystore and perform all the necessary stuff so you don't have to. For server-side authentication this would be a keystore = KeyStore.getInstance("JKS"), containing all the trusted certificates.
For client-side authentication, if applicable (you need to verify yourself) also such implementation already exist where you just provide your client 'keystore' => this one will contain your certificate and it's private key => KeyStore.getInstance("PKCS12")
Then finally you want to store these stuff to database, here it gets a bit tricky.. Keystores are secured, so you can not just write it away.. you have to use the keystore.store(OutPutstream, password)..
What I find best is for instance:
@Entity
public class MyKeyStoreClass {
private Long id;
@Transient
private KeyStore keystore;
private String passwordForKeyStore;
private Byte[] keyStoreAsBytes;
@PreUpdate
@PrePersist
public void concertKeyStoreToBytes() {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
keystore.store(byteArrayOutputStream,
passwordForKeyStore.toCharArray());
keyStoreAsBytes = byteArrayOutputStream.toByteArray();
}
@PostLoad
public void getKeyStore() {
if (keystore == null && keyStoreAsBytes != null) {
keyStore = KeyStore.getInstance(getKeystoreType().getType());
keyStore.load(new ByteArrayInputStream(keystoreAsBytes), passwordForKeyStore.toCharArray());
}
}
The above code is not 100% correct, but it gives you a good idea of what I mean, If you don't work with annotations, you can do it using another approach but I think my point is clear ;)
回答3:
Why does each record have a private key? This is very strange design. Private keys see generally held by entities, e.g. People, or servers acting on their behalf.
回答4:
you can have a database to store userinfo not keys, for keys it is better to use keystore. so userinfo may contain {name, symmetric pass / hash, ...} and using the name you should be able to identify the key-record in the keystore. Again remember, do not use a global (user,pass) to read the keystore, use the user grant instead.
来源:https://stackoverflow.com/questions/3184502/storing-public-and-private-keys-in-a-database-or-keystore