Question
I have a fresh installation of Ubuntu 18.04. I'm having problems with my builds (e.g. Maven and Gradle) accessing a repository over https; the message it shows is:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
When I try to access the certificates from my keystore using the following command:
keytool -list -keystore /etc/ssl/certs/java/cacerts
I get prompted for a password, which is not a problem, but if I just press enter without inputting the password it does not show any of the entries.
If I put in the password, all the certificates appear normally. What I had to do is add the following system property to all my Java applications: javax.net.ssl.trustStorePassword=changeit
Then everything works normally. What am I doing wrong?
EDIT:
This is the permission on the cacerts right now:
-rw-r--r-- 1 root root 167K jun 8 11:21 /etc/ssl/certs/java/cacerts
so everyone can read. If I try to use list without a password:
keytool -list -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries
with the password:
keytool -list -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 134 entries
Answer 1:
"read should be password free, only write operations should need a password"
You misunderstand the purpose of the password. The password is (in effect) a decryption key for the keystore. It protects against unauthorized reads, irrespective of file system permissions.
If you want / need to allow reads without a password but protect against writes, you need to use file system permissions for that. The following Q&A explains how to remove the default password:
- How do I get into a non-password protected Java keystore or change the password?
Here's an explanation of why a password controlling write (and not read) cannot work.
Suppose that the trusted key store is readable without a password. A user could then do the following:
- Read the keys in the keystore
- Create a new (empty) keystore
- Write the keys to the new keystore
- Rename the new keystore so that it replaces the old keystore.
This could be done using a custom Java application or (probably) the standard keytool utility and the mv command.
The only way that you can prevent this is to stop the application (or the user) from replacing the old keystore with the new one via file system permissions. If you can't do that (e.g. because the user has admin-level access) then there is no solution that doesn't have security holes.
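An added diagnostic that is not part of the question or the answer: it loads the trust store once without and once with the password, reports how many trusted certificates each attempt exposes, and then performs the same TrustManagerFactory initialisation the JSSE does, failing with a readable message instead of the "trustAnchors parameter must be non-empty" exception. The class name TrustStoreCheck and the default path and password (taken from the question) are assumptions and can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;

/* Added example (not from the question or answer): load the trust store with and
 * without its password, then initialise the trust manager with a clear error. */
public class TrustStoreCheck {
    /* A null password skips the integrity check, which is what "just press enter"
     * in the question does; the store may then expose no entries at all. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /* Number of trusted-certificate entries the loaded store exposes. */
    static int countTrustedCerts(KeyStore ks) throws Exception {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the path and password from the question; override via arguments.
        String path = args.length > 0 ? args[0] : "/etc/ssl/certs/java/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        try {
            System.out.println("without password: " + countTrustedCerts(load(path, null)) + " trusted certs");
        } catch (Exception e) {
            System.out.println("without password: load failed (" + e + ")");
        }
        KeyStore trusted = load(path, password);
        int n = countTrustedCerts(trusted);
        System.out.println("with password:    " + n + " trusted certs");
        // Fail here with a clear message rather than letting JSSE throw
        // "the trustAnchors parameter must be non-empty" on the first TLS handshake.
        if (n == 0) {
            throw new IllegalStateException(path + " contains no trusted certificates");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted); // the call whose failure surfaces as that exception
        System.out.println("TrustManagerFactory initialised with " + n + " trust anchors");
    }
}
```

Run it with the same path and password the build uses; a zero count in the "without password" line while the "with password" line is non-zero is exactly the situation the question describes.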
Source: https://stackoverflow.com/questions/50798434/keytool-asking-for-password-to-read-java-certificates-ubuntu-18-04