Skip to content
Advertisement

Is truststore a pure Java terminology?

When I search “truststore” on YouTube, I got the following video as the first hit. It is about Java.

https://www.youtube.com/watch?v=Ur9LlNOYnRg

A Google search also mostly returns Java webpages.

Is this a pure Java concept? How can in be explained in the context of SSL/TLS without using Java?

Advertisement

Answer

Note that certificates are not used only for SSL/TLS, and Java used them for codesigning almost a decade before it implemented SSL/TLS, although that has become much less important following the floppage of ‘deployment’ (i.e. automatically download code from everywhere and run it). Also, while Java ‘could just make a wrapper on C code’ (especially since the JVM, without which Java doesn’t really exist, is all C and C++), they didn’t; the SSL/TLS implementation provided by (standard = Sun-now-Oracle or OpenJDK) Java, called JSSE (Java Secure Socket Extension), is written in Java. The cryptographic primitives it uses are accessed using JCA, the Java Cryptography Architecture, and in most cases are also implemented in Java, although JCA providers can use ‘native’ code (C or C++) or external hardware (PKCS11 devices). (However, Apache Tomcat, and TTBOMK things based on it like Jboss Wildfly, has a ‘native’ option that instead of JSSE uses APR, Apache Portable Runtime, which in turn uses OpenSSL, which is C.)

That said, every implementation of anything relying on PKI, including but not limited to SSL/TLS, normally uses and needs something that stores (or otherwise persistently holds) trusted CA certs — sometimes limited to only root certs, and sometimes called ‘root’ certs even when they aren’t actually roots — but I don’t know of anything besides Java that calls this specifically ‘truststore’.

NSS has a ‘certificate database’ usually(?) backed by a ‘module’, Microsoft has a set of ‘certificate stores’ only some of which are ‘trusted’, Apple has a ‘KeyChain’ (although I found a few cases they describe it as a trust store). And GnuPG in S/MIME mode has a ‘keybox’ with an associated but separate ‘trustlist’ (while in PGP mode, which is WoT instead, it has a ‘keyring’ and ‘trustdb’). OpenSSL (and things using it) can have a ‘CA file’ and/or ‘CA directory (or path)’; some things using OpenSSL refer to the CA file as a ‘CA bundle’, ‘CA list’, or ‘root list’.

FWIW, the “Common CA Database” project, an attempt by Mozilla to coordinate the several programs that maintain nearly duplicate lists/stores of CAs, describes them as ‘Root Stores’ or ‘Root Store Operators’, although it explicitly allows (and often requires) the database to include intermediate CAs, i.e. not roots. Bleah.

User contributions licensed under: CC BY-SA
6 People found this is helpful
Advertisement