
When I searched for "truststore" on YouTube, I got the following video as the first hit. It is about Java.

https://www.youtube.com/watch?v=Ur9LlNOYnRg

A Google search also mostly returns Java webpages.

Is this a pure Java concept? How can it be explained in the context of SSL/TLS without using Java?

Bruno
user1424739
  • I mean, from what I understand, a trust store stores certificates. I'm not sure that I understand your question though. Are you asking whether certificate storage can only be done using Java? – zero298 Dec 09 '21 at 00:38
  • No. I am asking about the specific term "truststore", as I only see it in the context of Java, instead of the general context of SSL/TLS. If it is specific to Java, I am wondering why Java people create such a unique term whereas SSL/TLS has a more general implementation in C. They could just have made a wrapper on top of the C code. I don't understand why Java people reinvent the wheel and create new terminologies for almost the same thing in other contexts. – user1424739 Dec 09 '21 at 02:23
  • Is "certificate store" an equivalent but more commonly used term outside the scope of Java? https://www.ibm.com/docs/en/i/7.3?topic=concepts-certificate-stores – user1424739 Dec 09 '21 at 02:25
  • Or are there many variant terminologies that refer to basically the same thing? – user1424739 Dec 09 '21 at 02:30
  • Trust store is just a word (or phrase) and anybody is allowed to use it. That said I see it used mainly in Java, and it is specifically used to refer to a keystore containing trusted certificates. Your comments about Java "reinventing" the wheel and about a "general implementation in C" don't make any sense to me. – President James K. Polk Dec 09 '21 at 06:44
  • I took the liberty to rephrase your question a little so that it doesn't look like it's asking for external resources (which seems to have been the reason for closure). – Bruno Dec 10 '21 at 12:04
  • @Bruno zero298, President James K. Polk and Magnas look like a*s h*l*s. They could be more constructive, just like you, and rephrase it. I am sure many questions that got closed could be rephrased in a way that they would not be considered as to be closed. – user1424739 Dec 10 '21 at 12:45

1 Answer


Note that certificates are not used only for SSL/TLS, and Java used them for codesigning almost a decade before it implemented SSL/TLS, although that has become much less important following the floppage of 'deployment' (i.e. automatically download code from everywhere and run it). Also, while Java 'could just make a wrapper on C code' (especially since the JVM, without which Java doesn't really exist, is all C and C++), they didn't; the SSL/TLS implementation provided by (standard = Sun-now-Oracle or OpenJDK) Java, called JSSE (Java Secure Socket Extension), is written in Java. The cryptographic primitives it uses are accessed using JCA, the Java Cryptography Architecture, and in most cases are also implemented in Java, although JCA providers can use 'native' code (C or C++) or external hardware (PKCS11 devices). (However, Apache Tomcat, and TTBOMK things based on it like JBoss Wildfly, have a 'native' option that instead of JSSE uses APR, Apache Portable Runtime, which in turn uses OpenSSL, which is C.)

That said, every implementation of anything relying on PKI, including but not limited to SSL/TLS, normally uses and needs something that stores (or otherwise persistently holds) trusted CA certs -- sometimes limited to only root certs, and sometimes called 'root' certs even when they aren't actually roots -- but I don't know of anything besides Java that calls this specifically 'truststore'.

NSS has a 'certificate database' usually(?) backed by a 'module', Microsoft has a set of 'certificate stores' only some of which are 'trusted', Apple has a 'KeyChain' (although I found a few cases they describe it as a trust store). And GnuPG in S/MIME mode has a 'keybox' with an associated but separate 'trustlist' (while in PGP mode, which is WoT instead, it has a 'keyring' and 'trustdb'). OpenSSL (and things using it) can have a 'CA file' and/or 'CA directory (or path)'; some things using OpenSSL refer to the CA file as a 'CA bundle', 'CA list', or 'root list'.

FWIW, the "Common CA Database" project, an attempt by Mozilla to coordinate the several programs that maintain nearly duplicate lists/stores of CAs, describes them as 'Root Stores' or 'Root Store Operators', although it explicitly allows (and often requires) the database to include intermediate CAs, i.e. not roots. Bleah.

dave_thompson_085
  • Thanks for the clarification. But it seems the terminology is really a mess :). Without your clarification, it will be very confusing to understand them. But now I know that they are basically the same. – user1424739 Dec 09 '21 at 14:55
  • You should vote open the post. There is no ground to close the question. – user1424739 Dec 09 '21 at 17:31
  • 1
    The closest "official term" for all this I can think of is "trust anchors" as mentioned in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280). That said, every vendor/project has its own terminology indeed. Java itself can use [confusing terminology when it comes to keystores/truststores](https://stackoverflow.com/a/26888423/372643). – Bruno Dec 10 '21 at 12:08
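The answer's point (every PKI-using implementation needs some container of trusted CA certificates, and only Java calls it a "truststore") and Bruno's "trust anchors" wording can be shown without any Java at all. Below is an added example, written for this page and not taken from the answer or from any project it mentions, in Go, where the trust store is simply an `x509.CertPool` passed as `Roots` to `Verify`. It constructs a throwaway root -> intermediate -> leaf hierarchy with made-up names (`Example Root CA`, `www.example.test`) and then validates the leaf against four different trust-store contents: the root as anchor, an empty store, the root as anchor but the intermediate missing from the chain, and the intermediate itself as the anchor (the CCADB situation the answer complains about, where a non-root sits in the "root store"):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed three-level hierarchy; every name here is invented for the example.
type pki struct{ root, intermediate, leaf *x509.Certificate }

const leafName = "www.example.test"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI() pki {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	inter := issue(caTemplate(2, "Example Issuing CA"), root, &intKey.PublicKey, rootKey)
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafName},
		DNSNames:     []string{leafName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return pki{root, inter, issue(leafTmpl, inter, &leafKey.PublicKey, intKey)}
}

// verifyWith acts as a TLS client would: `anchors` is the trust store (Java's truststore,
// OpenSSL's CAfile/CApath, NSS's cert db, ...), `sent` is what the peer supplied with its leaf.
func verifyWith(leaf *x509.Certificate, anchors, sent []*x509.Certificate) error {
	roots := x509.NewCertPool() // non-nil but possibly empty; a nil Roots would mean "use the OS store"
	for _, c := range anchors {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leafName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// outcomes reports, per trust-store configuration, whether the leaf validates.
func outcomes() map[string]bool {
	p := buildPKI()
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]bool{
		"root trusted, intermediate sent":     verifyWith(p.leaf, certs(p.root), certs(p.intermediate)) == nil,
		"empty trust store":                   verifyWith(p.leaf, nil, certs(p.intermediate)) == nil,
		"root trusted, intermediate not sent": verifyWith(p.leaf, certs(p.root), nil) == nil,
		"intermediate used as trust anchor":   verifyWith(p.leaf, certs(p.intermediate), nil) == nil,
	}
}

func main() {
	for name, ok := range outcomes() {
		fmt.Printf("%-38s valid=%v\n", name, ok)
	}
}
```

Two of the four cases are the ones practitioners trip over: a correct root in the trust store still fails when the server omits its intermediate (the "works in my browser, fails in my client" symptom, since browsers cache intermediates), and an intermediate placed directly in the trust store is accepted as an anchor even though it is not self-signed, which is exactly why "root store" is a loose name for these containers.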