
How to enable OCSP in X509TrustManager?

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");

Is setting these properties really sufficient to enable OCSP?

If so, then why do we need Bouncy Castle OCSP support instead of just setting these properties?

If the certificates contain an Authority Information Access extension (OCSPSigning), then you have nothing more to do than set the properties you mentioned.

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");

See RFC3280 and How to up OCSP using OpenSSL for more information.

If your CA doesn't provide this extension in the issued certificates, then you can configure a responder URL by setting the property

Security.setProperty("ocsp.responderURL", ...)

By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

If the certificate of your OCSP responder does not match the certificate of the issuer, then you can set an alternative subject name by setting

Security.setProperty("ocsp.responderCertSubjectName", ...);

By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate, both the ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties must be used instead. When this property is set, those two properties are ignored.

For a description of all properties which can be used to configure OCSP, see the Java PKI Programmer's Guide.


Why do we need Bouncy Castle OCSP support instead of just setting these properties?

Nobody is saying that you have to use Bouncy Castle as the security provider. Using the default Sun JCE is fine, at least in the case of JRE 1.8.
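As an added example (not part of the answer above), the following shows the JDK-only route the answer describes: the two global properties next to a programmatically built X509TrustManager whose PKIX parameters carry an explicit PKIXRevocationChecker, which is the Java 8+ way to get per-trust-manager control over OCSP (hard-fail, no CRL fallback, optional responder override). The trust store path and password are placeholders, and the commented-out responder URL is a constructed example.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class OcspTrustManagerExample {

    // Returns a TrustManagerFactory whose X509TrustManager runs OCSP during path validation.
    // trustStorePath / password are placeholders supplied by the caller (assumption).
    static TrustManagerFactory ocspTrustManagerFactory(String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true); // same effect as checkRevocation=true, but scoped to this manager

        // Explicit revocation checker: OCSP only, no silent CRL fallback, and unreachable
        // responders fail the handshake (SOFT_FAIL is deliberately not set).
        PKIXRevocationChecker rc = (PKIXRevocationChecker)
                CertPathValidator.getInstance("PKIX").getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // Override the AIA location when the CA omits it (counterpart of ocsp.responderURL);
        // the URL below is a constructed placeholder.
        // rc.setOcspResponder(URI.create("http://ocsp.example.invalid"));
        pkix.addCertPathChecker(rc);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        // Property-based variant from the answer: JVM-wide, applies to trust managers
        // initialised with a plain KeyStore rather than CertPathTrustManagerParameters.
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        Security.setProperty("ocsp.enable", "true");

        TrustManagerFactory tmf = ocspTrustManagerFactory(
                System.getProperty("java.home") + "/lib/security/cacerts", "changeit".toCharArray());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // use ctx for client sockets
    }
}
```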
