
Certificate chain validation using Java, checking revocation and OCSP status

I am new to the world of PKI and certificates in general. I am writing a service which needs to validate a chain of certificates.

The general approach taken is as follows:

a) Generate a List of certificates from the data sent

    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);

    CertPathValidatorResult certPathValidatorResult = null;
    try {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        // generateCertificates returns a Collection<? extends Certificate>; copy it into a typed List
        List<X509Certificate> x509Certificates = new ArrayList<>();
        for (Certificate c : certificateFactory.generateCertificates(byteArrayInputStream)) {
            x509Certificates.add((X509Certificate) c);
        }

        CertPath certPath = certificateFactory.generateCertPath(x509Certificates);

  1. Load the JDK keystore, with something like this

        // Load the JDK's cacerts keystore file
        String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
        FileInputStream is = new FileInputStream(filename);
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "changeit";
        keystore.load(is, password.toCharArray());

  2.

        CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
        PKIXParameters pkixParameters = new PKIXParameters(keystore);
        //pkixParameters.setRevocationEnabled(false);
        certPathValidatorResult = certPathValidator.validate(certPath, pkixParameters);
    } catch (GeneralSecurityException | IOException e) {
        // a CertPathValidatorException (a GeneralSecurityException) means the chain did not validate
        throw new RuntimeException(e);
    }
  3. I am assuming that if this is not a valid chain it would throw an exception. Would this validation check for expired certificates and a valid public key?

  4. Also, I need to be able to find the OCSP status of a certificate or check if it is revoked. How can this be done using the Cryptography API?

  5. Is the use of Bouncy Castle recommended over the API? Does Bouncy Castle have a way to check the CRL and OCSP status of a certificate?

Thanks in advance for all the pointers and help. Appreciate it.

Best Regards

  1. It's correct, you can use CertificateFactory to load a certificate chain.
  2. If you want to validate a chain of certificates, you don't need a KeyStore. The certificates are validated with the certificate of the authority that emitted that certificate.
     For example:

        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(chain.getBytes());
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> x509Certificates = new ArrayList<>();
        for (Certificate c : certificateFactory.generateCertificates(byteArrayInputStream)) {
            x509Certificates.add((X509Certificate) c);
        }
        // checks the signature on the second certificate with the first certificate's public key;
        // throws a GeneralSecurityException (e.g. SignatureException) if it does not verify
        x509Certificates.get(1).verify(x509Certificates.get(0).getPublicKey());

     In this case you can use it to validate a certificate if you don't know the root CA.
  3. You can check the validity period with

        x509Certificates.get(1).getNotBefore()

     and

        x509Certificates.get(1).getNotAfter()

  4. It is important to validate the status of the certificate.
  5. Yes, BouncyCastle is a great library for it.
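As an added example (not code from the question or the answer above), this is how revocation checking is switched on in the standard API with PKIXRevocationChecker (Java 8 and later) rather than commenting out setRevocationEnabled: it validates a PEM-encoded chain read from the file named by the first argument against the JDK cacerts store, queries OCSP with CRL fallback, and reports why a chain was rejected. The class and method names are my own.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class RevocationAwareChainValidator {
    // Loads the JDK's default trust store (cacerts) to serve as the PKIX trust anchors.
    static KeyStore loadCacerts() throws GeneralSecurityException, IOException {
        Path path = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, "changeit".toCharArray()); // default cacerts password
        }
        return ks;
    }

    // Validates a PEM-encoded chain (leaf first) against the trust store. Revocation is
    // checked by the built-in PKIXRevocationChecker: OCSP first, CRL as fallback, and an
    // undetermined status is a failure because SOFT_FAIL is not set.
    static PKIXCertPathValidatorResult validate(byte[] pemChain, KeyStore trustStore)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(pemChain))) {
            chain.add((X509Certificate) c);
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No PREFER_CRLS, NO_FALLBACK or SOFT_FAIL: OCSP, then CRLs, unknown status fails.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXParameters params = new PKIXParameters(trustStore);
        // Adding the checker replaces the default revocation handling (RevocationEnabled is ignored).
        params.addCertPathChecker(checker);
        return (PKIXCertPathValidatorResult) validator.validate(cf.generateCertPath(chain), params);
    }

    public static void main(String[] args) throws Exception {
        try {
            PKIXCertPathValidatorResult r = validate(Files.readAllBytes(Paths.get(args[0])), loadCacerts());
            System.out.println("valid, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED from UNDETERMINED_REVOCATION_STATUS, EXPIRED,
            // INVALID_SIGNATURE etc.; getIndex() is the position of the offending certificate.
            System.out.println("rejected: " + e.getReason() + " (cert index " + e.getIndex() + "): " + e.getMessage());
        }
    }
}
```

Without network access to the OCSP responder or CRL distribution point the chain is rejected with UNDETERMINED_REVOCATION_STATUS, which is the safe default; SOFT_FAIL would accept it instead.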
