[英]Certificate chain validation using java, checking revokation and OCSP status
I am new to the world of PKI, certificates in general.我是 PKI 世界的新手,一般是证书。 I am writing a service which needs to validate a chain of certiticates.
我正在编写一个需要验证证书链的服务。
The general approach taken is as follows采取的一般做法如下
a) Generate a List of certificates from the data sent a) 从发送的数据生成证书列表
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);
CertPathValidatorResult certPathValidatorResult = null;
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
List<X509Certificate> x509Certificates =
(List<X509Certificate>) certificateFactory.generateCertificates(byteArrayInputStream);
CertPath certPath = certificateFactory.generateCertPath(x509Certificates);
Load the JDK keystore, with something like this //Load the JDK's cacerts keystore file String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);加载 JDK 密钥库,如下所示 //Load the JDK's cacerts keystore file String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar) ; FileInputStream is = new FileInputStream(filename);
FileInputStream is = new FileInputStream(filename); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
KeyStore 密钥库 = KeyStore.getInstance(KeyStore.getDefaultType()); String password = "changeit";
字符串密码 = "changeit"; keystore.load(is, password.toCharArray());
keystore.load(is, password.toCharArray());
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); PKIXParameters pkixParameters = new PKIXParameters(keystore); //pkixParameters.setRevocationEnabled(false); PKIXParameters certPathValidatorResult = certPathValidator.validate(certPath, pkixParameters);
I am assuming if this is not a valid chain it would throw an exception.我假设如果这不是一个有效的链,它会抛出一个异常。 Would this validation check expired Certificates, Valid Public Key?
此验证会检查过期的证书、有效的公钥吗?
also I need to be able to find the the OCSP staus of a certificate or check if it is revoked>?我还需要能够找到证书的 OCSP 状态或检查它是否被撤销>? How can this be done using the Cryptography API
如何使用密码学 API 来完成
Is the use fo bouncy castle recommended over the API?是否推荐使用充气城堡而不是 API? Does Bouncy castle have a way to check CRL and OCSP status of a certificate?
Bouncy castle 是否可以检查证书的 CRL 和 OCSP 状态?
Thanks for all the pointers and help in advance.感谢您提前提供的所有指示和帮助。 Appreciate it.
欣赏它。
Best Regards此致
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(chain.getBytes());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
List<X509Certificate> x509Certificates = (List<X509Certificate>) certificateFactory.generateCertificates(byteArrayInputStream);
x509Certificates.get(1).verify(x509Certificates.get(0).getPublicKey());
x509Certificates.get(1).getNotBefore()
and和
x509Certificates.get(1).getNotAfter()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.