
x509certificate certpath validation

Our use-case requires validating certificate revocation via OCSP on a PKIX set-up. My starting point was the code at this related question: OCSP Revocation on client certificate

I'm doing it manually at the application level since tomcat doesn't support it. However, I'm having some trouble building the certPath and I think I'm missing some fundamental understanding.

First I try to create the certPath for the incoming client x509Certificate.

KeyStore store is initialized correctly and contains only the root certificates that match the client x509Certificate.

EDIT: I got the same result after adding the intermediate certificates as well.

import java.security.cert.*;

// store: the KeyStore holding the trust anchors (root certificates);
// x509certificate: the client's X509Certificate received from the TLS handshake.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();

However, I get an error at run-time:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What could be missing?

As you have it, I'm not sure how the CPB would find the subject certificate (x509certificate) to build a path to, unless it's in your keystore, which it typically wouldn't be. Simply providing the subject name isn't enough to build a validated path; the discovery & validation algorithm needs the full subject certificate. See what happens if you replace

certSelector.setSubject(x509certificate.getSubjectX500Principal());

with

certSelector.setCertificate(x509certificate);

You indicate that you added intermediate certificates. Since you did not update your code snippet I wondered how you added these certificates. You should add these certificates as a CertStore:

import java.security.cert.*;
import java.util.Arrays;

// store: the KeyStore holding the trust anchors; icert1, icert2: the
// intermediate certificates as X509Certificate objects.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
// A Collection CertStore makes the intermediates discoverable to the path builder.
CertStore cstore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));
params.addCertStore(cstore);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
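The two answers above each fix one half of the problem: the builder needs the full target certificate (setCertificate), and it needs the intermediates reachable through a CertStore. The following is an added example, not code from the question or either answer, that combines both and wires in the OCSP revocation check the question set out to do. The file paths, the keystore password and the class and method names are placeholders assumed for illustration; the OCSP responder is located through the certificate's AIA extension, which is the JDK's default behaviour for PKIXRevocationChecker.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example (not part of the original question or answers): builds and
 * validates a PKIX path for a client certificate, with intermediates supplied
 * through a Collection CertStore and revocation checked via OCSP.
 */
public class ClientCertPathValidation {

    public static PKIXCertPathBuilderResult buildAndValidate(
            X509Certificate clientCert,
            KeyStore trustStore,
            List<X509Certificate> intermediates) throws Exception {

        // Target of the path build: the full client certificate, not just its subject name.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(clientCert);

        // trustStore holds only the trust anchors (root certificates).
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // Make the intermediates (and the target itself) discoverable to the builder.
        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(clientCert);
        CertStore certStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool));
        params.addCertStore(certStore);

        // Revocation checking: the PKIX builder's own PKIXRevocationChecker prefers
        // OCSP and falls back to CRLs by default. ONLY_END_ENTITY restricts the check
        // to the client certificate (assumed acceptable here; drop it to check the chain).
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) builder.getRevocationChecker();
        revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));
        params.addCertPathChecker(revocationChecker);

        // build() discovers the path AND validates it (PKIX rules plus the revocation checker).
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: in Tomcat the client certificate would come from the
        // request attribute "javax.servlet.request.X509Certificate" (first array element).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream("truststore.jks")) {   // placeholder path
            trustStore.load(in, "changeit".toCharArray());                // placeholder password
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate clientCert;
        try (FileInputStream in = new FileInputStream("client.pem")) {       // placeholder path
            clientCert = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate intermediate;
        try (FileInputStream in = new FileInputStream("intermediate.pem")) { // placeholder path
            intermediate = (X509Certificate) cf.generateCertificate(in);
        }

        try {
            PKIXCertPathBuilderResult result =
                    buildAndValidate(clientCert, trustStore, Arrays.asList(intermediate));
            System.out.println("Valid path, anchored at: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // Covers "unable to find valid certification path to requested target" as well as
            // revocation failures; getCause() usually carries the underlying reason.
            System.out.println("Rejected: " + e.getMessage()
                    + (e.getCause() != null ? " (" + e.getCause() + ")" : ""));
        }
    }
}
```

Two points worth checking when adapting this: a successful build() already implies the path passed validation, so a separate CertPathValidator run is not needed; and if the OCSP responder is unreachable the default checker fails the build, which is the safe choice for client-certificate authentication. Relaxing that with PKIXRevocationChecker.Option.SOFT_FAIL should be a deliberate decision, since it lets an attacker who can block OCSP traffic turn a revoked certificate into an accepted one.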
