
Certificate chain validation using Java, checking revocation and OCSP status

I am new to the world of PKI and certificates in general. I am writing a service which needs to validate a chain of certificates.

The general approach taken is as follows:

a) Generate a List of certificates from the data sent and build a CertPath from it:

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);

CertPathValidatorResult certPathValidatorResult = null;
try {

  CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
  // generateCertificates() returns Collection<? extends Certificate>; copy it into a typed
  // list instead of an unchecked cast to List<X509Certificate>
  List<X509Certificate> x509Certificates = new ArrayList<>();
  for (Certificate certificate : certificateFactory.generateCertificates(byteArrayInputStream)) {
      x509Certificates.add((X509Certificate) certificate);
  }

  CertPath certPath = certificateFactory.generateCertPath(x509Certificates);

1. Load the JDK keystore, with something like this:

  // Load the JDK's cacerts keystore file; replace() must apply to the whole path, not just the literal
  String filename = (System.getProperty("java.home") + "/lib/security/cacerts").replace('/', File.separatorChar);
  KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
  String password = "changeit";
  try (InputStream is = new FileInputStream(filename)) {
      keystore.load(is, password.toCharArray());
  }

2. Validate the chain against it:

  CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
  PKIXParameters pkixParameters = new PKIXParameters(keystore);
  //pkixParameters.setRevocationEnabled(false);
  // validate() returns a CertPathValidatorResult (not a PKIXParameters)
  certPathValidatorResult = certPathValidator.validate(certPath, pkixParameters);
} catch (GeneralSecurityException | IOException e) {
  throw new RuntimeException("certificate chain validation failed", e);
}

3. I am assuming that if this is not a valid chain it would throw an exception. Would this validation check expired certificates and a valid public key?

4. Also, I need to be able to find the OCSP status of a certificate or check if it is revoked. How can this be done using the Cryptography API?

5. Is the use of Bouncy Castle recommended over the API? Does Bouncy Castle have a way to check the CRL and OCSP status of a certificate?

Thanks for all the pointers and help in advance. Appreciate it.

Best Regards

1. It's correct, you can use CertificateFactory to load a certificate chain.

2. If you want to validate a chain of certificates, you don't need a KeyStore. The certificates are validated with the certificate of the authority that issued that certificate. For example:

// chain is assumed to hold the PEM-encoded certificates as a String
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(chain.getBytes());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
List<X509Certificate> x509Certificates = new ArrayList<>();
for (Certificate c : certificateFactory.generateCertificates(byteArrayInputStream))
    x509Certificates.add((X509Certificate) c);
// throws if certificate 1 was not signed by the key in certificate 0 (its issuer)
x509Certificates.get(1).verify(x509Certificates.get(0).getPublicKey());

In this case you can use it to validate a certificate if you don't know the root CA.

3. You can check the period with

x509Certificates.get(1).getNotBefore()

and

x509Certificates.get(1).getNotAfter()

4. It is important to validate the status of the certificate.

5. Yes, BouncyCastle is a great library for it.
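A complete version of the PKIX validation sketched in steps 1 and 2 of the question, with the revocation (OCSP/CRL) check asked about in point 4 done through the standard java.security.cert API rather than a third-party library; this is an added example, not code from the question or the answer. It assumes the chain file path is passed on the command line and uses the JDK's cacerts as the trust store.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class ChainValidator {
    // Builds a CertPath from an encoded chain (leaf first) and validates it against the trust
    // anchors in trustStore. Revocation is checked by the JDK's PKIXRevocationChecker for every
    // certificate: OCSP first, CRL as fallback; an unreachable responder/CRL fails validation.
    public static PKIXCertPathValidatorResult validate(byte[] chainBytes, KeyStore trustStore)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(chainBytes))) {
            chain.add((X509Certificate) c);
        }
        CertPath certPath = cf.generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        // Empty option set keeps the strict defaults; ONLY_END_ENTITY or SOFT_FAIL would weaken it.
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXParameters params = new PKIXParameters(trustStore);
        // Adding the checker replaces the provider's default revocation mechanism.
        params.addCertPathChecker(revocation);
        // No setDate() call, so notBefore/notAfter are checked against the current time.
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    // Assumed usage: java ChainValidator chain.pem (a PEM chain file supplied by the caller).
    public static void main(String[] args) throws Exception {
        byte[] chainBytes = Files.readAllBytes(Paths.get(args[0]));
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"))) {
            cacerts.load(in, null);  // null password: read the trust anchors without the integrity check
        }
        try {
            PKIXCertPathValidatorResult result = validate(chainBytes, cacerts);
            System.out.println("valid, anchor: " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED, EXPIRED, UNDETERMINED_REVOCATION_STATUS, ...; getIndex() is the failing cert
            System.out.println("invalid: " + e.getReason() + " at index " + e.getIndex() + " (" + e.getMessage() + ")");
        }
    }
}
```

Because the revocation checker is added explicitly, OCSP is performed even when the `ocsp.enable` security property is not set; a revoked certificate surfaces as a CertPathValidatorException whose reason is BasicReason.REVOKED.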
