
x509certificate certpath validation

Our use-case requires validating certificate revocation via OCSP on a PKIX set-up. My starting point was the code at this related question: OCSP Revocation on client certificate

I'm doing it manually at the application level since Tomcat doesn't support it. However, I'm having some trouble building the CertPath and I think I'm missing some fundamental understanding.

First I try to create the certPath for the incoming client x509Certificate.

KeyStore store is initialized correctly and contains only the root certificates that match the client x509Certificate.

EDIT: I got the same result after adding the intermediate certificates as well.

import java.security.cert.*;

// store is the KeyStore described above (only root certificates); x509certificate is the incoming client certificate
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();

However, I get an error at run-time:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What could be missing?

As you have it, I'm not sure how the CPB would find the subject certificate (x509certificate) to build a path to, unless it's in your keystore, which it typically wouldn't be. Simply providing the subject name isn't enough to build a validated path; the discovery & validation algorithm needs the full subject certificate. See what happens if you replace

certSelector.setSubject(x509certificate.getSubjectX500Principal());

with

certSelector.setCertificate(x509certificate);

You indicate that you added intermediate certificates. Since you did not update your code snippet, I wondered how you added these certificates. You should add these certificates as a CertStore:

X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
// icert1, icert2, ... are the intermediate certificates; the builder discovers them through this CertStore
CertStore cstore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));
params.addCertStore(cstore);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
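An added example, not code from the question or either answer, that combines the two fixes above (setCertificate for the target plus a Collection CertStore for the intermediates) and also switches on the OCSP revocation check the question is ultimately after, using the JDK's PKIXRevocationChecker. The class name, method names and the three PEM file paths are assumptions; the trust anchors are built directly from the root certificates instead of a KeyStore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ClientCertPathCheck {
    // Parses every certificate in a PEM or DER file; the path is supplied by the caller (assumption).
    static List<X509Certificate> load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
            return out;
        }
    }

    // Builds a path from the client certificate up to one of the trusted roots and validates it,
    // with revocation checked through PKIXRevocationChecker (OCSP first, CRL fallback by default).
    static PKIXCertPathBuilderResult buildAndValidate(X509Certificate clientCert,
            Collection<X509Certificate> roots, Collection<X509Certificate> intermediates)
            throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : roots) anchors.add(new TrustAnchor(root, null));
        // The target selector carries the whole certificate, not just its subject name.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(clientCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // Intermediates (and the target itself) are made discoverable through a CertStore.
        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(clientCert);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // Default options: OCSP via the responder named in the certificate's AIA extension, CRLs as fallback.
        params.addCertPathChecker(revocation);
        return (PKIXCertPathBuilderResult) cpb.build(params);
    }

    // Usage (file names are assumptions): java ClientCertPathCheck client.pem roots.pem intermediates.pem
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client = load(cf, args[0]).get(0);
        PKIXCertPathBuilderResult r = buildAndValidate(client, load(cf, args[1]), load(cf, args[2]));
        System.out.println("valid chain of " + r.getCertPath().getCertificates().size()
                + " certificate(s), anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

A rejected chain (untrusted issuer, expired or revoked certificate) surfaces as a CertPathBuilderException; the concrete reason is usually in its cause, so log that rather than only the "unable to find valid certification path" message.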
