OCSP吊銷客戶端證書

Question

如果僅使用客戶端的java.security.cert.X509Certificate，如何使用OCSP手動檢查java中的證書撤銷狀態？ 我看不清楚這樣做的明確方法。

或者，我可以讓tomcat自動為我做，你怎么知道你的解決方案是真的？

Answer 1

我發現了一個最優秀的解決方案

http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html

        /**
   54    * This is a class that checks the revocation status of a certificate(s) using
   55    * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
   56    * the CertPathValidator framework. It is useful when you want to
   57    * just check the revocation status of a certificate, and you don't want to
   58    * incur the overhead of validating all of the certificates in the
   59    * associated certificate chain.
   60    *
   61    * @author Sean Mullan
   62    */

它有一個方法檢查（X509Certificate clientCert，X509Certificate issuerCert），它可以做到這一點！

Answer 2

以下是Jetty 7中的相關代碼，它從servletRequest請求中獲取一系列證書，並通過帶有OCSP的certpath API驗證它們。

http://grepcode.com/file/repo1.maven.org/maven2/org.eclipse.jetty/jetty-util/7.4.0.v20110414/org/eclipse/jetty/util/security/CertificateValidator.java#189

Answer 3

看來這里有一個Tomcat補丁來啟用ocsp驗證。

如果您選擇手動執行此操作：

Security.setProperty("ocsp.enable", "true")

或者通過命令行參數設置它。 看到這里 ：

此屬性的值為true或false。 如果為true，則在進行證書吊銷檢查時啟用OCSP檢查; 如果設置為false或未設置，則禁用OCSP檢查。

這里有一些我覺得有用的代碼：

interface ValidationStrategy {
    boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException;
}


class SunOCSPValidationStrategy implements ValidationStrategy {
    @Override
    public boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException {
        try {
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv
                    .validate(certPath, parameters);
            Signature.LOG.debug("Validation result is: " + result);
            return true; // if no exception is thrown
        } catch (CertPathValidatorException cpve) {

            // if the exception is (or is caused by)
            // CertificateRevokedException, return false;
            // otherwise re-throw, because this indicates a failure to perform
            // the validation
            Throwable cause = ExceptionUtils.getRootCause(cpve);
            Class<? extends Throwable> exceptionClass = cause != null ? cause.getClass()
                    : cpve.getClass();
            if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                return false;
            }
            throw cpve;
        }
    }

}

Answer 4

import org.bouncycastle.util.io.pem.PemReader;
import sun.security.provider.certpath.OCSP;
import sun.security.x509.X509CertImpl;
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;

public void test() throws IOException, CertPathValidatorException, java.security.cert.CertificateException {
        X509Certificate userCert = getX509Cert("path_to_user_cert");
        X509Certificate caCert = getX509Cert("path_to_CA_cert");
        OCSP.RevocationStatus ocsp = OCSP.check(userCert, caCert, URI.create("URL to OCSP, but this can be read from USER Cert(AuthorityInfoAccess) As well"), caCert, new Date());
        System.out.println(ocsp);
    }

    private X509CertImpl getX509Cert(final String path) throws CertificateException, IOException {
        return new X509CertImpl(
                new PemReader(
                        new StringReader(
                                new String(
                                        Files.readAllBytes(
                                                Paths.get(path)))))
                        .readPemObject()
                        .getContent());
    }