I want to validate an X509 certificate chain with sun.security.validator.PKIXValidator following the Oracle official guide. One step of the validation is the CRL check. I am supplying an LDAPCertStore to fetch the CRL from LDAP. But the LDAPCertStore cannot cope with the server closing the connection, because java.security.cert.LDAPCertStoreParameters has no settings for the LDAPConnection.

How to modify the LDAP connection properties of the LDAPCertStore used for X509 certificate chain validation

Is it possible to modify the LDAP connection properties, for example to use LDAP Connection Pooling (the system properties do not help, and Bouncy Castle has the same implementation for the connection)? See the code below to reproduce:
```java
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.TimeUnit;
import org.junit.Test;

public class RevocationListValidationTest {

    @Test
    public void testRevocationListValidation() throws Exception {
        // Trust anchors: the CA certificate(s) taken from a trust store on the classpath
        String trustStoreFile = "trustStoreFilePath";
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream is = getClass().getResourceAsStream(trustStoreFile);
        if (is == null) {
            throw new FileNotFoundException(String.format("KeyStore file '%s' is not found on classpath", trustStoreFile));
        }
        trustStore.load(is, "password".toCharArray());
        Set<TrustAnchor> trustedAnchors = new HashSet<TrustAnchor>();
        for (String caCertificateAlias : new String[]{"ca"}) {
            X509Certificate certificate = (X509Certificate) trustStore.getCertificate(caCertificateAlias);
            trustedAnchors.add(new TrustAnchor(certificate, null));
        }
        // Revocation checking is on by default; CRLs are fetched through the LDAP CertStore
        PKIXParameters parameters = new PKIXParameters(trustedAnchors);
        CertStore certStore = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389));
        parameters.setCertStores(Collections.singletonList(certStore));
        // End-entity chain to validate, taken from the key store
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(getClass().getResourceAsStream("keystore.jks"), "password".toCharArray());
        String keyStoreAlias = "dev-test";
        Certificate[] userCertificateChain = keyStore.getCertificateChain(keyStoreAlias);
        // Validate three times; the pause after the second run outlives the server's idle timeout
        for (int i = 0; i < 3; i++) {
            System.out.println("Starting validation " + i);
            CertPath userCertificatePath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(userCertificateChain));
            CertPathValidator.getInstance("PKIX").validate(userCertificatePath, parameters);
            System.out.println("Validation " + i + " succeeded");
            if (i == 1) {
                System.out.println("Sleeping after second validation");
                TimeUnit.SECONDS.sleep(90); // Server connection timeout ~ 60 sec
            }
        }
    }
}
```
Sample output:

```
Starting validation 0
Validation 0 succeeded
Starting validation 1
Validation 1 succeeded
Sleeping after second validation
Starting validation 2
java.security.cert.CertPathValidatorException: java.security.cert.CertStoreException: javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name
```
Looks like the root cause: https://stackoverflow.com/questions/8787577/how-to-reconnect-when-the-ldap-server-is-restarted – ichaki5748 2014-09-23 18:23:31

I created a ticket: https://bugs.openjdk.java.net/browse/JDK-8059009 – ichaki5748 2014-10-03 14:12:30
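One way to keep the idle-timeout failure above from breaking the next validation, as an added example that is not part of the question, the JDK or any answer on this page: a CertStore that wraps the JDK "LDAP" store and rebuilds it once when a query throws CertStoreException. It assumes that CertStore.getInstance("LDAP", params) opens a new LDAP connection each time it is called, and the class and interface names are mine.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.*;
import java.util.Collection;
// Drop-in replacement for the LDAP CertStore in the question: same type and parameters.
public class ReconnectingLdapCertStore extends CertStore {
    public ReconnectingLdapCertStore(LDAPCertStoreParameters params)
            throws InvalidAlgorithmParameterException {
        super(new Spi(params), null, "LDAP", params); // provider is null: not JCA-registered
    }
    interface Query<T> { Collection<? extends T> run(CertStore s) throws CertStoreException; }
    static class Spi extends CertStoreSpi {
        private final LDAPCertStoreParameters params;
        private CertStore delegate; // current JDK LDAPCertStore, dropped after a failure
        Spi(LDAPCertStoreParameters params) throws InvalidAlgorithmParameterException {
            super(params);
            this.params = params;
        }
        private synchronized CertStore delegate() throws CertStoreException {
            if (delegate == null) {
                try { // assumption: getInstance builds a new LDAPCertStore with a fresh LDAP context
                    delegate = CertStore.getInstance("LDAP", params);
                } catch (GeneralSecurityException e) {
                    throw new CertStoreException(e);
                }
            }
            return delegate;
        }
        private <T> Collection<? extends T> withRetry(Query<T> q) throws CertStoreException {
            try {
                return q.run(delegate());
            } catch (CertStoreException first) {
                synchronized (this) { delegate = null; } // discard the dead connection
                return q.run(delegate());                // one retry on a new connection
            }
        }
        @Override
        public Collection<? extends Certificate> engineGetCertificates(CertSelector sel)
                throws CertStoreException {
            return withRetry(s -> s.getCertificates(sel));
        }
        @Override
        public Collection<? extends CRL> engineGetCRLs(CRLSelector sel) throws CertStoreException {
            return withRetry(s -> s.getCRLs(sel));
        }
    }
}
```

In the test above, pass `new ReconnectingLdapCertStore(new LDAPCertStoreParameters("ldapHost", 389))` to `parameters.setCertStores(...)` instead of the plain LDAP store; a retry still fails loudly if the directory is genuinely unreachable, so an unavailable CRL is never silently treated as "not revoked".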