2015-04-29 67 views
2

Verify a Java certificate chain against a truststore

I have a certificate chain, as a DER-encoded byte[][] array, that I need to verify. I also have a truststore file.

Once I have created an X509Certificate[] from that byte[][] and initialized the TrustManager, how do I tell the TrustManager to verify the X509Certificate[]? What is the correct way to do this?

Thanks.

Sample code:

// Imports the snippet needs in order to compile
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;

int certVerify(byte certChain[][]) throws Exception
{
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    // Size the array to the chain rather than a fixed 10 slots (which left null entries)
    X509Certificate certx[] = new X509Certificate[certChain.length];
    for (int i = 0; i < certChain.length; i++)
    {
        certx[i] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certChain[i]));
    }

    KeyStore keyStore = KeyStore.getInstance("JKS");
    // Close the stream after loading the truststore
    try (FileInputStream in = new FileInputStream("cacerts.jks")) {
        keyStore.load(in, "123456".toCharArray());
    }

    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);
    return 0; // TODO: ask the X509TrustManager obtained from the factory to check certx
}

Answers

4

You need to enable OCSP with the necessary system properties, or obtain the CRL for each certificate in the chain, in order to check revocation status. (Alternatively, you can disable revocation checking, with the attendant risks.)

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// certChain is the DER-encoded byte[][] from the question, leaf certificate first
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<Certificate> certx = new ArrayList<>(certChain.length);
for (byte[] c : certChain)
    certx.add(cf.generateCertificate(new ByteArrayInputStream(c)));
CertPath path = cf.generateCertPath(certx);
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
KeyStore keystore = KeyStore.getInstance("JKS");
try (InputStream is = Files.newInputStream(Paths.get("cacerts.jks"))) {
    keystore.load(is, "changeit".toCharArray());
}
/* CRLs for every certificate in the chain, here read from a PKCS#7 bundle. */
Collection<? extends CRL> crls;
try (InputStream is = Files.newInputStream(Paths.get("crls.p7c"))) {
    crls = cf.generateCRLs(is);
}
PKIXParameters params = new PKIXParameters(keystore);
CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
/* If necessary, specify the certificate policy or other requirements
 * with the appropriate params.setXXX() method. */
params.addCertStore(store);
/* Validate will throw an exception on invalid chains. */
PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) validator.validate(path, params);
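The question asked how to hand the X509Certificate[] to the TrustManager itself. As an added example (not code from the question or the answer above), this builds a PKIX X509TrustManager over the truststore with revocation checking turned on via PKIXRevocationChecker (Java 8+) and calls checkServerTrusted on the chain; the class name, the truststore path and the password are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustManagerChainCheck {
    /** Parse a DER-encoded chain (leaf first) into X509Certificate[]. */
    static X509Certificate[] toChain(byte[][] der) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = new X509Certificate[der.length];
        for (int i = 0; i < der.length; i++) {
            chain[i] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der[i]));
        }
        return chain;
    }

    /** PKIX trust manager over the truststore, with revocation checking (OCSP, then CRL) enabled; Java 8+. */
    static X509TrustManager trustManager(String truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // hypothetical truststore path/password supplied by caller
        try (InputStream in = Files.newInputStream(Paths.get(truststore))) {
            ks.load(in, password);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(ks, new X509CertSelector());
        PKIXRevocationChecker rc = (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        // Default checker options: no SOFT_FAIL, so missing revocation status fails the chain.
        pkix.addCertPathChecker(rc);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    /**
     * Have the trust manager validate the chain; it throws CertificateException on failure.
     * authType is the TLS key-exchange name ("RSA", "ECDHE_ECDSA", ...). The PKIX trust manager
     * also applies TLS end-entity rules (serverAuth EKU, key usage), so for chains that are not
     * TLS server certificates use CertPathValidator directly, as in the answer above.
     */
    static void verify(byte[][] der, X509TrustManager tm, String authType) throws CertificateException {
        tm.checkServerTrusted(toChain(der), authType);
    }
}
```

Call it as verify(certChain, trustManager("cacerts.jks", "changeit".toCharArray()), "RSA"); a thrown CertificateException is the failure signal, so catch it and treat the chain as untrusted.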
1

There is information on how to implement one here.

Or you can use BouncyCastle's API, as explained here.