Check a certificate validity against a custom trust list in Java


Problem description

I have a document that is digitally signed using CAdES. I use BouncyCastle APIs to get the X509Certificate[] instances of the signers, but let's assume the list contains one and only one element.

I need to verify whether this certificate is trusted or not at today's date, and I don't want to use the system's standard trust store, which is normally used to trust SSL certificates. No, I want to build my own trust list with a list of .cer files in my classpath. At the moment, a single CA is trusted, but obviously in the future a few more certificates may be added.

So far I have read this and tried to implement it in my code. I need no SSLContext; I need to check the validity of a digitally signed document. I am now confused.

The X509TrustManager APIs, however, provide only methods for validating client/server certificates, but mine only have the digital signature/non-repudiation usage flags.

The question can be formulated in two ways that lead to the same thing:

  1. In Java, how do I check the validity of an X509Certificate instance against a custom list of root CAs that can be loaded into memory?
  2. How do I check whether a digitally signed document was signed with a certificate that derives from a known CA in a custom list?

Recommended answer

Extract from the CAdES signature, for each signer, the signer's certificate and also the intermediate certificates as an X509Certificate list. Also build a set with all root CA certificates.

Then you can use this (slightly adapted) example code to verify and build the certification chain using Java and BouncyCastle. It will return the certification chain if verification is successful.

import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

// The "BC" provider requested below must already be registered, e.g. with
// Security.addProvider(new BouncyCastleProvider()), or getInstance() throws.
public PKIXCertPathBuilderResult verifyCertificateChain(
     X509Certificate cert, 
     Set<X509Certificate> trustedRootCerts,
     Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {

    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector(); 
    selector.setCertificate(cert);

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = 
        new PKIXBuilderParameters(trustAnchors, selector);

    // Disable CRL checks (this is done manually as an additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify a list of intermediate certificates
    // The certificate itself has to be added to the list
    // (note: this mutates the set passed in by the caller)
    intermediateCerts.add(cert); 
    CertStore intermediateCertStore = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(intermediateCerts), "BC");
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain; throws CertPathBuilderException
    // if no path from cert to one of the trust anchors can be found
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
    PKIXCertPathBuilderResult result = 
        (PKIXCertPathBuilderResult) builder.build(pkixParams);
    return result;
}

If you do not want to deal with the CAdES complexity, I suggest using the SD-DSS open-source project.
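As an added example that is not part of the original question or answer, the following loads the .cer files from the classpath into the root set, applies the two checks the question also asks about (validity at today's date and the digitalSignature/nonRepudiation KeyUsage bits), and only then hands the signer to the answer's chain builder. It assumes `verifyCertificateChain` from the answer above sits in the same class and that the resource path `/trust/root-ca.cer` is a placeholder for the real trust list.

```java
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class CustomTrustListCheck {
    // Assumed classpath resource names of the .cer files that make up the custom trust list
    private static final String[] ROOT_CER_RESOURCES = { "/trust/root-ca.cer" };
    // Parse every .cer resource into an X509Certificate; these become the trust anchors
    static Set<X509Certificate> loadTrustedRoots() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<X509Certificate> roots = new HashSet<>();
        for (String name : ROOT_CER_RESOURCES) {
            try (InputStream in = CustomTrustListCheck.class.getResourceAsStream(name)) {
                if (in == null) throw new IllegalStateException("trust list resource missing: " + name);
                roots.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        return roots;
    }
    // True only if the signer is valid today, may sign, and chains to one of the custom roots.
    // verifyCertificateChain is assumed to be the answer's method, placed in this same class.
    static boolean isTrustedSigner(X509Certificate signer, Set<X509Certificate> intermediates) throws Exception {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider()); // the builder requests provider "BC"
        }
        try {
            signer.checkValidity(); // current date must fall inside notBefore..notAfter
        } catch (CertificateException e) {
            return false;
        }
        boolean[] ku = signer.getKeyUsage(); // null when the KeyUsage extension is absent
        if (ku == null || !(ku[0] /* digitalSignature */ || ku[1] /* nonRepudiation */)) {
            return false; // not a signing certificate
        }
        try {
            // pass a copy: the answer's method adds the signer itself to the set it receives
            verifyCertificateChain(signer, loadTrustedRoots(), new HashSet<>(intermediates));
            return true;
        } catch (CertPathBuilderException e) {
            return false; // no path from the signer to any root in the custom list
        }
    }
}
```

Revocation is still disabled inside the builder, so a CRL or OCSP check of the returned chain remains a separate step, as the answer's comment notes.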
