Validate X509 certificates using Java APIs


Question



I am trying to validate a certificate against a Java key store and the code I am using is as below. If it completes successfully then I assume the validation has gone through correctly, else if an exception is thrown, then the validation fails. My concern is:

1. Is the code below sufficient to validate a certificate? As in, is there something I am missing here (like checking the data signed by the computer sending me the certificate?)?
2. Should the signature contained within the certificate be verified? If yes, how?

Thanks in advance for the response! pradeep

// Imports needed by this snippet (java.security.cert.* covers the Cert* types)
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// To check the validity of the dates
cert.checkValidity();
// Check the chain: the path built here holds only the end-entity certificate
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<X509Certificate> mylist = new ArrayList<X509Certificate>();
mylist.add(cert);
CertPath cp = cf.generateCertPath(mylist);
// getTrustStore() is the asker's own helper returning the KeyStore of trusted roots
PKIXParameters params = new PKIXParameters(getTrustStore());
params.setRevocationEnabled(false);
CertPathValidator cpv =
      CertPathValidator.getInstance(CertPathValidator.getDefaultType());
PKIXCertPathValidatorResult pkixCertPathValidatorResult =
      (PKIXCertPathValidatorResult) cpv.validate(cp, params);

Solution

Normally, a certificate will be issued by an intermediate issuing authority, not a "root" authority (which is all that should be in your trust store). Most protocols encourage sending a "chain" of certificates, not just the entity's certificate.

You should add all of the intermediate certs so that a complete chain can be formed.

In order to be certain that the certificate is still valid, you should not disable revocation checks. If you don't want to retrieve a CRL (which can be large), the issuer may offer OCSP support. But, this has to be enabled in the Java runtime by setting certain system properties.

If the path validator returns successfully, you don't need to check anything else. If the certificate is not valid, an exception will be raised.

Also, an explicit check on the validity date is unnecessary. This occurs during validation (using the current time, unless you specify a time via the PKIXParameters).


For a more extensive discussion of validation, including sample code, see a previous answer of mine.
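Putting the answer's three points together (full chain in the path, revocation left on, no separate date check), the following is an added example and not code from the question or the answer. It assumes a PEM file holding the leaf certificate followed by its intermediates, and a JKS/PKCS12 truststore of root CAs, both passed on the command line; the explicit PKIXRevocationChecker is a Java 8+ API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class ChainValidator {

    /** Validates leaf + intermediates (leaf first) against the anchors in trustStore.
     *  Throws CertPathValidatorException if any certificate in the path is rejected. */
    public static PKIXCertPathValidatorResult validateChain(List<X509Certificate> chain,
                                                            KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Path order is leaf -> intermediates; the trust anchor itself is not part of the path.
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(trustStore);
        // Revocation stays enabled (the default). The checker tries OCSP first and falls back
        // to CRLs; with no SOFT_FAIL option an unknown revocation status fails validation.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(rc);
        // No cert.checkValidity() here: the validator checks every certificate's dates
        // against params.getDate() (null means "now").
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: args[0] = PEM file (leaf, then intermediates),
        // args[1] = truststore of root CAs, args[2] = truststore password.
        // The properties the answer refers to: they allow OCSP responses and CRLs to be
        // fetched from the URLs embedded in the certificates (AIA / CRL distribution points).
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            // generateCertificates parses every PEM block in the stream, in file order
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        try {
            PKIXCertPathValidatorResult r = validateChain(chain, trust);
            System.out.println("Chain valid, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() tells which certificate in the path failed, getReason() why
            System.out.println("Chain rejected at index " + e.getIndex()
                    + " (" + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

Run it as `java ChainValidator chain.pem truststore.p12 <password>`; a missing intermediate surfaces as a rejection at the last index of the path, which is exactly the failure the answer describes.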
