Java X509 Certificate parsing and validating


Problem description


I'm trying to process X509 certificates in several steps and running into a couple of problems. I'm new to JCE so I'm not completely up to date on everything yet.


We want to be able to parse several different X509 certificates based on different encodings (PEM, DER and PCKS7). I've exported the same certificate from https://belgium.be in PEM and PCKS7 format using FireFox (certificate including chain). I've left a couple of lines out that are not needed for the questions.

public List<X509Certificate> parse(FileInputStream fis) throws CertificateException {
    /*
     * Generate X509 certificates initialized with the data read from the input stream.
     * NOTE: Generation fails when using BufferedInputStream on PKCS7 certificates.
     * `cf` is a CertificateFactory field (getInstance("X.509")) and `log` a logger; both are set up elsewhere.
     */
    log.debug("Parsing new certificate.");
    List<X509Certificate> certificates = new ArrayList<>();
    for (Certificate c : cf.generateCertificates(fis)) {
        certificates.add((X509Certificate) c);
    }
    return certificates;
}


This code is working fine as long as I work with a FileInputStream instead of a BufferedInputStream for PCKS7, which is quite strange already I think? But I can live with it.

The next step is to validate these certificate chains.
1) Check if all certificates have a valid date (easy)
2) Validate certificate chain using OCSP (and fallback to CRL if no OCSP URL is found in the certificate). This is where I'm not completely sure how to handle this.


I'm using the Sun JCE, but it seems there is not that much documentation available (in examples) for this?


I first made a simple implementation that only checks the chain without going through the OCSP/CRL checks.

private Boolean validateChain(List<X509Certificate> certificates) throws GeneralSecurityException {
    PKIXParameters params;
    CertPath certPath;
    CertPathValidator certPathValidator;
    Boolean valid = Boolean.FALSE;

    // keyStore holds the trust anchors; cf is the X.509 CertificateFactory (both fields set up elsewhere)
    params = new PKIXParameters(keyStore);
    params.setRevocationEnabled(false);

    certPath = cf.generateCertPath(certificates);
    certPathValidator = CertPathValidator.getInstance("PKIX");

    // validate() throws CertPathValidatorException if the path does not chain to a trust anchor
    PKIXCertPathValidatorResult result =
        (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, params);

    if (null != result) {
        valid = Boolean.TRUE;
    }
    return valid;
}

This is working fine for my PEM certificate, but not for the PCKS7 certificate (same certificate, only exported in other format):
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors.


The only difference I'm able to see is that the order in which the CertPath is formed is not the same? I was not able to figure out what was going wrong so I left this for now and kept on going with the PEM certificate, but let's call this QUESTION 1 ;)

What I wanted to implement afterwards was the OCSP checking. Apparently if I enable OCSP using Security.setProperty("ocsp.enable", "true"); and set params.setRevocationEnabled(true); it should be able to find the OCSP URL on its own, but that does not seem to be the case. What is the standard implementation supposed to do (QUESTION 2)?
java.security.cert.CertPathValidatorException: Must specify the location of an OCSP Responder


Going past this, I found a way to retrieve the OCSP url from the certificate using AuthorityInfoAccessExtension and such.

But after setting the OCSP url manually in the ocsp.url property, I'm getting a java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED

It seems like I'm missing a lot of necessary steps, while a lot of online references say setting the ocsp.enable property should be all you need to do?

Perhaps any of you whizkids can't guide me through the process a little bit? Show me where I'm completely wrong :)


The next step would be implementing CRL checks if no OCSP was found, if anyone could point out any example or show me some documentation on this it would also be much appreciated!

Thanks!

Edit:

Since it's not picking up the properties on its own, I've been trying to set all the properties myself using the following:

// Activate OCSP
Security.setProperty("ocsp.enable", "true");
// Activate CRLDP -- no idea what this is
Security.setProperty("com.sun.security.enableCRLDP", "true");

X509Certificate target = (X509Certificate) certPath.getCertificates().get(0);
Security.setProperty("ocsp.responderURL", "http://ocsp.pki.belgium.be/");
Security.setProperty("ocsp.responderCertIssuerName", target.getIssuerX500Principal().getName());
Security.setProperty("ocsp.responderCertSubjectName", target.getSubjectX500Principal().getName());
Security.setProperty("ocsp.responderCertSerialNumber", target.getSerialNumber().toString(16));

Which gives an exception:
java.security.cert.CertPathValidatorException: Cannot find the responder's certificate (set using the OCSP security properties).

Recommended answer

For future reference I'll post the answer to my own question (partly at least).


OCSP and CRL checks are implemented in the standard Java implementation already and there is no need for custom code or other providers (BC, ..). They are disabled by default.

To enable this, you have to at least set two parameters:

params.setRevocationEnabled(true);   // on the PKIXParameters or PKIXBuilderParameters
Security.setProperty("ocsp.enable", "true");


This will activate OCSP checking when you are trying to validate the certificate path (PKIXCertPathValidatorResult.validate()).

When you want to add the fallback check for CRL if no OCSP is available, add an additional property:

System.setProperty("com.sun.security.enableCRLDP", "true");


A lot of my problems are happening due to the fact that I have to support different certificate formats (PKCS7, PEM). My implementation works fine for PEM, but since PKCS7 does NOT save ordering of the certificates in the chain it is a bit harder (http://bugs.sun.com/view_bug.do?bug_id=6238093)

X509CertSelector targetConstraints = new X509CertSelector();

targetConstraints.setCertificate(certificates.get(0));
// Here's the issue for PKCS7 certificates since they are not ordered,
// but I haven't figured out how I can see what the target certificate
// (lowest level) is in the incoming certificates..

PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);


Hope this will be useful remarks for other people as well, perhaps someone can shed a light on how to find the target certificate in an unordered PKCS7 list?
