如何检查X509证书是否已在Java中被撤销? [英] How do I check if an X509 certificate has been revoked in Java?
问题描述
我已经在这里搜索了所有地方,并在其他社区询问,我不断转发到讨论规范的oracle文档。但是,该文档更多地涉及方法的命名和整体架构,并且实际上没有提出一种方法来讨论如何实际编写一些代码来检查x509证书是否被撤销。
I have googled around all over the place for this, and asked in other communities, and I keep getting forwarded to the oracle document that discusses the spec. However, that document more covers the naming of methods, and the overall architecture, and doesn't actually come up with a way to discuss how to actually write some code to check if an x509 cert is revoked or not.
也许这只是我的头脑?但我绝对会感激,如果有人可以用一个片段来帮我解决这个问题,我已经在这个墙上撞了一个星期大约一个星期。
Maybe this one is just way over my head? But I would definitely appreciate if someone could just help me out with a snippet, I have been banging my head against a wall on this for about a week.
推荐答案
每个CA都会发布已撤销的证书列表。
此列表包括证书的序列号和撤销日期
Every CA publishes the list of the certificates it has revoked. This list includes the serial number of the certificates and the revocation date
以获取证书吊销列表(CRL)的URL遵循以下步骤
to get the url of the certificate revocation list (CRL) follow the below steps
- 打开证书
- 转到详细信息选项卡,在详细信息中找到CRL分发点字段list
它会显示类似这样的值
[1 ] CRL分发点
分发点名称:
全名:
URL = mscrl.microsoft.com / pki / mscorp / crl / msitwww2.crl
URL = crl.microsoft。 com / pki / mscorp / crl / msitwww2.crl
[1]CRL Distribution Point Distribution Point Name: Full Name: URL=mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl URL=crl.microsoft.com/pki/mscorp/crl/msitwww2.crl
因此,在您的代码中,您需要下载这些文件并检查其中的证书序列号,看它是否被撤销或不
So in your code you need to download these files and check for the certificate serial number in them to see if it's revoked or not
在下面找到它的示例代码
Find below the sample code for it
public class CertVerification {
public static void main(String[] args) throws Exception {
String certificatePath = "C:\\Users\\user1\\Desktop\\test.cer";
CertificateFactory cf = CertificateFactory.getInstance("X509");
X509Certificate certificate = null;
X509CRLEntry revokedCertificate = null;
X509CRL crl = null;
certificate = (X509Certificate) cf.generateCertificate(new FileInputStream(new File(certificatePath)));
URL url = new URL("http://<someUrl from certificate>.crl");
URLConnection connection = url.openConnection();
try(DataInputStream inStream = new DataInputStream(connection.getInputStream())){
crl = (X509CRL)cf.generateCRL(inStream);
}
revokedCertificate = crl.getRevokedCertificate(certificate.getSerialNumber());
if(revokedCertificate !=null){
System.out.println("Revoked");
}
else{
System.out.println("Valid");
}
}
}
请参阅
这些列表会定期更新
您也可以从证书中获取这些撤销网址,我刚刚举了一个例子
这只是一个让您先行一步的基本示例
更新
我发现这个样本类来检查证书,它还使用证书的CA和认证链发布的CRL进行验证,因此您也不需要提供CRL URL
I found this sample class to check certificate, it also verifies with the CRL issued by the certificate's CA and certification chain, so you don't need to provide the CRL url as well
这篇关于如何检查X509证书是否已在Java中被撤销?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
