How to use BouncyCastle to get the certification path between a root CA and an end entity?

Views: 219

Question



I have a root CA, a set of intermediate CAs and an end entity. All represented as org.bouncycastle.cert.X509CertificateHolder instances. How can I get the certification path (aka certificate chain) between the root and the end entity, or get an exception if no path was found?

Here's how to do it with pure Java code, but since I'm already using BouncyCastle, I think it'd be more performant and maintainable to use BouncyCastle for this too -- Also, I'd prefer to avoid converting between Java and BC certificates so that I can return a subset of the original certificate instances.

I've found the package org.bouncycastle.cert.path but I can't figure out if it'd help me or how to use it (I can't find any examples).

Note that the set of intermediate certificates can be empty or contain superfluous certificates that aren't part of the chain. Also, as a set, it won't be ordered.

Solution

It sounds like you need a CertPathBuilder since you don't have a proposed chain, just a "pile of certificates". The BC provider includes a CertPathBuilder implementation (e.g. CertPathBuilder.getInstance("PKIX", "BC")), used just as described at the link you gave.

BC's pkix jar, whilst having some suggestively-named packages, doesn't have the tools to replicate a CertPathBuilder (probably not even a complete CertPathValidator). A certain amount of certificate format conversions is a fact of life; there may be ways to minimise it. Perhaps take it up on the BC mailing list once you have a working example.
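The approach the answer describes, as an added example (not code from the question or the answer): a JCA `CertPathBuilder` backed by the BC provider, fed the unordered pile of holders through a `CollectionCertStoreParameters` store, with the result mapped back onto the caller's original `X509CertificateHolder` instances. The class name `BcPathBuilder` and the helper `original` are assumed names; revocation checking is switched off because no CRL/OCSP data is available to the example.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public final class BcPathBuilder {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Returns the chain leaf-first, excluding the root (a CertPath never contains the anchor).
    // Throws CertPathBuilderException when no path from endEntity to root exists.
    public static List<X509CertificateHolder> buildPath(X509CertificateHolder root,
            Collection<X509CertificateHolder> intermediates,
            X509CertificateHolder endEntity) throws GeneralSecurityException {
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");

        // The root is the trust anchor; the builder stops once it reaches it.
        TrustAnchor anchor = new TrustAnchor(conv.getCertificate(root), null);

        // Target selector: match the end-entity certificate by its exact encoding.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(conv.getCertificate(endEntity));

        // Candidate pile: end entity plus intermediates, unordered, may contain strays.
        List<X509Certificate> pile = new ArrayList<>();
        pile.add(conv.getCertificate(endEntity));
        for (X509CertificateHolder h : intermediates) pile.add(conv.getCertificate(h));
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(pile));

        PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(anchor), target);
        params.addCertStore(store);
        params.setRevocationEnabled(false); // no CRL/OCSP data in this example

        CertPath path = CertPathBuilder.getInstance("PKIX", "BC").build(params).getCertPath();

        // Map each JCA certificate back to the caller's own holder instance.
        List<X509CertificateHolder> pool = new ArrayList<>(intermediates);
        pool.add(endEntity);
        List<X509CertificateHolder> chain = new ArrayList<>();
        for (Certificate c : path.getCertificates()) chain.add(original((X509Certificate) c, pool));
        return chain;
    }

    // X509CertificateHolder.equals compares the underlying ASN.1 structure, so a
    // re-wrapped JCA certificate matches the original holder it came from.
    private static X509CertificateHolder original(X509Certificate c, List<X509CertificateHolder> pool)
            throws CertificateEncodingException {
        X509CertificateHolder wrapped = new JcaX509CertificateHolder(c);
        for (X509CertificateHolder h : pool) if (h.equals(wrapped)) return h;
        throw new IllegalStateException("built path contains a certificate not in the input pile");
    }
}
```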

