Enable SSL certificate revocation checking in OpenJDK 11


Question

Is there some quick "declarative" way in Java 11, instead of a tedious manual implementation, to enable checking if a certificate is revoked?

I tried to use properties from this answer: "Check X509 certificate revocation status in Spring-Security before authenticating", with this dummy revoked certificate: https://revoked.badssl.com, but the code always accepts the certificate. Am I doing something wrong, or are these properties no longer applicable in Java 11? If so, do we have any alternatives?

Here is my code:

import java.io.IOException;
import java.net.URL;
import java.security.Security;

public class RevocationCheck {

    public static void validateOnCertificateRevocation(boolean check) {
        if (check) {
            // Switches for the JDK's built-in PKIX validator: enable revocation
            // checking, allow CRL Distribution Points, and enable OCSP
            System.setProperty("com.sun.net.ssl.checkRevocation", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");

            Security.setProperty("ocsp.enable", "true");
        }

        try {
            // Opens a TLS connection to a host whose certificate is deliberately revoked
            new URL("https://revoked.badssl.com").openConnection().connect();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Answer

It seems like those options have to be set before the first request has been performed.

Therefore the following code, as a standalone Java program, throws a CertPathValidatorException: Certificate has been revoked (tested using OpenJDK 11.0.2 x64 on Windows):

public static void main(String[] args) {
    validateOnCertificateRevocation(true); // throws CertPathValidatorException
}

However, the following code does not cause any errors/exceptions:

public static void main(String[] args) {
    validateOnCertificateRevocation(false);
    validateOnCertificateRevocation(true); // nothing happens
}

You can see that changing the options after the first request has been processed isn't effective. I assume that those options are processed in a static { ... } block of some certificate-validation-related class.

If you still want to enable/disable certificate revocation checking on a per-request basis, you can do so by implementing your own X509TrustManager that uses CertPathValidator (for which you can enable/disable certificate revocation checking via PKIXParameters.setRevocationEnabled(boolean)).
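The per-request approach described above, written out as an added example (this is not code from the question or the answer). The class name RevocationAwareTrustManager, the helper defaultTrustAnchors() and the connect() method are my own naming; it assumes network access to the page's https://revoked.badssl.com test host, whose certificate is expected to be rejected only when the instance was built with checkRevocation = true. Trust anchors are taken from the JDK default trust store, and revocation is checked with an explicit PKIXRevocationChecker so that an unreachable OCSP responder or CRL is a hard failure rather than a silent pass:

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Validates the server chain itself, so revocation checking is a per-instance choice. */
public final class RevocationAwareTrustManager implements X509TrustManager {
    private final boolean checkRevocation;
    private final Set<TrustAnchor> anchors;

    public RevocationAwareTrustManager(boolean checkRevocation) throws GeneralSecurityException {
        this.checkRevocation = checkRevocation;
        this.anchors = defaultTrustAnchors();
    }

    /** Trust anchors taken from the JDK default trust store (cacerts). */
    private static Set<TrustAnchor> defaultTrustAnchors() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => the JDK default trust store
        Set<TrustAnchor> result = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    result.add(new TrustAnchor(ca, null));
                }
            }
        }
        return result;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            List<X509Certificate> certs = new ArrayList<>(Arrays.asList(chain));
            // Some servers send their self-signed root too; drop it so the path ends at
            // the certificate issued by a trust anchor (SunJSSE trims the chain the same way)
            X509Certificate last = certs.get(certs.size() - 1);
            if (certs.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                certs.remove(certs.size() - 1);
            }
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(checkRevocation); // the switch the answer refers to
            if (checkRevocation) {
                // Explicit checker with default options: OCSP first, CRLs as fallback,
                // and a failure (not a pass) when neither can be reached, since SOFT_FAIL is not set
                PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
                params.addCertPathChecker(rc);
            }
            validator.validate(path, params);
        } catch (GeneralSecurityException e) {
            // Wrap every validation problem, including CertPathValidatorException, for the TLS layer
            throw new CertificateException("server certificate chain rejected", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted by this trust manager");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // not consulted for server validation on the client side
    }

    /** Opens one HTTPS connection whose revocation policy is decided per call, not per JVM. */
    public static void connect(String url, boolean checkRevocation) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new RevocationAwareTrustManager(checkRevocation) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect(); // SSLHandshakeException if checkServerTrusted threw
        conn.disconnect();
    }

    public static void main(String[] args) throws Exception {
        connect("https://revoked.badssl.com", false); // chain is trusted, revocation not consulted
        connect("https://revoked.badssl.com", true);  // expected to fail: certificate has been revoked
    }
}
```

Because the revocation decision is made inside checkServerTrusted rather than by the JVM-wide properties, the two calls in main() behave differently even though they run in the same process, which is exactly what the property-based approach in the question cannot do after the first handshake.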

Alternatively, there is the solution to globally enable certificate revocation checking and explicitly handle the CertificateRevokedException:

// Fragment of a custom X509TrustManager; getDefaultTrustManager() and
// getRootCause() are helpers the answer assumes but does not show.
private boolean checkOnCertificateRevocation;

@Override
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
    try {
        // Delegate to the JDK's default trust manager, with revocation checking enabled globally
        getDefaultTrustManager().checkServerTrusted(certs, authType);
    } catch (CertificateException e) {
        boolean revoked = getRootCause(e) instanceof CertificateRevokedException;
        // Ignore the failure only when it is a revocation error and this instance
        // opted out of revocation checking; every other validation failure still propagates
        if (revoked && !checkOnCertificateRevocation) {
            return;
        }
        throw e;
    }
}
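The "global switch plus explicit handling" variant above, completed as an added example that is not part of the answer. DelegatingTrustManager and its connect() method are my own naming, and getDefaultTrustManager() and getRootCause() are my implementations of the two helpers the answer leaves out; it assumes the three properties from the question are set before any TLS code runs (the ordering problem the answer describes) and that https://revoked.badssl.com still serves a revoked certificate:

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Revocation checking is enabled once for the whole JVM; each instance then
 * decides whether a revocation failure reported by the default trust manager is fatal.
 */
public final class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager defaultTm;
    private final boolean checkOnCertificateRevocation;

    public DelegatingTrustManager(boolean checkOnCertificateRevocation) throws GeneralSecurityException {
        this.defaultTm = getDefaultTrustManager();
        this.checkOnCertificateRevocation = checkOnCertificateRevocation;
    }

    /** The JDK's own PKIX trust manager over the default trust store (cacerts). */
    static X509TrustManager getDefaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** Walks the cause chain; the JDK wraps the CertificateRevokedException inside CertPathValidatorException. */
    static Throwable getRootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        try {
            defaultTm.checkServerTrusted(certs, authType);
        } catch (CertificateException e) {
            boolean revoked = getRootCause(e) instanceof CertificateRevokedException;
            if (revoked && !checkOnCertificateRevocation) {
                return; // caller opted out of revocation checking; chain is otherwise trusted
            }
            throw e; // revoked and checking wanted, or any other validation failure
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        defaultTm.checkClientTrusted(certs, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return defaultTm.getAcceptedIssuers();
    }

    static void connect(String url, boolean checkRevocation) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DelegatingTrustManager(checkRevocation) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();
        conn.disconnect();
    }

    public static void main(String[] args) throws Exception {
        // Must run before anything touches TLS, otherwise the JDK has already read them
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");

        connect("https://revoked.badssl.com", false); // revocation failure ignored, other failures not
        connect("https://revoked.badssl.com", true);  // expected: SSLHandshakeException caused by CertificateRevokedException
    }
}
```

Note that only a genuine CertificateRevokedException is ever ignored: an undetermined revocation status (for example an unreachable OCSP responder) is reported by the JDK as a different failure, so it still propagates even for an instance created with checkOnCertificateRevocation = false.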
