Obtaining the certificate chain
Problem description
I am working with X509 certificates in Java. Given a certificate is it possible to find all other certificates in the signing hierarchy until you reach the root certificate?
I have a certificate file (with a .cer extension) and I want to extract the parent signing certificate. I want to keep finding the parent of that certificate until I get the final root certificate, which is self signed.
I have checked the X509Certificate certificate APIs and relevant APIs in java.security.cert but could not find anything useful.
Recommended answer
That is not hard - assuming you've somehow/out of band got all the intermediate certificates and the root cert in one or more keychains.
Look at http://codeautomate.org/blog/2012/02/certificate-validation-using-java/ for a code snippet which does just that. The key bit is in validateKeyChain() and basically consists of
    cert = cert-to-validate
    while(not self signed) {
        extract issuer from cert
        scan keychain(s) to find cert with a subject equal to the issuer
        if none found - error
        check if the signature is correct.
        cert = issuers_cert
    }
    if not at the top/root - error
As to how you get the intermediate/root certificates - that is a different issue. Note that this code is a little bit naive - and does not quite understand cross-signing. The Java PKIX calls do though - BouncyCastle has an example.
You can generally build the root certs into a key chain; but the intermediate certificates often need to be 'gathered' or discovered more dynamically. This generally requires querying the SSL stack during TLS or similar.