x509certificate certpath validation


Question


Our use-case requires validating certificate revocation via OCSP on a PKIX set-up. My starting point was the code at this related question: OCSP Revocation on client certificate

I'm doing it manually at the application level since Tomcat doesn't support it. However, I'm having some trouble building the certPath and I think I'm missing some fundamental understanding.

First I try to create the certPath for the incoming client x509Certificate.

KeyStore store is initialized correctly and contains only the root certificates that match the client x509Certificate.

EDIT: I got the same result after adding the intermediate certificates as well.

import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CertSelector;

X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();

However, I get an error at run-time:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What could be missing?

Solution

You indicate that you added intermediate certificates. Since you did not update your code snippet, I wondered how you added these certificates. You should add these certificates as a CertStore:

import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CertSelector;
import java.util.Arrays;

X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
// The builder can only use certificates it can find: trust anchors come from the KeyStore,
// everything else (the intermediates) must be offered through a CertStore.
CertStore cstore = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));
params.addCertStore(cstore);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
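The answer shows where the intermediates have to go; the question also states the actual goal, OCSP revocation checking of the presented client certificate. The following is an added example (not code from the question, the answer, or any project) that puts both together with the JDK's own PKIX classes: the end-entity certificate and the intermediates are offered through a Collection CertStore, the trust anchors come from the KeyStore, and the JDK's PKIXRevocationChecker (Java 8 and later) is attached so that the build fails when the certificate is revoked or its status cannot be determined. The class name, the method name and the parameter names are assumptions made for this example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example, not part of the original question or answer.
 * Builds a PKIX certification path from a client certificate to a trust anchor
 * held in a KeyStore and checks revocation through OCSP using the JDK's
 * built-in PKIXRevocationChecker (Java 8+). Class, method and parameter names
 * are hypothetical.
 */
public final class ClientCertPathCheck {

    private ClientCertPathCheck() {}

    /**
     * @param clientCert    the certificate presented by the client
     * @param trustStore    a KeyStore whose trusted-certificate entries are the
     *                      only acceptable trust anchors (root CAs)
     * @param intermediates the CA certificates between clientCert and the anchors
     * @return the built path together with the trust anchor that terminated it
     * @throws GeneralSecurityException if no valid path exists, the certificate
     *                                  is revoked, or its status cannot be determined
     */
    public static PKIXCertPathBuilderResult buildAndValidate(
            X509Certificate clientCert,
            KeyStore trustStore,
            Collection<X509Certificate> intermediates)
            throws GeneralSecurityException {

        // Select the presented certificate itself rather than only its subject name.
        // A subject-only selector would match any certificate with the same DN that
        // happens to be in a CertStore, not necessarily the one the client sent.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(clientCert);

        // The KeyStore contributes trust anchors only (its trustedCertEntry entries).
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // Every non-anchor certificate the builder may use has to be in a CertStore:
        // the end-entity certificate plus the intermediates leading to an anchor.
        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(clientCert);
        params.addCertStore(CertStore.getInstance(
                "Collection", new CollectionCertStoreParameters(pool)));

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

        // Revocation checking. The JDK checker tries OCSP first, using the responder
        // URL from the certificate's Authority Information Access extension (or one
        // set via setOcspResponder), and would otherwise fall back to CRLs. NO_FALLBACK
        // disables that downgrade; without SOFT_FAIL an unreachable responder or an
        // undetermined status is a hard failure rather than a silent pass.
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) builder.getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(revocation);
        params.setRevocationEnabled(true);

        // build() validates the path as it constructs it; it throws
        // CertPathBuilderException when no path to an anchor can be completed or
        // when a checker (here: revocation) rejects a certificate on the path.
        return (PKIXCertPathBuilderResult) builder.build(params);
    }
}
```

Call buildAndValidate(clientCert, trustStore, intermediates) from the point in the application where the client certificate is available; the returned result exposes getCertPath() (which, per the PKIX API, excludes the trust anchor) and getTrustAnchor(). Loading trustStore from a PKCS12 or JKS file and obtaining the intermediates (from the TLS handshake's certificate chain or from a local collection) is left to the caller, since that part depends on the deployment.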
