CRL Verification in Java


Question

I have a CRL and a self-signed certificate that acts as a CA Certificate. I need to verify that the same CA has issued both the CRL and the root certificate in Java. The way I thought of was this:

import javax.security.auth.x500.X500Principal;

// Compare the issuer names of the root certificate and the CRL as strings
X500Principal rootCertIssuer = rootCertificate.getIssuerX500Principal();
X500Principal crlIssuer = crl.getIssuerX500Principal();
if (rootCertIssuer.getName().equals(crlIssuer.getName()))
    System.out.println("Issuer same!");
else
    System.out.println("Issuer different!");

This does not seem right, because in case Country/State information is missing in either the CRL or the root certificate, equals() will return false. How do I proceed? Or, opposed to what I think, is this approach right?

Thanks!

Answer

As @frasertweedale mentioned, the certificate issuer and the CRL issuer do not necessarily need to be the same. Though there is not much reason to delegate CRL issuance to another authority, and not all systems support that. For example, Windows chain validation code only supports CRLs issued by (signed by) the same CA that issued the cert covered by the CRL.

In general, validation logic consists of two parts and looks like this:

  1. Read the CDP (CRL Distribution Points) extension of the certificate (non-root) and loop over the CRLDistributionPoints sequence. If there is an entry with a cRLIssuer structure present, then the CRL referenced by this distribution point is signed by the entity specified in the cRLIssuer field. If the cRLIssuer field is not present, then the certificate and the CRL are signed by the same CA, and the CRL location is specified in the distributionPointName field.
  2. Download the CRL (or obtain it by other means), and the CRL issuer certificate if necessary, and start the CRL validation routine.

CRL validation against the issuer is performed in two steps:

  1. First, you need to make a binary (not string) comparison of the Issuer field in the CRL and the Subject field of the CRL issuer certificate. If the comparison fails, the CRL is invalid.
  2. Use the CRL issuer certificate's public key to validate the CRL signature. If signature verification fails, the CRL is invalid.

More information about CRL Distribution Points extension composition and processing rules: RFC 5280 §4.2.1.13
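The two validation steps from the answer written against the JDK's java.security.cert API, as an added example that is not part of the answer or any project; the class and method names are my own, and the extra KeyUsage (cRLSign) and validity-window checks are the ones a relying party normally applies on top of the two steps.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;

public final class CrlIssuerCheck {
    /**
     * Steps 1 and 2 from the answer: the CRL's Issuer must equal the issuer
     * certificate's Subject byte-for-byte (DER, not the getName() string),
     * and the CRL signature must verify under that certificate's public key.
     */
    public static boolean isIssuedBy(X509CRL crl, X509Certificate issuerCert) {
        // Compare the encoded Name structures. A string comparison via
        // getName() can disagree on RDN order, case or encoding even when the
        // DER bytes are identical, which is why the answer insists on binary.
        byte[] crlIssuer = crl.getIssuerX500Principal().getEncoded();
        byte[] certSubject = issuerCert.getSubjectX500Principal().getEncoded();
        if (!Arrays.equals(crlIssuer, certSubject)) {
            return false;
        }
        // Verify the signature over TBSCertList; any failure means an invalid CRL.
        try {
            crl.verify(issuerCert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /**
     * Extra checks on top of the two steps: the issuer certificate must be
     * permitted to sign CRLs (KeyUsage cRLSign, bit 6) if it carries a
     * KeyUsage extension, and the CRL must be inside its validity window
     * (nextUpdate is optional in RFC 5280, so a missing one is accepted).
     */
    public static boolean isUsableAt(X509CRL crl, X509Certificate issuerCert, Date now) {
        if (!isIssuedBy(crl, issuerCert)) {
            return false;
        }
        boolean[] keyUsage = issuerCert.getKeyUsage(); // null when extension absent
        if (keyUsage != null && (keyUsage.length <= 6 || !keyUsage[6])) {
            return false;
        }
        Date nextUpdate = crl.getNextUpdate();
        return !now.before(crl.getThisUpdate())
            && (nextUpdate == null || !now.after(nextUpdate));
    }
}
```

Load the inputs with CertificateFactory.getInstance("X.509") and its generateCRL / generateCertificate methods, then call isUsableAt(crl, issuerCert, new Date()).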
