关于过期证书的Java的TrustManager行为 [英] Java trustmanager behavior on expired certificates

问题描述

请问Java的实现的TrustManager忽略，如果证书已过期？结果
我试过如下：结果
  - 以code>密钥工具和参数 -startdate1970/01/01 00:00:00我创建了一个P12密钥库用过期的证书。结果
- 我导出的证书：

 仓库类型：PKCS12
密钥库提供：SunJSSE您的密钥存储库包含1项别名：假的
创建日期：5╠ά±2011
条目类型：PrivateKeyEntry
证书链长：1
证书[1]：
业主：CN =恶意，OU =马累，O =马累，L =假，ST = GR，C = GR
发行人：CN ​​=恶意，OU =马累，O =马累，L =假，ST = GR，C = GR
编号：-1c20
有效期从：星期四1月1日00:00:00 EET 1970年至：周五02年1月00:00:00 EET 1970年
证书指纹：
         MD5：A9：BE：3A：3D：45：24：1B：4F：3C：9B：2E：02：E3：57：86：11
         SHA1：21：9D：E1：04：09：CF：10：58：73：C4：62：3C：46：4C：76：A3：81：56：88：4D
         签名算法名：SHA1withRSA
         版本：3
*******************************************
 

我用这个证书作为Tomcat服务器证书。结果
然后使用Apache的HttpClient我连接到Tomcat，但首先我添加了过期的证书给客户的信赖店（使用的TrustManager

 的TrustManagerFactory TMF = TrustManagerFactory.getInstance（TrustManagerFactory.getDefaultAlgorithm（））;
 

和加载过期的证书）。结果
我期待连接失败。结果
相反，连接成功。结果
使用 System.setProperty（javax.net.debug，SSL）; 结果
我看到：

  ***
发现受信任的证书：
[
[
  版本：V3
  主题：CN =恶意，OU =马累，O =马累，L =假，ST = GR，C = GR
  签名算法：SHA1withRSA，OID = 1.2.840.113549.1.1.5  重点：孙RSA公共密钥，1024位
  模量： 10350555024148635338735220482157687267055139906998169922552357357346372886164908067983097037540922519808845662295379579697361784480052371935565129553860304254832565723373586277732296157572040989796830623403187557540749531267846797324326299709274902019299
  公用指数：65537
  有效性：[来源：星期四1月1日00:00:00 EET 1970年，
               要：周五02年1月00:00:00 EET 1970年]
  发行人：CN ​​=恶意，OU =马累，O =马累，L =假，ST = GR，C = GR
  的SerialNumber：[-1c20]]
 

我看到，在TLS握手过期的证书是由Tomcat的连接器发送。结果
但是，客户端（即的TrustManager）不会拒绝连接。结果
这是默认的行为？结果
是我想以某种方式配置的TrustManager检查过期？

更新：结果
我发现，用实际的TrustManager是X509TrustManagerImpl。在这里，<一个href=\"http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/ssl/X509TrustManagerImpl.java.java-doc.htm\">X509TrustManagerImpl说这个类有一个最小的logic.May是我使用了错误的TrustManager？

UPDATE2：
从javadoc的<一个href=\"http://download.oracle.com/javase/6/docs/api/javax/net/ssl/X509TrustManager.html\">X509TrustManager目前尚不清楚它是否检查证书过期

 无效checkServerTrusted（x509证书[]链，字符串的authType）
                                抛出CertificateException
 

  

鉴于部分或完全
  由提供的证书链
  同行，构建证书路径到
  受信任的根，并且返回是否可以
  验证，是受信任的服务器
  基于该SSL认证
  验证type.The认证
  类型是密钥交换算法
  密码套件的一部分
  再presented为字符串，如
  RSA，DHE_DSS。注：对于某些
  导出密码套件的关键
  交换算法在确定
  握手期间运行时间。对于
  例如，对于
  TLS_RSA_EXPORT_WITH_RC4_40_MD5中，
  的authType应RSA_EXPORT当
  短暂的RSA密钥被用于关键
  交换，和RSA当从键
  服务器证书使用。
  检查是区分大小写的。

感谢

解决方案

我没有尝试你的榜样，但是我现在我经常要重新生成我的服务器证书（为我们的发展服务器），因为他们的证书有相当短的有效期倍。

在我们的情况下，客户端不具有在信任的服务器证书本身，而是我们的CA的唯一的证书（用较长的有效），并且当客户端试图连接到服务器时，双方获得构造异常SSLException（其可包裹在另一个异常你的情况）。

我想，信任管理器假设类似如果你给我过期的证书信任，我会做到这一点。
试试我们的方法，而不是（这也可以节省您的每一个服务器证书到期时更新客户端）。

Does java's TrustManager implementation ignore if a certificate has expired?
I tried the following:
- Using keytool and parameter -startdate "1970/01/01 00:00:00" I created a P12 keystore with an expired certificate.
- I exported the certificate:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: fake
Creation date: 5 ╠ά± 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Malicious, OU=Mal, O=Mal, L=Fake, ST=GR, C=GR
Issuer: CN=Malicious, OU=Mal, O=Mal, L=Fake, ST=GR, C=GR
Serial number: -1c20
Valid from: Thu Jan 01 00:00:00 EET 1970 until: Fri Jan 02 00:00:00 EET 1970
Certificate fingerprints:
         MD5:  A9:BE:3A:3D:45:24:1B:4F:3C:9B:2E:02:E3:57:86:11
         SHA1: 21:9D:E1:04:09:CF:10:58:73:C4:62:3C:46:4C:76:A3:81:56:88:4D
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************

I used this certificate as server certificate for Tomcat.
Then using an apache httpClient I connected to tomcat, but first I added the expired certificate to the client's trust-store (using a TrustManager

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

and loading the expired certificate).
I was expecting the connection to fail.
Instead the connection succeeds.
Using System.setProperty("javax.net.debug", "ssl");
I see:

***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=Malicious, OU=Mal, O=Mal, L=Fake, ST=GR, C=GR
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 10350555024148635338735220482157687267055139906998169922552357357346372886164908067983097037540922519808845662295379579697361784480052371935565129553860304254832565723373586277732296157572040989796830623403187557540749531267846797324326299709274902019299
  public exponent: 65537
  Validity: [From: Thu Jan 01 00:00:00 EET 1970,
               To: Fri Jan 02 00:00:00 EET 1970]
  Issuer: CN=Malicious, OU=Mal, O=Mal, L=Fake, ST=GR, C=GR
  SerialNumber: [   -1c20]

]

I see that in TLS handshake the expired certificate is send by Tomcat connector.
But the client (i.e. the TrustManager) does not reject the connection.
Is this the default behavior?
Am I suppose to configure the trustmanager somehow to check for expiration?

UPDATE:
I found that the actual TrustManager used is X509TrustManagerImpl. Here X509TrustManagerImpl says that this class has a minimal logic.May be I am using the wrong TrustManager?

UPDATE2: From the javadoc X509TrustManager it is not clear if it checks for certificate expiration

void checkServerTrusted(X509Certificate[] chain,String authType)
                                throws CertificateException  

Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for server SSL authentication based on the authentication type.The authentication type is the key exchange algorithm portion of the cipher suites represented as a String, such as "RSA", "DHE_DSS". Note: for some exportable cipher suites, the key exchange algorithm is determined at run time during the handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5, the authType should be RSA_EXPORT when an ephemeral RSA key is used for the key exchange, and RSA when the key from the server certificate is used. Checking is case-sensitive.

Thanks

解决方案

I did not try your example, but I now I regularly have to regenerate my server certificates (for our development server) since their certificates have quite short validity times.

In our case the client does not have the server certificates themselves in the truststore, but only the certificate of our CA (with longer validity), and when the client tries to connect to the server, both sides get a SSLException (which may be wrapped in another exception in your case).

I guess that the trust manager assumes something like "if you give me expired certificates to trust in, I'll do it". Try our approach instead (it also saves you to update the client each time the server certificate expires).

这篇关于关于过期证书的Java的TrustManager行为的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！