在输入证书之前检查CA的证书？ [英] Checking for CA's certificate before entering a certificate?

问题描述

我使用以下代码将客户端证书插入到我的servertruststore中：

I am inserting a client certificate into my servertruststore using following code

  FileInputStream fileInputStream = new FileInputStream( "c:/server.jks" );
    keyStore.load( fileInputStream, "keystore".toCharArray() );
    fileInputStream.close();
    keyStore.setCertificateEntry( alias, new X509Certificate( trustedCertificate ) );

    FileOutputStream fileOutputStream = new FileOutputStream("c:/server.jks" );
    keyStore.store( fileOutputStream, "keystore".toCharArray() );
    fileOutputStream.close();

现在我看到证书被输入我的信任库，但签署客户证书的CA证书不存在在我的信托库。所以我想知道有什么方法我们可以检查CA的证书是否可用，然后输入证书到密钥库。

Now i see that certificate is entered into my truststore but the CA's certificate which signed client's certificate is not present in my truststore. So I want to know is there any way we can check whether the certificate of CA is available or not before entering a certificate into keystore?

推荐答案

我想你要做的是验证证书是否由根权威机构发出或它已经自签名。我假设你使用的默认java密钥库是cacerts。
我没有测试代码，但我认为这可能是您的问题的解决方案：

I guess what you have to do is to verify if the certificate has been issued by a root authority or it has been self-signed. I presume you are using the default java keystore which is cacerts. I haven't tested the code but I think this may be a solution to your problem:

1. 以下链接：

How can I get a list of trusted root certificates in Java?

        String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
        Set<X509Certificate> additionalCerts = new HashSet<X509Certificate>();
        FileInputStream is = new FileInputStream(filename);
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "changeit";
        keystore.load(is, password.toCharArray());

        // This class retrieves the most-trusted CAs from the keystore
        PKIXParameters params = new PKIXParameters(keystore);

        // Get the set of trust anchors, which contain the most-trusted CA certificates
        Iterator it = params.getTrustAnchors().iterator();
        while( it.hasNext() ) {
            TrustAnchor ta = (TrustAnchor)it.next();
            // Get certificate
            X509Certificate cert = ta.getTrustedCert();
            additionalCerts.add(cert);
        }

1. 然后您可以使用以下代码客户端证书和包含所有根CA的Set集合到verifyCertificate（X509Certificate cert，Set additionalCerts）方法的以下代码：

http://www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-chain-and-verify- clr-with-bouncy-castle /

这篇关于在输入证书之前检查CA的证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！