Java SSL证书撤销检查 [英] Java SSL Certificate Revocation Checking
问题描述
我目前正在使用SSL编写网络TCP服务器。在生产中,我们最终要求客户使用证书进行身份验证。
I'm currently writing a network TCP server using SSL. In production, we'll finally require clients to authenticate with a certificate.
为了在紧急情况下撤销证书,我们还希望建立一个CRL。
In order to revoke certificates in case of a emergency, we would also like to establish a CRL.
我的问题是:Java是否开箱即用检查CRL(如果提供证书)或我是否需要手动执行此类检查?
My question is: Does Java check CRLs (if provided with the certificate) out of the box or do I need to manually implement such checks?
为了进行测试,我准备了一个带有CRL集的证书,但Java似乎没有尝试验证它(我将它放入本地Web服务器并且没有访问权限) 。
For testing, I prepared a certificate with a CRL set but Java does not seem to try to validate it (I dropped it into a local web server and there's no access).
我只找到 com.sun.net.ssl.checkRevocation = true VM选项,但显然它不查询CRL。设置为 java.security.debug = certpath 的VM调试不会生成任何输出...
I only found the com.sun.net.ssl.checkRevocation=true VM option, but apparently it doesn't query the CRL. VM debugging set to java.security.debug=certpath does not generate any output, either...
Java似乎有相关的类它的子系统(例如 java.security.cert.X509CRLSelector ),但它显然没有发挥作用。
Java seems to have related classes in its subsystems (e.g. java.security.cert.X509CRLSelector), but it does not come into play, obviously.
我使用Apache Mina作为客户端服务器编写了一个小型maven风格的项目,它基于密钥/信任库和客户端/服务器的自签名证书来初始化SSLContext,这可以是这里以ZIP存档的形式下载: https://www.dropbox.com/s /3fqmd1v9mn2a5ve/ssltest.zip?dl=0
I wrote a small maven-style project using Apache Mina as client server that initializes a SSLContext based on key/truststores and self-signed certificates for client/server which can be downloaded here as ZIP archive: https://www.dropbox.com/s/3fqmd1v9mn2a5ve/ssltest.zip?dl=0
推荐答案
我想了解如何在没有SSLContext的情况下启用CRL检查实现自定义验证器,如评论中所示。
I figured how to enable CRL checking within a SSLContext without implementing a custom validator, as suggested in the comments.
主要是通过撤销检查器正确初始化SSLContext的TrustManagers,只有几行,没有自定义检查逻辑和现在自动检查CRL以及验证路径。
It is mainly about properly initializing the SSLContext's TrustManagers with a revocation checker, only a few lines, no custom check logic and the CRL is now checked automatically as well as the verification path.
这是一个片段......
Here's a snippet...
KeyStore ts = KeyStore.getInstance("JKS");
FileInputStream tfis = new FileInputStream(trustStorePath);
ts.load(tfis, trustStorePass.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// initialize certification path checking for the offered certificates and revocation checks against CLRs
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker();
rc.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP
PKIXRevocationChecker.Option.ONLY_END_ENTITY,
PKIXRevocationChecker.Option.SOFT_FAIL, // handshake should not fail when CRL is not available
PKIXRevocationChecker.Option.NO_FALLBACK)); // don't fall back to OCSP checking
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ts, new X509CertSelector());
pkixParams.addCertPathChecker(rc);
tmf.init( new CertPathTrustManagerParameters(pkixParams) );
// init KeyManagerFactory
kmf.init(...)
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers), tmf.getTrustManagers(), null);
这基本上完成了我在申请中所需的工作,检查发给客户的证书是否已被撤销我们的CRL。只接受检查最终实体并允许CRL检查失败,因为它是我们所有的基础设施。
That essentially did what I needed in my application, checking whether a certificate issued to a client is revoked in our CRL. Only checking the end entity and allowing the CRL check to fail is accepted because its all our infrastructure.
这篇关于Java SSL证书撤销检查的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
