检查checkServerTrusted中的服务器证书时出现问题 [英] Issue in checking server certificate in checkServerTrusted
问题描述
我指的是中的建议。
I am referring Validate X.509 certificate against CA in Java this post.
My implementation of checkServerTrusted
look like:
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException{
InputStream inStream;
try {
inStream = new FileInputStream("E:\\Desktop\\cert\\domain.crt");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate Mycert = (X509Certificate)cf.generateCertificate(inStream);
inStream.close();
if (certs == null || certs.length == 0 || authType == null
|| authType.length() == 0) {
throw new IllegalArgumentException("null or zero-length parameter");
}
for (X509Certificate cert : certs) {
cert.verify(Mycert.getPublicKey());
}
} catch (Exception e) {
// TODO Auto-generated catch block
throw new CertificateException("error in validating certificate" , e);
}
}
file domain.crt is exported from browser after opening website. certificate path look like .
If i open this file in notepad only one BEGIN CERTIFICATE
and END CERTIFICATE
is their so its not chain of certificate.
If I debug code then, in for
loop @ LOC cert.verify(Mycert.getPublicKey());
at the very first cert[0] certificate I got exception as java.security.SignatureException: Signature does not match.
Where I am doing wrong?
It doesn't make sense to try to verify all the certificates in the chain against a single public key. Most of them won't have been signed by it, so the procedure is bound to fail, and throw an exception to the caller.
You need to review what it is you're supposed to do in this method. See the Javadoc. You're trying to establish a certificate path from this chain to a trusted root certificate.
In this case the trusted root certificate is presumably the one you loaded from the file.
What you should be doing therefore is:
- Look for that certificate in the chain, and if not found
- Verify the last certificate in the chain against this public key, as that is the topmost signer, and that's the only one you need to trust. The rest of them are trusted by their respective sucessors in the chain, and none of their successors are this trusted root certificate, by (1).
- If the certificate is found in the chain, verify the previous certificate. i.e. the one signed by this certificate, with this public key.
It isn't clear to me whether you need to also verify each certificate in the chain, except the last, with the next one's public key, but it can't hurt.
EDIT You should also implement the suggestion in this answer.
这篇关于检查checkServerTrusted中的服务器证书时出现问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!