OCSP检入Java安全套接字 [英] OCSP check in Java secure sockets

问题描述

如果我设置 Security.setProperty（ocsp.enable，true），那么 SSLSocket 或 SSLServerSocket 连接使用OCSP自动检查证书撤销？

If I set Security.setProperty("ocsp.enable", "true"), will an SSLSocket or SSLServerSocket connection automatically check for certificate revocation using OCSP?

创建时是否必须手动执行OCSP检查插座？ （我没有使用CRL。）

Do I have to do the OCSP check manually when creating the socket? (I'm not using CRLs.)

推荐答案

你可以使用这个TrustManager实现我掀起了一些基于的测试 XueLei.Fan的博客上的OCSP检查代码。

You can use this TrustManager implementation I whipped up for some testing which is based on the OCSP checking code on XueLei.Fan's blog.

我已经将它用于 Netty ，基于他们的 HttpSnoopClient 点击 https://www.mozilla.org/en-US/ 并且有效。

I have used this with Netty based on the their HttpSnoopClient hitting https://www.mozilla.org/en-US/ and it works.

import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * TrustManager that verifies server certs using OCSP using the code found at
 * https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
 */
public class OCSPTrustManagerFactory extends SimpleTrustManagerFactory {
    private static final InternalLogger logger = InternalLoggerFactory
            .getInstance(OCSPTrustManagerFactory.class);
    public static final TrustManagerFactory INSTANCE = new OCSPTrustManagerFactory();
    private static final TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String s) {
            OCSPTrustManagerFactory.logger.debug("Accepting a client certificate: " + chain[0].getSubjectDN());
        }

        public void checkServerTrusted(X509Certificate[] chain, String s) {
            try {

                logger.debug("Certs size:{}", chain.length);
                logger.debug("Accepting a server certificate:{} ", chain[0].getSubjectDN());

                // if you work behind proxy, configure the proxy.
               // System.setProperty("http.proxyHost", "proxyHost");
                //System.setProperty("http.proxyPort", "proxyPort");

                CertPath path = generateCertificatePath(chain);
                Set anchors = generateTrustAnchors();

                PKIXParameters params = new PKIXParameters(anchors);

                // Activate certificate revocation checking
                params.setRevocationEnabled(true);

                // Activate OCSP
                Security.setProperty("ocsp.enable", "true");

                // Activate CRLDP
                System.setProperty("com.sun.security.enableCRLDP", "true");

                // Ensure that the ocsp.responderURL property is not set.
                if (Security.getProperty("ocsp.responderURL") != null) {
                    throw new
                            Exception("The ocsp.responderURL property must not be set");
                }

                CertPathValidator validator = CertPathValidator.getInstance("PKIX");

                validator.validate(path, params);
                logger.info("OCSP validation successful for Server certificate: {}", chain[0].getSubjectDN());
            } catch (Exception ex) {
                logger.error("Exception checking Server certificates", ex);
            }
        }

        public X509Certificate[] getAcceptedIssuers() {
            return EmptyArrays.EMPTY_X509_CERTIFICATES;
        }


    };

    private static CertPath generateCertificatePath(X509Certificate[] certs)
            throws CertificateException {
        // generate certificate from cert strings
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        return cf.generateCertPath(Arrays.asList(certs));
    }

    private static Set generateTrustAnchors() throws Exception {
        // generate certificate from cert string
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Load the JDK's cacerts keystore file
        String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
        FileInputStream is = new FileInputStream(filename);
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "changeit";
        keystore.load(is, password.toCharArray());

        // This class retrieves the most-trusted CAs from the keystore
        PKIXParameters params = new PKIXParameters(keystore);


        return params.getTrustAnchors();
    }

    private OCSPTrustManagerFactory() {
    }

    protected void engineInit(KeyStore keyStore)
            throws Exception {

        logger.debug("KeyStore is: {}", keyStore.toString());
    }

    protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
            throws Exception {
    }

    protected TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{tm};
    }
}

我相信你可以使用SSLSocket使用示例代码此处

I am sure you can get this to work with SSLSocket using using sample code here

这篇关于OCSP检入Java安全套接字的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！