实例化 class 的正确方法,以便我能够验证证书中的路径链
Correct way to instantiate class so I'm able to validate path chains in certificate
我有一个第三方库(Kalkan 提供商的 SDK)。我相信该库的一部分会检查证书路径。问题是我应该传递哪两个参数来正确实例化该类,这样我就可以使用我需要的其中一种方法。
代码如下:
// Question snippet: cp (a CertPath) and params (PKIXParameters) have to be built first —
// the answers below show how. isValidCertPath() returns the boolean verdict for the path.
final PKIXCertPathReviewer checker = new PKIXCertPathReviewer(cp, params);
boolean test = checker.isValidCertPath();
这是构造函数的一部分:
public PKIXCertPathReviewer(CertPath certPath, PKIXParameters params)
关于任务一点。我已经通过客户证书签署了文件。我想验证客户端证书中的路径。所以我有客户端的 X509Certificate 证书实例、一个中间证书和一个根证书。最后两个是磁盘上cer格式的文件。据我了解,我应该将所有这三个证书组合在一起。如果有人告诉我如何创建 cp 和 params ,那将非常有帮助。提前致谢。
所以我已经设法解决了我的问题。如果有人遇到和我一样的问题,这里是代码。
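// Build the chain to be validated and a trust set holding ONLY the root.
// An X.509 CertPath is ordered from the target (client) certificate towards the anchor,
// each certificate issued by the next one; the trust anchor itself is not part of the path.
// The intermediate therefore belongs in the path, not in the anchor set: an anchor is
// trusted unconditionally, so an intermediate placed there would never have its own
// signature by the root (or its validity period) checked.
CertificateFactory cf = CertificateFactory.getInstance("X.509", KalkanProvider.PROVIDER_NAME);
java.security.cert.Certificate rootCertificate = /*root certificate*/;
java.security.cert.Certificate clientCertificate = /*client certificate*/;
List<java.security.cert.Certificate> chain = new ArrayList<>();
chain.add(clientCertificate);
if (null != /*chain contains middle cert besides root*/) {
    java.security.cert.Certificate middleCertificate = /*middle certificate*/;
    chain.add(middleCertificate); // leaf first, then its issuer — order matters for PKIX
}
CertPath cp = cf.generateCertPath(chain);
TrustAnchor rootAnchor = new TrustAnchor((X509Certificate) rootCertificate, null);
Set<TrustAnchor> trustStore = new HashSet<>();
trustStore.add(rootAnchor);
PKIXParameters params = new PKIXParameters(trustStore);
// NOTE(review): with revocation disabled a revoked client certificate still validates.
// Set this to true and supply CRLs (via a CertStore) or OCSP whenever that is possible.
params.setRevocationEnabled(false);//true - if you need ocsp validation
final PKIXCertPathReviewer checker = new PKIXCertPathReviewer(cp, params);
errors = checker.getErrors();
boolean result = checker.isValidCertPath();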
这是更好的解决方案:
Provider p = ProviderUtil.loadKalkanProvider();
// Trust material and the end-entity certificate.
// NOTE(review): these are read from /tmp, which is usually world-writable; a CA certificate
// or CRL that any local user can replace is not trustworthy — keep this material under a
// protected path in a real deployment.
X509Certificate ca = X509Util.loadX509Certificate("/tmp/ca/root_ca_rsa.cer", p);
X509Certificate nca = X509Util.loadX509Certificate("/tmp/ca/root_nca_rsa.cer", p);
X509Certificate cert = X509Util.loadX509Certificate("/tmp/cert/user.cer", p);
X509CRL crl = X509Util.loadX509CRL("/tmp/ca/rsa.crl", p);
X509CRL rcrl = X509Util.loadX509CRL("/tmp/ca/root_rsa.crl", p);

// Everything the builder may need to discover the chain and check revocation goes into
// one collection-backed CertStore: the intermediate CA, the target certificate and both CRLs.
List<X509Extension> storeContents = java.util.Arrays.<X509Extension>asList(nca, cert, crl, rcrl);
CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeContents), p);

// Validation runs up to the root CA; it could be shortened to the intermediate NCA by anchoring there.
Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
anchors.add(new TrustAnchor(ca, null));

// The selector pins the exact end-entity certificate; serial number / issuer would also work.
//selector.setSerialNumber(cert.getSerialNumber());
//selector.setIssuer(cert.getIssuerX500Principal());
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);

PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(anchors, selector);
// Revocation checking is left on; disable it only if no CRL list was added above.
//builderParameters.setRevocationEnabled(false);
builderParameters.addCertStore(certStore);
builderParameters.setSigProvider(p.getName());

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", p);
PKIXCertPathBuilderResult builderResult = (PKIXCertPathBuilderResult) builder.build(builderParameters);
System.out.println(builderResult);
// The resulting path can be encoded and stored in PkiPath/PKCS7/PEM form.
//builderResult.getCertPath().getEncoded("PkiPath");
我有一个第三方库(Kalkan 提供商的 SDK)。我相信该库的一部分会检查证书路径。问题是我应该传递哪两个参数来正确实例化该类,这样我就可以使用我需要的其中一种方法。
代码如下:
// Question snippet: cp (a CertPath) and params (PKIXParameters) have to be built first —
// the answers below show how. isValidCertPath() returns the boolean verdict for the path.
final PKIXCertPathReviewer checker = new PKIXCertPathReviewer(cp, params);
boolean test = checker.isValidCertPath();
这是构造函数的一部分:
public PKIXCertPathReviewer(CertPath certPath, PKIXParameters params)
关于任务一点。我已经通过客户证书签署了文件。我想验证客户端证书中的路径。所以我有客户端的 X509Certificate 证书实例、一个中间证书和一个根证书。最后两个是磁盘上cer格式的文件。据我了解,我应该将所有这三个证书组合在一起。如果有人告诉我如何创建 cp 和 params ,那将非常有帮助。提前致谢。
所以我已经设法解决了我的问题。如果有人遇到和我一样的问题,这里是代码。
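// Build the chain to be validated and a trust set holding ONLY the root.
// An X.509 CertPath is ordered from the target (client) certificate towards the anchor,
// each certificate issued by the next one; the trust anchor itself is not part of the path.
// The intermediate therefore belongs in the path, not in the anchor set: an anchor is
// trusted unconditionally, so an intermediate placed there would never have its own
// signature by the root (or its validity period) checked.
CertificateFactory cf = CertificateFactory.getInstance("X.509", KalkanProvider.PROVIDER_NAME);
java.security.cert.Certificate rootCertificate = /*root certificate*/;
java.security.cert.Certificate clientCertificate = /*client certificate*/;
List<java.security.cert.Certificate> chain = new ArrayList<>();
chain.add(clientCertificate);
if (null != /*chain contains middle cert besides root*/) {
    java.security.cert.Certificate middleCertificate = /*middle certificate*/;
    chain.add(middleCertificate); // leaf first, then its issuer — order matters for PKIX
}
CertPath cp = cf.generateCertPath(chain);
TrustAnchor rootAnchor = new TrustAnchor((X509Certificate) rootCertificate, null);
Set<TrustAnchor> trustStore = new HashSet<>();
trustStore.add(rootAnchor);
PKIXParameters params = new PKIXParameters(trustStore);
// NOTE(review): with revocation disabled a revoked client certificate still validates.
// Set this to true and supply CRLs (via a CertStore) or OCSP whenever that is possible.
params.setRevocationEnabled(false);//true - if you need ocsp validation
final PKIXCertPathReviewer checker = new PKIXCertPathReviewer(cp, params);
errors = checker.getErrors();
boolean result = checker.isValidCertPath();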
这是更好的解决方案:
Provider p = ProviderUtil.loadKalkanProvider();
// Trust material and the end-entity certificate.
// NOTE(review): these are read from /tmp, which is usually world-writable; a CA certificate
// or CRL that any local user can replace is not trustworthy — keep this material under a
// protected path in a real deployment.
X509Certificate ca = X509Util.loadX509Certificate("/tmp/ca/root_ca_rsa.cer", p);
X509Certificate nca = X509Util.loadX509Certificate("/tmp/ca/root_nca_rsa.cer", p);
X509Certificate cert = X509Util.loadX509Certificate("/tmp/cert/user.cer", p);
X509CRL crl = X509Util.loadX509CRL("/tmp/ca/rsa.crl", p);
X509CRL rcrl = X509Util.loadX509CRL("/tmp/ca/root_rsa.crl", p);

// Everything the builder may need to discover the chain and check revocation goes into
// one collection-backed CertStore: the intermediate CA, the target certificate and both CRLs.
List<X509Extension> storeContents = java.util.Arrays.<X509Extension>asList(nca, cert, crl, rcrl);
CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeContents), p);

// Validation runs up to the root CA; it could be shortened to the intermediate NCA by anchoring there.
Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
anchors.add(new TrustAnchor(ca, null));

// The selector pins the exact end-entity certificate; serial number / issuer would also work.
//selector.setSerialNumber(cert.getSerialNumber());
//selector.setIssuer(cert.getIssuerX500Principal());
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);

PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(anchors, selector);
// Revocation checking is left on; disable it only if no CRL list was added above.
//builderParameters.setRevocationEnabled(false);
builderParameters.addCertStore(certStore);
builderParameters.setSigProvider(p.getName());

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", p);
PKIXCertPathBuilderResult builderResult = (PKIXCertPathBuilderResult) builder.build(builderParameters);
System.out.println(builderResult);
// The resulting path can be encoded and stored in PkiPath/PKCS7/PEM form.
//builderResult.getCertPath().getEncoded("PkiPath");