读取 PEM 证书链中的数据

Reading data in a PEM certificate chain

我可以使用以下内容轻松读取 PEM 格式的 x509 证书:

assets.open("ca.pem").use {
    val cf = CertificateFactory.getInstance("X.509")
    keystore.setCertificateEntry("server", cf.generateCertificate(it))
}

但是,我现在希望包括多个受信任的服务器证书。附加证书附加到 ca.pem 上,我使用声称读取多个证书的方法:

val certs = cf.generateCertificates(it)

但只有第一个证书被读入(certs 是大小 1)。

 * <p>In the case of a certificate factory for X.509 certificates,
 * <code>inStream</code> may contain a sequence of DER-encoded certificates
 * in the formats described for
 * {@link #generateCertificate(java.io.InputStream) generateCertificate}.
 * In addition, <code>inStream</code> may contain a PKCS#7 certificate
 * chain. This is a PKCS#7 <i>SignedData</i> object, with the only
 * significant field being <i>certificates</i>. In particular, the
 * signature and the contents are ignored. This format allows multiple
 * certificates to be downloaded at once. If no certificates are present,
 * an empty collection is returned.

引用的部分:

 * <p>In the case of a certificate factory for X.509 certificates, the
 * certificate provided in <code>inStream</code> must be DER-encoded and
 * may be supplied in binary or printable (Base64) encoding. If the
 * certificate is provided in Base64 encoding, it must be bounded at
 * the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at
 * the end by -----END CERTIFICATE-----.

ca.pem 看起来像:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

我是不是误解了证书工厂的用法?这可能是不支持标记的输入流的副作用(在这种情况下,整个流在第一个证书后被消耗)?也许换行符是不允许的,解析器将它们解释为数据结束。 PKCS7 会是比 PEM 更自然的选择吗?

确实,删除换行符会让解析器满意。

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

BouncyCastle's CertificateFactory 将忽略条目之间的空格:

import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory

assets.open("ca.pem").use { pem ->
    val certreader = CertificateFactory()
    certreader.engineGenerateCertificates(pem)
              .forEach { cert ->
                  keystore.setCertificateEntry("server", cert)
              }
}

我避免响应引用外部依赖项,但如果您在这方面工作,Bouncy Castle 可能会提供其他实用程序。