Java 根据颁发者证书验证证书
Java verify certificate againt issuer certificate
假设我有一个根 CA -> 中间 CA -> 叶证书。我需要通过以下代码snipe验证叶证书:
/**
* Attempts to build a certification chain for given certificate and to
* verify it. Relies on a set of root CA certificates (trust anchors) and a
* set of intermediate certificates (to be used as part of the chain).
*
* @param cert - certificate for validation
* @param trustAnchors - set of trust anchors
* @param intermediateCerts - set of intermediate certificates
* @param signDate the date when the signing took place
* @return the certification chain (if verification is successful)
* @throws GeneralSecurityException - if the verification is not successful
* (e.g. certification path cannot be built or some certificate in the chain
* is expired)
*/
private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<TrustAnchor> trustAnchors,
Set<X509Certificate> intermediateCerts, Date signDate) throws GeneralSecurityException {
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
// Disable CRL checks (this is done manually as additional step)
pkixParams.setRevocationEnabled(false);
pkixParams.setPolicyQualifiersRejected(false);
pkixParams.setDate(signDate);
// Specify a list of intermediate certificates
CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}
我可以理解参数 trustAnchors 是我的根 CA,参数 intermediateCerts 是我的中间 CA。但由于某些原因,根 CA 是私有的(我的客户将其保密)并且不能作为 trustAnchors(意味着 trustAnchors 是 null/empty)在这里传递 => 发生异常。它可以通过将中间 CA 作为 trustAnchors 传递来修复(现在 intermediateCerts 将为空),我可以获得结果。但我不知道这种方式是否正确。有人可以帮我解决这个问题吗?
正如@Robert 所说,我解决了“然后使用中间 CA 作为根 CA (trustAnchors)。然后证书验证在中间证书处停止”。
假设我有一个根 CA -> 中间 CA -> 叶证书。我需要通过以下代码snipe验证叶证书:
/**
* Attempts to build a certification chain for given certificate and to
* verify it. Relies on a set of root CA certificates (trust anchors) and a
* set of intermediate certificates (to be used as part of the chain).
*
* @param cert - certificate for validation
* @param trustAnchors - set of trust anchors
* @param intermediateCerts - set of intermediate certificates
* @param signDate the date when the signing took place
* @return the certification chain (if verification is successful)
* @throws GeneralSecurityException - if the verification is not successful
* (e.g. certification path cannot be built or some certificate in the chain
* is expired)
*/
private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<TrustAnchor> trustAnchors,
Set<X509Certificate> intermediateCerts, Date signDate) throws GeneralSecurityException {
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
// Disable CRL checks (this is done manually as additional step)
pkixParams.setRevocationEnabled(false);
pkixParams.setPolicyQualifiersRejected(false);
pkixParams.setDate(signDate);
// Specify a list of intermediate certificates
CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}
我可以理解参数 trustAnchors 是我的根 CA,参数 intermediateCerts 是我的中间 CA。但由于某些原因,根 CA 是私有的(我的客户将其保密)并且不能作为 trustAnchors(意味着 trustAnchors 是 null/empty)在这里传递 => 发生异常。它可以通过将中间 CA 作为 trustAnchors 传递来修复(现在 intermediateCerts 将为空),我可以获得结果。但我不知道这种方式是否正确。有人可以帮我解决这个问题吗?
正如@Robert 所说,我解决了“然后使用中间 CA 作为根 CA (trustAnchors)。然后证书验证在中间证书处停止”。