SCEP CertRep SUCCESS: how many certs are in the response?

I am working on a SCEP implementation (requester and authority). The project uses JScep as its library.

During the PKCSReq exchange, the client receives a CertRep SUCCESS. The draft says:

+----------------+--------------------------------------------------+
| Request-type   | Reply-contents                                   |
+----------------+--------------------------------------------------+
| PKCSReq        | the reply MUST contain at least the issued       |
|                | certificate in the certificates field of the     |
|                | Signed-Data. The reply MAY contain additional    |
|                | certificates, but the issued certificate MUST be |
|                | the first in the list. The reply MUST NOT        |
|                | contain a CRL. All returned certificates MUST    |
|                | conform to [RFC5280].                            |
+----------------+--------------------------------------------------+

I do not quite understand "MAY contain additional certificates".

Does this mean that the whole certificate chain will show up in the response as a Collection (JScep)?

The whole certificate chain may be supplied, but it does not have to be. Normally I would expect the SCEP server to supply everything needed to establish the chain of trust.

If you call enrol and the resulting EnrollmentResponse is successful (isSuccess()), you can call getCertStore to access a java.security.cert.CertStore. The CertStore will contain all certificates sent by the server.

You can use the CertStoreInspector from jscep to pull out the relevant certificates directly, like this:

CertStoreInspector inspector = DefaultCertStoreInspectorFactory.getInstance(certStore);
X509Certificate ca = inspector.getIssuer();              // the CA certificate
X509Certificate signer_ra = inspector.getSigner();        // RA/CA certificate that signed the CertRep
X509Certificate recipient_ra = inspector.getRecipient();  // RA/CA certificate requests are encrypted to

https://github.com/jscep/jscep/issues/48
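As an added example (not code from the original answer or from the jscep project), here is how a client can pick the issued certificate out of the CertStore without relying on the "MUST be first" ordering, which a Java CertStore does not preserve, and then verify it against the CA certificate the inspector identifies. It uses only the inspector calls shown above plus standard Java certificate APIs; the class name IssuedCertLocator and the method findAndVerifyIssued are hypothetical, and the factory call mirrors the snippet in the answer.

```java
import java.security.PublicKey;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.jscep.client.inspect.CertStoreInspector;
import org.jscep.client.inspect.DefaultCertStoreInspectorFactory;

/** Locates the newly issued certificate in a SCEP CertRep SUCCESS and checks it. */
public final class IssuedCertLocator {

    private IssuedCertLocator() {}

    /**
     * @param certStore   the CertStore returned by EnrollmentResponse.getCertStore()
     * @param enrolledKey the public key that was placed in the PKCS#10 request
     * @return the issued certificate, after verifying it against the CA certificate
     */
    public static X509Certificate findAndVerifyIssued(CertStore certStore, PublicKey enrolledKey)
            throws Exception {
        // A CertStore is an unordered collection, so "first in the list" is not usable here.
        // Match the issued certificate by the public key we asked the CA to certify instead.
        byte[] wanted = enrolledKey.getEncoded();
        List<X509Certificate> matches = new ArrayList<>();
        for (Certificate c : certStore.getCertificates(null)) {   // null selector = every cert
            X509Certificate x = (X509Certificate) c;
            if (Arrays.equals(x.getPublicKey().getEncoded(), wanted)) {
                matches.add(x);
            }
        }
        if (matches.size() != 1) {
            throw new CertStoreException(
                    "expected exactly one certificate for the enrolled key, found " + matches.size());
        }
        X509Certificate issued = matches.get(0);

        // The additional certificates in the reply exist to build the trust chain; the inspector
        // picks out the CA so the issued certificate can be checked against it before use.
        CertStoreInspector inspector = DefaultCertStoreInspectorFactory.getInstance(certStore);
        X509Certificate ca = inspector.getIssuer();
        issued.checkValidity();               // throws if not yet valid or already expired
        issued.verify(ca.getPublicKey());     // throws if the CA signature does not verify
        return issued;
    }
}
```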