如果设置了适当的属性,X509TrustManagerImpl.checkServerTrusted()是否自行处理OCSP?
问题描述:
public class CustomTrustManager implements X509TrustManager {
private X509TrustManager trustManager;
// If a connection was previously attempted and failed the certificate check, that certificate chain will be saved here.
private Certificate[] rejectedCertificates = null;
private Certificate[] encounteredCertificates = null;
private KeyStore keyStore = null;
private Logger logger;
/**
* Constructor
*
* @param loggerFactory
* see {@link InstanceLoggerFactory}
*/
public CustomTrustManager(InstanceLoggerFactory loggerFactory) {
try {
this.logger = loggerFactory.getLogger(CustomTrustManager.class);
keyStore = KeyStore.getInstance("JKS");
// a keyStore must be initialized with load, even if certificate trust is not file based.
keyStore.load(null, null);
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
} catch (Exception ex) {
logger.error("Problem initializing keyStore", ex);
}
}
/**
* Returns the rejected certificate based on the last usage
*/
public Certificate[] getRejectedCertificateChain() {
return rejectedCertificates;
}
/**
* Returns the encountered certificates based on the last usage
*/
public Certificate[] getEncounteredCertificates() {
return encounteredCertificates;
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
if (trustManager != null) {
trustManager.checkClientTrusted(chain, authType);
}
}
/**
* Checks if a server is trusted, based on the wrapped keyStore's trust
* anchors. This will also capture the encountered certificate chain and, if
* trust fails, the rejected certificate chain.
*/
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CustomCertificateException {
// Capture the certificate if it fails
try {
encounteredCertificates = chain;
if (trustManager != null) {
trustManager.checkServerTrusted(chain, authType);
} else {
throw new RuntimeException("Trust manager is null");
}
} catch (CertificateException ex) {
rejectedCertificates = chain;
throw new CustomCertificateException(ex, rejectedCertificates);
} catch (Exception ex) {
rejectedCertificates = chain;
throw new CustomCertificateException(new CertificateException(ex), rejectedCertificates);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return trustManager == null ? new X509Certificate[0] : trustManager.getAcceptedIssuers();
}
/**
* initializes the internal trust manager with all known certificates
* certificates are stored in the keyStore object
*/
private void initTrustManager() {
try {
// initialize a new TMF with our keyStore
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
// keyStore must not be empty
CertPathParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector());
((PKIXBuilderParameters) pkixParams).setRevocationEnabled(true);
tmf.init(new CertPathTrustManagerParameters(pkixParams));
// acquire X509 trust manager from factory
TrustManager tms[] = tmf.getTrustManagers();
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
trustManager = (X509TrustManager) tm;
break;
}
}
} catch (Exception ex) {
logger.error("Problem initializing trust manager", ex);
}
}
...
}
在这里,我已经实现了X509TrustManager信任管理器,并试图将相应的检查调用委托给在运行时发现的x509信任管理器。 我的问题是,我已经设置了关于OCSP的属性,足以确保Java在验证证书链时也可以执行OCSP?换句话说,checkServerTrusted()方法自己处理,如果属性设置?如果设置了适当的属性,X509TrustManagerImpl.checkServerTrusted()是否自行处理OCSP?
答
它看起来不像你通过OCSP检查撤销。这里是一个如何做到这一点的例子。您将需要目标证书和响应者URL。我从一个工作示例中提取了它,并将其修改为尽可能通用。没有测试过,但它应该工作或者非常接近工作。您可能不得不根据您的需求量身定制,但不是太多。
private void validateCertPath(X509Certificate targetCertificate, X509Certificate issuerCertificate, String responderURL, String trustAnchorDirectory)
throws CertPathValidatorException,
InvalidAlgorithmParameterException,
FileNotFoundException,
CertificateException,
NoSuchAlgorithmException {
List<X509Certificate> certList = new Vector<X509Certificate>();
certList.add(targetCertificate);
certList.add(issuerCertificate);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
CertPath cp = cf.generateCertPath(certList);
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
Set<TrustAnchor> trustStore = new HashSet<TrustAnchor>();
TrustAnchor anchor = null;
X509Certificate cacert = null;
File directory = new File(trustAnchorDirectory);
String certFileNames[] = directory.list();
for (String certFile : certFileNames) {
cacert = readCert(trustAnchorDirectory +"/" + certFile);
anchor = new TrustAnchor(cacert, null);
trustStore.add(anchor);
}
PKIXParameters params = new PKIXParameters(trustStore);
params.setRevocationEnabled(true);
Security.setProperty("ocsp.enable", "true");
Security.setProperty("ocsp.responderURL", responderUrl);
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
System.out.println("Certificate validated");
System.out.println("Policy Tree:\n" + result.getPolicyTree());
}