Mar*_*kus 7 java bouncycastle certificate-revocation x509
我正在使用充气城堡离线验证X509证书,并且遇到了旧版CRL的问题.我还没有发现有可能接受已过期的CRL,我认为如果证书被撤销,它应该在CRL到期后保持撤销.另外如果CRL是空的我只想接受这个,我现在无法获得更新的CRL.
只是为了澄清,这将是用例:
目前我将撤销检查设置为false并自行执行检查.我在网上找不到任何关于此的信息.
这是我的代码:
final X509CertSelector endConstraints = new X509CertSelector();
endConstraints.setSerialNumber(signer.getSID().getSerialNumber());
final PKIXBuilderParameters buildParams = new PKIXBuilderParameters(trustAnchors, endConstraints);
//a CertStore object with Certificates and CRLs
buildParams.addCertStore(certificates);
//currently deactivated
buildParams.setRevocationEnabled(false);
final CertPathBuilder builder = CertPathBuilder.getInstance(SignedFileVerifier.CERTIFICATE_PATH_ALGORITHM, SignedFileVerifier.PROVIDER);
final CertPathBuilderResult result = builder.build(buildParams);
//here I manually check the CRLs, which I don't want to do
checkRevocation(result.getCertPath().getCertificates(), certificates, trustAnchors);
//if this passes I return the found certificate
return (X509Certificate) result.getCertPath().getCertificates().get(0);
确切的例外是:
Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: No CRLs found for issuer "cn=goodOldIssuerCA0,ou=jUnit Test Issuer,o=BOGO Company,c=AT"
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
...
PKIXCRLUtil#findCRLs基本上我的整个问题发生在包中的方法中org.bouncycastle.jce.provider。这是用于加载 CRL 的方法,并且始终在此处检查日期:
if (crl.getNextUpdate().after(validityDate))
{
X509Certificate cert = crlselect.getCertificateChecking();
if (cert != null)
{
if (crl.getThisUpdate().before(cert.getNotAfter()))
{
finalSet.add(crl);
}
}
else
{
finalSet.add(crl);
}
}
我最终使用的代码如下。基本上,我首先将所有公钥按其名称组合到一个映射中(也许序列号会更好?),然后迭代链中的所有证书。首先,我获取证书颁发者公钥,因为我需要它来验证来自同一颁发者的 CRL。然后我创建一个X509CRLSelector颁发者并加载该颁发者的所有 CRL。然后,我迭代在商店中找到的 CRL,通过颁发者公钥验证它们,检查证书是否被吊销,如果是这种情况,则抛出异常。在我当前的实现中,如果没有找到 CRL 也没关系,可以通过检查selectedCRLs不为空来添加它。
private void checkRevocation(final List<X509Certificate> certificates, final CertStore revocationLists, final Set<TrustAnchor> trustAnchors) throws GeneralSecurityException {
final Map<String, PublicKey> publicKeyMap = extractPublicKeys(certificates, trustAnchors);
//check the whole chain, we don't know if the issuer or the signer was revoked
for(final X509Certificate certificate : certificates){
final X500Principal issuerX500Principal = certificate.getIssuerX500Principal();
//get the issuer of this certificate
final PublicKey issuerPublicKey = publicKeyMap.get(issuerX500Principal.getName());
if(issuerPublicKey == null){
throw new GeneralSecurityException("Unable to find issuer for certificate '" + certificate.getSubjectX500Principal() + "'");
}
final X509CRLSelector crlSelector = new X509CRLSelector();
//we only use the issuer, not the date or time, don't want CRLs to expire
crlSelector.addIssuer(issuerX500Principal);
//get all CRLs that match this issuer
final Collection<? extends CRL> selectedCRLs = revocationLists.getCRLs(crlSelector);
for(final CRL crl : selectedCRLs){
final X509CRL x509CRL = (X509CRL)crl;
//check first if the crl is really published by the issuer
x509CRL.verify(issuerPublicKey);
//check if the current certificate was revoked
final X509CRLEntry revokedCertificate = x509CRL.getRevokedCertificate(certificate);
//if we found a revoked certificate throw an exception
if(revokedCertificate != null){
throw new GeneralSecurityException(String.format("Unable to use certificate '%1$s', revocation after %2$tF %2$tT, reason: %3$s",
certificate.getSubjectX500Principal(), revokedCertificate.getRevocationDate(), revokedCertificate.getRevocationReason()));
}
}
}
}
private Map<String, PublicKey> extractPublicKeys(final List<X509Certificate> certificates, final Set<TrustAnchor> trustAnchors) {
final Map<String, PublicKey> certificateMap = new HashMap<>();
for(final X509Certificate certificate : certificates){
certificateMap.put(certificate.getSubjectX500Principal().getName(), certificate.getPublicKey());
}
for(final TrustAnchor trustAnchor : trustAnchors){
final X509Certificate certificate = trustAnchor.getTrustedCert();
certificateMap.put(certificate.getSubjectX500Principal().getName(), certificate.getPublicKey());
}
return certificateMap;
}
| 归档时间: |
|
| 查看次数: |
947 次 |
| 最近记录: |