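I have a chain of X509 certificates, starting with the user certificate and ending with a trusted CA certificate. For testing, I am trying to use Google's certificates.
I want to check the revocation status of every certificate in the chain.
I am using the following code: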
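    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.Security;
    import java.security.cert.*;
    import java.util.ArrayList;

    public static boolean isCertChainValid(ArrayList<X509Certificate> certificateList) {
        try {
            // Build a CertPath from the supplied chain and get a PKIX validator
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            CertPath certPath = certificateFactory.generateCertPath(certificateList);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            // Use the JRE's default cacerts trust store as the set of trust anchors
            KeyStore keystore = KeyStore.getInstance("JKS");
            InputStream is = new FileInputStream(System.getProperty("java.home") + "/lib/security/" + "cacerts");
            keystore.load(is, "changeit".toCharArray());
            PKIXParameters params = new PKIXParameters(keystore);
            // Turn on revocation checking: OCSP, plus CRLs located via the CRL Distribution Points extension
            params.setRevocationEnabled(true);
            Security.setProperty("ocsp.enable", "true");
            System.setProperty("com.sun.net.ssl.checkRevocation", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            // validate() throws if the path is invalid or revocation status cannot be established
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) validator.validate(certPath, params);
            return true;
        } catch (CertificateException e) {
            throw new RuntimeException(e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (KeyStoreException e) {
            throw …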