Does X509TrustManagerImpl.checkServerTrusted() handle OCSP by itself if the appropriate properties are set?

Backend | Unresolved | 1 answer | 656 views
醉梦人生
醉梦人生 2021-02-11 09:36
```java
public class CustomTrustManager implements X509TrustManager {

    private X509TrustManager trustManager;
    // If a connection was previously attempted and failed th
```
Related tags:
1 answer
  • 2021-02-11 10:09

    It does not look like you're checking the revocation via OCSP. Here is an example of how to do this. You will need the target certificate and the responder URL. I extracted this from a working example and modified it to be as generic as possible. I have not tested it, but it should work or be very close to working. You might have to tailor it to your needs, but not by much.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

private void validateCertPath(X509Certificate targetCertificate,
                              X509Certificate issuerCertificate,
                              String responderURL,
                              String trustAnchorDirectory)
        throws CertPathValidatorException,
               InvalidAlgorithmParameterException,
               IOException,
               CertificateException,
               NoSuchAlgorithmException {

    // The path to validate, leaf first: PKIX expects the end-entity certificate
    // at index 0 followed by its issuer(s).
    List<X509Certificate> certList = new ArrayList<>();
    certList.add(targetCertificate);
    certList.add(issuerCertificate);

    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    CertPath cp = cf.generateCertPath(certList);

    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

    // Every certificate file in the directory becomes a trust anchor.
    Set<TrustAnchor> trustStore = new HashSet<>();
    File directory = new File(trustAnchorDirectory);
    String[] certFileNames = directory.list();
    if (certFileNames == null) {
        throw new IOException("Not a readable directory: " + trustAnchorDirectory);
    }
    for (String certFile : certFileNames) {
        X509Certificate cacert = readCert(cf, new File(directory, certFile));
        trustStore.add(new TrustAnchor(cacert, null));
    }

    PKIXParameters params = new PKIXParameters(trustStore);
    params.setRevocationEnabled(true);

    // These are JVM-wide Security properties, not per-validation settings:
    // ocsp.enable turns on OCSP for every PKIX validation that has revocation
    // enabled, and ocsp.responderURL overrides the AIA responder URL found in
    // every certificate, so set them once at startup rather than per call.
    Security.setProperty("ocsp.enable", "true");
    Security.setProperty("ocsp.responderURL", responderURL);

    PKIXCertPathValidatorResult result =
            (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    System.out.println("Certificate validated");
    System.out.println("Policy Tree:\n" + result.getPolicyTree());
}

// Reads one DER- or PEM-encoded X.509 certificate from a file.
private X509Certificate readCert(CertificateFactory cf, File file)
        throws IOException, CertificateException {
    try (InputStream in = new FileInputStream(file)) {
        return (X509Certificate) cf.generateCertificate(in);
    }
}
```

    0 Discussion (0)
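To the question as asked: yes, SunJSSE's default X509TrustManagerImpl runs OCSP inside checkServerTrusted() once revocation checking is switched on. There are two ways to switch it on. The property route is the JVM flag -Dcom.sun.net.ssl.checkRevocation=true (PKIXValidator reads this system property once into a static field, so setting it from code after the first PKIX trust manager is created is too late) together with the Security property ocsp.enable=true; after that, a trust manager from tmf.init((KeyStore) null) already checks OCSP. The programmatic route, available since Java 8, avoids global properties entirely: initialise the PKIX TrustManagerFactory with CertPathTrustManagerParameters carrying a PKIXRevocationChecker. The class below is an added example of the second route and is not code from the question or the answer. It assumes the JVM's stock cacerts file with the default password "changeit", an optional responder URI override passed on the command line, and port 443 on the host being tested; nothing else on the page is assumed.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class OcspTrustManagerExample {

    // Builds the stock PKIX trust manager (SunJSSE's X509TrustManagerImpl) so that
    // checkServerTrusted() performs OCSP checking itself, hard-fail, without any
    // global property changes. responder == null means "use each cert's AIA URL".
    public static X509TrustManager ocspCheckingTrustManager(KeyStore trustStore, URI responder)
            throws GeneralSecurityException {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);

        PKIXRevocationChecker checker = (PKIXRevocationChecker)
                CertPathValidator.getInstance("PKIX").getRevocationChecker();
        // No options: OCSP first with CRL fallback, whole chain, hard-fail.
        // SOFT_FAIL is deliberately absent: an unreachable responder must reject the peer.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        if (responder != null) {
            checker.setOcspResponder(responder); // overrides AIA for this checker only
        }
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("PKIX factory returned no X509TrustManager");
    }

    // Assumption: the JVM's own cacerts file with the default password "changeit".
    public static KeyStore defaultTrustStore() throws IOException, GeneralSecurityException {
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    // Walks the cause chain to the PKIX reason (REVOKED, UNDETERMINED_REVOCATION_STATUS, ...).
    public static String revocationReason(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CertPathValidatorException) {
                return String.valueOf(((CertPathValidatorException) c).getReason());
            }
        }
        return "not a cert-path failure";
    }

    // Usage: java OcspTrustManagerExample <host> [responderURI]
    public static void main(String[] args) throws Exception {
        String host = args[0];
        URI responder = args.length > 1 ? URI.create(args[1]) : null;

        X509TrustManager tm = ocspCheckingTrustManager(defaultTrustStore(), responder);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            // Plain SSLSocket does no hostname verification unless asked; ask.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // OCSP lookups happen inside tm.checkServerTrusted()
            System.out.println("handshake OK: " + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            System.out.println("rejected: " + revocationReason(e) + " (" + e.getMessage() + ")");
        }
    }
}
```

Two things worth checking when adopting this. First, the revocation checker is tied to the parameters cloned into the trust manager at init time, so a wrapper like the CustomTrustManager in the question only needs to delegate to the returned instance; it does not have to re-validate the chain. Second, a responder set with setOcspResponder is scoped to this checker, unlike the ocsp.responderURL Security property in the answer, which silently redirects OCSP for every validation in the JVM.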