发表新帖
发表新帖

Validate X509 certificates using Java APis

后端 未结
关注
3 980
闹比i
闹比i 2020-12-01 12:50

I am trying to validate a certificate against java key store and this is the code I am using is as below. If it completes succesfully then I assume the validation has gone t

相关标签:
3条回答
  • 慢半拍i
    2020-12-01 13:10

    Normally, a certificate will be issued by an intermediate issuing authority, not a "root" authority (which is all that should be in your trust store). Most protocols encourage sending a "chain" of certificates, not just the entity's certificate.

    You should add all of the intermediate certs so that a complete chain can be formed.

    In order to be certain that the certificate is still valid, you should not disable revocation checks. If you don't want to retrieve a CRL (which can be large), the issuer may offer OCSP support. But, this has to be enabled in the Java runtime by setting certain system properties.

    If the path validator returns successfully, you don't need to check anything else. If the certificate is not valid, an exception will be raised.

    Also, an explicit check on the validity date is unnecessary. This occurs during validation (using the current time, unless you specify a time via the PKIXParameters).

    For a more extensive discussion of validation, including sample code, see a previous answer of mine.

    0 讨论(0)
  • 抹茶落季
    2020-12-01 13:14

    What you are doing here is verifying if a certificate (in your example cert) has been signed (directly) by any of the trusted CA's in the truststore.
    Additionally you check for expiration but no revocation checking is performed.
    So if the cert has not been signed by any of the trusted CA's you will get an exception.
    So the code is sufficient to verify if cert has been signed by any of the trusted CAs

    If you are refering to server authentication, then the code in the post is not sufficient.
    This code just verifies that a specific certificate is signed by a trusted CA.
    You have no indication though if the "entity" that send you this certificate is actually the owner of the certificate (i.e. they own the private key associated with this certificate).
    This is part of the SSL authentication, where e.g. the client sends the ClientKeyExchange message encrypted with the remote server's public key and is certain that if the other party is fake then it will not be possible to decrypt the message

    0 讨论(0)
  • 南旧
    2020-12-01 13:29

    If you're happy with the default trust settings (as they would be used for the default SSLContext), you could build an X509TrustManager independently of SSL/TLS and use if to verify your certificate independently.

    It would look like this:

    TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore)null);
// you could use a non-default KeyStore as your truststore too, instead of null.

for (TrustManager trustManager: trustManagerFactory.getTrustManagers()) {  
    if (trustManager instanceof X509TrustManager) {  
        X509TrustManager x509TrustManager = (X509TrustManager)trustManager;  
        x509TrustManager.checkServerTrusted(...);
    }  
}

    (You should also check the server's identity and the certificate match, see RFC 6125 (Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)).)

    0 讨论(0)
 看不清?
提交回复
热议问题