问题
Our use-case requires validating certificate revocation via OCSP on a PKIX set-up. My starting point was the code at this related question: OCSP Revocation on client certificate
I'm doing it manually at the application level since tomcat doesn't support it. However, I'm having some trouble building the certPath and I think I'm missing some fundamental understanding.
First I try to create the certPath for the incoming client x509Certificate.
KeyStore store is initialized correctly and contains only the root certificates that match the client x509Certificate.
EDIT: I got the same result after adding the intermediate certificates as well.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store,certSelector);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
However, I get an error at run-time:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What could be missing?
回答1:
As you have it, I'm not sure how the CPB would find the subject certificate (x509certificate) to build a path to, unless it's in your keystore, which it typically wouldn't be. Simply providing the subject name isn't enough to build a validated path; the discovery & validation algorithm needs the full subject certificate. See what happens if you replace
certSelector.setSubject(x509certificate.getSubjectX500Principal());
with
certSelector.setCertificate(x509certificate);
回答2:
You indicate that you added intermediates certificates. Since you did not update your code snippet I wondered how added these certificates? You should add these certificates as a CertStore
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store,certSelector);
CertStore cstore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));
params.addCertStore(cstore);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
来源:https://stackoverflow.com/questions/5237970/x509certificate-certpath-validation