Does X509TrustManagerImpl.checkServerTrusted() handle OCSP by itself if the appropriate properties are set?

我是研究僧i 提交于 2019-12-09 07:16:17

问题


    public class CustomTrustManager implements X509TrustManager {

   private X509TrustManager trustManager;
   // If a connection was previously attempted and failed the certificate check, that certificate chain will be saved here.
   private Certificate[] rejectedCertificates = null;
   private Certificate[] encounteredCertificates = null;
   private KeyStore keyStore = null;
   private Logger logger;

   /**
    * Constructor
    *
    * @param loggerFactory
    *           see {@link InstanceLoggerFactory}
    */
   public CustomTrustManager(InstanceLoggerFactory loggerFactory) {
      try {
         this.logger = loggerFactory.getLogger(CustomTrustManager.class);
         keyStore = KeyStore.getInstance("JKS");
         // a keyStore must be initialized with load, even if certificate trust is not file based.
         keyStore.load(null, null);

         System.setProperty("com.sun.net.ssl.checkRevocation", "true");
         Security.setProperty("ocsp.enable", "true");
      } catch (Exception ex) {
         logger.error("Problem initializing keyStore", ex);
      }
   }

   /**
    * Returns the rejected certificate based on the last usage
    */
   public Certificate[] getRejectedCertificateChain() {
      return rejectedCertificates;
   }

   /**
    * Returns the encountered certificates based on the last usage
    */
   public Certificate[] getEncounteredCertificates() {
      return encounteredCertificates;
   }

   @Override
   public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
      if (trustManager != null) {
         trustManager.checkClientTrusted(chain, authType);
      }
   }

   /**
    * Checks if a server is trusted, based on the wrapped keyStore's trust
    * anchors. This will also capture the encountered certificate chain and, if
    * trust fails, the rejected certificate chain.
    */
   @Override
   public void checkServerTrusted(X509Certificate[] chain, String authType) throws CustomCertificateException {
      // Capture the certificate if it fails
      try {
         encounteredCertificates = chain;
         if (trustManager != null) {
            trustManager.checkServerTrusted(chain, authType);
         } else {
            throw new RuntimeException("Trust manager is null");
         }
      } catch (CertificateException ex) {
         rejectedCertificates = chain;
         throw new CustomCertificateException(ex, rejectedCertificates);
      } catch (Exception ex) {
         rejectedCertificates = chain;
         throw new CustomCertificateException(new CertificateException(ex), rejectedCertificates);
      }
   }

   @Override
   public X509Certificate[] getAcceptedIssuers() {
      return trustManager == null ? new X509Certificate[0] : trustManager.getAcceptedIssuers();
   }

   /**
    * initializes the internal trust manager with all known certificates
    * certificates are stored in the keyStore object
    */
   private void initTrustManager() {
      try {
         // initialize a new TMF with our keyStore
         TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");

         // keyStore must not be empty
         CertPathParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector());
         ((PKIXBuilderParameters) pkixParams).setRevocationEnabled(true);

         tmf.init(new CertPathTrustManagerParameters(pkixParams));

         // acquire X509 trust manager from factory
         TrustManager tms[] = tmf.getTrustManagers();
         for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
               trustManager = (X509TrustManager) tm;
               break;
            }
         }
      } catch (Exception ex) {
         logger.error("Problem initializing trust manager", ex);
      }
   }

 ...
}

Here I've implemented X509TrustManager trust manager and tried to delegate the appropriate checking calls to the x509 trust manager found at run time. My question is are the properties I've set regarding to OCSP enough to be sure that Java will also do OCSP while validating the certificate chain? In other words will checkServerTrusted() method handle that by itself if the properties are set?


回答1:


It does not look like you're checking the revocation via OCSP. Here is an example of how to do this. You will need the target certificate and the responder URL. I extracted this from a working example and modified it to be as generic as possible. Have not tested it, but it should work or be very close to working. You might have to tailor it to your needs, but not by much.

    private void validateCertPath(X509Certificate targetCertificate, X509Certificate issuerCertificate, String responderURL, String trustAnchorDirectory) 
            throws  CertPathValidatorException, 
                            InvalidAlgorithmParameterException, 
                            FileNotFoundException, 
                            CertificateException, 
                            NoSuchAlgorithmException {

    List<X509Certificate> certList = new Vector<X509Certificate>();
    certList.add(targetCertificate);
    certList.add(issuerCertificate);

    CertificateFactory cf = CertificateFactory.getInstance("X.509");

    CertPath cp = cf.generateCertPath(certList);

    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

    Set<TrustAnchor> trustStore = new HashSet<TrustAnchor>();
    TrustAnchor anchor = null;
    X509Certificate cacert = null;
    File directory = new File(trustAnchorDirectory);
    String certFileNames[] = directory.list();

    for (String certFile : certFileNames) {
        cacert = readCert(trustAnchorDirectory +"/" + certFile);
        anchor = new TrustAnchor(cacert, null);
        trustStore.add(anchor);
    }

    PKIXParameters params = new PKIXParameters(trustStore);
    params.setRevocationEnabled(true);

    Security.setProperty("ocsp.enable", "true");
    Security.setProperty("ocsp.responderURL", responderUrl);

    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    System.out.println("Certificate validated");
    System.out.println("Policy Tree:\n" + result.getPolicyTree());

}



来源:https://stackoverflow.com/questions/40914688/does-x509trustmanagerimpl-checkservertrusted-handle-ocsp-by-itself-if-the-appr

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!