OCSP check in Java secure sockets

一世执手 提交于 2019-12-20 05:01:27

问题


If I set Security.setProperty("ocsp.enable", "true"), will an SSLSocket or SSLServerSocket connection automatically check for certificate revocation using OCSP?

Do I have to do the OCSP check manually when creating the socket? (I'm not using CRLs.)


回答1:


You can use this TrustManager implementation I whipped up for some testing which is based on the OCSP checking code on XueLei.Fan's blog.

I have used this with Netty based on the their HttpSnoopClient hitting https://www.mozilla.org/en-US/ and it works.

import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * TrustManager that verifies server certs using OCSP using the code found at
 * https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
 */
public class OCSPTrustManagerFactory extends SimpleTrustManagerFactory {
    private static final InternalLogger logger = InternalLoggerFactory
            .getInstance(OCSPTrustManagerFactory.class);
    public static final TrustManagerFactory INSTANCE = new OCSPTrustManagerFactory();
    private static final TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String s) {
            OCSPTrustManagerFactory.logger.debug("Accepting a client certificate: " + chain[0].getSubjectDN());
        }

        public void checkServerTrusted(X509Certificate[] chain, String s) {
            try {

                logger.debug("Certs size:{}", chain.length);
                logger.debug("Accepting a server certificate:{} ", chain[0].getSubjectDN());

                // if you work behind proxy, configure the proxy.
               // System.setProperty("http.proxyHost", "proxyHost");
                //System.setProperty("http.proxyPort", "proxyPort");

                CertPath path = generateCertificatePath(chain);
                Set anchors = generateTrustAnchors();

                PKIXParameters params = new PKIXParameters(anchors);

                // Activate certificate revocation checking
                params.setRevocationEnabled(true);

                // Activate OCSP
                Security.setProperty("ocsp.enable", "true");

                // Activate CRLDP
                System.setProperty("com.sun.security.enableCRLDP", "true");

                // Ensure that the ocsp.responderURL property is not set.
                if (Security.getProperty("ocsp.responderURL") != null) {
                    throw new
                            Exception("The ocsp.responderURL property must not be set");
                }

                CertPathValidator validator = CertPathValidator.getInstance("PKIX");

                validator.validate(path, params);
                logger.info("OCSP validation successful for Server certificate: {}", chain[0].getSubjectDN());
            } catch (Exception ex) {
                logger.error("Exception checking Server certificates", ex);
            }
        }

        public X509Certificate[] getAcceptedIssuers() {
            return EmptyArrays.EMPTY_X509_CERTIFICATES;
        }


    };

    private static CertPath generateCertificatePath(X509Certificate[] certs)
            throws CertificateException {
        // generate certificate from cert strings
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        return cf.generateCertPath(Arrays.asList(certs));
    }

    private static Set generateTrustAnchors() throws Exception {
        // generate certificate from cert string
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Load the JDK's cacerts keystore file
        String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
        FileInputStream is = new FileInputStream(filename);
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "changeit";
        keystore.load(is, password.toCharArray());

        // This class retrieves the most-trusted CAs from the keystore
        PKIXParameters params = new PKIXParameters(keystore);


        return params.getTrustAnchors();
    }

    private OCSPTrustManagerFactory() {
    }

    protected void engineInit(KeyStore keyStore)
            throws Exception {

        logger.debug("KeyStore is: {}", keyStore.toString());
    }

    protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
            throws Exception {
    }

    protected TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{tm};
    }
}

I am sure you can get this to work with SSLSocket using using sample code here



来源:https://stackoverflow.com/questions/34140869/ocsp-check-in-java-secure-sockets

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!