OCSP revocation checking on client certificates
2022-09-03 06:01:09
How do I manually check the revocation status of a certificate in Java using OCSP, given only the client's java.security.cert.X509Certificate? I don't see an obvious way to do this.
Alternatively, can I get Tomcat to do this for me automatically, and how do you know that your solution really works?
I found an excellent solution:
http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html
/**
 * This is a class that checks the revocation status of a certificate(s) using
 * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
 * the CertPathValidator framework. It is useful when you want to
 * just check the revocation status of a certificate, and you don't want to
 * incur the overhead of validating all of the certificates in the
 * associated certificate chain.
 *
 * @author Sean Mullan
 */
It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that solves the problem!
There seems to be a Tomcat patch that enables OCSP validation.
If you choose to do this manually:
Security.setProperty("ocsp.enable", "true");
Or set it via a command-line parameter. See here:
The value of this property is true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if false or not set, OCSP checking is disabled.
Here is some code that I believe works:
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

import org.apache.commons.lang3.exception.ExceptionUtils;

interface ValidationStrategy {
    boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException;
}

class SunOCSPValidationStrategy implements ValidationStrategy {
    // The original referenced a project-specific Signature.LOG; a JDK logger stands in for it.
    private static final Logger LOG = Logger.getLogger(SunOCSPValidationStrategy.class.getName());

    @Override
    public boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException {
        try {
            // PKIX validation performs the OCSP lookup when revocation checking is
            // enabled on 'parameters' and the ocsp.enable security property is true.
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv
                    .validate(certPath, parameters);
            LOG.fine("Validation result is: " + result);
            return true; // if no exception is thrown
        } catch (CertPathValidatorException cpve) {
            // if the exception is (or is caused by)
            // CertificateRevokedException, return false;
            // otherwise re-throw, because this indicates a failure to perform
            // the validation
            Throwable cause = ExceptionUtils.getRootCause(cpve);
            Class<? extends Throwable> exceptionClass = cause != null ? cause.getClass()
                    : cpve.getClass();
            if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                return false;
            }
            throw cpve;
        }
    }
}
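As an added example (not code from any of the answers above), the manual approach end to end: build a one-certificate path from the client's X509Certificate, anchor it at the issuer, enable revocation checking with an explicit OCSP-only PKIXRevocationChecker (Java 8+), and use CertPathValidatorException.getReason() to tell "revoked" apart from "could not determine". The class name, the Status enum and the caller-supplied clientCert/issuerCert are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

public final class OcspRevocationCheck {

    public enum Status { GOOD, REVOKED, UNDETERMINED }
    /** clientCert and issuerCert are supplied by the caller (hypothetical inputs). */
    public static Status check(X509Certificate clientCert, X509Certificate issuerCert)
            throws GeneralSecurityException {
        // Enable OCSP for the PKIX validator (the ocsp.enable property discussed above).
        Security.setProperty("ocsp.enable", "true");

        // A one-element path: the client cert, anchored directly at its issuer.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        TrustAnchor anchor = new TrustAnchor(issuerCert, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(true);

        // Java 8+: an explicit PKIXRevocationChecker; NO_FALLBACK means OCSP only,
        // with no silent fallback to CRLs if the responder cannot be reached.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);

        try {
            cpv.validate(path, params);
            return Status.GOOD;
        } catch (CertPathValidatorException e) {
            // getReason() (Java 7+) is more robust than matching the cause's class name.
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            // Responder unreachable, bad responder signature, etc.: fail closed.
            return Status.UNDETERMINED;
        }
    }
}
```

Treat UNDETERMINED as a rejection in a client-authentication path; only GOOD means the responder positively vouched for the certificate.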