我想验证客户端针对CRL提供的X509证书,看看它是否已被撤销。
我已成功实现java.security.cert.X509CRL
,但我在检索会话证书时遇到问题:
try {
SSLSocket s = (SSLSocket) serverSocket.accept();
s.setSoTimeout(TIMEOUT_RW * 1000);
s.startHandshake();
SSLSession session = s.getSession();
X509Certificate[] cert = session.getPeerCertificateChain();
if (crl.isRevoked(cert[0])) {
System.err.println("Attempted to stablish connection using revoked certificate");
} else {
...
}
} catch (Exception ex) {
System.err.println("Something went wrong");
}
SSLSession属于javax.net.ssl
包,其方法getPeerCertificateChain()
返回javax.security.cert.X509Certificate[]
,无法转换为我需要提供java.security.cert.X509Certificate[]
的{{1}} }}。
怎么办呢?
答案 0 :(得分:9)
javax.security.cert.X509Certificate
已弃用。从java.security.cert.Certificate[]
获取session.getPeerCertificates();
,然后将其传递给crl.isRevoked
实施。
另见:
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificateChain()
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificates()
包javax.security.cert中的类存在 与早期版本的Java安全套接字兼容 扩展(JSSE)。新应用程序应该使用该标准 Java SE证书类位于java.security.cert。
中
您可以将java.security.cert.Certificate
转换为java.security.cert.X509Certificate
(source):
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(certificate.getEncoded());
X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais);