我能够与https://google.com/建立TLS连接。远程服务返回3个证书链:
The requested resource does not support http method 'POST'
CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
CN=Google Internet Authority G2, O=Google Inc, C=US
可以像这样检索这些证书:
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
不幸的是,这不是完整的链条。在我的本地SSL上下文的TrustManager中安装了第4个证书。它看起来像这样:
Certificate[] certificates = sslSocket.getSession().getPeerCertificates();
检索其名称很简单:
OU=Equifax Secure Certificate Authority, O=Equifax, C=US
我想要的是String equifax = ((X509Certificate) peerCertificates[2]).getIssuerDN().getName();
实例。 如何获取X509Certificate
握手期间使用的可信CA证书?
请注意,我通过创建SSL上下文来使用系统的SSLSocket
:
TrustManager
答案 0 :(得分:3)
您几乎就在那里,只需使用JVM默认信任管理器:
public static void main(String[] args) throws Exception{
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket)factory.createSocket("www.google.com", 443);
X509Certificate[] chain = socket.getSession().getPeerCertificateChain();
String equifax = chain[2].getIssuerDN().getName();
// JVM Default Trust Managers
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
X509TrustManager manager = (X509TrustManager) trustManagers[0];
for (java.security.cert.X509Certificate x509Certificate : manager.getAcceptedIssuers()) {
if (equifax.equals(x509Certificate.getSubjectDN().getName())) {
System.out.println(x509Certificate);
}
}
}
答案 1 :(得分:0)
永远,我最终得到了dirty reflection所需的数据。我无法控制调用者如何构建SSL上下文,如上所述。