仍然是密码学中的一个菜鸟我每天偶然发现简单的事情。今天只是其中的一天。
我想用弹性城堡库验证java中的smime消息,我想我差不多想出来了,但此时的问题是构建PKIX参数对象。 比方说,我有一个具有以下结构的终端实体x509certificate:
root certificate
+->intermediate certificate
+->end-entity certificate
为了验证消息,我需要首先建立一个信任链,但我无法弄清楚如何从最终实体中提取根证书和中间证书。
我尝试以root身份使用end-entity,但它不起作用:
InputStream isCert = GetFISCertificate();
List list = new ArrayList();
X509Certificate rootCert = (X509Certificate) certificateFactory.generateCertificate(isCert);
list.add(rootCert);
CollectionCertStoreParameters params = new CollectionCertStoreParameters(list);
CertStore store = CertStore.getInstance("Collection", params, BC);
//create cert path
List certChain = new ArrayList();
certChain.add(rootCert);
CertPath certPath = certificateFactory.generateCertPath(certChain);
Set trust = Collections.singleton(new TrustAnchor(rootCert, null));
//validation
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BC);
PKIXParameters pKIXParameters = new PKIXParameters(trust);
pKIXParameters.addCertStore(store);
pKIXParameters.setDate(new Date());
try {
CertPathValidatorResult result = certPathValidator.validate(certPath, pKIXParameters);
System.out.println("certificate path validated");
} catch (CertPathValidatorException e) {
System.out.println("validation failed on certificate number " + e.getIndex() + ", details: " + e.getMessage());
}
得到了这个例外:
validation failed on certificate number -1, details: Trust anchor for certification path not found.
顺便说一句,我是否可以只使用最终实体证书来验证邮件,就好像它是自签名证书一样?
答案 0 :(得分:6)
我已经使用 BouncyCastle 1.56 进行此测试。
从终端实体获取颁发者证书的一种方法是查找Authority Information Access extension。
此扩展程序可能存在(它不是强制性的),可能包含获取颁发者证书的网址(颁发者是证书"以上"当前的证书,因此最终实体的发行人是中间人,而中间人的发行人是根证书。
您可以使用BouncyCastle获取此扩展值:
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
X509Certificate cert = // end entity certificate
// get Authority Information Access extension (will be null if extension is not present)
byte[] extVal = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));
// check if there is a URL to issuer's certificate
AccessDescription[] descriptions = aia.getAccessDescriptions();
for (AccessDescription ad : descriptions) {
// check if it's a URL to issuer's certificate
if (ad.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_caIssuers)) {
GeneralName location = ad.getAccessLocation();
if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
String issuerUrl = location.getName().toString();
// http URL to issuer (test in your browser to see if it's a valid certificate)
// you can use java.net.URL.openStream() to create a InputStream and create
// the certificate with your CertificateFactory
URL url = new URL(issuerUrl);
X509Certificate issuer = (X509Certificate) certificateFactory.generateCertificate(url.openStream());
}
}
}
因此,您可以将此代码与最终实体证书一起使用以获取中间体。然后再用中间体来获取根。
然后将 root 添加到TrustAnchor,验证应该有效。
注意:但正如我所说,此扩展名不是强制性的,可能不存在。在这种情况下,getExtensionValue将返回null,我知道的唯一替代方法是在Google中搜索证书并下载它们(这些证书链通常是公开的,不难找到)
答案 1 :(得分:2)
KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null);
String alias = "your alias";
ArrayList<X509Certificate> certsChain = new ArrayList<>();
if (ks.isCertificateEntry(alias)) {
Certificate[] chain = ks.getCertificateChain(alias);
System.out.println("Chain length: " + chain.length);
for(Certificate c : chain) certsChain.add((X509Certificate)c);
}
Collections.reverse(certsChain);
certsChain.forEach(MainClass::printDBG);