OCSP revocation check of a client certificate

Time: 2011-03-01 23:05:29

Tags: java security tomcat x509certificate ocsp

If I only have the client's java.security.cert.X509Certificate, how do I manually check the certificate's revocation status in Java using OCSP? I can't see a clear way to do this.

Or, could I let Tomcat do it for me automatically? And how do you know that your solution really works?

4 answers:

Answer 0 (score: 16)

I found an excellent solution:

http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html

    /**
     * This is a class that checks the revocation status of a certificate(s) using
     * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
     * the CertPathValidator framework. It is useful when you want to
     * just check the revocation status of a certificate, and you don't want to
     * incur the overhead of validating all of the certificates in the
     * associated certificate chain.
     *
     * @author Sean Mullan
     */

It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does exactly this!

Answer 1 (score: 3)

Here is the relevant code from Jetty 7. It takes the array of certificates from the servlet request and validates them through the certpath API with OCSP.

http://grepcode.com/file/repo1.maven.org/maven2/org.eclipse.jetty/jetty-util/7.4.0.v20110414/org/eclipse/jetty/util/security/CertificateValidator.java#189

Answer 2 (score: 2)

There seems to be a patch for Tomcat here that enables OCSP validation.

If you choose to do it manually:

Security.setProperty("ocsp.enable", "true");

Or set it through a command-line argument. See here


The value of this property is true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if set to false or not set, OCSP checking is disabled.

Here is some code I found useful:

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;

interface ValidationStrategy {
    boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException;
}


// Relies on the JDK's PKIX validator; OCSP is only consulted when the
// ocsp.enable property (see above) is set and parameters.isRevocationEnabled().
// Signature.LOG and ExceptionUtils are helpers from the answerer's own code base (not shown).
class SunOCSPValidationStrategy implements ValidationStrategy {
    @Override
    public boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException {
        try {
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv
                    .validate(certPath, parameters);
            Signature.LOG.debug("Validation result is: " + result);
            return true; // if no exception is thrown
        } catch (CertPathValidatorException cpve) {

            // if the exception is (or is caused by)
            // CertificateRevokedException, return false;
            // otherwise re-throw, because this indicates a failure to perform
            // the validation (e.g. responder unreachable), not a revoked certificate
            Throwable cause = ExceptionUtils.getRootCause(cpve);
            Class<? extends Throwable> exceptionClass = cause != null ? cause.getClass()
                    : cpve.getClass();
            if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                return false;
            }
            throw cpve;
        }
    }

}
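
The same end-entity check written against the standard PKIXRevocationChecker API (Java 8 and later), added here as an example and not taken from any of the answers above; it needs neither the internal sun.security.provider.certpath.OCSP class from answer 0 nor the global ocsp.enable property, and it uses the issuer certificate as the trust anchor, which is an assumption of this example (in production the anchor would normally come from a truststore). The class and method names are chosen for this example.

```java
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collections;
import java.util.EnumSet;

/** OCSP status of a single client certificate, checked through the public certpath API. */
public final class OcspClientCertCheck {

    public enum Status { GOOD, REVOKED }

    /**
     * @param clientCert certificate the client presented (e.g. first element of
     *                   request.getAttribute("javax.servlet.request.X509Certificate"))
     * @param issuerCert CA certificate that signed clientCert; used as the trust anchor here
     * @param responder  explicit OCSP responder, or null to use the certificate's AIA extension
     * @throws CertPathValidatorException for anything other than "revoked" (responder
     *         unreachable, bad response signature, expired certificate, ...), so that an
     *         OCSP outage is never silently reported as GOOD
     */
    public static Status check(X509Certificate clientCert, X509Certificate issuerCert, URI responder)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        // Trust anchor is the issuer itself: this validates only the client certificate.
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(issuerCert, null)));
        params.setRevocationEnabled(true);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // ONLY_END_ENTITY: do not check the CA chain; NO_FALLBACK: do not fall back to CRLs.
        // SOFT_FAIL is deliberately not set, so "no response" is an error rather than a pass.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));
        if (responder != null) {
            rc.setOcspResponder(responder);
        }
        params.addCertPathChecker(rc);

        try {
            cpv.validate(path, params);
            return Status.GOOD;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            throw e; // validation could not be performed: fail closed, let the caller decide
        }
    }
}
```

Unlike the string comparison on "CertificateRevokedException" in the snippet above, CertPathValidatorException.getReason() gives a typed reason, so the revoked case is distinguished from transport or signature failures without inspecting the cause chain.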

Answer 3 (score: 0)

select *
from my_table
where attribute_a ~ concat('^', attribute_b)
-- where attribute_a ~ format('^%s', attribute_b)