If all I have is the client's java.security.cert.X509Certificate, how do I manually check a certificate's revocation status in Java using OCSP? I can't see a clear way of doing this.
Or, if I let Tomcat do it for me automatically, how would you know that your solution is real?
Answer 0 (score: 16)
I found an excellent solution:
http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html
/**
 * This is a class that checks the revocation status of a certificate(s) using
 * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
 * the CertPathValidator framework. It is useful when you want to
 * just check the revocation status of a certificate, and you don't want to
 * incur the overhead of validating all of the certificates in the
 * associated certificate chain.
 *
 * @author Sean Mullan
 */
It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does exactly this!
Answer 1 (score: 3)
Here is the relevant code from Jetty 7, which takes the array of certificates from the servlet request and validates them through the certpath API with OCSP.
Answer 2 (score: 2)
There seems to be a patch for Tomcat here that enables OCSP validation.
If you choose to do it manually:
Security.setProperty("ocsp.enable", "true");
Or set it via a command line argument. See here:
The value of this property is either true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if set to false or not set, OCSP checking is disabled.
Here is the code I found useful:
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import org.apache.commons.lang3.exception.ExceptionUtils; // assumed: the posted code only shows the unqualified name

interface ValidationStrategy {
    boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException;
}

class SunOCSPValidationStrategy implements ValidationStrategy {
    // The posted code logged through its enclosing class (Signature.LOG); a plain JDK logger stands in here.
    private static final Logger LOG = Logger.getLogger(SunOCSPValidationStrategy.class.getName());

    @Override
    public boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException {
        try {
            // With ocsp.enable=true, OCSP is consulted only if parameters.isRevocationEnabled()
            // is true, which is the PKIXParameters default.
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) cpv.validate(certPath, parameters);
            LOG.fine("Validation result is: " + result);
            return true; // no exception means the path, including revocation status, checked out
        } catch (CertPathValidatorException cpve) {
            // If the exception is (or is caused by) CertificateRevokedException, return false;
            // otherwise re-throw, because that indicates a failure to perform the validation
            // (for example an unreachable OCSP responder), not a revoked certificate.
            // Since Java 7, cpve.getReason() == CertPathValidatorException.BasicReason.REVOKED
            // expresses the same test without string-matching a class name.
            Throwable cause = ExceptionUtils.getRootCause(cpve);
            Class<? extends Throwable> exceptionClass =
                    cause != null ? cause.getClass() : cpve.getClass();
            if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                return false;
            }
            throw cpve;
        }
    }
}
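The single-certificate check that answer 0 takes from the internal sun.security.provider.certpath.OCSP class, and the validator-plus-ocsp.enable approach of answer 2, can both be expressed with the public java.security.cert API on Java 8 or newer. The following is an added example written for this page; it is not code from the original answers, from Jetty, from Tomcat or from the JDK. The certificate under test becomes a one-element CertPath and its issuer becomes the trust anchor, so nothing else in the chain is validated, and an explicitly added PKIXRevocationChecker configured for OCSP with no CRL fallback and no SOFT_FAIL replaces the Security property. The class name OcspStatusCheck, the Status enum and the PEM-file arguments to main are this example's own assumptions; the check needs network access to the responder named in the certificate's Authority Information Access extension, so it cannot run offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

/**
 * Standalone OCSP status check of ONE certificate against its issuer using
 * only public java.security.cert APIs (Java 8+). Added example: the class
 * name, the Status enum and the PEM-file arguments are assumptions made here.
 */
public final class OcspStatusCheck {

    public enum Status { GOOD, REVOKED, UNDETERMINED }

    /**
     * GOOD if the responder says good, REVOKED if it says revoked, UNDETERMINED
     * if no trustworthy answer was obtained (responder unreachable, no AIA URL,
     * malformed or badly signed response). Any other validation failure (bad
     * signature, expired certificate, issuer mismatch) is re-thrown unchanged.
     */
    public static Status check(X509Certificate cert, X509Certificate issuer)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));

        // Making the issuer the trust anchor leaves only `cert` on the path, so
        // only its status is queried. The OCSP CertID is built from the anchor's
        // certificate, which is why the issuer certificate itself (not merely
        // its public key) has to be supplied.
        TrustAnchor anchor = new TrustAnchor(issuer, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Hard fail: OCSP only, no CRL fallback, and no SOFT_FAIL, so a blocked
        // responder yields UNDETERMINED rather than a silent "not revoked".
        // The responder URL comes from the AIA extension; for a certificate
        // without one, call rc.setOcspResponder(URI) before adding the checker.
        rc.setOptions(EnumSet.of(Option.NO_FALLBACK));
        // An explicitly added PKIXRevocationChecker is used regardless of
        // params.setRevocationEnabled() and of the legacy "ocsp.enable" property.
        params.addCertPathChecker(rc);

        try {
            cpv.validate(path, params);
            return Status.GOOD;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Status.UNDETERMINED;
            }
            throw e; // not a revocation verdict: signature, validity or name chaining failed
        }
    }

    static X509Certificate loadPem(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    // usage: java OcspStatusCheck client.pem issuer.pem
    public static void main(String[] args) throws Exception {
        System.out.println(check(loadPem(args[0]), loadPem(args[1])));
    }
}
```

Two points worth knowing when comparing this with the answers above. First, ocsp.enable is a Security property (java.security file or Security.setProperty), not a system property, and it only governs the legacy path that the validator takes when no PKIXRevocationChecker has been added, which is why this example does not set it. Second, sun.security.provider.certpath is not exported from java.base, so answer 0's OCSP.check is inaccessible on Java 9 and later without --add-exports java.base/sun.security.provider.certpath=ALL-UNNAMED, and its signature has changed between JDK releases; the public API above is the supported equivalent. Treat UNDETERMINED as a rejection in any setting where an attacker could block the responder.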