OCSP验证程序检查给定证书

时间:2018-11-25 01:51:38

标签: java validation certificate ocsp

我正在尝试实施OCSP验证程序,以检查给定的证书是否仍然有效或已被吊销。我有以下代码

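public class ValidateCertUseOCSP {

    /*
     * Filename that contains the root CA cert of the OCSP server's cert.
     * It is the only trust anchor handed to the validator, so a path is
     * accepted only if it chains up to this certificate.
     */
    private static final String ROOT_CA_CERT = "C:\\Users\\Computer\\Desktop\\DigiCertSHA2SecureServerCA_cert_out.pem";

    /*
     * Filename that contains the OCSP server's cert. Its subject name is
     * passed to the OCSP checker (ocsp.responderCertSubjectName) when an
     * explicit responder URL is supplied on the command line.
     */
    private static final String OCSP_SERVER_CERT = "C:\\Users\\Computer\\Desktop\\gearbest_cert_out.pem";

    /**
     * Checks the revocation status of a public key certificate using OCSP.
     *
     * Usage:  java ValidateCert <cert-file> [<OCSP-server>]
     *     <cert-file> is the filename of the certificate to be checked.
     *            The certificate must be in PEM format.
     *     <OCSP-server> is the URL of the OCSP server to use.
     *            If not supplied then the certificate must identify an OCSP
     *            server by means of its AuthorityInfoAccess extension.
     *            If supplied then it overrides any URL which may be present
     *            in the certificate's AuthorityInfoAccess extension.
     *
     * Example:  java \
     *             -Dhttp.proxyHost=proxy.example.net \
     *             -Dhttp.proxyPort=8080 \
     *             ValidateCert \
     *             mycert.pem \
     *             http://ocsp.openvalidation.org:80
     *
     * Exit status: 0 when validation succeeds, 1 when PKIX path validation
     * (including the OCSP check) fails, -1 on a usage error or when a
     * certificate file cannot be read.
     *
     * @param args the certificate file, optionally followed by the OCSP server URL
     */
    public static void main(String[] args) {
        if (args.length == 0 || args.length > 2) {
            System.out.println(
                "Usage: java ValidateCert <cert-file> [<OCSP-server>]");
            System.exit(-1);
        }

        try {
            // load the cert to be checked; an unreadable or malformed file
            // throws here instead of placing a null entry in the path
            List<X509Certificate> certs = new ArrayList<X509Certificate>();
            certs.add(getCertFromFile(args[0]));

            // handle location of OCSP server
            URI ocspServer = null;
            if (args.length == 2) {
                ocspServer = new URI(args[1]);
                System.out.println("Using the OCSP server at: " + args[1]);
                System.out.println("to check the revocation status of: "
                    + certs.get(0));
                System.out.println();
            } else {
                System.out.println("Using the OCSP server specified in the "
                    + "cert to check the revocation status of: "
                    + certs.get(0));
                System.out.println();
            }

            // init cert path
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            CertPath cp = cf.generateCertPath(certs);

            // init trusted certs: the root CA file is the sole anchor
            X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
            Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
            trustedCertsSet.add(new TrustAnchor(rootCACert, null));

            // init cert store holding the OCSP server cert
            X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
            Set<X509Certificate> certSet = new HashSet<X509Certificate>();
            certSet.add(ocspCert);
            CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(certSet));

            // init PKIX parameters. PKIXParameters enables revocation checking
            // by default; it is set explicitly so the intent is visible.
            PKIXParameters params = new PKIXParameters(trustedCertsSet);
            params.addCertStore(store);
            params.setRevocationEnabled(true);

            // enable OCSP. These are JVM-wide Security properties, so they
            // apply to every PKIX validation performed in this process.
            Security.setProperty("ocsp.enable", "true");
            if (ocspServer != null) {
                // use the parsed URI rather than the raw argument
                Security.setProperty("ocsp.responderURL", ocspServer.toString());
                Security.setProperty("ocsp.responderCertSubjectName",
                    ocspCert.getSubjectX500Principal().getName());
            }

            // perform validation
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult cpvResult =
                (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            X509Certificate trustedCert =
                cpvResult.getTrustAnchor().getTrustedCert();

            if (trustedCert == null) {
                System.out.println("Trusted Cert = NULL");
            } else {
                System.out.println("Trusted CA DN = "
                    + trustedCert.getSubjectX500Principal().getName());
            }

        } catch (CertPathValidatorException e) {
            // the reason tells a revoked cert apart from other path failures
            System.out.println("Validation failed: " + e.getReason());
            e.printStackTrace();
            System.exit(1);
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(-1);
        }
        System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
        System.exit(0);
    }

    /**
     * Reads a single X.509 certificate from the specified filepath.
     *
     * @param path filesystem path of the certificate file (PEM, as documented above)
     * @return the parsed certificate; never null
     * @throws IOException if the file cannot be opened or read
     * @throws CertificateException if the content is not an X.509 certificate
     */
    private static X509Certificate getCertFromFile(String path)
            throws IOException, CertificateException {
        // try-with-resources closes the stream on every exit path; the
        // previous version opened a FileInputStream and never closed it
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

}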

当我运行它时,它会给我第一条错误消息:

运行:

Usage: java ValidateCert <cert-file> [<OCSP-server>]
C:\Users\Computer\AppData\Local\NetBeans\Cache\8.2\executor-snippets\run.xml:53:
Java returned: -1 
BUILD FAILED (total time: 1 second)
