假设我有一个根 CA -> 中间 CA -> 叶证书。我需要通过下面的代码狙击来验证叶子证书:
/**
* Attempts to build a certification chain for given certificate and to
* verify it. Relies on a set of root CA certificates (trust anchors) and a
* set of intermediate certificates (to be used as part of the chain).
*
* @param cert - certificate for validation
* @param trustAnchors - set of trust anchors
* @param intermediateCerts - set of intermediate certificates
* @param signDate the date when the signing took place
* @return the certification chain (if verification is successful)
* @throws GeneralSecurityException - if the verification is not successful
* (e.g. certification path cannot be built or some certificate in the chain
* is expired)
*/
private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<TrustAnchor> trustAnchors,
Set<X509Certificate> intermediateCerts, Date signDate) throws GeneralSecurityException {
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
// Disable CRL checks (this is done manually as additional step)
pkixParams.setRevocationEnabled(false);
pkixParams.setPolicyQualifiersRejected(false);
pkixParams.setDate(signDate);
// Specify a list of intermediate certificates
CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}
我可以理解参数 trustAnchors 是我的根 CA,参数中间证书是我的中间 CA。但是由于某些原因,根 CA 是私有的(我的客户将其私下保存)并且不能作为 trustAnchors(意味着 trustAnchors 为空/空)传递在这里 => 发生异常。可以通过将中间 CA 作为 trustAnchors 传递(现在中间证书将为空)来修复它,我可以获得结果。但我不知道这种方式是否正确。有人能帮我解决这个问题吗?
答案 0 :(得分:0)
正如@Robert 所说,我通过“然后使用中间 CA 作为根 CA(trustAnchors)来解决。然后证书验证在中间证书处停止”。