This method takes the certificate as input (the certificate converted to a byte[]) and verifies the requested certificate against cacerts; the application will have the certificate's alias configured so it can be looked up in cacerts for the verification.
```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate; // single-type import wins over the deprecated java.security.Certificate

public class ValidateCertTest {
    public static void main(String[] a) throws IOException, CertificateException, KeyStoreException,
            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        byte[] in = Files.readAllBytes(Paths.get("request.crt")); // certificate presented by the caller
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream is = new ByteArrayInputStream(in);
        Certificate certificate = certificateFactory.generateCertificate(is);
        is.close();
        X509Certificate requestCert = (X509Certificate) certificate;
        // Java 9+ overload: opens the keystore file and probes its type
        KeyStore keystore = KeyStore.getInstance(new File("cacertspath"), "changeit".toCharArray());
        Certificate certFromTrustStore = keystore.getCertificate("certAliasAtServertruststore");
        // Checks the signature on certFromTrustStore using the request certificate's public key
        certFromTrustStore.verify(requestCert.getPublicKey());
    }
}
```
The above works for self-signed certificates, but for signed ones I get the following exception:
```text
Exception in thread "main" java.security.SignatureException: Signature length not correct: got 512 but was expecting 256
at java.base/sun.security.rsa.RSASignature.engineVerify(RSASignature.java:212)
at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1416)
at java.base/java.security.Signature.verify(Signature.java:790)
at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:451)
at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:390)
at ValidateCertTest.main(ValidateCertTest.java:44)
```
==== EDITED ==== My program tries to verify whether the requested certificate chain is valid against the keystore.
Using CertPathValidator to validate the certificate chain. The program below can validate the requested certificate chain against the keystore. Is the Keystore loaded with the Root, Intermediate and child certificates?
```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate; // single-type import wins over the deprecated java.security.Certificate
import java.util.List;

public class ValidateCertTest {
    public static void main(String[] a) throws IOException, CertificateException, KeyStoreException,
            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException,
            InvalidAlgorithmParameterException, CertPathBuilderException, CertPathValidatorException {
        // Chain presented by the caller (PEM or DER bundle)
        byte[] in = Files.readAllBytes(Paths.get("request.crt"));
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream is = new ByteArrayInputStream(in);
        @SuppressWarnings("unchecked") // the X.509 factory returns a List; the cast is unchecked
        List<X509Certificate> certificateToCheck = (List<X509Certificate>) certificateFactory.generateCertificates(is);
        is.close();
        final KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(new FileInputStream("verificationKeystore"), "keystorePass".toCharArray());
        for (X509Certificate requestCert : certificateToCheck) {
            System.out.println("Request Cert DN>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" + requestCert.getSubjectDN().getName());
            // Build a path from this certificate up to a trust anchor taken from the keystore
            final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
            final X509CertSelector certSelector = new X509CertSelector();
            certSelector.setCertificate(requestCert);
            final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
            final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
            final CertPath certPath = certPathBuilderResult.getCertPath();
            // Validate the built path: signatures, validity dates, name chaining, optionally revocation
            final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
            final PKIXParameters validationParameters = new PKIXParameters(trustStore);
            validationParameters.setRevocationEnabled(true); // if you want to check CRL
            final X509CertSelector keyUsageSelector = new X509CertSelector();
            keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
            validationParameters.setTargetCertConstraints(keyUsageSelector);
            final PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) certPathValidator
                    .validate(certPath, validationParameters);
        }
    }
}
```
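The two verification steps the post touches on, as an added example (not the question's code and not an answer from the thread): a single certificate checked against its issuer with `X509Certificate.verify`, and a chain built and validated through PKIX with the intermediates from the presented bundle handed to the builder in a `CertStore` while the keystore supplies only the trust anchors. It reuses the post's file names `request.crt`, `verificationKeystore` and password `keystorePass`; the class name `ChainCheck` and the helper names are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class ChainCheck {
    // Parse every certificate in the presented bundle; the first entry is expected to be the leaf.
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream is = new ByteArrayInputStream(Files.readAllBytes(Paths.get(path)))) {
            for (Certificate c : cf.generateCertificates(is)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }
    // Single-certificate form: cert.verify(key) checks the signature *on cert*, so the key passed in
    // must be the issuer's public key (for a self-signed certificate that is its own key).
    static void verifyIssuedBy(X509Certificate presented, X509Certificate issuer) throws GeneralSecurityException {
        presented.verify(issuer.getPublicKey());
    }
    // Chain form: trust anchors come from the keystore, intermediates from the presented chain via a CertStore.
    static PKIXCertPathValidatorResult validateChain(List<X509Certificate> chain, KeyStore trustStore,
            boolean checkRevocation) throws GeneralSecurityException {
        X509CertSelector leafSelector = new X509CertSelector();
        leafSelector.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, leafSelector);
        params.setRevocationEnabled(checkRevocation); // CRL/OCSP lookups need network access
        // Make the intermediates shipped with the request visible to the path builder
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        CertPath path = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
        // PKIXBuilderParameters extends PKIXParameters, so the same object drives validation
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream("verificationKeystore")) {
            ts.load(fis, "keystorePass".toCharArray());
        }
        PKIXCertPathValidatorResult r = validateChain(readChain("request.crt"), ts, false);
        System.out.println("Anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

`validateChain` throws `CertPathBuilderException` when no path to a keystore anchor can be found and `CertPathValidatorException` when the path fails a check, so callers should treat either as a rejection rather than distinguishing them.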