考虑以下示例代码,它使用 TrustManager
记录传出连接是否使用了有效证书(但在所有情况下都接受连接):
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
public class CertChecker implements X509TrustManager {
private final X509TrustManager defaultTM;
public CertChecker() throws GeneralSecurityException {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore)null);
defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
if (defaultTM != null) {
try {
defaultTM.checkServerTrusted(certs, authType);
System.out.println("Certificate valid");
} catch (CertificateException ex) {
System.out.println("Certificate invalid: " + ex.getMessage());
}
}
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
public X509Certificate[] getAcceptedIssuers() { return null;}
public static void main(String[] args) throws Exception {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
}
}
我必须在 checkClientTrusted
方法中做什么来检查该证书是扩展验证证书(现代浏览器中的绿色地址栏)还是普通证书(黄色地址栏)?
编辑:
我正在尝试让 CertPathValidator
工作,但不知何故我只得到关于证书不是 CA 证书的异常...有什么想法吗?
edit2: 使用 PKIXParameters
而不是 PKIXBuilderParameters
private boolean isEVCertificate(X509Certificate[] certs, String authType) {
try {
CertPath cp = new X509CertPath(Arrays.asList(certs));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);
PKIXParameters cpp = new PKIXParameters(ks);
cpp.setRevocationEnabled(false);
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(cp, cpp);
System.out.println(res.getTrustAnchor().getCAName());
System.out.println(res.getPolicyTree().getValidPolicy());
System.out.println(cp);
return false;
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
}
我正在针对真实世界的 EV 证书进行测试。该代码现在适用于 www.paypal.com
(从某种意义上说它不会抛出异常),但不适用于 banking.dkb.de
。 :-(
但即使使用 Paypal.com,信任 anchor getCAName 也会返回 null,所以我如何知道它是针对哪个 CA 进行验证的,以便我可以查找正确的 EV 策略?
最佳答案
首先,您需要一张发行人名称及其对应的 EV 保单标识符表。
当 CA 颁发证书时,他们可以记录颁发证书所依据的策略。发行人为此政策分配的标识符,因此您需要一份发行人及其 EV 政策列表。
然后您需要从服务器证书中获取策略。 Refer to RFC 5280, § 4.1.2.4详细了解一般政策及其运作方式。
您需要验证证书链以获得 PKIXCertPathValidatorResult。
结果的一部分是 policy tree.您可以浏览策略树以确定它是否包含目标证书颁发者的 EV 策略。
下面是检查证书路径结果的详细示例。
private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();
static {
/*
* It would make sense to populate this map from Properties loaded through
* Class.getResourceAsStream().
*/
policies.put(
new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"),
"2.16.840.1.113733.1.7.23.6"
);
// ...
}
static boolean isEV(PKIXCertPathValidatorResult result)
{
/* Determine the policy to look for. */
X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
String policy = policies.get(root);
if (policy == null)
/* The EV policy for this issuer is unknown (or there is none). */
return false;
/* Traverse the tree, looking at its "leaves" to see if the end-entity
* certificate was issued under the corresponding EV policy. */
PolicyNode tree = result.getPolicyTree();
Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
stack.push(tree);
while (!stack.isEmpty()) {
PolicyNode current = stack.pop();
Iterator<? extends PolicyNode> children = current.getChildren();
int leaf = stack.size();
while (children.hasNext())
stack.push(children.next());
if (stack.size() == leaf) {
/* If the stack didn't grow, there were no "children". I.e., the
* current node is a "leaf" node of the policy tree. */
if (current.getValidPolicy().equals(policy))
return true;
}
}
/* The certificate wasn't issued under the authority's EV policy. */
return false;
}
关于java - Java 如何验证证书是否为 EV 证书?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/1694466/