java - Reading the data in a PEM certificate chain

Tags: java android ssl x509 jsse

I can easily read an x509 certificate in PEM format with:

assets.open("ca.pem").use {
    val cf = CertificateFactory.getInstance("X.509")
    keystore.setCertificateEntry("server", cf.generateCertificate(it))
}

However, I now want to include several trusted server certificates. The additional certificates are appended to ca.pem, and I use the method that claims to read multiple certificates:

val certs = cf.generateCertificates(it)

But only the first certificate is read in (certs has size 1).

 * <p>In the case of a certificate factory for X.509 certificates,
 * <code>inStream</code> may contain a sequence of DER-encoded certificates
 * in the formats described for
 * {@link #generateCertificate(java.io.InputStream) generateCertificate}.
 * In addition, <code>inStream</code> may contain a PKCS#7 certificate
 * chain. This is a PKCS#7 <i>SignedData</i> object, with the only
 * significant field being <i>certificates</i>. In particular, the
 * signature and the contents are ignored. This format allows multiple
 * certificates to be downloaded at once. If no certificates are present,
 * an empty collection is returned.

The referenced section:

 * <p>In the case of a certificate factory for X.509 certificates, the
 * certificate provided in <code>inStream</code> must be DER-encoded and
 * may be supplied in binary or printable (Base64) encoding. If the
 * certificate is provided in Base64 encoding, it must be bounded at
 * the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at
 * the end by -----END CERTIFICATE-----.

ca.pem looks like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Am I misunderstanding how the certificate factory is used? Could this be a side effect of an input stream that does not support mark (in which case the whole stream is consumed after the first certificate)? Perhaps newlines are not allowed and the parser interprets them as the end of the data. Would PKCS7 be a more natural choice than PEM?

Best answer

Indeed, removing the newlines makes the parser happy.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
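An added example, not part of the question or the accepted answer, showing a way to load every certificate from a bundle like ca.pem without depending on the blank-line layout: each PEM block is cut out and handed to the factory on its own, and each certificate is stored under its own alias, since reusing a single alias such as "server" would keep only the last one. The helper names, the in-memory trust store and the assumption that the bundle holds four certificates are mine.

```kotlin
import java.io.ByteArrayInputStream
import java.io.InputStream
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Hypothetical helper: return every PEM certificate found in a bundle such as
// ca.pem, whether or not blank lines or comments sit between the blocks.
fun readPemCertificates(input: InputStream): List<X509Certificate> {
    val cf = CertificateFactory.getInstance("X.509")
    val text = input.bufferedReader().readText()
    val block = Regex(
        "-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
        RegexOption.DOT_MATCHES_ALL
    )
    return block.findAll(text).map { match ->
        // Each block is parsed in isolation, so the factory cannot stop early
        // at a blank line that follows it in the original stream.
        val bytes = match.value.toByteArray(Charsets.US_ASCII)
        cf.generateCertificate(ByteArrayInputStream(bytes)) as X509Certificate
    }.toList()
}

// Hypothetical helper: build an in-memory trust store holding every
// certificate from the bundle. The alias includes an index and the subject
// DN so that no entry silently overwrites another.
fun trustStoreFromPem(input: InputStream): KeyStore {
    val keystore = KeyStore.getInstance(KeyStore.getDefaultType())
    keystore.load(null, null)
    readPemCertificates(input).forEachIndexed { i, cert ->
        val alias = "server-$i-${cert.subjectX500Principal.name}"
        keystore.setCertificateEntry(alias, cert)
    }
    return keystore
}

// Usage on Android (assumes an AssetManager `assets` and a ca.pem with four
// certificates, as in the question):
// val ks = assets.open("ca.pem").use { trustStoreFromPem(it) }
// check(ks.size() == 4) { "expected 4 trusted certificates, got ${ks.size()}" }
```

The size check at the end is the cheap guard that catches the original symptom: a trust store with fewer entries than the bundle contains.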

For "java - Reading the data in a PEM certificate chain", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/48083276/
