我使用以下代码将客户端证书插入到我的服务器信任存储中
FileInputStream fileInputStream = new FileInputStream( "c:/server.jks" );
keyStore.load( fileInputStream, "keystore".toCharArray() );
fileInputStream.close();
keyStore.setCertificateEntry( alias, new X509Certificate( trustedCertificate ) );
FileOutputStream fileOutputStream = new FileOutputStream("c:/server.jks" );
keyStore.store( fileOutputStream, "keystore".toCharArray() );
fileOutputStream.close();
现在我看到证书已输入到我的信任库中,但签署客户端证书的 CA 证书不存在于我的信任库中。所以我想知道在将证书输入 keystore 之前,有什么方法可以检查CA的证书是否可用?
最佳答案
我想您需要做的是验证证书是否是由根颁发机构颁发的或者是否是自签名的。我假设您正在使用默认的 java keystore ,即 cacerts。 我尚未测试代码,但我认为这可能是您问题的解决方案:
- 从以下链接获取并修改的代码:
How can I get a list of trusted root certificates in Java?
String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
Set<X509Certificate> additionalCerts = new HashSet<X509Certificate>();
FileInputStream is = new FileInputStream(filename);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
String password = "changeit";
keystore.load(is, password.toCharArray());
// This class retrieves the most-trusted CAs from the keystore
PKIXParameters params = new PKIXParameters(keystore);
// Get the set of trust anchors, which contain the most-trusted CA certificates
Iterator it = params.getTrustAnchors().iterator();
while( it.hasNext() ) {
TrustAnchor ta = (TrustAnchor)it.next();
// Get certificate
X509Certificate cert = ta.getTrustedCert();
additionalCerts.add(cert);
}
- 然后您可以使用以下代码将客户端证书和包含所有根 CA 的 Set 传递给以下代码的 verifyCertificate(X509Certificate cert, Set extraCerts) 方法:
关于java - 输入证书之前检查 CA 的证书吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10384669/