java - OCSP validator to check a given certificate
Problem description
I am trying to implement an OCSP validator to check whether a given certificate is still valid or has been revoked. I have the following code
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.Vector;

public class ValidateCertUseOCSP {
    /*
     * Filename that contains the root CA cert of the OCSP server's cert.
     */
    private static final String ROOT_CA_CERT = "C:\\Users\\Computer\\Desktop\\DigiCertSHA2SecureServerCA_cert_out.pem";
    /*
     * Filename that contains the OCSP server's cert.
     */
    private static final String OCSP_SERVER_CERT = "C:\\Users\\Computer\\Desktop\\gearbest_cert_out.pem";

    /**
     * Checks the revocation status of a public key certificate using OCSP.
     *
     * Usage: java ValidateCert <cert-file> [<OCSP-server>]
     * <cert-file> is the filename of the certificate to be checked.
     * The certificate must be in PEM format.
     * <OCSP-server> is the URL of the OCSP server to use.
     * If not supplied then the certificate must identify an OCSP
     * server by means of its AuthorityInfoAccess extension.
     * If supplied then it overrides any URL which may be present
     * in the certificate's AuthorityInfoAccess extension.
     *
     * Example: java \
     * -Dhttp.proxyHost=proxy.example.net \
     * -Dhttp.proxyPort=8080 \
     * ValidateCert \
     * mycert.pem \
     * http://ocsp.openvalidation.org:80
     * @param args
     */
    public static void main(String[] args) {
        try {
            CertPath cp = null;
            Vector<X509Certificate> certs = new Vector<X509Certificate>();
            URI ocspServer = null;
            // no arguments (or too many) prints the usage line and exits with -1
            if (args.length == 0 || args.length > 2) {
                System.out.println(
                    "Usage: java ValidateCert <cert-file> [<OCSP-server>]");
                System.exit(-1);
            }
            // load the cert to be checked
            certs.add(getCertFromFile(args[0]));
            // handle location of OCSP server
            if (args.length == 2) {
                ocspServer = new URI(args[1]);
                System.out.println("Using the OCSP server at: " + args[1]);
                System.out.println("to check the revocation status of: " +
                    certs.elementAt(0));
                System.out.println();
            } else {
                System.out.println("Using the OCSP server specified in the " +
                    "cert to check the revocation status of: " +
                    certs.elementAt(0));
                System.out.println();
            }
            // init cert path (contains only the certificate being checked)
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            cp = (CertPath) cf.generateCertPath(certs);
            // load the root CA cert for the OCSP server cert
            X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
            // init trusted certs
            TrustAnchor ta = new TrustAnchor(rootCACert, null);
            Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
            trustedCertsSet.add(ta);
            // init cert store
            Set<X509Certificate> certSet = new HashSet<X509Certificate>();
            X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
            certSet.add(ocspCert);
            CertStoreParameters storeParams =
                new CollectionCertStoreParameters(certSet);
            CertStore store = CertStore.getInstance("Collection", storeParams);
            // init PKIX parameters (revocation checking is enabled by default)
            PKIXParameters params = null;
            params = new PKIXParameters(trustedCertsSet);
            params.addCertStore(store);
            // enable OCSP via the legacy ocsp.* Security properties read by the PKIX validator
            Security.setProperty("ocsp.enable", "true");
            if (ocspServer != null) {
                Security.setProperty("ocsp.responderURL", args[1]);
                Security.setProperty("ocsp.responderCertSubjectName",
                    ocspCert.getSubjectX500Principal().getName());
            }
            // perform validation
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult cpv_result =
                (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            X509Certificate trustedCert = (X509Certificate)
                cpv_result.getTrustAnchor().getTrustedCert();
            if (trustedCert == null) {
                System.out.println("Trusted Cert = NULL");
            } else {
                System.out.println("Trusted CA DN = " +
                    trustedCert.getSubjectDN());
            }
        } catch (CertPathValidatorException e) {
            // thrown when the path does not validate, including a revoked status from OCSP
            e.printStackTrace();
            System.exit(1);
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(-1);
        }
        System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
        System.exit(0);
    }

    /*
     * Read a certificate from the specified filepath.
     */
    private static X509Certificate getCertFromFile(String path) {
        X509Certificate cert = null;
        try {
            File certFile = new File(path);
            if (!certFile.canRead())
                throw new IOException(" File " + certFile.toString() +
                    " is unreadable");
            // try-with-resources so the stream is closed on every path
            try (FileInputStream fis = new FileInputStream(path)) {
                CertificateFactory cf = CertificateFactory.getInstance("X509");
                cert = (X509Certificate) cf.generateCertificate(fis);
            }
        } catch (Exception e) {
            System.out.println("Can't construct X509 Certificate. " +
                e.getMessage());
        }
        return cert;
    }
}
When I run it, it gives me the first error message:
run:
Usage: java ValidateCert <cert-file> [<OCSP-server>]
C:\Users\Computer\AppData\Local\NetBeans\Cache\8.2\executor-snippets\run.xml:53:
Java returned: -1
BUILD FAILED (total time: 1 second)
Solution
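As an added example (not code from the question or from an answer on this page), the same check written against the Java 8+ PKIXRevocationChecker API, which supersedes the ocsp.* Security properties used above; the class name, the two PEM file arguments, the optional responder URL argument and the hard-fail option choice are assumptions:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.*;
import java.util.Collections;
import java.util.EnumSet;

public class OcspCheckExample {
    // Assumed inputs: cert to check, the CA cert that issued it, optional responder URL override.
    public static void main(String[] args) throws Exception {
        if (args.length < 2 || args.length > 3) {
            System.err.println("Usage: java OcspCheckExample <cert.pem> <issuer-ca.pem> [<ocsp-url>]");
            System.exit(2);
        }
        URI responder = args.length == 3 ? new URI(args[2]) : null;
        boolean ok = check(load(args[0]), load(args[1]), responder);
        System.out.println(ok ? "NOT REVOKED" : "REJECTED");
    }

    /** True only if the cert chains to the issuer AND the OCSP responder reports it as good. */
    static boolean check(X509Certificate leaf, X509Certificate issuer, URI responder) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // OCSP for the end-entity cert only, no CRL fallback. SOFT_FAIL is deliberately absent:
        // an unreachable or broken responder must fail closed, not silently pass.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));
        if (responder != null) {
            rc.setOcspResponder(responder);  // overrides the AIA URL, like the question's 2nd argument
        }
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(issuer, null)));
        params.addCertPathChecker(rc);      // an explicit checker makes revocation checking mandatory
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(leaf));
        try {
            cpv.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // BasicReason.REVOKED is the revocation verdict; any other reason (bad chain, responder
            // unreachable, stale response) is still a rejection.
            System.err.println(e.getReason() + ": " + e.getMessage());
            return false;
        }
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

Run it with the certificate to check and its issuing CA certificate (the OCSP request is keyed on the issuer's name and key hash, so the issuer must be present as the trust anchor or in the path); the usage error in the question is avoided only by actually passing those arguments.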