java验证证书againt颁发者证书

ztmd8pv5  于 2021-06-26  发布在  Java
关注(0)|答案(1)|浏览(369)

假设我有根ca->中间ca->叶证书。我需要通过以下代码snipe验证leaf证书:

/**
     * Attempts to build a certification chain for given certificate and to
     * verify it. Relies on a set of root CA certificates (trust anchors) and a
     * set of intermediate certificates (to be used as part of the chain).
     *
     * @param cert              - certificate for validation
     * @param trustAnchors      - set of trust anchors
     * @param intermediateCerts - set of intermediate certificates
     * @param signDate          the date when the signing took place
     * @return the certification chain (if verification is successful)
     * @throws GeneralSecurityException - if the verification is not successful
     *                                  (e.g. certification path cannot be built or some certificate in the chain
     *                                  is expired)
     */
    private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<TrustAnchor> trustAnchors,
                                                               Set<X509Certificate> intermediateCerts, Date signDate) throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(cert);
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        // Disable CRL checks (this is done manually as additional step)
        pkixParams.setRevocationEnabled(false);
        pkixParams.setPolicyQualifiersRejected(false);
        pkixParams.setDate(signDate);
        // Specify a list of intermediate certificates
        CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
        pkixParams.addCertStore(intermediateCertStore);
        // Build and verify the certification chain
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        return (PKIXCertPathBuilderResult) builder.build(pkixParams);
    }

我可以理解param trustanchors是我的根ca,param intermediatecerts是我的中间ca。但是由于某些原因,根ca是私有的(我的客户将其私有),不能作为trustanchors传递(意味着trustanchors为null/空),这里=>发生异常。它可以通过将中间ca作为信任锚传递来修复(现在intermediatecerts将为null),我可以得到结果。但我不知道这种方式是否正确。有人能帮我克服这个问题吗?

9vw9lbht

9vw9lbht1#

正如@robert所说,我通过“然后使用中间ca作为根ca(trustanchors)”来解决。然后证书验证在“中间证书”处停止。

相关问题