Suppose I have root CA -> intermediate CA -> leaf certificate. I need to verify the leaf certificate with the following code snippet:
import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

/**
 * Attempts to build a certification chain for given certificate and to
 * verify it. Relies on a set of root CA certificates (trust anchors) and a
 * set of intermediate certificates (to be used as part of the chain).
 *
 * @param cert - certificate for validation
 * @param trustAnchors - set of trust anchors
 * @param intermediateCerts - set of intermediate certificates
 * @param signDate the date when the signing took place
 * @return the certification chain (if verification is successful)
 * @throws GeneralSecurityException - if the verification is not successful
 * (e.g. certification path cannot be built or some certificate in the chain
 * is expired)
 */
private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<TrustAnchor> trustAnchors,
        Set<X509Certificate> intermediateCerts, Date signDate) throws GeneralSecurityException {
    // Select the leaf certificate whose path is to be built
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(cert);
    // PKIXBuilderParameters requires a non-empty set of trust anchors
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);
    pkixParams.setPolicyQualifiersRejected(false);
    pkixParams.setDate(signDate);
    // Specify a list of intermediate certificates
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);
    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}
I understand that the param trustAnchors is my root CA and the param intermediateCerts is my intermediate CA. But for some reason the root CA is private (my client keeps it private) and cannot be passed as trustAnchors (meaning trustAnchors is null/empty), and here => an exception occurs. It can be fixed by passing the intermediate CA as the trust anchor (now intermediateCerts will be null), and I get a result. But I don't know whether this way is correct. Can anyone help me overcome this problem?
1 answer
As @robert said, I solved it by "then using the intermediate CA as the root CA (trustAnchors)". Certificate verification then stops at the "intermediate certificate".
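Worked example added here (not code from the question or the answer): it applies the accepted workaround by pinning the intermediate CA as the only trust anchor, and adds the one check PKIX does not perform for an anchor, its validity period, since path validation treats the anchor as trusted input rather than a certificate to be verified. The file names leaf.pem and intermediate.pem are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collections;
import java.util.Date;
import java.util.Set;

public class IntermediateAnchorCheck {

    // Loads one PEM- or DER-encoded certificate; the paths used below are assumptions.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Builds the path leaf -> intermediate with the intermediate CA as the only trust anchor.
    // No intermediate CertStore is needed because the leaf is issued directly by the anchor.
    static PKIXCertPathBuilderResult verifyAgainstIntermediate(X509Certificate leaf,
            X509Certificate intermediate, Date signDate) throws GeneralSecurityException {
        // The anchor is accepted as-is: PKIX neither verifies its signature (made by the
        // private root) nor its validity dates, so check the dates explicitly here.
        intermediate.checkValidity(signDate);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(intermediate, null));
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.setRevocationEnabled(false); // CRL/OCSP handled as a separate step, as in the question
        params.setDate(signDate);
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = load("leaf.pem");
        X509Certificate intermediate = load("intermediate.pem");
        PKIXCertPathBuilderResult result = verifyAgainstIntermediate(leaf, intermediate, new Date());
        // The anchor is not part of getCertificates(): with this setup the path holds only the leaf,
        // which is what "verification stops at the intermediate" means in practice.
        System.out.println("anchor: " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        System.out.println("certificates in path: " + result.getCertPath().getCertificates().size());
    }
}
```

Because the intermediate is trusted directly, its file must be protected like a root store: anyone who can replace intermediate.pem controls which leaves validate.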