X.509 certificate validation using Java and Bouncycastle
Through the bouncycastle wiki page I was able to understand how to create an X.509 root certificate and a certification request, but I do not quite understand how to proceed, concept- and programming-wise, after that.
Let's assume party A does a cert request and gets his client certificate from the CA. How can some party B validate A's certificate? What kind of certificate does A need? A root certificate? A 'normal' client certificate?
And how does the validation work on the programming level, if we assume that A has successfully sent his certificate in DER or PEM format to B?
Any help is much appreciated.
Best Regards, Rob
From a programmer's perspective, you need a few things to validate an X.509 certificate.
- A set of trust anchors, the CAs you rely on. These should be protected from tampering, so that an attacker cannot replace a CA certificate with a fake one of his own. The public keys in these certificates are used to verify the digital signatures on other certificates.
- A collection of intermediate certificates. An application might keep a collection of these, but most protocols that use certificates (such as SSL and S/MIME) have standard ways to supply extra certificates. Storing these needs no special care; their integrity is protected by the root CA's signature.
- Revocation information. Even though a certificate was issued by a CA, it may have been revoked early because the private key was disclosed, or because the end entity changed its identity. (For example, someone switches jobs, and the certificate carrying the old company name is revoked.) CRLs or a network service such as OCSP can be used to obtain updates on a certificate's status.
With these inputs available, you can use the built-in PKIX support to construct and validate a certificate path.
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import java.util.List;

/* Givens. chain.get(0) is A's end-entity certificate; any further entries are intermediates. */
InputStream trustStoreInput = ...
char[] password = ...
List<X509Certificate> chain = ...
Collection<X509CRL> crls = ...
/* Construct a valid path. */
/* The trusted certificate entries of this key store become the trust anchors. */
KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
anchors.load(trustStoreInput, password);
X509CertSelector target = new X509CertSelector();
target.setCertificate(chain.get(0));
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
params.addCertStore(CertStore.getInstance("Collection", intermediates));
/* Revocation checking is on by default; the CRLs are supplied through a second cert store. */
CertStoreParameters revoked = new CollectionCertStoreParameters(crls);
params.addCertStore(CertStore.getInstance("Collection", revoked));
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
/*
 * If build() returns successfully, the certificate is valid. More details
 * about the valid path can be obtained through the PKIXCertPathBuilderResult.
 * If no valid path can be found, a CertPathBuilderException is thrown.
 */
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);
An important thing to note is that if a path cannot be found, you don't get much information about the reason. This can be frustrating, but it is that way by design. In general, there are many potential paths. If they all fail for different reasons, how would the path builder decide what to report as the reason?
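The whole round trip, as an added example that is not part of the original answer: a constructed in-memory root CA issues A's end-entity certificate, B validates it with the PKIX builder exactly as above (trust anchor, chain store, CRL store), and the same certificate is rejected once the CA's CRL lists it. The class `PkixDemo`, the names `CN=Demo Root CA` and `CN=Party A` and the one-day validity are all constructed for illustration; it assumes Java 9+ with bcprov and bcpkix on the classpath.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
/** Constructed demo PKI (not the answer's own code): a root CA issues A's certificate, then B validates it. */
public class PkixDemo {
    static final String CA_DN = "CN=Demo Root CA"; // constructed name, not a real CA
    static final Date NOW = new Date(), LATER = new Date(NOW.getTime() + 86_400_000L);
    /** Issue a certificate for subject, signed by the CA key; ca=true marks a CA (root) certificate. */
    static X509Certificate issue(PrivateKey caKey, String subject, PublicKey pub, long serial, boolean ca) throws Exception {
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(CA_DN), BigInteger.valueOf(serial),
                new Date(NOW.getTime() - 60_000L), LATER, new X500Name(subject), pub); // notBefore a minute back for clock skew
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        return new JcaX509CertificateConverter().getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey)));
    }
    /** The CA's CRL; revokedSerial == null means nothing has been revoked yet. */
    static X509CRL crl(PrivateKey caKey, BigInteger revokedSerial) throws Exception {
        X509v2CRLBuilder b = new X509v2CRLBuilder(new X500Name(CA_DN), NOW).setNextUpdate(LATER);
        if (revokedSerial != null) b.addCRLEntry(revokedSerial, NOW, CRLReason.keyCompromise);
        return new JcaX509CRLConverter().getCRL(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey)));
    }
    /** B's side: build a PKIX path from A's certificate to the trusted root, with revocation checking left on. */
    static PKIXCertPathBuilderResult validate(X509Certificate root, X509Certificate leaf, X509CRL crl) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(Set.of(new TrustAnchor(root, null)), target);
        // a single Collection store may hold both certificates (the chain) and CRLs (revocation data)
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(List.of(leaf, crl))));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair ca = gen.generateKeyPair(), a = gen.generateKeyPair();
        X509Certificate root = issue(ca.getPrivate(), CA_DN, ca.getPublic(), 1, true);        // self-signed trust anchor
        X509Certificate certA = issue(ca.getPrivate(), "CN=Party A", a.getPublic(), 2, false); // A's end-entity certificate
        System.out.println("valid: " + validate(root, certA, crl(ca.getPrivate(), null)).getCertPath());
        try { // same certificate, but the CA has since revoked it: no valid path exists any more
            validate(root, certA, crl(ca.getPrivate(), certA.getSerialNumber()));
        } catch (CertPathBuilderException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A's certificate is a plain end-entity certificate (basicConstraints CA:false); only the root, which B must already hold as a trust anchor, is a CA certificate.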