我正在嵌入式jetty服务器和客户端之间进行客户端证书身份验证。它们都使用密钥库。客户端证书由服务器的证书签名,该证书由CA签名。Jetty使用2方法来验证客户端证书javax.net.ssl.SSLEngine,该方法似乎有效,他们也使用上面的代码。
List<X509Certificate> certList = Certificate chain sent by the client
KeyStore truststore = server's truststore
//No use of CRL/OSCP/CRLDP
_crls = null;
_enableOCSP = false;
_enableCRLDP = false;
try{
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate((X509Certificate) certList.get(0));
// Configure certification path builder parameters
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(truststore, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
// Set maximum certification path length
pbParams.setMaxPathLength(-1);
// Enable revocation checking
pbParams.setRevocationEnabled(true);
// Set static Certificate Revocation List
if (_crls != null && !_crls.isEmpty())
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
// Enable On-Line Certificate Status Protocol (OCSP) support
if (_enableOCSP)
Security.setProperty("ocsp.enable","true");
// Enable Certificate Revocation List Distribution Points (CRLDP) support
if (_enableCRLDP)
System.setProperty("com.sun.security.enableCRLDP","true");
// Build certification path
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
// Validate certification path
CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
}catch(GeneralSecurityException gse){
...
}
当然我必须用第二种方式。。。因此,让我们集中讨论这段代码,这是验证签名证书的好方法吗?以下是我的密钥库转储:
客户端密钥库:
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=truc@ok.com, CN=Servlet, OU=dev, O=Imbasoft, ST=Ile-de-France, C=FR
Issuer: EMAILADDRESS=contact@greenpacs.com, CN=Greenpacs, OU=dev, O=Imbasoft, L=Bondy, ST=Ile-de-France, C=FR
...
Certificate[2]:
Owner: EMAILADDRESS=contact@greenpacs.com, CN=Greenpacs, OU=dev, O=Imbasoft, L=Bondy, ST=Ile-de-France, C=FR
Issuer: EMAILADDRESS=ghetolay@imbasoft.com, CN=Greenpacs Certificate Authority, OU=dev, O=Imbasoft, ST=Ile-de-France, C=FR
...
服务器信任库:
Entry type: trustedCertEntry
Owner: EMAILADDRESS=contact@greenpacs.com, CN=Greenpacs, OU=dev, O=Imbasoft, L=Bondy, ST=Ile-de-France, C=FR
Issuer: EMAILADDRESS=ghetolay@imbasoft.com, CN=Greenpacs Certificate Authority, OU=dev, O=Imbasoft, ST=Ile-de-France, C=FR
我不确定这些密钥库,但我尝试了不同的密钥库(将CA证书添加到客户端的证书链,将证书添加到信任库),但验证仍然失败。有了这些密钥库,第一种验证方式(SSLEngine)似乎可以工作。
调试输出太大,不能放在这里,但这里是堆栈:
java.security.cert.CertPathValidatorException: Could not determine revocation status
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:153)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:325)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
at MainClass.main(MainClass.java:75)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
at sun.security.provider.certpath.CrlRevocationChecker.buildToNewKey(CrlRevocationChecker.java:583)
at sun.security.provider.certpath.CrlRevocationChecker.verifyWithSeparateSigningKey(CrlRevocationChecker.java:459)
at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:339)
at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:248)
at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:189)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:131)
... 4 more
如果我禁用吊销,或者如果我将最后一个证书(而不是第一个)设置为X509CertSelector,代码会工作,但我不确定我在做什么。
我开始怀疑jetty代码,但我不是证书和SSL握手方面的专家,所以它也可能来自糟糕的密钥库/信任库。这就是为什么我之前没有在jetty的董事会上创建问题,并在这里询问,以确保代码需要更改。
此外,了解如何在Java中验证已签名证书也很有用。
实际上我不需要自己进行验证。
SSLEngine已经在执行此操作。如果客户端发送了有效证书,则可以使用getPeerCertificateChain()获取:如果客户端未发送证书或无效证书,则getPeerCertificateChain()将引发异常。
使用Jetty(或者我猜是任何Java servlet容器),您只需要检查HttpServlet请求的属性["javax.servlet.request.X509Certificate"],就可以知道客户端是否发送了有效的证书。
我仍然不知道如何在Java中验证证书,但这个解决方案对我来说已经足够了:)我不再需要自己做了。感谢布鲁诺!
请检查您的证书CRL或OCSP是否可访问,您可以在证书中找到此类信息,如
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.verisign.com/pca2-g2.crl