gpt4 book ai didi

java - Java 如何验证证书是否为 EV 证书?

转载 作者:搜寻专家 更新时间:2023-11-01 01:58:46 25 4
gpt4 key购买 nike

考虑以下示例代码,它使用 TrustManager 记录传出连接是否使用了有效证书(但在所有情况下都接受连接):

import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class CertChecker implements X509TrustManager {

private final X509TrustManager defaultTM;

public CertChecker() throws GeneralSecurityException {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore)null);
defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
}

public void checkServerTrusted(X509Certificate[] certs, String authType) {
if (defaultTM != null) {
try {
defaultTM.checkServerTrusted(certs, authType);
System.out.println("Certificate valid");
} catch (CertificateException ex) {
System.out.println("Certificate invalid: " + ex.getMessage());
}
}
}

public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
public X509Certificate[] getAcceptedIssuers() { return null;}

public static void main(String[] args) throws Exception {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
}
}

我必须在 checkClientTrusted 方法中做什么来检查该证书是扩展验证证书(现代浏览器中的绿色地址栏)还是普通证书(黄色地址栏)?

编辑:

我正在尝试让 CertPathValidator 工作,但不知何故我只得到关于证书不是 CA 证书的异常...有什么想法吗?

edit2: 使用 PKIXParameters 而不是 PKIXBuilderParameters

private boolean isEVCertificate(X509Certificate[] certs, String authType) {
try {
CertPath cp = new X509CertPath(Arrays.asList(certs));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);
PKIXParameters cpp = new PKIXParameters(ks);
cpp.setRevocationEnabled(false);
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(cp, cpp);
System.out.println(res.getTrustAnchor().getCAName());
System.out.println(res.getPolicyTree().getValidPolicy());
System.out.println(cp);
return false;
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
}

我正在针对真实世界的 EV 证书进行测试。该代码现在适用于 www.paypal.com(从某种意义上说它不会抛出异常),但不适用于 banking.dkb.de。 :-(

但即使使用 Paypal.com,信任 anchor getCAName 也会返回 null,所以我如何知道它是针对哪个 CA 进行验证的,以便我可以查找正确的 EV 策略?

最佳答案

首先,您需要一张发行人名称及其对应的 EV 保单标识符表。

当 CA 颁发证书时,他们可以记录颁发证书所依据的策略。发行人为此政策分配的标识符,因此您需要一份发行人及其 EV 政策列表。

然后您需要从服务器证书中获取策略。 Refer to RFC 5280, § 4.1.2.4详细了解一般政策及其运作方式。

您需要验证证书链以获得 PKIXCertPathValidatorResult。 结果的一部分是 policy tree.您可以浏览策略树以确定它是否包含目标证书颁发者的 EV 策略。


下面是检查证书路径结果的详细示例。

private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();

static {
/*
* It would make sense to populate this map from Properties loaded through
* Class.getResourceAsStream().
*/
policies.put(
new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"),
"2.16.840.1.113733.1.7.23.6"
);
// ...
}

static boolean isEV(PKIXCertPathValidatorResult result)
{
/* Determine the policy to look for. */
X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
String policy = policies.get(root);
if (policy == null)
/* The EV policy for this issuer is unknown (or there is none). */
return false;
/* Traverse the tree, looking at its "leaves" to see if the end-entity
* certificate was issued under the corresponding EV policy. */
PolicyNode tree = result.getPolicyTree();
Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
stack.push(tree);
while (!stack.isEmpty()) {
PolicyNode current = stack.pop();
Iterator<? extends PolicyNode> children = current.getChildren();
int leaf = stack.size();
while (children.hasNext())
stack.push(children.next());
if (stack.size() == leaf) {
/* If the stack didn't grow, there were no "children". I.e., the
* current node is a "leaf" node of the policy tree. */
if (current.getValidPolicy().equals(policy))
return true;
}
}
/* The certificate wasn't issued under the authority's EV policy. */
return false;
}

关于java - Java 如何验证证书是否为 EV 证书?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/1694466/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com