2016-12-01 43 views
0
public class CustomTrustManager implements X509TrustManager { 

    private X509TrustManager trustManager; 
    // If a connection was previously attempted and failed the certificate check, that certificate chain will be saved here. 
    private Certificate[] rejectedCertificates = null; 
    private Certificate[] encounteredCertificates = null; 
    private KeyStore keyStore = null; 
    private Logger logger; 

    /** 
    * Constructor 
    * 
    * @param loggerFactory 
    *   see {@link InstanceLoggerFactory} 
    */ 
    public CustomTrustManager(InstanceLoggerFactory loggerFactory) { 
     try { 
     this.logger = loggerFactory.getLogger(CustomTrustManager.class); 
     keyStore = KeyStore.getInstance("JKS"); 
     // a keyStore must be initialized with load, even if certificate trust is not file based. 
     keyStore.load(null, null); 

     System.setProperty("com.sun.net.ssl.checkRevocation", "true"); 
     Security.setProperty("ocsp.enable", "true"); 
     } catch (Exception ex) { 
     logger.error("Problem initializing keyStore", ex); 
     } 
    } 

    /** 
    * Returns the rejected certificate based on the last usage 
    */ 
    public Certificate[] getRejectedCertificateChain() { 
     return rejectedCertificates; 
    } 

    /** 
    * Returns the encountered certificates based on the last usage 
    */ 
    public Certificate[] getEncounteredCertificates() { 
     return encounteredCertificates; 
    } 

    @Override 
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { 
     if (trustManager != null) { 
     trustManager.checkClientTrusted(chain, authType); 
     } 
    } 

    /** 
    * Checks if a server is trusted, based on the wrapped keyStore's trust 
    * anchors. This will also capture the encountered certificate chain and, if 
    * trust fails, the rejected certificate chain. 
    */ 
    @Override 
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CustomCertificateException { 
     // Capture the certificate if it fails 
     try { 
     encounteredCertificates = chain; 
     if (trustManager != null) { 
      trustManager.checkServerTrusted(chain, authType); 
     } else { 
      throw new RuntimeException("Trust manager is null"); 
     } 
     } catch (CertificateException ex) { 
     rejectedCertificates = chain; 
     throw new CustomCertificateException(ex, rejectedCertificates); 
     } catch (Exception ex) { 
     rejectedCertificates = chain; 
     throw new CustomCertificateException(new CertificateException(ex), rejectedCertificates); 
     } 
    } 

    @Override 
    public X509Certificate[] getAcceptedIssuers() { 
     return trustManager == null ? new X509Certificate[0] : trustManager.getAcceptedIssuers(); 
    } 

    /** 
    * initializes the internal trust manager with all known certificates 
    * certificates are stored in the keyStore object 
    */ 
    private void initTrustManager() { 
     try { 
     // initialize a new TMF with our keyStore 
     TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE"); 

     // keyStore must not be empty 
     CertPathParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector()); 
     ((PKIXBuilderParameters) pkixParams).setRevocationEnabled(true); 

     tmf.init(new CertPathTrustManagerParameters(pkixParams)); 

     // acquire X509 trust manager from factory 
     TrustManager tms[] = tmf.getTrustManagers(); 
     for (TrustManager tm : tms) { 
      if (tm instanceof X509TrustManager) { 
       trustManager = (X509TrustManager) tm; 
       break; 
      } 
     } 
     } catch (Exception ex) { 
     logger.error("Problem initializing trust manager", ex); 
     } 
    } 

... 
} 

ここではX509TrustManagerトラストマネージャを実装し、実行時に見つかったx509トラストマネージャに適切なチェックコールを委任しようとしました。 私の質問は、私がOCSPに設定したプロパティーで、Javaが証明書チェーンの検証中にOCSPも確実に行うことができるかどうかです。つまり、プロパティが設定されている場合、checkServerTrusted()メソッド自体がそれを処理しますか?適切なプロパティが設定されている場合、X509TrustManagerImpl.checkServerTrusted()はOCSPを単独で処理しますか?

答えて

1

OCSPを介して取り消しを確認しているようには見えません。これを行う方法の例を次に示します。ターゲット証明書とレスポンダURLが必要です。私はこれを実際の例から抜き出し、可能な限り一般的なものに変更しました。それをテストしていないが、それは動作するか、作業に非常に近いはずです。あなたはそれをあなたのニーズに合わせなければならないかもしれませんが、それほど大したものではありません。

private void validateCertPath(X509Certificate targetCertificate, X509Certificate issuerCertificate, String responderURL, String trustAnchorDirectory) 
      throws CertPathValidatorException, 
          InvalidAlgorithmParameterException, 
          FileNotFoundException, 
          CertificateException, 
          NoSuchAlgorithmException { 

    List<X509Certificate> certList = new Vector<X509Certificate>(); 
    certList.add(targetCertificate); 
    certList.add(issuerCertificate); 

    CertificateFactory cf = CertificateFactory.getInstance("X.509"); 

    CertPath cp = cf.generateCertPath(certList); 

    CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); 

    Set<TrustAnchor> trustStore = new HashSet<TrustAnchor>(); 
    TrustAnchor anchor = null; 
    X509Certificate cacert = null; 
    File directory = new File(trustAnchorDirectory); 
    String certFileNames[] = directory.list(); 

    for (String certFile : certFileNames) { 
     cacert = readCert(trustAnchorDirectory +"/" + certFile); 
     anchor = new TrustAnchor(cacert, null); 
     trustStore.add(anchor); 
    } 

    PKIXParameters params = new PKIXParameters(trustStore); 
    params.setRevocationEnabled(true); 

    Security.setProperty("ocsp.enable", "true"); 
    Security.setProperty("ocsp.responderURL", responderUrl); 

    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params); 
    System.out.println("Certificate validated"); 
    System.out.println("Policy Tree:\n" + result.getPolicyTree()); 

}

関連する問題