
Java 安全套接字中的 OCSP 检查


如果我设置了 `Security.setProperty("ocsp.enable", "true")`，那么 SSLSocket 或 SSLServerSocket 连接是否会使用 OCSP 自动检查证书吊销？


创建套接字时是否必须手动执行OCSP检查?(我没有使用CRLs。)

您可以使用我为一些测试准备的这个 TrustManager 实现，它基于 Oracle 博客（https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking）上的 OCSP 检查代码。

根据他们的击球,我用过这个,效果很好

import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

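/**
 * TrustManager that verifies server certs using OCSP using the code found at
 * https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
 *
 * <p>Server certificates are validated as a PKIX certification path against the
 * trust anchors of the JDK's {@code cacerts} keystore with revocation checking
 * enabled (OCSP, plus CRL distribution points). A failed or impossible check is
 * reported to the caller as a {@link CertificateException}, which aborts the
 * handshake; it is never only logged.
 *
 * <p>Limitations visible in this implementation:
 * <ul>
 *   <li>{@link X509TrustManager#checkClientTrusted} performs no validation: every
 *       client certificate is accepted. Do not rely on this factory for client
 *       authentication.</li>
 *   <li>No hostname / endpoint identification is done here; that has to be
 *       configured on the socket or engine separately.</li>
 *   <li>{@code ocsp.enable} and {@code com.sun.security.enableCRLDP} are set
 *       JVM-wide on every server check, and the check fails if
 *       {@code ocsp.responderURL} is configured.</li>
 * </ul>
 */
public class OCSPTrustManagerFactory extends SimpleTrustManagerFactory {
    private static final InternalLogger logger = InternalLoggerFactory
            .getInstance(OCSPTrustManagerFactory.class);
    public static final TrustManagerFactory INSTANCE = new OCSPTrustManagerFactory();

    /** Password of the JDK's default {@code cacerts} keystore. */
    private static final String CACERTS_PASSWORD = "changeit";

    private static final TrustManager tm = new X509TrustManager() {
        /**
         * Accepts every client certificate; the chain is only logged, never validated.
         *
         * @param chain the peer's certificate chain, leaf first
         * @param s     the key-exchange algorithm (unused)
         * @throws IllegalArgumentException if {@code chain} is null or empty, as the
         *         {@link X509TrustManager} contract requires
         */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String s) {
            requireChain(chain);
            OCSPTrustManagerFactory.logger.debug("Accepting a client certificate: " + chain[0].getSubjectDN());
        }

        /**
         * Validates the server chain as a PKIX path with revocation checking and
         * fails the handshake on any problem.
         *
         * @param chain the server's certificate chain, leaf first
         * @param s     the key-exchange algorithm (unused)
         * @throws IllegalArgumentException if {@code chain} is null or empty
         * @throws CertificateException if the path does not validate, the revocation
         *         status cannot be established, the trust anchors cannot be loaded,
         *         or {@code ocsp.responderURL} is set
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String s) throws CertificateException {
            requireChain(chain);
            logger.debug("Certs size:{}", chain.length);
            logger.debug("Accepting a server certificate:{} ", chain[0].getSubjectDN());

            // if you work behind proxy, configure the proxy.
            // System.setProperty("http.proxyHost", "proxyHost");
            // System.setProperty("http.proxyPort", "proxyPort");

            try {
                CertPath path = generateCertificatePath(chain);
                Set<TrustAnchor> anchors = generateTrustAnchors();

                PKIXParameters params = new PKIXParameters(anchors);

                // Activate certificate revocation checking
                params.setRevocationEnabled(true);

                // Activate OCSP (JVM-wide security property)
                Security.setProperty("ocsp.enable", "true");

                // Activate CRLDP (JVM-wide system property)
                System.setProperty("com.sun.security.enableCRLDP", "true");

                // Ensure that the ocsp.responderURL property is not set, so the
                // responder named in the certificate's AIA extension is used.
                if (Security.getProperty("ocsp.responderURL") != null) {
                    throw new CertificateException("The ocsp.responderURL property must not be set");
                }

                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
                validator.validate(path, params);
                logger.info("OCSP validation successful for Server certificate: {}", chain[0].getSubjectDN());
            } catch (CertificateException ex) {
                logger.error("Exception checking Server certificates", ex);
                throw ex;
            } catch (GeneralSecurityException | IOException ex) {
                // CertPathValidatorException (bad path or unknown revocation status),
                // keystore problems and I/O errors all mean the chain is NOT trusted.
                logger.error("Exception checking Server certificates", ex);
                throw new CertificateException(
                        "Server certificate validation failed for " + chain[0].getSubjectDN(), ex);
            }
        }

        /**
         * Advertises no accepted issuers; the anchors used for validation come from
         * {@code cacerts} at check time instead.
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return EmptyArrays.EMPTY_X509_CERTIFICATES;
        }
    };

    /**
     * Enforces the {@link X509TrustManager} precondition on a peer chain.
     *
     * @throws IllegalArgumentException if {@code chain} is null or empty
     */
    private static void requireChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("certificate chain must not be null or empty");
        }
    }

    /**
     * Wraps the peer's certificates, in the order received, into a PKIX
     * {@link CertPath}.
     *
     * @throws CertificateException if no X.509 factory is available or the path
     *         cannot be built
     */
    private static CertPath generateCertificatePath(X509Certificate[] certs)
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertPath(Arrays.asList(certs));
    }

    /**
     * Loads the trust anchors from the JDK's {@code cacerts} keystore under
     * {@code java.home}.
     *
     * @throws GeneralSecurityException if the keystore cannot be opened or contains
     *         no usable trusted certificates
     * @throws IOException if the keystore file cannot be read or the password is wrong
     */
    private static Set<TrustAnchor> generateTrustAnchors() throws GeneralSecurityException, IOException {
        File cacerts = new File(System.getProperty("java.home"),
                "lib" + File.separator + "security" + File.separator + "cacerts");
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: the original left this stream open on every call
        try (FileInputStream is = new FileInputStream(cacerts)) {
            keystore.load(is, CACERTS_PASSWORD.toCharArray());
        }
        // PKIXParameters(KeyStore) collects the keystore's trusted certificates as anchors
        return new PKIXParameters(keystore).getTrustAnchors();
    }

    private OCSPTrustManagerFactory() {
    }

    /** The supplied keystore is ignored (only logged); validation always uses {@code cacerts}. */
    @Override
    protected void engineInit(KeyStore keyStore)
            throws Exception {
        logger.debug("KeyStore is: {}", String.valueOf(keyStore));
    }

    /** Factory parameters are not supported and are ignored. */
    @Override
    protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
            throws Exception {
    }

    @Override
    protected TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{tm};
    }
}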

我相信您可以使用示例代码将此操作用于 SSLSocket。

回答：否。必须在侧面手动执行 OCSP 检查。