Java can't get the trusted root CA when building a certificate path with CertPathBuilder


I have certificates for an end entity, some intermediate CAs and some trusted CAs, and I'm trying to use `CertPathBuilder` to find the certification path between the end entity and one of the trusted CAs. However, my current implementation includes any intermediate CAs and the end entity, but not the trusted root.

I've tried both the BouncyCastle provider (`CertPathBuilder.getInstance("PKIX", "BC")`) and Sun's (`CertPathBuilder.getInstance("PKIX")`), but got the same result.

Here's a self-contained Kotlin snippet that uses Bouncy Castle (`implementation("org.bouncycastle:bcpkix-jdk15on:1.66")`) to generate the certificates. My path-building function is `buildCertificationPath`:

```kotlin
package com.example.cert

import org.bouncycastle.asn1.ASN1Boolean
import org.bouncycastle.asn1.ASN1Encodable
import org.bouncycastle.asn1.ASN1EncodableVector
import org.bouncycastle.asn1.ASN1Integer
import org.bouncycastle.asn1.ASN1Primitive
import org.bouncycastle.asn1.DERBMPString
import org.bouncycastle.asn1.DEROctetString
import org.bouncycastle.asn1.DERSequence
import org.bouncycastle.asn1.x500.X500Name
import org.bouncycastle.asn1.x500.X500NameBuilder
import org.bouncycastle.asn1.x500.style.BCStyle
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier
import org.bouncycastle.asn1.x509.Extension
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo
import org.bouncycastle.cert.X509CertificateHolder
import org.bouncycastle.cert.X509v3CertificateBuilder
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
import java.math.BigInteger
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.PrivateKey
import java.security.PublicKey
import java.security.SecureRandom
import java.security.Security
import java.security.cert.CertPathBuilder
import java.security.cert.CertPathBuilderException
import java.security.cert.CertStore
import java.security.cert.CollectionCertStoreParameters
import java.security.cert.PKIXBuilderParameters
import java.security.cert.PKIXParameters
import java.security.cert.TrustAnchor
import java.security.cert.X509CertSelector
import java.security.cert.X509Certificate
import java.sql.Date
import java.time.ZonedDateTime

val bcToJavaCertificateConverter: JcaX509CertificateConverter =
    JcaX509CertificateConverter().setProvider(BouncyCastleProvider())

fun main() {
    Security.addProvider(BouncyCastleProvider())

    // Issue the certificates with BouncyCastle
    val rootCAKeyPair = generateRSAKeyPair()
    val rootCACert = issueCertificate(
        "root",
        rootCAKeyPair.public,
        rootCAKeyPair.private,
        isCA = true,
        pathLenConstraint = 2
    )
    val intermediateCAKeyPair = generateRSAKeyPair()
    val intermediateCACert = issueCertificate(
        "intermediate",
        intermediateCAKeyPair.public,
        rootCAKeyPair.private,
        rootCACert,
        isCA = true,
        pathLenConstraint = 1
    )
    val endEntityKeyPair = generateRSAKeyPair()
    val endEntityCert = issueCertificate(
        "end",
        endEntityKeyPair.public,
        intermediateCAKeyPair.private,
        intermediateCACert,
        isCA = false,
        pathLenConstraint = 0
    )

    // Convert the BouncyCastle certificates to Java certificates:
    val javaRootCert = convertBCCertToJava(rootCACert)
    val javaInterCert = convertBCCertToJava(intermediateCACert)
    val javaEndCert = convertBCCertToJava(endEntityCert)

    val intermediateAndRootPath = buildCertificationPath(
        javaInterCert,
        emptySet(),
        setOf(javaRootCert)
    )
    if (intermediateAndRootPath.contentEquals(arrayOf("intermediate", "root"))) {
        println("Path between intermediate and root CA is OK")
    } else {
        println(
            "Path between intermediate and root CA is wrong: " +
                intermediateAndRootPath.joinToString(",")
        )
    }

    val endAndIntermediatePath = buildCertificationPath(
        javaEndCert,
        emptySet(),
        setOf(javaInterCert)
    )
    if (endAndIntermediatePath.contentEquals(arrayOf("end", "intermediate"))) {
        println("Path between end entity and intermediate CA is OK")
    } else {
        println(
            "Path between end entity and intermediate CA is wrong: " +
                endAndIntermediatePath.joinToString(",")
        )
    }

    val endAndRootPath = buildCertificationPath(
        javaEndCert,
        setOf(javaInterCert),
        setOf(javaRootCert)
    )
    if (endAndRootPath.contentEquals(arrayOf("end", "intermediate", "root"))) {
        println("Path between end entity and root CA is OK")
    } else {
        println("Path between end entity and root CA is wrong: " + endAndRootPath.joinToString(","))
    }
}

fun buildCertificationPath(
    endEntityCert: X509Certificate,
    intermediateCACerts: Set<X509Certificate>,
    trustedCACerts: Set<X509Certificate>
): Array<String> {
    val trustAnchors = trustedCACerts.map { TrustAnchor(it, null) }.toSet()
    val intermediateCertStore = CertStore.getInstance(
        "Collection",
        CollectionCertStoreParameters(intermediateCACerts),
        "BC"
    )
    val endEntitySelector = X509CertSelector()
    endEntitySelector.certificate = endEntityCert
    val parameters: PKIXParameters = PKIXBuilderParameters(trustAnchors, endEntitySelector)
    parameters.isRevocationEnabled = false // TODO: Needed?
    parameters.addCertStore(intermediateCertStore)
    // val pathBuilder: CertPathBuilder = CertPathBuilder.getInstance("PKIX")
    val pathBuilder: CertPathBuilder = CertPathBuilder.getInstance("PKIX", "BC")
    val pathBuilderResult = try {
        pathBuilder.build(parameters)
        // The rest of the snippet is cut off in the original post.
```
```
Path between intermediate and root CA is wrong: intermediate
Path between end entity and intermediate CA is wrong: end
Path between end entity and root CA is wrong: end,intermediate
```
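The behaviour in the question matches the JDK contract: `PKIXCertPathBuilderResult.getCertPath()` never contains the trust anchor, which is returned separately by `getTrustAnchor()`. The added example below (not the post's code) shows a `buildFullChain` helper that appends the anchor to the built path, using constructed test certificates from an assumed `issue()` helper built on Bouncy Castle's `JcaX509v3CertificateBuilder`; both helper names are assumptions.

```kotlin
import org.bouncycastle.asn1.x500.X500Name
import org.bouncycastle.asn1.x509.BasicConstraints
import org.bouncycastle.asn1.x509.Extension
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
import java.math.BigInteger
import java.security.*
import java.security.cert.*
import java.util.Date

// Constructed test certificate (assumed helper, not the post's issueCertificate): one-hour validity,
// SHA256withRSA signature and a critical basicConstraints so PKIX validation accepts the CA certs.
fun issue(cn: String, key: PublicKey, issuerKey: PrivateKey, issuer: String, isCa: Boolean): X509Certificate {
    val now = System.currentTimeMillis()
    val builder = JcaX509v3CertificateBuilder(
        X500Name("CN=$issuer"), BigInteger.valueOf(System.nanoTime()),
        Date(now - 60_000), Date(now + 3_600_000), X500Name("CN=$cn"), key
    ).addExtension(Extension.basicConstraints, true, BasicConstraints(isCa))
    val signer = JcaContentSignerBuilder("SHA256withRSA").build(issuerKey)
    return JcaX509CertificateConverter().getCertificate(builder.build(signer))
}

// Builds and validates the path from the end entity up to a trust anchor, then appends the anchor
// itself: PKIXCertPathBuilderResult.getCertPath() never contains it, getTrustAnchor() does.
fun buildFullChain(
    endEntity: X509Certificate, intermediates: Set<X509Certificate>, trusted: Set<X509Certificate>
): List<X509Certificate> {
    val selector = X509CertSelector().apply { certificate = endEntity }
    val params = PKIXBuilderParameters(trusted.map { TrustAnchor(it, null) }.toSet(), selector)
    // Disabled only because these constructed certs carry no CRL/OCSP pointers; keep it on for a real PKI.
    params.isRevocationEnabled = false
    params.addCertStore(CertStore.getInstance("Collection", CollectionCertStoreParameters(intermediates)))
    val result = CertPathBuilder.getInstance("PKIX").build(params) as PKIXCertPathBuilderResult
    val path = result.certPath.certificates.map { it as X509Certificate }
    return path + result.trustAnchor.trustedCert
}

fun main() {
    Security.addProvider(BouncyCastleProvider())
    val kpg = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }
    val (rootKp, interKp, endKp) = List(3) { kpg.generateKeyPair() }
    val root = issue("root", rootKp.public, rootKp.private, "root", true)
    val inter = issue("intermediate", interKp.public, rootKp.private, "root", true)
    val end = issue("end", endKp.public, interKp.private, "intermediate", false)
    val chain = buildFullChain(end, setOf(inter), setOf(root))
    println(chain.map { it.subjectX500Principal.name })
}
```

The same `as PKIXCertPathBuilderResult` cast works on the result of the "BC" provider's builder, since it implements the same `CertPathBuilderResult` contract.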