Java: How to modify the LDAP connection properties in LDAPCertStore used for X509 certificate chain validation


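I am trying to validate an X509 certificate chain using sun.security.validator.PKIXValidator. One of the validation steps is to check the CRL. I provide an LDAPCertStore to get the CRL from LDAP. But LDAPCertStore cannot handle the server closing the connection, because java.security.cert.LDAPCertStoreParameters lacks settings for the LDAP connection.

Is it possible to modify the LDAP connection properties (system properties do not help, and Bouncy Castle has the same implementation as far as the connection is concerned)? See the code below to reproduce: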

@Test
public void testRevocationListValidation() throws Exception {
    String trustStoreFile = "trustStoreFilePath";
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream is = getClass().getResourceAsStream(trustStoreFile);
    if (is == null) {
        throw new FileNotFoundException(String.format("KeyStore file '%s' is not found on classpath", trustStoreFile));
    }
    trustStore.load(is, "password".toCharArray());
    Set<TrustAnchor> trustedAnchors = new HashSet<TrustAnchor>();
    for (String caCertificateAlias : new String[]{"ca"}) {
        X509Certificate certificate = (X509Certificate) trustStore.getCertificate(caCertificateAlias);
        trustedAnchors.add(new TrustAnchor(certificate, null));
    }
    PKIXParameters parameters = new PKIXParameters(trustedAnchors);
    CertStore certStore = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389));
    parameters.setCertStores(Collections.singletonList(certStore));

    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(getClass().getResourceAsStream("keystore.jks"), "password".toCharArray());

    String keyStoreAlias = "dev-test";
    Certificate[] userCertificateChain = keyStore.getCertificateChain(keyStoreAlias);

    for (int i = 0; i < 3; i++) {
        System.out.println("Starting validation " + i);
        CertPath userCertificatePath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(userCertificateChain));
        CertPathValidator.getInstance("PKIX").validate(userCertificatePath, parameters);
        System.out.println("Validation " + i + " succeeded");
        if (i == 1) {
            System.out.println("Sleeping after second validation");
            TimeUnit.SECONDS.sleep(90); // Server connection timeout ~ 60 sec
        }
    }

}
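Sample output:

Starting validation 0
Validation 0 succeeded
Starting validation 1
Validation 1 succeeded
Sleeping after second validation
Starting validation 2
java.security.cert.CertPathValidatorException: java.security.cert.CertStoreException: javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name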


Fixed in Java 9: the LDAP connection is restored automatically.

It looks like the root cause is: I have created a ticket:
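
One possible workaround for the stale connection described in the question, as an added example that is not part of the original post or of the JDK: fetch the CRL over a short-lived JNDI connection whose properties you control, and pass it to the validator through a Collection CertStore instead of an LDAP one. The class name, the LDAP URL, the entry DN and the 5-second timeouts are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;

/** Added example (hypothetical helper): CRLs fetched over a fresh JNDI connection. */
public class FreshLdapCrlStore {

    /** ldapUrl (e.g. "ldap://ldapHost:389") and crlEntryDn are deployment-specific assumptions. */
    public static CertStore load(String ldapUrl, String crlEntryDn) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        // Connection settings that LDAPCertStoreParameters does not expose:
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // milliseconds
        env.put("com.sun.jndi.ldap.read.timeout", "5000");    // milliseconds
        env.put("com.sun.jndi.ldap.connect.pool", "false");   // no pooled connections

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);          // new connection on every call
        try {
            Attributes attrs = ctx.getAttributes(crlEntryDn,
                    new String[] {"certificateRevocationList;binary"});
            NamingEnumeration<? extends Attribute> all = attrs.getAll();
            while (all.hasMore()) {
                NamingEnumeration<?> values = all.next().getAll();
                while (values.hasMore()) {
                    byte[] der = (byte[]) values.next();      // DER-encoded CRL
                    crls.add(cf.generateCRL(new ByteArrayInputStream(der)));
                }
            }
        } finally {
            ctx.close();                                      // no idle socket left for the server to drop
        }
        if (crls.isEmpty()) {
            // Fail early with a clear error rather than an undetermined revocation status later.
            throw new CertStoreException("No CRL found at " + crlEntryDn);
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    /** Call before each validation so every run uses a live connection and a current CRL. */
    public static void refresh(PKIXParameters parameters, String ldapUrl, String crlEntryDn)
            throws Exception {
        parameters.setCertStores(Collections.singletonList(load(ldapUrl, crlEntryDn)));
    }
}
```

In the test from the question, calling `FreshLdapCrlStore.refresh(parameters, ...)` inside the loop before `validate(...)` replaces the single long-lived `CertStore.getInstance("LDAP", ...)` instance.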