Java Bouncy Castle OCSP Url
我正在使用bouncy castle 1.48与OCSP验证证书验证。它工作得很好。 但我使用OCSPURL作为静态变量,我想从证书中读取它。Url作为权限信息访问写入证书中Java Bouncy Castle OCSP Url,java,certificate,bouncycastle,ocsp,Java,Certificate,Bouncycastle,Ocsp,我正在使用bouncy castle 1.48与OCSP验证证书验证。它工作得很好。 但我使用OCSPURL作为静态变量,我想从证书中读取它。Url作为权限信息访问写入证书中 [1]Authority Info Access Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1) Alternative Name: URL=http://ocsp.mydomain 我从证书中获取了org.bo
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.mydomain
我从证书中获取了org.bouncycastle.asn1.x509.AuthorityInformationAccess
对象
byte[] octetBytes = certificate.getExtensionValue(X509Extension.authorityInfoAccess.getId());
ASN1InputStream octetStream = new ASN1InputStream(octetBytes);
byte[] encoded = X509ExtensionUtil.fromExtensionValue(octetBytes).getEncoded();
ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoded));
AuthorityInformationAccess access = AuthorityInformationAccess.getInstance(seq);
它写了权威信息访问:Oid(1.3.6.1.5.5.7.48.1)
,但无法从那里获取Url我找到了方法
private String getOcspUrl(X509Certificate certificate) throws Exception {
byte[] octetBytes = certificate
.getExtensionValue(X509Extension.authorityInfoAccess.getId());
DLSequence dlSequence = null;
ASN1Encodable asn1Encodable = null;
try {
ASN1Primitive fromExtensionValue = X509ExtensionUtil
.fromExtensionValue(octetBytes);
if (!(fromExtensionValue instanceof DLSequence))
return null;
dlSequence = (DLSequence) fromExtensionValue;
for (int i = 0; i < dlSequence.size(); i++) {
asn1Encodable = dlSequence.getObjectAt(i);
if (asn1Encodable instanceof DLSequence)
break;
}
if (!(asn1Encodable instanceof DLSequence))
return null;
dlSequence = (DLSequence) asn1Encodable;
for (int i = 0; i < dlSequence.size(); i++) {
asn1Encodable = dlSequence.getObjectAt(i);
if (asn1Encodable instanceof DERTaggedObject)
break;
}
if (!(asn1Encodable instanceof DERTaggedObject))
return null;
DERTaggedObject derTaggedObject = (DERTaggedObject) asn1Encodable;
byte[] encoded = derTaggedObject.getEncoded();
if (derTaggedObject.getTagNo() == 6) {
int len = encoded[1];
return new String(encoded, 2, len);
}
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
私有字符串getocspur(X509Certificate证书)引发异常{
字节[]八位字节=证书
.getExtensionValue(X509Extension.authorityInfoAccess.getId());
DLSequence DLSequence=null;
ASN1Encodable ASN1Encodable=null;
试一试{
ASN1原语fromExtensionValue=X509ExtensionUtil
.fromExtensionValue(八字节);
if(!(从DLSequence的扩展值实例))
返回null;
dlSequence=(dlSequence)fromExtensionValue;
对于(int i=0;i
我就是这样做的:
private String getOcspUrlFromCertificate(X509Certificate cert) {
byte[] extensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
try {
ASN1Sequence asn1Seq = (ASN1Sequence) X509ExtensionUtil.fromExtensionValue(extensionValue); // AuthorityInfoAccessSyntax
Enumeration<?> objects = asn1Seq.getObjects();
while (objects.hasMoreElements()) {
ASN1Sequence obj = (ASN1Sequence) objects.nextElement(); // AccessDescription
DERObjectIdentifier oid = (DERObjectIdentifier) obj.getObjectAt(0); // accessMethod
DERTaggedObject location = (DERTaggedObject) obj.getObjectAt(1); // accessLocation
if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
DEROctetString uri = (DEROctetString) location.getObject();
String str = new String(uri.getOctets());
if (oid.equals(X509ObjectIdentifiers.id_ad_ocsp)) {
return str;
}
}
}
} catch (Exception e) {
logger.error("Error", e);
}
return null;
}
私有字符串getOcspUrlFromCertificate(X509Certificate cert){
byte[]extensionValue=cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
试一试{
ASN1Sequence asn1Seq=(ASN1Sequence)X509ExtensionUtil.fromExtensionValue(extensionValue);//AuthorityInfoAccessSyntax
枚举对象=asn1Seq.getObjects();
while(objects.hasMoreElements()){
ASN1Sequence obj=(ASN1Sequence)objects.nextElement();//AccessDescription
DERObjectIdentifier oid=(DERObjectIdentifier)obj.getObjectAt(0);//accessMethod
DERTaggedObject location=(DERTaggedObject)obj.getObjectAt(1);//accessLocation
if(location.getTagNo()==GeneralName.uniformResourceIdentifier){
DEROctetString uri=(DEROctetString)location.getObject();
String str=新字符串(uri.getOctets());
if(oid.equals(X509ObjectIdentifiers.id_ad_ocsp)){
返回str;
}
}
}
}捕获(例外e){
错误(“错误”,e);
}
返回null;
}
带有BouncyCastle 1.9的
是:
依赖
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.59</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.59</version>
</dependency>
函数来验证撤销
public CertificateStatus verifRevocationWithOCSP(X509Certificate certificate,X509Certificate issuerCertificate) throws Exception{
OcspClientBouncyCastle ocspClient = new OcspClientBouncyCastle();
String urlOCSP = getOcspUrl();
BasicOCSPResp basicOCSPResp = ocspClient.getBasicOCSPResp(certificate, issuerCertificate, urlOCSP);
if (basicOCSPResp == null)
throw new IOException("Error en la consulta ar servidor OCSP ["+urlOCSP+"]");
BasicOCSPResp basicResponse = basicOCSPResp;
SingleResp[] responses = basicResponse.getResponses();
if (responses.length == 1) {
SingleResp resp = responses[0];
Object status = resp.getCertStatus();
System.out.println("OBJECT: "+status);
if (status == CertificateStatus.GOOD) {
return CertificateStatus.GOOD;
} else if (status instanceof RevokedStatus) {
RevokedStatus revokedStatus = (RevokedStatus)status;
return revokedStatus;
} else if(status instanceof UnknownStatus){
UnknownStatus unknownStatus = (UnknownStatus)status;
return unknownStatus;
}
throw new IOException("Tipo de respuesta de OCSP ["+status+"] desconocido");
}
else
throw new IOException("No se recibio ni una respuesta al consultar el OCSP para la URL ["+urlOCSP+"]");
}
使用BouncyCastle X509CertificateHolder 使用BouncyCastle1.66、Java8和LombokVal
public static String getOcspUrl(final String certPEM) {
val certHolder = toCertificateHolder(certPEM);
val aiaExtension = AuthorityInformationAccess.fromExtensions(certHolder.getExtensions());
val ocspUrl = Arrays.stream(aiaExtension.getAccessDescriptions())
.filter(ad -> ad.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_ocsp))
.map(ad -> ad.getAccessLocation().getName().toASN1Primitive().toString())
.findFirst();
return ocspUrl.get();
}
public static X509CertificateHolder toCertificateHolder(final String certPEM) {
val parser = new PEMParser(new StringReader(certPEM));
return (X509CertificateHolder) parser.readObject();
}
public static String getOcspUrl(final String certPEM) {
val certHolder = toCertificateHolder(certPEM);
val aiaExtension = AuthorityInformationAccess.fromExtensions(certHolder.getExtensions());
val ocspUrl = Arrays.stream(aiaExtension.getAccessDescriptions())
.filter(ad -> ad.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_ocsp))
.map(ad -> ad.getAccessLocation().getName().toASN1Primitive().toString())
.findFirst();
return ocspUrl.get();
}
public static X509CertificateHolder toCertificateHolder(final String certPEM) {
val parser = new PEMParser(new StringReader(certPEM));
return (X509CertificateHolder) parser.readObject();
}