我已經設置CertStore配置了本地存儲的CRL。我只想使用這些本地存儲的CRL進行證書驗證。如果傳入連接的證書與這些CRL中的任何一個都不匹配,則不應嘗試從CDP點獲取CRL,而只是軟失敗。有什麼辦法可以做到這一點?在Java中的CRL檢查
System.setProperty("com.sun.security.enableCRLDP", "false");
KeyManagerFactory keyManagerFactory = null;
KeyStore keyStore = null;
keyManagerFactory = KeyManagerFactory.getInstance(keyAlgorithm);
keyStore = KeyStore.getInstance(keyStoreType);
ksFile = new FileInputStream(keyStoreFile);
keyStore.load(ksFile,password);
keyManagerFactory.init (keyStore,password);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
List<CertStore> certStores = new ArrayList<>();
Collection<CRL> crls = new HashSet<>();
crls.add(CertificateFactory.getInstance("X.509").generateCRL(new java.io.FileInputStream("crl path")));
crls.add(CertificateFactory.getInstance("X.509").generateCRL(new java.io.FileInputStream("crl path2")));
certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker();
rc.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP
// handshake should not fail when CRL is not available
PKIXRevocationChecker.Option.NO_FALLBACK));
CertPathParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector());
// PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector());
((PKIXParameters) pkixParams).setRevocationEnabled(true);
((PKIXParameters) pkixParams).setCertStores(certStores);
((PKIXParameters) pkixParams).addCertPathChecker(rc);
tmf.init(new CertPathTrustManagerParameters(pkixParams));
SSLContext context = SSLContext.getInstance(protocol);
context.init (keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
您想驗證服務器提供的SSL證書是否創建自己的TrustManager,或者您想在SSLConnection建立後提取SSLL證書並使用您的驗證執行驗證CRL清單? – pedrofb
是在ssl握手期間使用TrustManager。 – supraja