2014-09-23 85 views

How to modify the LDAP connection properties of the LDAPCertStore used for X509 certificate chain validation

I want to validate an X509 certificate chain with sun.security.validator.PKIXValidator, following the Oracle official guide. One of the validation steps is the CRL check. I am supplying an LDAPCertStore so that the CRL is fetched from LDAP. But LDAPCertStore cannot cope with the server closing the connection, because java.security.cert.LDAPCertStoreParameters has no settings for the underlying LDAPConnection.

Is it possible to modify the LDAP connection properties, for example to use LDAP connection pooling (system properties do not help, and Bouncy Castle has the same implementation as far as the connection is concerned)? See the code below to reproduce:

import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.junit.Test;

@Test
public void testRevocationListValidation() throws Exception {
    // Trust anchors come from a JKS trust store on the classpath.
    String trustStoreFile = "trustStoreFilePath";
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream is = getClass().getResourceAsStream(trustStoreFile);
    if (is == null) {
        throw new FileNotFoundException(String.format("KeyStore file '%s' is not found on classpath", trustStoreFile));
    }
    trustStore.load(is, "password".toCharArray());
    Set<TrustAnchor> trustedAnchors = new HashSet<TrustAnchor>();
    for (String caCertificateAlias : new String[]{"ca"}) {
        X509Certificate certificate = (X509Certificate) trustStore.getCertificate(caCertificateAlias);
        trustedAnchors.add(new TrustAnchor(certificate, null));
    }
    // Revocation checking is enabled by default; CRLs are looked up in the LDAP CertStore.
    PKIXParameters parameters = new PKIXParameters(trustedAnchors);
    CertStore certStore = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389));
    parameters.setCertStores(Collections.singletonList(certStore));

    // The end-entity chain to validate.
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(getClass().getResourceAsStream("keystore.jks"), "password".toCharArray());

    String keyStoreAlias = "dev-test";
    Certificate[] userCertificateChain = keyStore.getCertificateChain(keyStoreAlias);

    // Validate three times; the pause after the second run lets the LDAP server close its idle connection.
    for (int i = 0; i < 3; i++) {
        System.out.println("Starting validation " + i);
        CertPath userCertificatePath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(userCertificateChain));
        CertPathValidator.getInstance("PKIX").validate(userCertificatePath, parameters);
        System.out.println("Validation " + i + " succeeded");
        if (i == 1) {
            System.out.println("Sleeping after second validation");
            TimeUnit.SECONDS.sleep(90); // Server connection timeout ~ 60 sec
        }
    }
}

Sample output:

Starting validation 0
Validation 0 succeeded
Starting validation 1
Validation 1 succeeded
Sleeping after second validation
Starting validation 2
java.security.cert.CertPathValidatorException: java.security.cert.CertStoreException: javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name

Looks like the root cause: https://stackoverflow.com/questions/8787577/how-to-reconnect-when-the-ldap-server-is-restarted – ichaki5748 2014-09-23 18:23:31

I created a ticket: https://bugs.openjdk.java.net/browse/JDK-8059009 – ichaki5748 2014-10-03 14:12:30
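The connection settings the question is after (timeouts, pooling, reconnect after the server drops an idle connection) are not reachable through LDAPCertStoreParameters, but they are reachable if the CRLs are fetched through a JNDI DirContext you own and then handed to PKIX as a "Collection" CertStore. The class below is an added example illustrating that workaround; it is not code from the original question or from the JDK. The provider URL "ldap://ldapHost:389", the issuer DNs, and the timeout values are assumptions; the attribute name certificateRevocationList(;binary) is the standard one from RFC 4523.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.List;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Fetches CRLs over a JNDI LDAP context whose connection settings we control
 * and exposes them as a "Collection" CertStore for PKIX validation.
 * Example code, not part of the original question.
 */
public final class LdapCrlCertStore {

    // RFC 4523 attribute holding a DER-encoded CRL on the CA's directory entry.
    private static final String CRL_ATTR = "certificateRevocationList";
    private static final String CRL_ATTR_BINARY = CRL_ATTR + ";binary";

    private final String providerUrl;      // assumption: e.g. "ldap://ldapHost:389"
    private final List<String> issuerDns;  // assumption: DNs of the CRL issuer entries
    private DirContext ctx;                // opened lazily, recreated after a connection loss

    public LdapCrlCertStore(String providerUrl, List<String> issuerDns) {
        this.providerUrl = providerUrl;
        this.issuerDns = issuerDns;
    }

    /** Builds a fresh CertStore holding the current CRL of every configured issuer. */
    public synchronized CertStore build() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<X509CRL> crls = new ArrayList<X509CRL>();
        for (String dn : issuerDns) {
            byte[] der = readCrlWithRetry(dn);
            crls.add((X509CRL) cf.generateCRL(new ByteArrayInputStream(der)));
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    private DirContext context() throws NamingException {
        if (ctx == null) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, providerUrl);
            // JDK LDAP provider knobs that LDAPCertStoreParameters does not expose (values are assumptions).
            env.put("com.sun.jndi.ldap.connect.timeout", "5000");  // ms to establish the TCP connection
            env.put("com.sun.jndi.ldap.read.timeout", "10000");    // ms to wait for a server response
            env.put("com.sun.jndi.ldap.connect.pool", "true");     // reuse connections from the provider pool
            ctx = new InitialDirContext(env);
        }
        return ctx;
    }

    private void closeContext() {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
            ctx = null;
        }
    }

    /** One retry on CommunicationException covers the server-side idle close seen in the question. */
    private byte[] readCrlWithRetry(String dn) throws NamingException {
        try {
            return readCrl(dn);
        } catch (CommunicationException e) {
            closeContext();       // drop the dead connection and open a new one
            return readCrl(dn);
        }
    }

    private byte[] readCrl(String dn) throws NamingException {
        Attributes attrs = context().getAttributes(dn, new String[] { CRL_ATTR_BINARY });
        Attribute attr = attrs.get(CRL_ATTR_BINARY);
        if (attr == null) {
            attr = attrs.get(CRL_ATTR);   // some servers omit the ";binary" option in the reply
        }
        if (attr == null) {
            throw new NamingException("no " + CRL_ATTR + " attribute on " + dn);
        }
        return (byte[]) attr.get();       // the JDK provider returns this attribute as byte[]
    }
}
```

In the test from the question, the LDAP CertStore line becomes `parameters.setCertStores(Collections.singletonList(store.build()))`, called inside the loop so that each validation sees a freshly fetched CRL and a dropped connection costs one reconnect rather than a CertPathValidatorException; `store` would be `new LdapCrlCertStore("ldap://ldapHost:389", Arrays.asList("CN=ca,O=Example"))` with an assumed DN. PKIX still matches each CRL to the issuer of the certificate it is checking, so the collection must contain the CRL of every issuer in the chain.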

Answer