0

I am working on a SCEP implementation (requester and authority). The project uses JScep as the library.

During the PKCSReq exchange, the client receives a CertRep SUCCESS. The draft says the following:

+----------------+--------------------------------------------------+
| Request-type   | Reply-contents                                   |
+----------------+--------------------------------------------------+
| PKCSReq        | the reply MUST contain at least the issued       |
|                | certificate in the certificates field of the     |
|                | Signed-Data. The reply MAY contain additional    |
|                | certificates, but the issued certificate MUST be |
|                | the first in the list. The reply MUST NOT        |
|                | contain a CRL. All returned certificates MUST    |
|                | conform to [RFC5280].                            |
+----------------+--------------------------------------------------+

I am a bit confused about how to interpret "MAY contain additional certificates".

Does this mean the entire certificate chain will appear in the response as a Collection (JScep)?

4

1 Answer 1

1

The entire certificate chain can be provided, but it is not required. In general, I would expect a SCEP server to provide everything needed to establish a chain of trust.

If you call enrol and the resulting EnrollmentResponse is successful (isSuccess()), then you can call getCertStore to access a java.security.cert.CertStore. This CertStore will contain all the certificates sent by the server.

You can use CertStoreInspector from jscep to extract the relevant certificates directly, like so:

// certStore is the java.security.cert.CertStore from EnrollmentResponse.getCertStore()
CertStoreInspector inspector = DefaultCertStoreInspectorFactory.getInstance(certStore);
X509Certificate ca = inspector.getIssuer();            // the issuing CA certificate
X509Certificate signer_ra = inspector.getSigner();     // certificate that signed the reply
X509Certificate recipient_ra = inspector.getRecipient(); // certificate to encrypt requests to

https://github.com/jscep/jscep/issues/48

answered 2015-11-02T08:46:15.353
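As an added example that is not part of the answer above or of jscep itself: once you hold the CertStore from a successful EnrollmentResponse, the certificates the server chose to include should only serve as chain-building material, while trust comes from a CA certificate you obtained out of band. The class and method names (EnrollmentChainCheck, verifyIssuedCertificate) are hypothetical; the example uses only the standard JCA PKIX API.

```java
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

/** Hypothetical helper (not part of jscep): locate the certificate issued for our key
 *  in the SCEP reply's CertStore and verify that it chains to a CA we already trust. */
public final class EnrollmentChainCheck {

    public static X509Certificate verifyIssuedCertificate(
            CertStore responseStore,      // EnrollmentResponse.getCertStore()
            PublicKey enrolledKey,        // public key from the CSR we sent
            X509Certificate trustedCa)    // CA certificate obtained out of band
            throws Exception {

        // Select the end-entity certificate by the key we actually enrolled rather than
        // by position: a CertStore does not preserve the order of the CertRep list.
        X509CertSelector target = new X509CertSelector();
        target.setSubjectPublicKey(enrolledKey);

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(trustedCa, null));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(responseStore);   // intermediates/RA certs from the reply
        params.setRevocationEnabled(false);   // the reply MUST NOT carry a CRL; check
                                              // revocation separately if your policy needs it

        try {
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            // The first element of a PKIX CertPath is the end-entity certificate.
            return (X509Certificate) result.getCertPath().getCertificates().get(0);
        } catch (CertPathBuilderException e) {
            throw new SecurityException(
                    "issued certificate does not chain to the trusted CA", e);
        }
    }
}
```

If the server omitted an intermediate, the build fails here rather than silently accepting a certificate you cannot validate, which is the practical answer to "MAY contain additional certificates".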