
Goal: retrieve the certificate revocation list (CRL) information for a given certificate.

Reason: when a java.security.cert.PKIXParameters instance is configured to enable certificate revocation status checking via PKIXParameters#setRevocationEnabled(true), the checker sun.security.provider.certpath.CrlRevocationChecker requires a call to PKIXParameters#addCertStore(...) that adds a java.security.cert.CertStore whose implementation holds the X509CRL information the validator can check.

Question: is there a library or implementation for retrieving this data, or does it have to be done manually (manual example below)? A library would most likely handle every kind of connection/exception/error that can occur, whereas a manual solution takes effort to bring up to an enterprise standard.

The certificate may be held in any of these X.509 certificate wrappers:

java.security.cert.X509Certificate
org.bouncycastle.cert.X509CertificateHolder
org.bouncycastle.jce.provider.X509CertificateObject

Java code for manually retrieving the CRL data:

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.ArrayList;
import java.util.List;

// JDK-internal classes: compile on Java 8; on Java 9+ they need
// --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.x509.CRLDistributionPointsExtension;
import sun.security.x509.DistributionPoint;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.GeneralNames;
import sun.security.x509.URIName;
import sun.security.x509.X509CertImpl;

// Returns java.security.cert.X509CRL rather than BouncyCastle's X509CRLObject: the cast to
// X509CRLObject only works when certificateFactory was obtained from the BC provider and
// throws ClassCastException with the default SUN provider.
static List<X509CRL> getCRLSFromCertPath(CertPath certPath, CertificateFactory certificateFactory) {
    List<X509CRL> x509CRLs = new ArrayList<>();
    List<? extends Certificate> certificates = certPath.getCertificates();
    for (Certificate certificate : certificates) {
        try {
            X509CertImpl x509Cert = new X509CertImpl(certificate.getEncoded());
            CRLDistributionPointsExtension crlDistroExten = x509Cert.getCRLDistributionPointsExtension();
            if (crlDistroExten == null) {
                continue; // certificate carries no CRL Distribution Points extension
            }
            List<DistributionPoint> distros = crlDistroExten.get(CRLDistributionPointsExtension.POINTS);
            for (DistributionPoint distributionPoint : distros) {
                GeneralNames distroName = distributionPoint.getFullName();
                if (distroName == null) {
                    continue; // distribution point uses nameRelativeToCRLIssuer, not a full name
                }
                for (int i = 0; i < distroName.size(); ++i) {
                    GeneralNameInterface name = distroName.get(i).getName();
                    if (!(name instanceof URIName)) {
                        continue; // only URI names can be fetched directly
                    }
                    URI uri = ((URIName) name).getURI();
                    // try-with-resources closes the stream even when generateCRL throws
                    try (InputStream inputStream = new URL(uri.toString()).openConnection().getInputStream()) {
                        x509CRLs.add((X509CRL) certificateFactory.generateCRL(inputStream));
                    }
                }
            }
        } catch (CertificateException | IOException | CRLException e) {
            e.printStackTrace(); // a CRL that cannot be fetched is silently skipped here
        } catch (RuntimeException e) {
            e.printStackTrace();
        }
    }
    return x509CRLs;
}

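The following is an added example, not the poster's code, showing the whole flow the question describes with public APIs only: the CRL Distribution Points extension is parsed with BouncyCastle's ASN.1 classes (no sun.security.x509 internals), each referenced CRL is downloaded, and the CRLs are placed in a Collection CertStore on a PKIXParameters instance that has revocation checking enabled. It assumes bcprov and bcpkix are on the classpath, that the caller supplies the trust anchors, and that the CRL URLs are reachable; the class and method names are the example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

// Example class (hypothetical name): CRL retrieval plus PKIX validation with revocation enabled.
public final class CrlBackedPathValidation {

    // Extract the URIs listed in the cRLDistributionPoints extension (RFC 5280, 4.2.1.13).
    static List<String> crlDistributionPointUris(X509Certificate cert) throws IOException {
        List<String> uris = new ArrayList<>();
        byte[] ext = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (ext == null) {
            return uris; // no CDP extension: this certificate names no CRL to fetch
        }
        ASN1Primitive parsed = JcaX509ExtensionUtils.parseExtensionValue(ext);
        for (DistributionPoint dp : CRLDistPoint.getInstance(parsed).getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            // Only fullName points carry URIs; nameRelativeToCRLIssuer needs the issuer DN and is skipped.
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    uris.add(DERIA5String.getInstance(gn.getName()).getString());
                }
            }
        }
        return uris;
    }

    // Download every CRL referenced by the chain. Failures are recorded instead of swallowed so the
    // caller can treat an unreachable CRL as "revocation status unknown" rather than "not revoked".
    static List<X509CRL> fetchCrls(CertPath chain, CertificateFactory cf, List<String> failures) {
        List<X509CRL> crls = new ArrayList<>();
        for (Certificate c : chain.getCertificates()) {
            X509Certificate cert = (X509Certificate) c;
            try {
                for (String uri : crlDistributionPointUris(cert)) {
                    try (InputStream in = new URL(uri).openStream()) {
                        crls.add((X509CRL) cf.generateCRL(in));
                    }
                }
            } catch (IOException | CRLException e) {
                failures.add(cert.getSubjectX500Principal() + ": " + e);
            }
        }
        return crls;
    }

    // Validate with revocation enabled; the CertStore is where CrlRevocationChecker looks for CRLs.
    static PKIXCertPathValidatorResult validate(CertPath chain, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> failures = new ArrayList<>();
        List<X509CRL> crls = fetchCrls(chain, cf, failures);
        if (!failures.isEmpty()) {
            // Fail closed: without the CRL the revocation status cannot be established.
            throw new CertPathValidatorException("CRL retrieval failed: " + failures);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(chain, params);
    }
}
```

The validator itself still checks each CRL's signature against the issuing CA and rejects expired ones, so the download step only needs to collect candidates. Note also that since Java 8 the JDK can perform the download itself: CertPathValidator.getRevocationChecker() returns a PKIXRevocationChecker that can be added with PKIXParameters#addCertPathChecker, and setting the system property com.sun.security.enableCRLDP to true lets it follow the certificates' distribution points, which is the "library" route the question asks about.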