
How do I set a default CRL path in Java? Right now, for certificates not containing a CRL distribution point, I get this:

PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status

I've tried the combinations of com.sun.security.enableCRLDP and com.sun.net.ssl.checkRevocation with certificates containing a CRLDP and not containing one. The conclusion is that when you set the above-mentioned properties but have a certificate which doesn't contain a CRLDP, you get an exception; that's not the behavior I want for my current system.


1 Answer


I guess I found a way to specify a local CRL file and it seems to do the trick.

        import java.io.FileInputStream;
        import java.security.KeyStore;
        import java.security.cert.*;
        import java.util.*;
        import javax.net.ssl.*;

        // Build a PKIX trust manager that checks revocation against a local CRL file.
        // keyStore is the trust store already loaded by the caller; crlPath is the
        // local CRL file (e.g. "your_local_file.crl").
        static X509TrustManager buildTrustManager(KeyStore keyStore, String crlPath) throws Exception {
            // initialize a new TMF with our keyStore
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");

            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector());

            // Activate certificate revocation checking
            pkixParams.setRevocationEnabled(true);

            // Load the local CRL and expose it to the path validator through a Collection cert store
            Collection<CRL> crls = new HashSet<>(1);
            try (FileInputStream in = new FileInputStream(crlPath)) {
                crls.add(CertificateFactory.getInstance("X.509").generateCRL(in));
            }

            List<CertStore> certStores = new ArrayList<>(1);
            certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
            pkixParams.setCertStores(certStores);

            // Also allow CRLs to be fetched from the certificate's CRL distribution point, if it has one
            System.setProperty("com.sun.security.enableCRLDP", "true");
            tmf.init(new CertPathTrustManagerParameters(pkixParams));

            // acquire X509 trust manager from factory
            X509TrustManager trustManager = null;
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    trustManager = (X509TrustManager) tm;
                    break;
                }
            }
            return trustManager;
        }

In this case, if the certificate doesn't contain a CRL distribution point, it won't throw an exception and will try to determine revocation status from the file I've given. But if the specified local CRL file's content is not in a proper format, it still won't skip it, and you'll get an exception even if your certificate contains a CRL distribution point as an alternative.

Anyway looking forward to more elegant answers if any.

answered 2016-12-09T07:44:56.290
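The answer above relies on system properties and on the CRL file parsing cleanly at handshake time. The following is an added example, not code from the question or the answer, showing a variant built on the standard `java.security.cert.PKIXRevocationChecker` API (Java 8 and later): the local CRL files are parsed and checked for staleness once, at startup, so a malformed or expired CRL fails fast with a clear message instead of surfacing as "Could not determine revocation status" on a connection, and the fallback behaviour for certificates without revocation information is an explicit parameter rather than a side effect of properties. The class, method and parameter names (`RevocationTrustManager`, `loadCrls`, `build`, `softFail`) are assumptions of this example; the trust store and CRL file paths are supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example (not the answer's code): PKIX trust manager with local CRLs and
// explicit revocation-checker options instead of com.sun.* system properties.
public final class RevocationTrustManager {

    /**
     * Parse every CRL file up front. A file that cannot be parsed aborts setup with a
     * message naming the file, which is far easier to diagnose than a failure inside
     * a TLS handshake later on. A CRL whose nextUpdate has passed is reported as stale;
     * the validator would reject it anyway, so surfacing it here saves a support ticket.
     */
    static Collection<CRL> loadCrls(List<String> crlPaths)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<CRL> crls = new ArrayList<>();
        Date now = new Date();
        for (String path : crlPaths) {
            try (InputStream in = new FileInputStream(path)) {
                // generateCRLs accepts DER, PEM and PKCS#7 bundles holding several CRLs
                Collection<? extends CRL> parsed = cf.generateCRLs(in);
                if (parsed.isEmpty()) {
                    throw new CRLException("no CRL found in " + path);
                }
                for (CRL crl : parsed) {
                    if (crl instanceof X509CRL) {
                        Date next = ((X509CRL) crl).getNextUpdate();
                        if (next != null && next.before(now)) {
                            System.err.println("warning: CRL in " + path
                                    + " is stale (nextUpdate " + next + ")");
                        }
                    }
                }
                crls.addAll(parsed);
            } catch (CRLException e) {
                throw new CRLException("unusable CRL file " + path + ": " + e.getMessage(), e);
            }
        }
        return crls;
    }

    /**
     * Build an X509TrustManager that validates against trustStore and checks revocation
     * using the given local CRL files.
     *
     * softFail=false: a certificate whose revocation status cannot be determined is
     *                 rejected (fail closed; the behaviour the question reports).
     * softFail=true:  such a certificate is accepted, and the validator records why in
     *                 PKIXRevocationChecker.getSoftFailExceptions() for logging.
     */
    static X509TrustManager build(KeyStore trustStore, List<String> crlPaths, boolean softFail)
            throws GeneralSecurityException, IOException {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);

        // The validator looks CRLs up in the parameters' cert stores; fetching from a
        // certificate's CRL distribution point additionally still requires the
        // com.sun.security.enableCRLDP=true property mentioned in the answer.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(loadCrls(crlPaths))));

        PKIXRevocationChecker checker = (PKIXRevocationChecker)
                CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options =
                EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS); // CRLs before OCSP
        if (softFail) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(options);
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX TrustManagerFactory returned no X509TrustManager");
    }

    // Usage sketch: load a trust store, then build the trust manager for an SSLContext.
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());          // args: truststore, password, crl...
        }
        X509TrustManager tm = build(ts, Arrays.asList(args).subList(2, args.length), false);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        System.out.println("trust manager ready with " + tm.getAcceptedIssuers().length
                + " accepted issuers");
    }
}
```

Keep `softFail` false wherever the peer's identity matters; enabling it turns "revocation unknown" into "accepted", so if you do use it, read `checker.getSoftFailExceptions()` after validation and log those entries, since they are the only record that a certificate got through without a revocation decision.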