2014-09-23 86 views
0

How to modify the LDAP connection properties of the LDAPCertStore used for X509 certificate chain validation

I want to validate an X509 certificate chain with sun.security.validator.PKIXValidator, following the Oracle official guide. One of the validation steps is checking the CRL. I am providing an LDAPCertStore to fetch the CRL from LDAP. But LDAPCertStore cannot handle the server closing the connection, because java.security.cert.LDAPCertStoreParameters has no settings for the LDAPConnection.

Is it possible to modify the LDAP connection properties, for example to use LDAP Connection Pooling (system properties do not help; Bouncy Castle has the same implementation regarding the connection)? See the code below to reproduce:

import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;

import org.junit.Test;

public class RevocationListValidationTest {

    @Test
    public void testRevocationListValidation() throws Exception {
        // Trust store holding the CA certificate(s) used as PKIX trust anchors
        String trustStoreFile = "trustStoreFilePath";
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream is = getClass().getResourceAsStream(trustStoreFile);
        if (is == null) {
            throw new FileNotFoundException(String.format("KeyStore file '%s' is not found on classpath", trustStoreFile));
        }
        trustStore.load(is, "password".toCharArray());
        Set<TrustAnchor> trustedAnchors = new HashSet<TrustAnchor>();
        for (String caCertificateAlias : new String[]{"ca"}) {
            X509Certificate certificate = (X509Certificate) trustStore.getCertificate(caCertificateAlias);
            trustedAnchors.add(new TrustAnchor(certificate, null));
        }
        // Revocation checking is enabled by default; CRLs are fetched from the LDAP CertStore
        PKIXParameters parameters = new PKIXParameters(trustedAnchors);
        CertStore certStore = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389));
        parameters.setCertStores(Collections.singletonList(certStore));

        // Key store holding the end-entity certificate chain to validate
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(getClass().getResourceAsStream("keystore.jks"), "password".toCharArray());

        String keyStoreAlias = "dev-test";
        Certificate[] userCertificateChain = keyStore.getCertificateChain(keyStoreAlias);

        for (int i = 0; i < 3; i++) {
            System.out.println("Starting validation " + i);
            CertPath userCertificatePath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(userCertificateChain));
            CertPathValidator.getInstance("PKIX").validate(userCertificatePath, parameters);
            System.out.println("Validation " + i + " succeeded");
            if (i == 1) {
                System.out.println("Sleeping after second validation");
                TimeUnit.SECONDS.sleep(90); // Server connection timeout ~ 60 sec
            }
        }
    }
}

Sample output:

Starting validation 0
Validation 0 succeeded
Starting validation 1
Validation 1 succeeded
Sleeping after second validation
Starting validation 2
java.security.cert.CertPathValidatorException: java.security.cert.CertStoreException: javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name
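As an added example, not code from the question, the JDK or the linked ticket: one way to tolerate the server-side disconnect shown in the output above is a CertStore wrapper that delegates to the built-in "LDAP" store and, when a lookup fails with a CertStoreException whose cause is a javax.naming.CommunicationException, recreates the delegate once and retries the lookup. The class name ReconnectingLdapCertStore, the one-retry policy, and the assumption that each CertStore.getInstance("LDAP", params) call opens its own LDAP connection are mine; the exception-cause check is based on the exception chain printed in the question.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRL;
import java.security.cert.CRLSelector;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertStoreSpi;
import java.security.cert.Certificate;
import java.security.cert.LDAPCertStoreParameters;
import java.util.Collection;
import javax.naming.CommunicationException;

/**
 * Hypothetical workaround (not part of the JDK): wraps the built-in "LDAP"
 * CertStore and rebuilds it once when a lookup fails because the LDAP server
 * closed the idle connection. PKIX revocation checking then talks to a fresh
 * connection instead of the stale one, while any other failure still propagates.
 */
public final class ReconnectingLdapCertStore extends CertStore {

    /** Builds the wrapper; drop-in replacement for CertStore.getInstance("LDAP", params). */
    public static CertStore create(LDAPCertStoreParameters params)
            throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        ReconnectingSpi spi = new ReconnectingSpi(params);
        return new ReconnectingLdapCertStore(spi, params);
    }

    private ReconnectingLdapCertStore(ReconnectingSpi spi, LDAPCertStoreParameters params) {
        // Report the provider of the wrapped store so callers see the real implementation
        super(spi, spi.delegate.getProvider(), "LDAP", params);
    }

    private static final class ReconnectingSpi extends CertStoreSpi {
        private final LDAPCertStoreParameters params;
        private volatile CertStore delegate;

        ReconnectingSpi(LDAPCertStoreParameters params)
                throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
            super(params);
            this.params = params;
            this.delegate = CertStore.getInstance("LDAP", params);
        }

        // Assumption: a new "LDAP" CertStore instance opens a new LDAP connection
        private CertStore freshDelegate() throws CertStoreException {
            try {
                delegate = CertStore.getInstance("LDAP", params);
                return delegate;
            } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
                throw new CertStoreException("cannot recreate LDAP CertStore", e);
            }
        }

        // Matches the chain seen in the question: CertStoreException caused by CommunicationException
        private static boolean isConnectionFailure(CertStoreException e) {
            return e.getCause() instanceof CommunicationException;
        }

        @Override
        public Collection<? extends Certificate> engineGetCertificates(CertSelector selector)
                throws CertStoreException {
            try {
                return delegate.getCertificates(selector);
            } catch (CertStoreException e) {
                if (!isConnectionFailure(e)) throw e;
                return freshDelegate().getCertificates(selector); // retry exactly once
            }
        }

        @Override
        public Collection<? extends CRL> engineGetCRLs(CRLSelector selector)
                throws CertStoreException {
            try {
                return delegate.getCRLs(selector);
            } catch (CertStoreException e) {
                if (!isConnectionFailure(e)) throw e;
                return freshDelegate().getCRLs(selector); // retry exactly once
            }
        }
    }
}
```

In the test above this replaces `CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389))` with `ReconnectingLdapCertStore.create(new LDAPCertStoreParameters("ldapHost", 389))`. The retry is deliberately limited to one attempt and only for the connection-closed case: if the LDAP server is really unreachable the CertStoreException still surfaces and PKIX validation fails, which is the safe outcome for a revocation check; the wrapper never turns a missing CRL into a successful validation.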

+0

Looks like the root cause: https://stackoverflow.com/questions/8787577/how-to-reconnect-when-the-ldap-server-is-restarted – ichaki5748 2014-09-23 18:23:31

+0

I created a ticket: https://bugs.openjdk.java.net/browse/JDK-8059009 – ichaki5748 2014-10-03 14:12:30

Answer