如何使用BouncyCastle获取根CA和终端实体之间的证书路径?

huangapple go评论46阅读模式
英文:

How to use BouncyCastle to get the certification path between a root CA and an end entity?

问题

我有一个根CA、一组中间CA和一个终端实体。它们都表示为org.bouncycastle.cert.X509CertificateHolder实例。如何获取根和终端实体之间的认证路径(也称为证书链),或者如果找不到路径就获取异常?

这里是如何使用纯Java代码来做的,但由于我已经在使用BouncyCastle,我认为使用BouncyCastle来做这个更高效和可维护 -- 此外,我更喜欢避免在Java和BC证书之间进行转换,以便我可以返回原始证书实例的子集。

我找到了org.bouncycastle.cert.path包,但我不知道它是否能帮助我,也不知道如何使用它(我找不到任何示例)。

请注意,中间证书的集合可以是空的或包含不属于链的多余证书。此外,作为一个集合,它不会有顺序。

英文:

I have a root CA, a set of intermediate CAs and an end entity. All represented as org.bouncycastle.cert.X509CertificateHolder instances. How can I get the certification path (aka certificate chain) between the root and the end entity, or get an exception if no path was found?

Here's how to do it with pure Java code, but since I'm already using BouncyCastle, I think it'd be more performant and maintainable to use BouncyCastle for this too -- Also, I'd prefer to avoid converting between Java and BC certificates so that I can return a subset of the original certificate instances.

I've found the package org.bouncycastle.cert.path but I can't figure out if it'd help me or how to use it (I can't find any examples).

Note that the set of intermediate certificates can be empty or contain superfluous certificates that aren't part of the chain. Also, as a set, it won't be ordered.

答案1

得分: 2

"CertPathBuilder"听起来像是你需要的,因为你没有一个提议的证书链,只有一堆证书。BC提供程序包括一个CertPathBuilder实现(例如CertPathBuilder.getInstance("PKIX", "BC")),可以像你提供的链接中描述的那样使用。

BC的pkix包,虽然有一些暗示性的包名称,但并没有工具来复制CertPathBuilder(可能甚至没有完整的CertPathValidator)。进行一定程度的证书格式转换是现实中的事情;也许在你有一个工作示例之后,可以在BC邮件列表上讨论如何最小化它。

英文:

It sounds like you need a CertPathBuilder since you don't have a proposed chain, just a "pile of certificates". The BC provider includes a CertPathBuilder implementation (e.g. CertPathBuilder.getInstance("PKIX", "BC")), used just as described at the link you gave.

BC's pkix jar, whilst having some suggestively-named packages, doesn't have the tools to replicate a CertPathBuilder (probably not even a complete CertPathValidator). A certain amount of certificate format conversions is a fact of life; there may be ways to minimise it. Perhaps take it up on the BC mailing list once you have a working example.

huangapple
  • 本文由 发表于 2020年7月22日 02:21:26
  • 转载请务必保留本文链接:https://go.coder-hub.com/63020771.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定