PKIXCertPathBuilder fails with Bouncy Castle provider but works with default (SUN) provider

I am using the following code, based on the reference here, to verify an X509Certificate:
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.*;
import java.util.HashSet;
import java.util.Set;

static void verifyCertTrust(X509Certificate certificate, Set<X509Certificate> additionalCerts)
        throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
               CertPathValidatorException, InvalidAlgorithmParameterException, CertPathBuilderException {

    Set<X509Certificate> trustedRoots = new HashSet<X509Certificate>();
    Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();

    // Split the supplied certificates into trust roots (self-signed) and intermediates.
    // isSelfSigned is a helper of the poster's class that is not shown here.
    for (X509Certificate cert : additionalCerts) {
        if (isSelfSigned(cert)) {
            trustedRoots.add(cert);
        } else {
            intermediateCerts.add(cert);
        }
    }

    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate root : trustedRoots) {
        trustAnchors.add(new TrustAnchor(root, null));
    }

    // The target of the path build is the certificate being verified.
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(certificate);

    PKIXParameters parameters = new PKIXBuilderParameters(trustAnchors, selector);
    parameters.setRevocationEnabled(false);
    // Only the intermediates are placed in the CertStore; the target certificate itself is not.
    CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts), "BC");
    parameters.addCertStore(intermediateCertStore);

    CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", "BC");
    cpb.build(parameters);
}

If I drop the "BC" provider when getting the CertPathBuilder instance and let the JVM use the default SUN provider, this works. With the BC provider, however, I get the following exception.

Exception in thread "main" java.security.cert.CertPathBuilderException: No certificate found matching targetContraints.
    at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    at signer.GetPkcs11Key.verifyCertTrust(GetPkcs11Key.java:105)
    at signer.GetPkcs11Key.main(GetPkcs11Key.java:71)

Any ideas how to make this work with the BouncyCastle provider?

The certificate to be verified must also be in the CertStore in your example, so add:

parameters.setRevocationEnabled(false);
// Add the certificate being verified to the cert store
intermediateCerts.add(certificate);
CertStore intermediateCertStore = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(intermediateCerts), "BC");
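As an added example (not code from the question or the answer), a stand-alone program that issues a constructed two-certificate chain with Bouncy Castle's bcpkix API and runs the path build three ways: it shows that the BC builder only succeeds once the target certificate is in the CertStore, while the SUN builder succeeds without it. It assumes bcprov and bcpkix on the classpath; the class name and the DNs are made up.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class BcPathBuildDemo {
    // Issue a certificate for subjectKey signed by issuerKey (self-signed when issuer and subject match).
    static X509Certificate issue(String issuer, PrivateKey issuerKey, String subject, PublicKey subjectKey) throws Exception {
        Date from = new Date(), to = new Date(from.getTime() + 86_400_000L);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                new JcaX509v3CertificateBuilder(new X500Name(issuer), BigInteger.valueOf(System.nanoTime()),
                        from, to, new X500Name(subject), subjectKey)
                        .build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey)));
    }

    // Try to build a path from target to root with the named provider. includeTarget controls whether the
    // target certificate itself is put in the CertStore, which is the change the answer above suggests.
    static boolean buildsPath(String provider, X509Certificate target, X509Certificate root, boolean includeTarget) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(root, null)), selector);
        params.setRevocationEnabled(false);
        List<X509Certificate> store = new ArrayList<>();   // any intermediates would go here as well
        if (includeTarget) store.add(target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(store), provider));
        try {
            CertPathBuilder.getInstance("PKIX", provider).build(params);
            return true;
        } catch (CertPathBuilderException e) {
            return false;   // with BC this is the "No certificate found matching targetContraints" case
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rootKp = kpg.generateKeyPair(), leafKp = kpg.generateKeyPair();
        // Constructed demo chain: a self-signed root and one leaf certificate it issued.
        X509Certificate root = issue("CN=Demo Root", rootKp.getPrivate(), "CN=Demo Root", rootKp.getPublic());
        X509Certificate leaf = issue("CN=Demo Root", rootKp.getPrivate(), "CN=Demo Leaf", leafKp.getPublic());
        System.out.println("BC,  target not in store: " + buildsPath("BC", leaf, root, false));
        System.out.println("BC,  target in store:     " + buildsPath("BC", leaf, root, true));
        System.out.println("SUN, target not in store: " + buildsPath("SUN", leaf, root, false));
    }
}
```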