Checking client certificate revocation with OCSP

If I only have the client's java.security.cert.X509Certificate, how can I manually check the certificate's revocation status in Java using OCSP? I can't see a clear way to do this.

Alternatively, I could let Tomcat do it for me automatically; but then how do you know your solution really works?

I found the best solution:

http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html

    /**
     * This is a class that checks the revocation status of a certificate(s) using
     * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
     * the CertPathValidator framework. It is useful when you want to
     * just check the revocation status of a certificate, and you don't want to
     * incur the overhead of validating all of the certificates in the
     * associated certificate chain.
     *
     * @author Sean Mullan
     */

It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does exactly this!

Here is the relevant code from Jetty 7, which takes the chain of certificates from the servlet request and validates them through the certpath API with OCSP:

http://grepcode.com/file/repo1.maven.org/maven2/org.eclipse.jetty/jetty-util/7.4.0.v20110414/org/eclipse/jetty/util/security/CertificateValidator.java#189

It seems there is a Tomcat patch here to enable OCSP validation.

If you choose to do this manually:

    import java.security.Security;

    Security.setProperty("ocsp.enable", "true");

Or set it via a command-line argument. See here:

The value of this property is true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if set to false or not set, OCSP checking is disabled.

Here is some code I found useful:

    import java.security.GeneralSecurityException;
    import java.security.cert.CertPath;
    import java.security.cert.CertPathValidator;
    import java.security.cert.CertPathValidatorException;
    import java.security.cert.PKIXCertPathValidatorResult;
    import java.security.cert.PKIXParameters;
    import java.security.cert.X509Certificate;
    import java.util.logging.Logger;

    // getRootCause comes from Apache Commons Lang (commons-lang3 assumed here)
    import org.apache.commons.lang3.exception.ExceptionUtils;

    interface ValidationStrategy {
        boolean validate(X509Certificate certificate, CertPath certPath, PKIXParameters parameters)
                throws GeneralSecurityException;
    }

    class SunOCSPValidationStrategy implements ValidationStrategy {
        // The original used a project-specific Signature.LOG; a JDK logger is used here instead
        private static final Logger LOG = Logger.getLogger(SunOCSPValidationStrategy.class.getName());

        @Override
        public boolean validate(X509Certificate certificate, CertPath certPath, PKIXParameters parameters)
                throws GeneralSecurityException {
            try {
                // With ocsp.enable=true and parameters.isRevocationEnabled(), the PKIX
                // validator consults the OCSP responder while walking the chain
                CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(certPath, parameters);
                LOG.fine("Validation result is: " + result);
                return true; // if no exception is thrown
            } catch (CertPathValidatorException cpve) {
                // If the exception is (or is caused by) CertificateRevokedException, return false;
                // otherwise re-throw, because this indicates a failure to perform the validation
                Throwable cause = ExceptionUtils.getRootCause(cpve);
                Class<?> exceptionClass = cause != null ? cause.getClass() : cpve.getClass();
                if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                    return false;
                }
                throw cpve;
            }
        }
    }
    import org.bouncycastle.util.io.pem.PemReader;
    import sun.security.provider.certpath.OCSP;
    import sun.security.x509.X509CertImpl;

    import java.io.IOException;
    import java.io.StringReader;
    import java.net.URI;
    import java.nio.charset.StandardCharsets;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.security.cert.CertPathValidatorException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import java.util.Date;

    public class OcspTest {

        public void test() throws IOException, CertPathValidatorException, CertificateException {
            X509Certificate userCert = getX509Cert("path_to_user_cert");
            X509Certificate caCert = getX509Cert("path_to_CA_cert");
            // Replace with the responder URL; it can also be read from the user cert's
            // AuthorityInfoAccess extension
            String ocspUrl = "URL to OCSP, but this can be read from USER Cert(AuthorityInfoAccess) As well";
            // Arguments: certificate to check, its issuer, responder URI, responder cert, check date
            OCSP.RevocationStatus ocsp = OCSP.check(userCert, caCert, URI.create(ocspUrl), caCert, new Date());
            System.out.println(ocsp);
        }

        // Reads a PEM-encoded certificate and parses its DER content
        private X509CertImpl getX509Cert(final String path) throws CertificateException, IOException {
            String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
            try (PemReader reader = new PemReader(new StringReader(pem))) {
                return new X509CertImpl(reader.readPemObject().getContent());
            }
        }
    }
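The same check done through the public CertPath API rather than the JDK-internal sun.security.provider.certpath.OCSP class (which later JDKs no longer export). This is an added example, not code from the question or answers; it assumes Java 8 or newer, network access to the responder named in the leaf certificate's Authority Information Access extension, and two certificate files passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collections;
import java.util.EnumSet;

/** Added example: OCSP revocation check of one end-entity cert via PKIXRevocationChecker. */
public class OcspRevocationCheck {
    public enum Status { GOOD, REVOKED, UNDETERMINED }

    // issuer is used as the trust anchor, so only the leaf is validated and its OCSP
    // status queried; pass the real root plus intermediates to validate a whole chain.
    public static Status check(X509Certificate leaf, X509Certificate issuer)
            throws GeneralSecurityException {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // ONLY_END_ENTITY: check just the leaf; NO_FALLBACK: never fall back to CRLs silently.
        // SOFT_FAIL is deliberately absent: an unreachable responder must not look like GOOD.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(issuer, null)));
        params.addCertPathChecker(rc); // replaces the provider's default revocation checker
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(leaf));
        try {
            cpv.validate(path, params);
            return Status.GOOD;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Status.UNDETERMINED; // no usable OCSP answer: treat as not trusted
            }
            throw e; // the chain itself is bad (signature, validity period, name chaining)
        }
    }

    // Loads a PEM or DER certificate with the JDK alone; no BouncyCastle needed
    static X509Certificate load(String path) throws GeneralSecurityException, IOException {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage (assumed arguments): java OcspRevocationCheck <leaf.pem> <issuer.pem>
    public static void main(String[] args) throws Exception {
        System.out.println(check(load(args[0]), load(args[1])));
    }
}
```

Unlike the ocsp.enable property, which only switches the provider's default checker, the options set on the PKIXRevocationChecker make the failure mode explicit, so a responder outage surfaces as UNDETERMINED instead of passing silently.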