Java 安全套接字中的 OCSP 检查

如果我设置了 Security.setProperty("ocsp.enable", "true")，SSLSocket 和 SSLServerSocket 连接是否会自动使用 OCSP 检查证书吊销状态？

创建套接字时是否必须手动执行OCSP检查? (我没有使用CRL。)

你可以使用下面这个 TrustManager 实现；它基于 Xuelei Fan 博客中的 OCSP 检查代码，我已经用它做了一些测试。

我已经用 Netty（基于其 HttpSnoopClient 示例）访问了 https://www.mozilla.org/en-US/，它可以正常工作。

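 import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * TrustManager that verifies server certificates with PKIX path validation plus
 * OCSP / CRLDP revocation checking, following the code found at
 * https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
 *
 * <p>Trust anchors are taken from the JDK's own {@code cacerts} store. Any
 * validation failure (untrusted chain, revoked certificate, responder or
 * key-store error) is reported to the TLS stack as a {@link CertificateException},
 * which aborts the handshake. Simply logging such failures and returning normally
 * would make every server certificate acceptable, so this class never does that.
 *
 * <p>Intended for the client side of a connection: client certificates are not
 * validated by this factory (see {@code checkClientTrusted}).
 */
public class OCSPTrustManagerFactory extends SimpleTrustManagerFactory {
    private static final InternalLogger logger =
            InternalLoggerFactory.getInstance(OCSPTrustManagerFactory.class);

    public static final TrustManagerFactory INSTANCE = new OCSPTrustManagerFactory();

    /** Default integrity password of the JDK-shipped {@code cacerts} key store. */
    private static final String CACERTS_PASSWORD = "changeit";

    private static final TrustManager tm = new X509TrustManager() {
        /**
         * Performs no validation: this factory is meant for the client side, where
         * the JSSE does not call this method. If the factory were installed on a
         * server it would accept any client certificate.
         */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String s) {
            OCSPTrustManagerFactory.logger.debug("Accepting a client certificate: " + chain[0].getSubjectDN());
        }

        /**
         * Validates the presented server chain against the JDK trust anchors with
         * revocation checking (OCSP, then CRL distribution points) enabled.
         *
         * @param chain the certificate chain sent by the server, leaf first
         * @param s the authentication type (unused)
         * @throws CertificateException if the chain is empty, cannot be built or
         *         validated, or if the trust anchors cannot be loaded; the TLS
         *         handshake fails as a result
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String s)
                throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("Empty server certificate chain");
            }
            logger.debug("Certs size:{}", chain.length);
            logger.debug("Accepting a server certificate:{} ", chain[0].getSubjectDN());
            // if you work behind proxy, configure the proxy.
            // System.setProperty("http.proxyHost", "proxyHost");
            // System.setProperty("http.proxyPort", "proxyPort");
            try {
                CertPath path = generateCertificatePath(chain);
                Set<TrustAnchor> anchors = generateTrustAnchors();
                PKIXParameters params = new PKIXParameters(anchors);
                // Activate certificate revocation checking
                params.setRevocationEnabled(true);
                // Activate OCSP
                Security.setProperty("ocsp.enable", "true");
                // Activate CRLDP
                System.setProperty("com.sun.security.enableCRLDP", "true");
                // Ensure that the ocsp.responderURL property is not set: the responder
                // must be the one named in the certificate, not a global override.
                if (Security.getProperty("ocsp.responderURL") != null) {
                    throw new CertificateException("The ocsp.responderURL property must not be set");
                }
                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
                validator.validate(path, params);
                logger.info("OCSP validation successful for Server certificate: {}", chain[0].getSubjectDN());
            } catch (CertificateException ex) {
                logger.error("Exception checking Server certificates", ex);
                throw ex;
            } catch (GeneralSecurityException | IOException ex) {
                // Path validation, parameter and key-store errors must fail the
                // handshake; swallowing them here would accept the certificate.
                logger.error("Exception checking Server certificates", ex);
                throw new CertificateException("Server certificate validation failed", ex);
            }
        }

        /** No issuers are advertised; this factory does not request client certificates. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return EmptyArrays.EMPTY_X509_CERTIFICATES;
        }
    };

    /**
     * Builds a {@link CertPath} from the certificates in the order presented.
     *
     * @param certs chain as received from the peer, leaf first
     * @return the corresponding X.509 certification path
     * @throws CertificateException if the path cannot be generated
     */
    private static CertPath generateCertificatePath(X509Certificate[] certs)
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertPath(Arrays.asList(certs));
    }

    /**
     * Loads the most-trusted CAs from the JDK's {@code cacerts} key store.
     *
     * @return the trust anchors contained in {@code $JAVA_HOME/lib/security/cacerts}
     * @throws GeneralSecurityException if the key store cannot be instantiated or read
     * @throws IOException if the file cannot be opened or its integrity check fails
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws GeneralSecurityException, IOException {
        // Load the JDK's cacerts keystore file
        File cacerts = new File(System.getProperty("java.home"),
                "lib/security/cacerts".replace('/', File.separatorChar));
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream is = new FileInputStream(cacerts)) {
            keystore.load(is, CACERTS_PASSWORD.toCharArray());
        }
        // PKIXParameters(KeyStore) extracts the trusted certificate entries
        PKIXParameters params = new PKIXParameters(keystore);
        return params.getTrustAnchors();
    }

    private OCSPTrustManagerFactory() {
    }

    /** The supplied key store is ignored; anchors always come from {@code cacerts}. */
    @Override
    protected void engineInit(KeyStore keyStore) throws Exception {
        logger.debug("KeyStore is: {}", keyStore);
    }

    /** No parameters are supported; they are ignored. */
    @Override
    protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws Exception {
    }

    @Override
    protected TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{tm};
    }
}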

我相信这里的示例代码同样可以用于 SSLSocket。