How to modify the LDAP connection properties used by LDAPCertStore for X.509 certificate chain validation
Problem description:
I want to validate an X.509 certificate chain with sun.security.validator.PKIXValidator according to the Oracle official guide. One of the steps in the validation is checking the CRL. I am providing an LDAPCertStore to fetch the CRL from LDAP. But LDAPCertStore cannot handle the server closing the connection, because java.security.cert.LDAPCertStoreParameters has no settings for the LDAPConnection.
Is there any possibility to modify the LDAP connection properties, for example to use LDAP Connection Pooling (system properties do not help, and Bouncy Castle has the same implementation regarding the connection)? See the code below to reproduce:
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.junit.Test;

@Test
public void testRevocationListValidation() throws Exception {
    // Trust store holding the CA certificate(s) used as trust anchors
    String trustStoreFile = "trustStoreFilePath";
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream is = getClass().getResourceAsStream(trustStoreFile);
    if (is == null) {
        throw new FileNotFoundException(String.format("KeyStore file '%s' is not found on classpath", trustStoreFile));
    }
    trustStore.load(is, "password".toCharArray());
    Set<TrustAnchor> trustedAnchors = new HashSet<TrustAnchor>();
    for (String caCertificateAlias : new String[]{"ca"}) {
        X509Certificate certificate = (X509Certificate) trustStore.getCertificate(caCertificateAlias);
        trustedAnchors.add(new TrustAnchor(certificate, null));
    }
    // Revocation checking is enabled by default; the CRL is fetched through the LDAP CertStore
    PKIXParameters parameters = new PKIXParameters(trustedAnchors);
    CertStore certStore = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389));
    parameters.setCertStores(Collections.singletonList(certStore));

    // End-entity chain to validate
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(getClass().getResourceAsStream("keystore.jks"), "password".toCharArray());
    String keyStoreAlias = "dev-test";
    Certificate[] userCertificateChain = keyStore.getCertificateChain(keyStoreAlias);

    for (int i = 0; i < 3; i++) {
        System.out.println("Starting validation " + i);
        CertPath userCertificatePath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(userCertificateChain));
        CertPathValidator.getInstance("PKIX").validate(userCertificatePath, parameters);
        System.out.println("Validation " + i + " succeeded");
        if (i == 1) {
            System.out.println("Sleeping after second validation");
            TimeUnit.SECONDS.sleep(90); // Server connection timeout ~ 60 sec
        }
    }
}
Sample output:
Starting validation 0
Validation 0 succeeded
Starting validation 1
Validation 1 succeeded
Sleeping after second validation
Starting validation 2
java.security.cert.CertPathValidatorException: java.security.cert.CertStoreException: javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name
Looks like the root cause: https://stackoverflow.com/questions/8787577/how-to-reconnect-when-the-ldap-server-is-restarted – ichaki5748 2014-09-23 18:23:31
I created a ticket: https://bugs.openjdk.java.net/browse/JDK-8059009 – ichaki5748 2014-10-03 14:12:30
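Since LDAPCertStoreParameters exposes no connection settings, one way to keep control of the LDAP connection (timeouts, pooling, and a fresh connection per validation) is to fetch the CRL yourself over JNDI and hand it to PKIX through a Collection CertStore instead of the LDAP CertStore. The following is an added example, not code from the question or from the JDK; the host "ldapHost", the CRL entry DN "cn=ca,ou=crl,dc=example,dc=com", the trust-anchor set and the certificate chain are placeholders that must be supplied by the caller. The attribute name certificateRevocationList;binary is the standard LDAP schema attribute for CRLs, and the com.sun.jndi.ldap.* environment keys are the JDK's documented JNDI LDAP provider properties.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class CrlFetchingValidator {

    // Placeholder values (assumptions, not taken from the question)
    private static final String LDAP_URL = "ldap://ldapHost:389";
    private static final String CRL_DN = "cn=ca,ou=crl,dc=example,dc=com";
    private static final String CRL_ATTRIBUTE = "certificateRevocationList;binary";

    /**
     * Opens a new LDAP connection, reads the DER-encoded CRL from the CA's entry
     * and closes the connection again. Because the context is created per call,
     * a server-side idle timeout between validations can never leave a stale
     * socket behind, which is the failure mode the LDAP CertStore runs into.
     */
    public static X509CRL fetchCrl() throws Exception {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Connection properties the LDAP CertStore does not let you set:
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");  // ms to establish TCP connection
        env.put("com.sun.jndi.ldap.read.timeout", "10000");    // ms to wait for a response
        env.put("com.sun.jndi.ldap.connect.pool", "true");     // use the JNDI LDAP connection pool

        DirContext ctx = new InitialDirContext(env);
        try {
            Attribute attr = ctx.getAttributes(CRL_DN, new String[]{CRL_ATTRIBUTE}).get(CRL_ATTRIBUTE);
            if (attr == null) {
                throw new IllegalStateException("No " + CRL_ATTRIBUTE + " on " + CRL_DN);
            }
            byte[] der = (byte[]) attr.get();
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509CRL) cf.generateCRL(new ByteArrayInputStream(der));
        } finally {
            ctx.close(); // returns the connection to the pool, or closes it
        }
    }

    /**
     * Validates the chain with revocation checking against a freshly fetched CRL.
     * The CRL is served to PKIX from an in-memory Collection CertStore, so the
     * validator itself never opens an LDAP connection.
     */
    public static PKIXCertPathValidatorResult validateWithFreshCrl(CertPath chain, Set<TrustAnchor> anchors)
            throws Exception {
        X509CRL crl = fetchCrl();
        CertStore crlStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl)));

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);   // default, stated explicitly: an unavailable CRL fails validation
        params.addCertStore(crlStore);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(chain, params);
    }
}
```

The PKIX validator still verifies the CRL's signature against the issuing CA and checks its validity period, so fetching it over a fresh connection does not weaken the check; it only moves the connection handling out of the JDK's LDAPCertStore and into code you can configure. Refetching on every validation also means a CRL that has been replaced on the server is picked up immediately rather than served from a cached connection's state.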