本文主要是介绍JAVA获取服务器证书以及请求OCSP查询证书状态,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
应用场景:leader需要做个监控程序扫描自己网站的服务器证书状态是否符合设置,出现异常则发短信/Email给管理人员。
假设我们要监控的URL是https://baidu.com,首先使用URL建立https通道,连接正常则服务器会发送证书回客户端。
JAVA需要用到的jar包,bouncy castle相关的包,大家自行下载。maven配置:
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15on</artifactId><version>${bouncycastle.version}</version></dependency><dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk15on</artifactId><version>${bouncycastle.version}</version></dependency><dependency><groupId>org.bouncycastle</groupId><artifactId>bcmail-jdk15on</artifactId><version>${bouncycastle.version}</version></dependency><dependency><groupId>org.bouncycastle</groupId><artifactId>bctls-jdk15on</artifactId><version>${bouncycastle.version}</version></dependency><dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-ext-jdk15on</artifactId><version>${bouncycastle.version}</version></dependency><dependency><groupId>org.bouncycastle</groupId><artifactId>bcpg-jdk15on</artifactId><version>${bouncycastle.version}</version></dependency>获取服务器证书代码如下:
public List<X509Certificate> getServerCertificates(String url) {try {// http转httpsif (url.startsWith("http:")) {url = url.replace("http", "https");} else if (url.indexOf("http") < 0) {url = "https://" + url;}
// enableTLSChainTesting(false);ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();URL urlConnect = new URL(url);HttpsURLConnection conn = (HttpsURLConnection) urlConnect.openConnection();// 设置请求基本属性conn.setRequestProperty("accept", "*/*");conn.setRequestProperty("connection", "Keep-Alive");conn.setRequestProperty("user-agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)");//创建sslsocket通道conn.setSSLSocketFactory(createSSLFactory());conn.connect();if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {Certificate[] certs = conn.getServerCertificates();for (Certificate cert : certs) {if (cert instanceof X509Certificate) {list.add((X509Certificate) cert);} else {logger.info("Unsupported certificate type. type=" + cert.getClass().getName());}}return list;}return null;} catch (SSLHandshakeException se) {// 无法验证throw new MonitorException(se.getMessage(), se.getCause());} catch (Exception e) {throw new MonitorException(e.getMessage());}}在上面代码中需要创建SSLSocket,需要有个可信任源来验证服务器证书。如果没有信任源则会产生此类错误,unable to find valid certification path to requested target
下面是创建信任源以及返回sslsocket的两种方式:
public SSLSocketFactory createSSLFactory() {try {//此类型自己创建一个类实现TrustManager亦可在实现类里判断SSLContext sc = SSLContext.getInstance("TLS");sc.init(null, new TrustManager[] { new TrustAllX509TrustManager() }, new java.security.SecureRandom());return sc.getSocketFactory();/*//此类型自己创建jks文件导入信任证书KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());InputStream is =getClass().getClassLoader().getResourceAsStream("config/webtrust.jks");keystore.load(is, null);TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());tmf.init(keystore); SSLContext ctx = SSLContext.getInstance("SSL");ctx.init(null, tmf.getTrustManagers(), null); SSLSocketFactory sf =ctx.getSocketFactory();return sf;*/} catch (Exception e) {e.printStackTrace();}return null;}我这里业务需求需要信任所有证书,否则服务器证书过期,则获取不到certificates,出现握手错误。
TrustAllX509TrustManager.java如下:
class TrustAllX509TrustManager implements X509TrustManager {public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[0];}public void checkClientTrusted(java.security.cert.X509Certificate[] certs,String authType) {}public void checkServerTrusted(java.security.cert.X509Certificate[] certs,String authType) {}}到目前为止,则可以获取服务器的证书了。
验证证书吊销状态在CA机构的CRL文件可以验证,但是想要获取证书的即时状态就需要访问CA机构的OCSP服务了。
CA机构的OCSP服务地址一般都是在证书上面的,如图:
那我们怎么通过代码获取到该扩展项并且去请求OCSP服务地址来验证证书呢?
首先将获取回来的证书强转到X509Certificate格式,然后获取证书的der格式证书,然后再获取扩展项
使用扩展项可以获取到颁发者机构信息,再根据特定的OID获取URL。代码如下:
TBSCertificate tbs = TBSCertificate.getInstance(cert.getTBSCertificate());Extensions extensions = tbs.getExtensions();AuthorityInformationAccess access = AuthorityInformationAccess.fromExtensions(extensions);AccessDescription[] descs = access.getAccessDescriptions();for (AccessDescription desc : descs) {if (desc.getAccessMethod().getId().equalsIgnoreCase("1.3.6.1.5.5.7.48.1")) {ocspUrl = desc.getAccessLocation().getName().toString();}}到这里就能获取到证书上面CA机构的OCSP服务器地址。
还需要创建OCSP request去请求,所有CA机构的OCSP服务器都是按照RCF6960协议来进行定义的,需要了解的朋友可以看下
https://www.rfc-editor.org/rfc/pdfrfc/rfc6960.txt.pdf
具体可以参考4.1.1的ocsp request的参数结构。
public static OCSPReq buildOCSPRequest(final X509Certificate x509Certificate, final X509Certificate issuerX509Certificate) {try {CertificateID certId = new CertificateID((new BcDigestCalculatorProvider()).get(CertificateID.HASH_SHA1),new X509CertificateHolder(issuerX509Certificate.getEncoded()),x509Certificate.getSerialNumber());final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();ocspReqBuilder.addRequest(certId);final OCSPReq ocspReq = ocspReqBuilder.build();return ocspReq;} catch (Exception e) {e.printStackTrace();}return null; }贴下我这边的请求创建,对这块的了解也是初始阶段,有熟悉的老铁可以交流交流。
具体的请求:
使用http协议和get请求,将得到的ocsp request进行URLDecode,具体的意思英文不好的同学自己google翻译下。请求服务器返回的流反序列化成OCSPResp对象。这个对象是在bouncycastle包里面的。
下面是对OCSPResp对象的解析操作。判断证书处于哪个状态。
if (OCSPResp.SUCCESSFUL == ocspResp.getStatus()) {// 连接成功BasicOCSPResp basic = (BasicOCSPResp) ocspResp.getResponseObject();SingleResp[] resps = basic.getResponses();if (resps != null && resps.length == 1) {SingleResp resp = resps[0];CertificateStatus certStatus = resp.getCertStatus();if (certStatus == CertificateStatus.GOOD) {// 证书正常状态gdcaCertResp.setStatus(OcspResp.CERT_STATUS_GOOD);} else {if (certStatus instanceof RevokedStatus) {// 证书吊销gdcaCertResp.setStatus(OcspResp.CERT_STATUS_REVOKED);gdcaCertResp.setRevokeTime(((RevokedStatus) certStatus).getRevocationTime());logger.warn("The Certificate was revoked!revokedTime:{}", gdcaCertResp.getRevokeTime());} else if (certStatus instanceof UnknownStatus) {gdcaCertResp.setStatus(OcspResp.CERT_STATUS_UNKNOWN);}}}}到这里就完成了获取服务器证书和验证服务器证书的操作了。
这篇关于JAVA获取服务器证书以及请求OCSP查询证书状态的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
