Java X509证书解析和验证

Java X509证书解析和验证



I'm trying to process X509 certificates in several steps and running into a couple of problems. I'm new to JCE so I not completely up to date on everything yet.

我们希望能够根据不同的编码解析几个不同的X509证书(PEM, DER和PCKS7)。我使用FireFox(包括证书链)以PEM和PCKS7格式从 导出相同的证书。我已经留下了几行不需要的问题

We want to be able to parse several different X509 certificates based on different encodings (PEM, DER and PCKS7). I've exported the same certificate from in PEM and PCKS7 format using FireFox (certificate including chain). I've left couple lines out that are not needed for the questions

public List<X509Certificate> parse(FileInputStream fis) {  
     * Generate a X509 Certificate initialized with the data read from the inputstream. 
     * NOTE: Generation fails when using BufferedInputStream on PKCS7 certificates.
    List<X509Certificate> certificates = null;
      log.debug("Parsing new certificate.");
      certificates = (List<X509Certificate>) cf.generateCertificates(fis);
    return certificates;


This code is working fine aslong as I work with a FileInputStream instead of a BufferedInputStream for PCKS7, which is quite strange already I think? But I can live with it.

2)使用OCSP验证证书链(如果证书中没有找到OCSP URL,则回退到CRL)。这是我不完全确定如何处理这个问题的地方。

The next step is to validate these certificate chains. 1) Check if all certificates have a valid date (easy) 2) Validate certificate chain using OCSP (and fallback to CRL if no OCSP URL is found in the certificate). This is where I'm not completely sure how to handle this.

我正在使用Sun JCE,但似乎没有那么多可用的文档(在示例中)为此?

I'm using the Sun JCE, but it seems there is not that much documentation available (in examples) for this?

我首先做了一个简单的实现,只检查链而不经过OCSP / CRL检查。

I first made a simple implementation that only checks the chain without going through the OCSP/CRL checks.

private Boolean validateChain(List<X509Certificate> certificates) {
    PKIXParameters params;
    CertPath certPath;
    CertPathValidator certPathValidator;
    Boolean valid = Boolean.FALSE;

    params = new PKIXParameters(keyStore);

    certPath = cf.generateCertPath(certificates);
    certPathValidator = CertPathValidator.getInstance("PKIX");

    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)  
    certPathValidator.validate(certPath, params);

      if(null != result) {
        valid = Boolean.TRUE;
    return valid;


This is working fine for my PEM certificate, but not for the PCKS7 certificate (same certifcate, only exported in other format). Path does not chain with any of the trust anchors.


The only difference I'm able to see is that the order in which the CertPath is formed is not the same? I was not able to figure out what was going wrong so I left this for now and kept on going with the PEM certificate, but lets call this QUESTION 1 ;)

显然,如果我使用以下命令启用OCSP: Security.setProperty(ocsp.enable,true); 并设置 params.setRevocationEnabled(true);
它应该能够自己找到OCSP URL,但似乎并非如此。应该做的标准实现是什么(问题2)?必须指定OCSP响应者的位置

What I wanted to implement afterwards was the OCSP checking. Apparently if I enable OCSP using: Security.setProperty("ocsp.enable", "true"); and set params.setRevocationEnabled(true); it should be able to find the OCSP URL on its own, but that does not seem to be the case. What is the standard implementation supposed to do (QUESTION 2)? Must specify the location of an OCSP Responder


Going past this, I found a way to retrieve the OCSP url from the certificate using AuthorityInfoAccessExtension and such.


But after setting the OCSP url manually in the ocsp.url property, I'm getting an OCSP response error: UNAUTHORIZED

似乎我错过了很多必要的步骤,而很多在线参考文献都说设置 ocsp.enable 属性应该只需要做什么?

It seems like I'm missing a lot of necessary steps while alot of online references say setting the ocsp.enable property should be all you need to do?


Perhaps any of you whizkids cant guide me through the process a little bit? Show me where I'm completely wrong :)


The next step would be implementing CRL checks if no OCSP was found, if anyone could point out any example or show me some documentation on this it would also be much appreciated!



Since it's not picking up the properties on its own, I've been trying to set all the properties myself using the following:

    // Activate OCSP
        Security.setProperty("ocsp.enable", "true");
        // Activate CRLDP -- no idea what this is
        Security.setProperty("", "true");

        X509Certificate target = (X509Certificate) certPath.getCertificates().get(0);
        Security.setProperty("ocsp.responderCertIssuerName", target.getIssuerX500Principal().getName());
        Security.setProperty("ocsp.responderCertSubjectName", target.getSubjectX500Principal().getName());
        Security.setProperty("ocsp.responderCertSerialNumber", target.getSerialNumber().toString(16));


Which gives an exception: Cannot find the responder's certificate (set using the OCSP security properties).


For future reference I'll post the answer to my own question (partly atleast)


OCSP and CRL checks are implemented in the standard Java implementation already and there is no need for custom code or other providers (BC, ..). They are disabled by default.


To enable this, you have to atleast set two parameters:

(PKIXParameters or PKIXParameterBuilder) params.setRevocationEnabled(true);
Security.setProperty("ocsp.enable", "true");

当您尝试验证证书路径时,这将激活OCSP检查(PKIXCertPathValidatorResult.validate()) 。

This will activate OCSP checking when you are trying to validate the certificate path (PKIXCertPathValidatorResult.validate()).


When you want to add the fallback check for CRL if no OCSP is available, add an aditional property:

System.setProperty("", "true");


A lot of my problems are happening due to the fact that I have to support different certificate formats (PKCS7, PEM). My implementation works fine for PEM, but since PKCS7 does NOT save ordering of the certificates in the chain it is a bit harder (

X509CertSelector targetConstraints = new X509CertSelector();

// Here's the issue for PKCS7 certificates since they are not ordered,
// but I havent figured out how I can see what the target certificate
// (lowest level) is in the incoming certificates..

PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);   


Hope this will be useful remarks for other people as well, perhaps someone can shed a light on how to find the target certificate in an unordered PKCS7 list?