1 answer in total

  1. # Answer #1

    Although I can see that the JDK provides decent APIs for this, they are all internal. So I ended up using Bouncy Castle

      import java.io.IOException;
      import java.security.cert.X509Certificate;

      import org.bouncycastle.asn1.x509.Extension;
      import org.bouncycastle.asn1.x509.GeneralName;
      import org.bouncycastle.asn1.x509.GeneralSubtree;
      import org.bouncycastle.asn1.x509.NameConstraintValidatorException;
      import org.bouncycastle.asn1.x509.NameConstraints;
      import org.bouncycastle.asn1.x509.PKIXNameConstraintValidator;
      import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
      import org.slf4j.Logger;
      import org.slf4j.LoggerFactory;

      public class NameConstraintCheck {

        // The snippet logs with slf4j-style "{}" placeholders but never declared the logger.
        private static final Logger log = LoggerFactory.getLogger(NameConstraintCheck.class);

        public boolean validateAgainstNamingConstraints(X509Certificate certificate, GeneralName name) {
          // getExtensionValue() returns the DER-encoded OCTET STRING wrapping the extension,
          // or null when the certificate has no nameConstraints extension at all.
          // parseExtensionValue() does not accept null, so check for absence first.
          byte[] extensionValue = certificate.getExtensionValue(Extension.nameConstraints.getId());
          if (extensionValue == null) {
            return true; // no constraints present, nothing to enforce
          }

          NameConstraints nameConstraints;
          try {
            nameConstraints = NameConstraints.getInstance(
                JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
          } catch (IOException e) {
            // Fails open: a malformed nameConstraints extension is treated as "no constraints".
            log.warn("Failed to parse name constraint. Skipping validation. {}", e.getMessage());
            return true;
          }

          if (nameConstraints == null) {
            return true;
          }

          // A fresh validator permits everything. Intersecting narrows the permitted set to the
          // certificate's permitted subtrees; excluded subtrees are simply added to the excluded set.
          var nameConstraintValidator = new PKIXNameConstraintValidator();
          if (nameConstraints.getPermittedSubtrees() != null) {
            nameConstraintValidator.intersectPermittedSubtree(nameConstraints.getPermittedSubtrees());
          }

          if (nameConstraints.getExcludedSubtrees() != null) {
            for (GeneralSubtree excluded : nameConstraints.getExcludedSubtrees()) {
              nameConstraintValidator.addExcludedSubtree(excluded);
            }
          }

          // Both checks throw on a violation; anything else is accepted.
          try {
            nameConstraintValidator.checkPermitted(name);
            nameConstraintValidator.checkExcluded(name);
            return true;
          } catch (NameConstraintValidatorException e) {
            return false;
          }
        }
      }
    

    Usage:

    validateAgainstNamingConstraints(certificate, new GeneralName(GeneralName.dNSName, "test.google.com"))
    validateAgainstNamingConstraints(certificate, new GeneralName(GeneralName.iPAddress, "192.168.111.1"))
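The answer above tests a single name against the constraints carried by a single certificate. In a real chain the nameConstraints extension sits on CA certificates and applies to every certificate issued below them, so a verifier has to accumulate the constraints of each CA (permitted subtrees intersected, excluded subtrees unioned, as RFC 5280 section 6.1.4 step (g) describes) and then test every name the end-entity certificate presents: its subject DN plus each subjectAltName entry. The following is an added example of that, written for this page and not part of the original answer or of Bouncy Castle. It assumes the chain list is ordered leaf first, then each issuer up to the trust anchor; the class and method names (`ChainNameConstraints`, `check`, `leafNames`) are my own.

```java
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.NameConstraintValidatorException;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.asn1.x509.PKIXNameConstraintValidator;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

/**
 * Added example (not from the original answer): enforce the name constraints of
 * every CA in a chain against the leaf certificate, the way RFC 5280 section 6.1
 * does. Assumes the chain is ordered leaf first, then each issuer up to the trust
 * anchor. Class and method names are assumptions of this example.
 */
public final class ChainNameConstraints {

    /** Names the leaf presents: its subject DN plus every subjectAltName entry. */
    static List<GeneralName> leafNames(X509CertificateHolder leaf) {
        List<GeneralName> names = new ArrayList<>();
        // The subject DN is matched against directoryName constraints (RFC 5280 6.1.3 (b)).
        names.add(new GeneralName(leaf.getSubject()));
        GeneralNames san = GeneralNames.fromExtensions(leaf.getExtensions(), Extension.subjectAlternativeName);
        if (san != null) {
            for (GeneralName n : san.getNames()) {
                names.add(n);
            }
        }
        return names;
    }

    /** Returns the violations found; an empty list means the chain is consistent. */
    public static List<String> check(List<X509Certificate> chainLeafFirst) throws CertificateEncodingException {
        List<String> violations = new ArrayList<>();
        PKIXNameConstraintValidator validator = new PKIXNameConstraintValidator();

        // Accumulate along the CAs: permitted subtrees are intersected, excluded subtrees
        // are unioned (RFC 5280 6.1.4 (g)). A CA without the extension contributes nothing.
        for (int i = 1; i < chainLeafFirst.size(); i++) {
            X509CertificateHolder ca = new JcaX509CertificateHolder(chainLeafFirst.get(i));
            Extension ext = ca.getExtension(Extension.nameConstraints);
            if (ext == null) {
                continue;
            }
            if (!ext.isCritical()) {
                // RFC 5280 4.2.1.10 requires the extension to be critical; record it, but still enforce it.
                violations.add("nameConstraints is not marked critical in " + ca.getSubject());
            }
            NameConstraints nc = NameConstraints.getInstance(ext.getParsedValue());
            if (nc.getPermittedSubtrees() != null) {
                validator.intersectPermittedSubtree(nc.getPermittedSubtrees());
            }
            if (nc.getExcludedSubtrees() != null) {
                for (GeneralSubtree excluded : nc.getExcludedSubtrees()) {
                    validator.addExcludedSubtree(excluded);
                }
            }
        }

        // Every name the leaf presents must satisfy the accumulated constraints.
        X509CertificateHolder leaf = new JcaX509CertificateHolder(chainLeafFirst.get(0));
        for (GeneralName name : leafNames(leaf)) {
            try {
                validator.checkPermitted(name);
                validator.checkExcluded(name);
            } catch (NameConstraintValidatorException e) {
                violations.add(name + ": " + e.getMessage());
            }
        }
        return violations;
    }
}
```

Note that if the chain is validated through the JCA `CertPathValidator` (with the JDK's PKIX implementation or Bouncy Castle's provider), name constraints are already enforced as part of path validation; a standalone check like this is only needed when names are being checked outside of that flow, for example against a certificate that has already been accepted.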