Last updated: 2023-11-25 16:12:46
It seems like those options have to be set before the first request has been performed.
Therefore the following code as a standalone Java program throws a CertPathValidatorException: Certificate has been revoked
(tested using OpenJDK 11.0.2 x64 on Windows):
    public static void main(String[] args) {
        validateOnCertificateRevocation(true); // throws CertPathValidatorException
    }
However the following code does not cause any errors/Exceptions:
    public static void main(String[] args) {
        validateOnCertificateRevocation(false);
        validateOnCertificateRevocation(true); // nothing happens
    }
You can see that changing the options after the first request has been processed isn't effective. I assume that those options are processed in a static { ... } block of some certificate validation related class.
If you still want to enable/disable certificate revocation checking on a per-request basis, you can do so by implementing your own X509TrustManager that uses CertPathValidator (for which you can enable/disable certificate revocation checking via PKIXParameters.setRevocationEnabled(boolean)).
Alternatively there is the solution to globally enable certificate revocation checking and explicitly handle the CertificateRevokedException:
    private boolean checkOnCertificateRevocation;

    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        try {
            getDefaultTrustManager().checkServerTrusted(certs, authType);
        } catch (CertificateException e) {
            boolean revoked = getRootCause(e) instanceof CertificateRevokedException;
            // Ignore only a revocation failure, and only when revocation checking is
            // switched off for this request; any other validation error must propagate.
            if (!revoked || checkOnCertificateRevocation) {
                throw e;
            }
        }
    }
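
The first option mentioned in the answer above (an X509TrustManager built on CertPathValidator with PKIXParameters.setRevocationEnabled(boolean)) could look like the following. This is an added example, not code from the original answer; the class name RevocationAwareTrustManager and its constructor parameters are hypothetical, and it assumes a trust store holding at least one CA certificate.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;

// Added example; the class name is hypothetical. Create one instance per request
// so the revocation decision is made per connection rather than JVM-wide.
public final class RevocationAwareTrustManager implements X509TrustManager {
    private final KeyStore trustStore;     // must contain at least one trusted CA certificate
    private final boolean checkRevocation;

    public RevocationAwareTrustManager(KeyStore trustStore, boolean checkRevocation) {
        this.trustStore = trustStore;
        this.checkRevocation = checkRevocation;
    }

    private void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        try {
            // Assumes the peer sent the chain leaf-first, as TLS requires.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(checkRevocation);
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            // Fail closed: every validation error, revocation included, rejects the peer.
            throw new CertificateException("certificate path validation failed", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        validate(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        validate(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
```

Pass an instance to SSLContext.init(null, new TrustManager[] { tm }, null) and use that context's socket factory for the request in question. This covers certificate path validation only; hostname verification stays with the HTTPS client, and the CRL/OCSP sources used when revocation is enabled still come from the JDK configuration or from CertStores added to the PKIXParameters.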