English 中文(简体)
How can I verify that a certificate is an EV certificate with Java?
原标题:

Consider the following sample code which uses a TrustManager to log whether an outgoing connection used a valid certificate (but accept the connection in all cases):

import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class CertChecker implements X509TrustManager {

    private final X509TrustManager defaultTM;

    public CertChecker() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore)null);
        defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
        if (defaultTM != null) {
            try {
                defaultTM.checkServerTrusted(certs, authType);
                System.out.println("Certificate valid");
            } catch (CertificateException ex) {
                System.out.println("Certificate invalid: " + ex.getMessage());
            }
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
    public X509Certificate[] getAcceptedIssuers() { return null;}

    public static void main(String[] args) throws Exception {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
        SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
        ((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
    }
}

What do I have to do inside the checkClientTrusted method to check if that certificate is an extended validation certificate (green address bar in modern browsers) or a normal one (yellow address bar)?

edit:

I m trying to get a CertPathValidator working, but somehow I only get exceptions about certificate is not a CA certificate... Any ideas?

edit2: Using PKIXParameters instead of PKIXBuilderParameters

private boolean isEVCertificate(X509Certificate[] certs, String authType) {
    try {
        CertPath cp = new X509CertPath(Arrays.asList(certs));
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);
        PKIXParameters cpp = new PKIXParameters(ks);
        cpp.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");          
        PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(cp, cpp);
        System.out.println(res.getTrustAnchor().getCAName());
        System.out.println(res.getPolicyTree().getValidPolicy());
        System.out.println(cp);
        return false;
    } catch (Exception ex) {
        ex.printStackTrace();
        return false;
    }
}

I am testing against real-world EV certificates. The code now works with www.paypal.com (in the sense that it does not throw an exception), but does not work with banking.dkb.de. :-(

But even with Paypal.com the trust anchor getCAName returns null, so how can I know against which CA it was validated so that I can look up the right EV policy?

最佳回答

I finally got it to work... A running minimal example that shows all the logic and checks is below. And yes, it works for banking.dkb.de :-)

Thanks to all of you who helped me. Any comments about blatant security holes or anything else (except the code style or missing error handling; I tried hard to condense my code to the absolute minimum of runnable code) are welcome, so feel free to comment :)

import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;

import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class CertChecker implements X509TrustManager {

    private final X509TrustManager defaultTM;

    public CertChecker() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore)null);
        defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
        if (defaultTM != null) {
            try {
                defaultTM.checkServerTrusted(certs, authType);
                if (isEVCertificate(certs))
                    System.out.println("EV Certificate: "+ certs[0].getSubjectX500Principal().getName() + " issued by " + certs[0].getIssuerX500Principal().getName());                    
                System.out.println("Certificate valid");
            } catch (CertificateException ex) {
                System.out.println("Certificate invalid: " + ex.getMessage());
            }
        }
    }

    private boolean isEVCertificate(X509Certificate[] certs) {
        try {
            // load keystore with trusted CA certificates
            KeyStore cacerts = KeyStore.getInstance("JKS");
            cacerts.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);

            // build a cert selector that selects the first certificate of the certificate chain
            // TODO we should verify this against the hostname...
            X509CertSelector targetConstraints = new X509CertSelector();
            targetConstraints.setSubject(certs[0].getSubjectX500Principal());

            // build a cert path from our selected cert to a CA cert
            PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, targetConstraints);        
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs))));
            params.setRevocationEnabled(false);
            CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();

            // validate the cert path
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
            return isEV(result);
        } catch (Exception ex) {
            ex.printStackTrace();
            return false;
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
    public X509Certificate[] getAcceptedIssuers() { return null;}

    public static void main(String[] args) throws Exception {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
        SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
        ((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
    }

    private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();

    static {
        // It would make sense to populate this map from Properties loaded through 
        // Class.getResourceAsStream().
        policies.put(
                new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"), 
                "2.16.840.1.113733.1.7.23.6"
        );
        // TODO add more certificates here
    }

    // based on http://stackoverflow.com/questions/1694466/1694720#1694720
    static boolean isEV(PKIXCertPathValidatorResult result)
    {
        // Determine the policy to look for.
        X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        System.out.println("[Debug] Found root DN: "+root.getName());
        String policy = policies.get(root);
        if (policy != null)
            System.out.println("[Debug] EV Policy should be: "+policy);

        // Traverse the tree, looking at its "leaves" to see if the end-entity 
        // certificate was issued under the corresponding EV policy.
        PolicyNode tree = result.getPolicyTree();
        if (tree == null)
            return false;
        Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
        stack.push(tree);
        while (!stack.isEmpty()) {
            PolicyNode current = stack.pop();
            Iterator<? extends PolicyNode> children = current.getChildren();
            int leaf = stack.size();
            while (children.hasNext())
                stack.push(children.next());
            if (stack.size() == leaf) {
                System.out.println("[Debug] Found policy: " + current.getValidPolicy());
                // If the stack didn t grow, there were no "children". I.e., the 
                // current node is a "leaf" node of the policy tree.
                if (current.getValidPolicy().equals(policy))
                    return true;
            }
        }
        // The certificate wasn t issued under the authority s EV policy.
        return false;
    }
}
问题回答

First, you ll need a table of issuer names and their corresponding EV policy identifiers.

When a CA issues a certificate, they can note the policy under which they issued the certificate. The identifier for this policy assigned by the issuer, so that s why you need a list of issuers and their EV policies.

Then you ll need to get the policy from the server certificate. Refer to RFC 5280, § 4.1.2.4 to learn more about policies in general and how they work.

You ll need to validate the certificate chain to obtain a PKIXCertPathValidatorResult. Part of the result is a policy tree. You can navigate through the policy tree to determine if it includes the EV policy for the target certificate s issuer.


Here s a detailed example of checking a certificate path result.

private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();

static {
  /* 
   * It would make sense to populate this map from Properties loaded through 
   * Class.getResourceAsStream().
   */
  policies.put(
    new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"), 
    "2.16.840.1.113733.1.7.23.6"
  );
  // ...
}

static boolean isEV(PKIXCertPathValidatorResult result)
{
  /* Determine the policy to look for. */
  X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
  String policy = policies.get(root);
  if (policy == null)
    /* The EV policy for this issuer is unknown (or there is none). */
    return false;
  /* Traverse the tree, looking at its "leaves" to see if the end-entity 
   * certificate was issued under the corresponding EV policy. */
  PolicyNode tree = result.getPolicyTree();
  Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
  stack.push(tree);
  while (!stack.isEmpty()) {
    PolicyNode current = stack.pop();
    Iterator<? extends PolicyNode> children = current.getChildren();
    int leaf = stack.size();
    while (children.hasNext())
      stack.push(children.next());
    if (stack.size() == leaf) {
      /* If the stack didn t grow, there were no "children". I.e., the 
       * current node is a "leaf" node of the policy tree. */
      if (current.getValidPolicy().equals(policy))
        return true;
    }
  }
  /* The certificate wasn t issued under the authority s EV policy. */
  return false;
}

EDIT: Posted addtional code.

If you use Sun s X509 implementation, you can do something like this,

  CertificatePoliciesExtension ext = ((X509CertImpl)cert).getCertificatePoliciesExtension();
  List<PolicyInformation> policies = (List<PolicyInformation>)ext.get(CertificatePoliciesExtension.POLICIES);
  boolean evCert = false;
  for (PolicyInformation info : policies) {
      CertificatePolicyId id = info.getPolicyIdentifier();
      if (isEVPolicy(id)) {
         evCert = true;
         break;                 
      }             
  }

  ......

  public static ObjectIdentifier[] EV_POLICIES;

  static {
      try {
          EV_POLICIES = new ObjectIdentifier[] {
                new ObjectIdentifier("2.16.840.1.113733.1.7.23.6"), // Verisign
                new ObjectIdentifier("1.3.6.1.4.1.14370.1.6"), // Geo-Trust of Verisign
                new ObjectIdentifier("2.16.840.1.113733.1.7.48.1") // Thawte
          };
      } catch (IOException e) {
        throw new IllegalStateException("Invalid OIDs");
      }
  }

  private boolean isEVPolicy(CertificatePolicyId id) {
    for (ObjectIdentifier oid : EV_POLICIES) {
        if (oid.equals((Object)id.getIdentifier())) 
            return true;
    }
    return false;
 }

We only allow EV cert from 3 CAs. You can add more EV OIDs in that array. You can get a full list of the OIDs from

http://hg.mozilla.org/mozilla-central/file/05ab1cbc361f/security/manager/ssl/src/nsIdentityChecking.cpp





相关问题
Spring Properties File

Hi have this j2ee web application developed using spring framework. I have a problem with rendering mnessages in nihongo characters from the properties file. I tried converting the file to ascii using ...

Logging a global ID in multiple components

I have a system which contains multiple applications connected together using JMS and Spring Integration. Messages get sent along a chain of applications. [App A] -> [App B] -> [App C] We set a ...

Java Library Size

If I m given two Java Libraries in Jar format, 1 having no bells and whistles, and the other having lots of them that will mostly go unused.... my question is: How will the larger, mostly unused ...

How to get the Array Class for a given Class in Java?

I have a Class variable that holds a certain type and I need to get a variable that holds the corresponding array class. The best I could come up with is this: Class arrayOfFooClass = java.lang....

SQLite , Derby vs file system

I m working on a Java desktop application that reads and writes from/to different files. I think a better solution would be to replace the file system by a SQLite database. How hard is it to migrate ...

热门标签