Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/12092457/
How to check if X509Certificate is CA certificate?
Asked by Jurica Krizanic
I have a X509Certificate instance in Java and I need to identify if it is a CA certificate or user certificate.
Can anyone provide any help?
Thanks in advance!
Answered by Jurica Krizanic
According to research I have performed, it can be checked by checking basic constraints! Check the API for the results returned by the getBasicConstraints() method.
So if the method returns result != -1, a certificate can be considered as a CA certificate.
I have checked this with several CA certificates (root and intermediate), and it works as described. I have also checked this method with several user certificates, and the method returns -1 as result.
Answered by dpinya
X509Certificate.getKeyUsage() javadoc:
Gets a boolean array representing bits of the KeyUsage extension (OID = 2.5.29.15). The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The ASN.1 definition for this is:
KeyUsage ::= BIT STRING {
    digitalSignature (0),
    nonRepudiation (1),
    keyEncipherment (2),
    dataEncipherment (3),
    keyAgreement (4),
    keyCertSign (5),       --> true ONLY for CAs
    cRLSign (6),
    encipherOnly (7),
    decipherOnly (8)
}
A certificate can be checked as follows:
X509Certificate cert = ...;
boolean[] keyUsage = cert.getKeyUsage();   // null when the certificate has no KeyUsage extension
if (keyUsage != null && keyUsage[5]) {     // bit 5 = keyCertSign
    // CA certificate
}
else {
    // User certificate (or no KeyUsage extension present)
}
Answered by Anthony Palmer
A Root CA will be a self signed certificate with the keyCertSign flag enabled. In most scenarios the common name may include the word CA for convenience. An intermediate CA certificate may be signed by a Root CA (or another Intermediate!). Your browser key store will have examples of commonly trusted CA certificates.
From The Internet Engineering Task Force
The keyCertSign bit is asserted when the subject public key is used for verifying a signature on certificates. This bit may only be asserted in CA certificates.
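As an added example (not code from any of the answers above), the following Java class combines the three points made on this page: Basic Constraints from the first answer, the keyCertSign bit from the second with a null guard for certificates that carry no Key Usage extension, and the self-signed test for a root CA from the third. The class name CaCheck and the command-line usage are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CaCheck {
    // True when the certificate may sign other certificates. Basic Constraints is the
    // authoritative flag (RFC 5280 4.2.1.9); Key Usage, when present, must agree by
    // asserting keyCertSign, bit 5 (RFC 5280 4.2.1.3).
    public static boolean isCa(X509Certificate cert) {
        // -1 means cA=false or no Basic Constraints extension; any other value is the
        // path length constraint (Integer.MAX_VALUE when none is set).
        if (cert.getBasicConstraints() == -1) {
            return false;
        }
        // getKeyUsage() returns null when the extension is absent, so a bare
        // keyUsage[5] would throw NullPointerException on such certificates.
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage == null) {
            return true;
        }
        return keyUsage[5];
    }

    // A root CA is self-signed: issuer equals subject AND its own public key verifies
    // its signature; comparing the names alone is not sufficient.
    public static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;   // signature does not verify, or algorithm unsupported
        }
    }

    // Usage: java CaCheck cert.pem   (CertificateFactory accepts PEM or DER input)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            String kind = !isCa(cert) ? "end-entity (user) certificate"
                    : isSelfSigned(cert) ? "root CA (self-signed)" : "intermediate CA";
            System.out.println(cert.getSubjectX500Principal() + " -> " + kind);
        }
    }
}
```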