Java APIs for certificate revocation checks

Submitted by 北城以北 on 2020-01-03 02:29:13

Question



Java supports OCSP out of the box.
The way it is being done, though (I mean the revocation check), is transparent to the programmer.
My question is: is there any API (part of Java) that can create a valid OCSP request or response, so that it would be possible for a programmer to implement a custom OCSP checker?


Answer 1:


The standard Java API does not provide publicly available classes to handle OCSP. In Sun/Oracle's JDK, the OCSP management classes are in the sun.security.provider.certpath package (i.e. a package which is outside of the Java specification) and are not public (so you cannot use them without resorting to reflection, after giving yourself extended access rights).

Also, the implementation in Sun/Oracle's JDK is a pure client: it can encode requests and decode responses, but it cannot decode requests or encode responses.

Hence, implementing a custom OCSP checker would entail implementing the encoding and decoding mechanisms manually: it can be done, but not in five lines of code. EJBCA is an open-source PKI, entirely written in Java, which includes some support for OCSP (I do not know whether extracting the OCSP code for inclusion in another application would be easy or not).




Answer 2:


Note that Java 8 has a JEP 124 - Enhance the Certificate Revocation-Checking API which should provide new APIs specifically for certificate revocation.

Check out a recent Oracle blog post describing the new functionality, as well as the official Draft Readme.

Hope this helps.
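
An added example, not part of either answer: the public revocation API that JEP 124 introduced in Java 8 (`java.security.cert.PKIXRevocationChecker`), used to validate a chain and report the revocation outcome. It does not build raw OCSP messages; the class name `RevocationCheck` and the PEM file names are placeholders, and the check needs network access to the OCSP responder or CRL distribution point named in the certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Usage (file names are placeholders): java RevocationCheck chain.pem root.pem
public class RevocationCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: RevocationCheck <chain.pem> <root.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            // chain.pem: end-entity certificate first, then intermediates, no root
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(in);
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // Empty option set: OCSP first, CRLs as fallback, every certificate checked.
        // Without Option.SOFT_FAIL, an undeterminable status fails validation.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.addCertPathChecker(checker); // an explicitly added checker is used for revocation

        try {
            validator.validate(cf.generateCertPath(chain), params);
            System.out.println("chain valid, no certificate revoked");
        } catch (CertPathValidatorException e) {
            int i = e.getIndex(); // position of the failing certificate, -1 if not applicable
            String subject = i >= 0 ? chain.get(i).getSubjectX500Principal().getName() : "(unknown)";
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                System.out.println("REVOKED: " + subject);
            } else if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                System.out.println("status unknown (fail closed): " + subject);
            } else {
                System.out.println("validation failed: " + e.getMessage());
            }
            System.exit(1);
        }
    }
}
```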



Source: https://stackoverflow.com/questions/5362808/java-apis-for-certificate-revocation-checks
