Java supports OCSP out of the box.
The way it is being done though, (I mean the revocation check) is transparent to the programmer.
My question is, is there any api (part of java) that can create a valid OCSP request or response? So that it would be possible for a programmer to implement a custom OCSP checker?
解决方案
The standard Java API does not provide publicly available classes to handle OCSP. In Sun/Oracle's JDK, the OCSP management classes are in the sun.security.provider.certpath package (i.e. a package which is outside of the Java specification) and are not public (so you cannot use them without resorting to reflection, after giving yourself extended access rights).
Also, the implementation in Sun/Oracle's JDK is a pure client: it can encode requests and decode responses, but it cannot decode requests or encode responses.
Hence, implementing a custom OCSP checker would entail implementing the encoding and decoding mechanisms manually: it can be done, but not in five lines of code. EJBCA is an opensource PKI, entirely written in Java, which includes some support for OCSP (I do not know whether extracting the OCSP code for inclusion in another application would be easy or not).
819
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
