自己找到解决方案。因此,这是如何针对受信任的存储提取和验证证书链的方法(为便于阅读,跳过了异常处理):
CertificateFactory cf = CertificateFactory.getInstance("X.509");// Get ContentInfo//byte[] signature = ... // PKCS#7 signature bytesInputStream signatureIn = new ByteArrayInputStream(signature);DERObject obj = new ASN1InputStream(signatureIn).readObject();ContentInfo contentInfo = ContentInfo.getInstance(obj);// Extract certificatesSignedData signedData = SignedData.getInstance(contentInfo.getContent());Enumeration certificates = signedData.getCertificates().getObjects();// Build certificate pathList certList = new ArrayList();while (certificates.hasMoreElements()) { DERObject certObj = (DERObject) certificates.nextElement(); InputStream in = new ByteArrayInputStream(certObj.getDEREnpred()); certList.add(cf.generateCertificate(in));}CertPath certPath = cf.generateCertPath(certList);// Load key store//String keyStorePath = ...KeyStore keyStore = KeyStore.getInstance("JKS");keyStore.load(new FileInputStream(keyStorePath), null);// Set validation parametersPKIXParameters params = new PKIXParameters(keyStore);params.setRevocationEnabled(false); // to avoid exception on empty CRL// Validate certificate pathCertPathValidator validator = CertPathValidator.getInstance("PKIX");CertPathValidatorResult result = validator.validate(certPath, params);validate()如果验证失败,将抛出异常。
文档:
ASN1Set,
ContentInfo,
SignedData。其他所有外来名称和相关文档都可以在中找到
java.security.cert。
这里没有SUN依赖项,仅需要BouncyCastle提供程序库。
