如何在 Java 中以编程方式检查 SSL 证书到期日期

how to check SSL certificate expiration date programmatically in Java(如何在 Java 中以编程方式检查 SSL 证书到期日期)

本文介绍了如何在 Java 中以编程方式检查 SSL 证书到期日期的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要从Java网站上的SSL证书中提取到期日期,应该同时支持受信任和自签名证书,例如:1.信任https://github.com2.自签https://mms.nw.ru/

I need to extract expiration date from SSL certificate on web site in Java,should support both trusted and self-signed certificate,such as: 1.trusted https://github.com 2.self-signed https://mms.nw.ru/

我已经复制了一些代码:

I already copy some code as:

import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SSLTest {

    public static void main(String [] args) throws Exception {
        // configure the SSLContext with a TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[0], new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
        SSLContext.setDefault(ctx);

        URL url = new URL("https://github.com");//https://mms.nw.ru
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        });
        System.out.println(conn.getResponseCode());
        Certificate[] certs = conn.getServerCertificates();
        for (Certificate cert :certs){
            System.out.println(cert.getType());
            System.out.println(cert);
        }

        conn.disconnect();
    }

    private static class DefaultTrustManager implements X509TrustManager {

        @Override
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

        @Override
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }
}

问题是:

  1. 如何从证书中解析过期日期,在我的代码中 toString() 确实输出了日期,但是很难解析.

  1. How to parse the expiration date from the certificate, in my code the toString() did output the date,but it is hard to parse.

如何确定证书链,例如链3的github证书,我怎么知道从哪个证书获取到期日期?

How to determine the certificate chain, eg, the github certificate with chains 3, how did i know which certificate to get the expiration date from?

推荐答案

如何从证书中解析过期日期

How to parse the expiration date from the certificate

将其转换为 X509Certificate 并调用 getNotAfter().

Cast it to an X509Certificate and call getNotAfter().

如何确定证书链,例如github证书有链

How to determine the certificate chain, eg, the github certificate with chains

你明白了.这就是 Certificate[] 数组,正如它在 Javadoc.

You've got it. That's what the Certificate[] array is, as it says in the Javadoc.

我怎么知道从哪个证书获取到期日期?

How did i know which certificate to get the expiration date from?

阅读 Javadoc.对等方自己的证书首先是任何证书颁发机构".

Read the Javadoc. "The peer's own certificate first followed by any certificate authorities".

但是我不知道你为什么要这样做.Java 应该已经为您完成了这一切.

However I don't know why you're doing any of this. Java should already do it all for you.

请丢弃不安全且不正确的 TrustManager 实现.处理自签名证书的正确方法是将它们导入客户端信任库.还请扔掉不安全的 HostnameVerifier,并使用默认的或安全的.如果您不希望 HTTPS 安全,为什么还要使用它?

And please throw away that insecure and incorrect TrustManager implementation. The correct way to handle self-signed certificates is to import them into the client truststore. Please also throw away your insecure HostnameVerifier, and use the default one, or a secure one. Why use HTTPS at all if you don't want it to be secure?

这篇关于如何在 Java 中以编程方式检查 SSL 证书到期日期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!

本文标题为:如何在 Java 中以编程方式检查 SSL 证书到期日期

基础教程推荐