Help with OCSP Stand Alone Implementation

Marcelo Tataje
Ranch Hand

Joined: Jan 31, 2011
Posts: 64

Hello everybody, I'm new to this forum and maybe my English is not perfect. The subject of this post is to get some help, because I'm implementing a functionality with OCSP (Online Certificate Status Protocol) in a stand-alone application with Java.

I receive this trace when I execute it:

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at dk.certifikat.ocsp.client.tiger.TigerOcsp.validateCertPath(TigerOcsp.java:124)
at dk.certifikat.ocsp.client.tiger.TigerOcsp.main(TigerOcsp.java:31)
Validation failure, cert[-1] :Path does not chain with any of the trust anchors


I made this based on some code with some certificates (.cer); it ran perfectly!
But now I changed it to test my certificates and it gives me this error, and I can't figure out why. I don't think it's because I use keystores (JKS) that I transform into Certificates to make it run. I think I need maybe one line or something more.

My code is the following:

package dk.certifikat.ocsp.client.tiger;

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class TigerOcsp {

    private static final String TEST_RESPONDER_URL = "http://test.ocsp.certifikat.dk/ocsp/status";
    private static X509Certificate certCA;
    private static X509Certificate certTS;

    /**
     * Sample params:
     * TDCOCESSTEST2.cer PIDTestBruger2.cer
     * @param args
     */
    public static void main(String[] args) {
        initializeKeys();
        try {
            if (args.length != 2)
                throw new Exception("TigerOcsp " + "caFile " + "certfile ");

            X509Certificate caCert = certCA;
            X509Certificate clientCert = certTS;

            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            // NB: this is the correct sequence!! (end-entity certificate first, its issuer after it)
            certList.add(clientCert);
            certList.add(caCert);
            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Fills certCA (alias "1") and certTS (alias "mykey") from the keystore, then from the
    // truststore; a store loaded later overwrites whatever an earlier store set for the same alias.
    private static void initializeKeys() {
        String path = "/usr/share/tomcat6/certs/certifik-ap-keystore.jks";
        String password = "keystorepass";
        getCertificates(path, password);
        path = "/usr/share/tomcat6/certs/certifik-ap-truststore.1.jks";
        getCertificates(path, password);
    }

    private static void getCertificates(String path, String password) {
        FileInputStream in = null;
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            in = new FileInputStream(path);
            ks.load(in, password.toCharArray());

            Enumeration<String> elem = ks.aliases();
            while (elem.hasMoreElements()) {
                String alias = elem.nextElement();
                if (alias.equals("1")) {
                    certCA = (X509Certificate) ks.getCertificate(alias);
                }
                if (alias.equals("mykey")) {
                    certTS = (X509Certificate) ks.getCertificate(alias);
                }
            }
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (IOException e) { // FileNotFoundException is an IOException, so it lands here too
            e.printStackTrace();
        } finally {
            if (in != null) {
                try { in.close(); } catch (IOException ignored) { }
            }
        }
    }

    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert,
                                         String responderUrl) {
        try {
            // Instantiate a CertificateFactory for X.509
            CertificateFactory cf = CertificateFactory.getInstance("X.509");

            // Extract the certification path from the List of Certificates
            CertPath cp = cf.generateCertPath(certList);

            // Create CertPathValidator that implements the "PKIX" algorithm
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Set the trust anchor (the certificate the path must chain up to)
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);

            // Set the PKIX parameters and turn revocation checking on
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            params.setRevocationEnabled(true);

            // Make the PKIX validator use OCSP against the given responder for revocation checks
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);

            // Validate and obtain results
            try {
                // IT FAILS HERE!!!
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(cp, params);

                PolicyNode policyTree = result.getPolicyTree();
                PublicKey subjectPublicKey = result.getPublicKey();

                System.out.println("Certificate validated");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);
            } catch (CertPathValidatorException cpve) {
                cpve.printStackTrace();
                System.out.println("Validation failure, cert["
                        + cpve.getIndex() + "] :" + cpve.getMessage());
            }
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        }
    }

    // Reads a single DER/PEM encoded certificate file (.cer); not used by the keystore-based flow above
    private static X509Certificate readCert(String fileName) throws FileNotFoundException, CertificateException {
        InputStream is = new FileInputStream(fileName);
        BufferedInputStream bis = new BufferedInputStream(is);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(bis);
        } finally {
            try { bis.close(); } catch (IOException ignored) { }
        }
    }
}

If someone can help me, I would really appreciate it.

Thanks a million!!!
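Added example, not the poster's code: before handing the path to the PKIX validator it reports which trusted certificate entry in the truststore actually issued the end-entity certificate (the "Path does not chain with any of the trust anchors" failure means none of the anchors did), then builds one TrustAnchor per trusted entry with PKIXParameters(KeyStore) instead of hand-picking alias "1". The class name, the command-line arguments and the truststore layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.Collections;
import java.util.Enumeration;
public class OcspChainCheck {  // hypothetical class, not the poster's TigerOcsp
    /** Returns the alias of the trusted certificate entry that signed cert, or null when none did. */
    static String findIssuerAlias(KeyStore truststore, X509Certificate cert) throws GeneralSecurityException {
        Enumeration<String> aliases = truststore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!truststore.isCertificateEntry(alias)) continue;  // key entries never become trust anchors
            X509Certificate candidate = (X509Certificate) truststore.getCertificate(alias);
            // name chaining: candidate subject must equal cert's issuer, and its key must verify cert's signature
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(candidate.getPublicKey());
                return alias;
            } catch (GeneralSecurityException sameNameWrongKey) { /* e.g. a re-keyed CA: keep looking */ }
        }
        return null;
    }
    static PKIXCertPathValidatorResult validate(KeyStore truststore, X509Certificate endEntity,
                                                String responderUrl) throws GeneralSecurityException {
        String issuer = findIssuerAlias(truststore, endEntity);
        if (issuer == null)  // exactly the condition PKIX reports as "Path does not chain with any of the trust anchors"
            throw new CertPathValidatorException("no trusted entry issued " + endEntity.getSubjectX500Principal());
        System.out.println("issuer found in truststore under alias '" + issuer + "'");
        PKIXParameters params = new PKIXParameters(truststore);  // one TrustAnchor per trusted certificate entry
        params.setRevocationEnabled(true);
        Security.setProperty("ocsp.enable", "true");             // same OCSP switches the post uses
        Security.setProperty("ocsp.responderURL", responderUrl);
        // the path carries only the end-entity certificate; the anchor comes from params, not from the path
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(endEntity));
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }
    public static void main(String[] args) throws Exception {
        // assumed usage: OcspChainCheck <truststore.jks> <password> <client.cer> <responderUrl>
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        X509Certificate ee;
        try (InputStream in = new FileInputStream(args[2])) {
            ee = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("validated; policy tree: " + validate(ts, ee, args[3]).getPolicyTree());
    }
}
```

If an intermediate CA sits between the end-entity certificate and the trusted entry, add the intermediate to the path after the end-entity; the trust anchor itself never needs to be in the path.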