
Help with OCSP Stand Alone Implementation

Hello everybody, I'm new at this forum and maybe my English is not perfect. The subject of this post is to get some help, because I'm implementing a functionality with OCSP (Online Certificate Status Protocol) in a Stand-Alone application with Java.

I receive this trace when I execute it:

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at dk.certifikat.ocsp.client.tiger.TigerOcsp.validateCertPath(TigerOcsp.java:124)
at dk.certifikat.ocsp.client.tiger.TigerOcsp.main(TigerOcsp.java:31)
Validation failure, cert[-1] :Path does not chain with any of the trust anchors


I made this based on a code with some certificates (.cer), and it ran perfectly!
But now I changed it to test my certificates and it gives me this error, and I can't figure out why. I don't think it is because I use keystores (JKS) that I transform into Certificates to make it run. I think I need maybe one line or something more.

My code is the following:

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class TigerOcsp {

    private static final String TEST_RESPONDER_URL = "http://test.ocsp.certifikat.dk/ocsp/status";
    private static X509Certificate certCA;
    private static X509Certificate certTS;

    /**
     * Sample params:
     * TDCOCESSTEST2.cer PIDTestBruger2.cer
     * @param args
     */
    public static void main(String[] args) {
        initializeKeys();
        try {
            // Leftover from the .cer-based version: the arguments are still checked,
            // but the certificates actually come from the keystores loaded in initializeKeys()
            if (args.length != 2)
                throw new Exception("TigerOcsp " + "caFile " + "certfile ");

            X509Certificate caCert = certCA;
            X509Certificate clientCert = certTS;

            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            // NB: this is the correct sequence!! (end-entity certificate first, then its issuer)
            certList.add(clientCert);
            certList.add(caCert);
            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static void initializeKeys() {
        String path = "/usr/share/tomcat6/certs/certifik-ap-keystore.jks";
        String password = "keystorepass";
        getCertificates(path, password);
        path = "/usr/share/tomcat6/certs/certifik-ap-truststore.1.jks";
        getCertificates(path, password);
    }

    // Loads a JKS keystore and takes the CA certificate from alias "1"
    // and the end-entity certificate from alias "mykey"
    private static void getCertificates(String path, String password) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password.toCharArray());
            }

            Enumeration<String> elem = ks.aliases();
            while (elem.hasMoreElements()) {
                String alias = elem.nextElement();

                if (alias.equals("1")) {
                    certCA = (X509Certificate) ks.getCertificate(alias);
                }

                if (alias.equals("mykey")) {
                    certTS = (X509Certificate) ks.getCertificate(alias);
                }
            }
        } catch (GeneralSecurityException | IOException e) {
            // KeyStoreException, NoSuchAlgorithmException, CertificateException,
            // FileNotFoundException and IOException all end up here
            e.printStackTrace();
        }
    }

    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
        try {
            // Instantiate a CertificateFactory for X.509
            CertificateFactory cf = CertificateFactory.getInstance("X.509");

            // Extract the certification path from the List of Certificates
            CertPath cp = cf.generateCertPath(certList);

            // Create CertPathValidator that implements the "PKIX" algorithm
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Set the trust anchor
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);

            // Set the PKIX parameters
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            params.setRevocationEnabled(true);

            // Enable OCSP checking and point it at the responder
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);

            // Validate and obtain results
            try {
                // IT FAILS HERE!!!
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(cp, params);

                PolicyNode policyTree = result.getPolicyTree();
                java.security.PublicKey subjectPublicKey = result.getPublicKey();

                System.out.println("Certificate validated");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);

            } catch (CertPathValidatorException cpve) {
                cpve.printStackTrace();
                System.out.println("Validation failure, cert["
                        + cpve.getIndex() + "] :" + cpve.getMessage());
            }

        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException, InvalidAlgorithmParameterException, CertificateException
            e.printStackTrace();
        }
    }

    // Reads a single DER/PEM encoded .cer file (used by the earlier .cer-based version)
    private static X509Certificate readCert(String fileName) throws FileNotFoundException, CertificateException, IOException {
        try (InputStream is = new FileInputStream(fileName);
             BufferedInputStream bis = new BufferedInputStream(is)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(bis);
        }
    }
}

If someone can help me, I would really appreciate it.

Thanks a million!!!
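As an added diagnostic (not the poster's code), the helper below, assuming the same JKS paths and aliases as in the post, lists what each keystore alias actually holds and checks link by link whether the chain reaches the anchor; the validator's "does not chain" error corresponds to a failing name match or signature on the last link:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;

/** Added diagnostic, not from the original post: why PKIX reports "Path does not chain with any of the trust anchors". */
public class ChainDiagnostics {
    /** Lists every alias with its entry type and subject, so aliases "1" and "mykey" can be checked. */
    public static void listAliases(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted cert";
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-12s %-12s subject=%s%n", alias, kind,
                    c == null ? "(none)" : c.getSubjectX500Principal());
        }
    }

    /** Walks the chain (end entity first, as PKIX expects); the last link is checked against the anchor. */
    public static boolean chainsToAnchor(List<X509Certificate> chain, X509Certificate anchor) {
        boolean ok = true;
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            if (cert.equals(anchor)) {
                System.out.printf("cert[%d] is the trust anchor itself%n", i);
                continue;
            }
            X509Certificate issuer = (i + 1 < chain.size()) ? chain.get(i + 1) : anchor;
            boolean nameMatch = cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal());
            boolean sigOk;
            try {
                cert.verify(issuer.getPublicKey()); // throws if the issuer key did not sign this cert
                sigOk = true;
            } catch (Exception ex) {
                sigOk = false;
            }
            System.out.printf("cert[%d] %s: issuer name matches=%b, signature verifies=%b%n",
                    i, cert.getSubjectX500Principal(), nameMatch, sigOk);
            ok &= nameMatch && sigOk;
        }
        return ok;
    }
}
```

Run listAliases on both JKS files first: if alias "1" in the keystore is a key entry whose certificate is not the issuer of "mykey", the second call to getCertificates simply overwrites certCA with whatever the truststore holds under that alias.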