OCSP Validation , x.509 Certificate Validation

lakmal indika
Greenhorn

Joined: Oct 25, 2012
Posts: 1
Hi All, I'm trying to validate an X.509 certificate using Java. But it always gives an error "Validation failure, cert :java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue to resolve this?

=========================Code ===========================================================
import java.security.cert.*;
import java.security.*;
import java.util.*;
import java.io.*;

public class OCSPCheck {
    // OCSP URL http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp
    private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";
    // private static final String TEST_RESPONDER_URL = "http://ocsp-commercial.lankaclear.lk:11080/ocsp/ee/ocsp";

    public static void main(String[] args) {
        try {
            // CA certificate (used as the trust anchor). The directory part of these two paths was
            // mangled when the post was rendered; only the path separators are restored here.
            X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
            // Client certificate (the certificate whose revocation status is queried via OCSP)
            X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");
            // A PKIX CertPath is ordered from the end-entity certificate towards the trust anchor
            List<X509Certificate> certList = new ArrayList<>();
            certList.add(clientCert);
            certList.add(caCert);
            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath cp = cf.generateCertPath(certList);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Set the trust anchor
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            params.setRevocationEnabled(true);
            // Enable OCSP and point the PKIX validator at the responder; both must be set before validate()
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);

            // Validate and obtain results
            try {
                PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                PolicyNode policyTree = result.getPolicyTree();
                PublicKey subjectPublicKey = result.getPublicKey();

                System.out.println("Query Result ");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);
            } catch (CertPathValidatorException cpve) {
                // getIndex() is the position in the path of the certificate that failed (-1 if not cert-specific)
                System.out.println("Validation failure, cert[" + cpve.getIndex() + "] :" + cpve);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
        // try-with-resources closes the stream, which the original version never did
        try (InputStream is = new BufferedInputStream(new FileInputStream(fileName))) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(is);
        }
    }
}

===========================================================================================================
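The error quoted in the post is raised by the JDK's PKIX validator when the certificate that signed the OCSP response is neither the CA that issued the certificate being checked nor a delegated responder certificate issued by that CA and carrying the id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2). The diagnostic below is an added example, not the poster's code; it takes the responder's signing certificate and the issuing CA certificate as file paths (argument order and class name are assumptions) and reports which of those rules fails.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

/** Explains why a PKIX/OCSP check may reject an OCSP responder certificate (RFC 6960 4.2.2.2). */
public class OcspResponderCheck {
    // OID of the id-kp-OCSPSigning extended key usage
    private static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Returns null when the responder may sign responses for certs issued by issuer, else the reason it may not. */
    static String whyNotAuthorized(X509Certificate responder, X509Certificate issuer) throws Exception {
        // Rule 1: the response is signed by the issuing CA itself
        if (responder.equals(issuer)) return null;
        // Rule 2: a delegated responder must be issued directly by that CA ...
        if (!responder.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
            return "responder cert was issued by " + responder.getIssuerX500Principal() + ", not by the target's CA";
        try { responder.verify(issuer.getPublicKey()); }
        catch (Exception e) { return "responder cert signature does not verify with the CA key: " + e; }
        // ... must carry the id-kp-OCSPSigning extended key usage ...
        List<String> eku = responder.getExtendedKeyUsage();
        if (eku == null || !eku.contains(ID_KP_OCSP_SIGNING))
            return "responder cert lacks EKU id-kp-OCSPSigning (has " + eku + ")";
        // ... and must be within its validity period at the time of the check
        try { responder.checkValidity(); }
        catch (Exception e) { return "responder cert is outside its validity period: " + e; }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: OcspResponderCheck <responder-signing.cer> <issuing-ca.cer>");
            return;
        }
        String reason = whyNotAuthorized(load(args[0]), load(args[1]));
        System.out.println(reason == null ? "responder is authorized" : "NOT authorized: " + reason);
    }
}
```

The responder's signing certificate is the one embedded in the OCSP response (or published by the responder's operator); if this check reports a missing EKU or a different issuer, the fix lies with the CA that runs the responder, not with the validating code.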
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1064

Cross-posted to https://forums.oracle.com/forums/thread.jspa?threadID=2456427&tstart=0
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18876


Please note that JavaRanch actually allows crossposting to other sites...

https://www.coderanch.com/how-to/java/BeForthrightWhenCrossPostingToOtherSites

However, we do require that you be forthright about it. Crossposting tends to waste ranchers' time and effort, so please be honest about it.

Henry


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)