OCSP Validation

indiika-JavaNet
Member Posts: 14
Hi All, I'm trying to validate an X.509 certificate using Java, but it always gives the error "Validation failure, cert :java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue how to resolve this?
=========================Code ===========================================================
import java.security.cert.*;
import java.security.*;
import java.util.*;
import java.io.*;
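/**
 * Command-line demo: validates one X.509 certificate against a trusted CA
 * certificate with the PKIX validator, with OCSP revocation checking enabled
 * and the responder location forced to {@link #TEST_RESPONDER_URL}.
 */
public class OCSPCheck {
    // OCSP URL http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp
    private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";

    /**
     * Loads the CA certificate and the certificate to validate from fixed
     * paths and runs the path validation. Any failure is printed, not rethrown.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // CA certificate, used only as the trust anchor.
            X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
            // Certificate under validation.
            X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");

            // By CertPath convention an X.509 path runs from the target
            // certificate to the one issued by the trust anchor; the anchor's
            // own certificate is not part of the path, so it is not added here.
            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            certList.add(clientCert);

            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            // Top-level boundary of a demo program: report and exit normally.
            e.printStackTrace();
        }
    }

    /**
     * Builds a certification path from {@code certList} and validates it with
     * the PKIX algorithm against {@code trustedCert}, checking revocation via OCSP.
     * The outcome (policy tree and subject key, or the failure) is printed.
     *
     * @param certList     certificates forming the path, target certificate first
     * @param trustedCert  certificate used as the single trust anchor
     * @param responderUrl value written to the {@code ocsp.responderURL} security property
     */
    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert,
            String responderUrl) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath cp = cf.generateCertPath(certList);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Trust anchor without name constraints.
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));

            // Revocation checking stays enabled: a responder-authorization
            // failure is a trust question to settle in the PKI or in the
            // responder configuration, not by switching the check off.
            params.setRevocationEnabled(true);

            // Security properties are JVM-wide, so these two settings affect
            // every PKIX validation in the process, not only this call.
            // ocsp.responderURL replaces the responder location that would
            // otherwise come from the certificate being checked.
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);
            // NOTE(review): per the JDK security-properties documentation, a
            // response is accepted when it is signed by the CA that issued the
            // checked certificate, by a responder that CA delegated OCSP
            // signing to, or by a responder named explicitly through
            // ocsp.responderCertSubjectName (or ocsp.responderCertIssuerName
            // with ocsp.responderCertSerialNumber). Which case applies to this
            // responder is not visible here - confirm against its certificate.

            try {
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                PolicyNode policyTree = result.getPolicyTree();
                PublicKey subjectPublicKey = result.getPublicKey();
                System.out.println("Query Result ");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);
            } catch (GeneralSecurityException cpve) {
                // Covers CertPathValidatorException (path or revocation
                // failure) and InvalidAlgorithmParameterException.
                System.out.println("Validation failure, cert :"
                        + cpve.toString());
            }
        } catch (GeneralSecurityException e) {
            // Setup failed before validation started (factory, path or parameters).
            e.printStackTrace();
        }
    }

    /**
     * Reads a single X.509 certificate from a file.
     *
     * @param fileName path of the certificate file
     * @return the parsed certificate
     * @throws IOException          if the file cannot be opened (a missing file
     *                              surfaces as {@link FileNotFoundException}) or closed
     * @throws CertificateException if the content is not a parsable X.509 certificate
     */
    private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new BufferedInputStream(new FileInputStream(fileName));
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            // Release the file handle whether or not parsing succeeded.
            in.close();
        }
    }
}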
===========================================================================================================
=========================Code ===========================================================
import java.security.cert.*;
import java.security.*;
import java.util.*;
import java.io.*;
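/**
 * Command-line demo: validates one X.509 certificate against a trusted CA
 * certificate with the PKIX validator, with OCSP revocation checking enabled
 * and the responder location forced to {@link #TEST_RESPONDER_URL}.
 */
public class OCSPCheck {
    // OCSP URL http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp
    private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";

    /**
     * Loads the CA certificate and the certificate to validate from fixed
     * paths and runs the path validation. Any failure is printed, not rethrown.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // CA certificate, used only as the trust anchor.
            X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
            // Certificate under validation.
            X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");

            // By CertPath convention an X.509 path runs from the target
            // certificate to the one issued by the trust anchor; the anchor's
            // own certificate is not part of the path, so it is not added here.
            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            certList.add(clientCert);

            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            // Top-level boundary of a demo program: report and exit normally.
            e.printStackTrace();
        }
    }

    /**
     * Builds a certification path from {@code certList} and validates it with
     * the PKIX algorithm against {@code trustedCert}, checking revocation via OCSP.
     * The outcome (policy tree and subject key, or the failure) is printed.
     *
     * @param certList     certificates forming the path, target certificate first
     * @param trustedCert  certificate used as the single trust anchor
     * @param responderUrl value written to the {@code ocsp.responderURL} security property
     */
    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert,
            String responderUrl) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath cp = cf.generateCertPath(certList);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Trust anchor without name constraints.
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));

            // Revocation checking stays enabled: a responder-authorization
            // failure is a trust question to settle in the PKI or in the
            // responder configuration, not by switching the check off.
            params.setRevocationEnabled(true);

            // Security properties are JVM-wide, so these two settings affect
            // every PKIX validation in the process, not only this call.
            // ocsp.responderURL replaces the responder location that would
            // otherwise come from the certificate being checked.
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);
            // NOTE(review): per the JDK security-properties documentation, a
            // response is accepted when it is signed by the CA that issued the
            // checked certificate, by a responder that CA delegated OCSP
            // signing to, or by a responder named explicitly through
            // ocsp.responderCertSubjectName (or ocsp.responderCertIssuerName
            // with ocsp.responderCertSerialNumber). Which case applies to this
            // responder is not visible here - confirm against its certificate.

            try {
                PKIXCertPathValidatorResult result =
                        (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                PolicyNode policyTree = result.getPolicyTree();
                PublicKey subjectPublicKey = result.getPublicKey();
                System.out.println("Query Result ");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);
            } catch (GeneralSecurityException cpve) {
                // Covers CertPathValidatorException (path or revocation
                // failure) and InvalidAlgorithmParameterException.
                System.out.println("Validation failure, cert :"
                        + cpve.toString());
            }
        } catch (GeneralSecurityException e) {
            // Setup failed before validation started (factory, path or parameters).
            e.printStackTrace();
        }
    }

    /**
     * Reads a single X.509 certificate from a file.
     *
     * @param fileName path of the certificate file
     * @return the parsed certificate
     * @throws IOException          if the file cannot be opened (a missing file
     *                              surfaces as {@link FileNotFoundException}) or closed
     * @throws CertificateException if the content is not a parsable X.509 certificate
     */
    private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new BufferedInputStream(new FileInputStream(fileName));
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            // Release the file handle whether or not parsing succeeded.
            in.close();
        }
    }
}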
===========================================================================================================