
Java Security


OCSP Validation

indiika-JavaNetOct 25 2012
Hi All, I'm trying to validate an X.509 certificate using Java, but validation always fails with the error "Validation failure, cert :java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue how to resolve this?

=========================Code ===========================================================

import java.security.cert.*;
import java.security.*;
import java.util.*;
import java.io.*;

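/**
 * Validates an X.509 certificate against a single trusted CA certificate with
 * PKIX path validation and OCSP revocation checking.
 *
 * <p>About "Responder's certificate is not authorized to sign OCSP responses":
 * the JDK accepts an OCSP response only when its signer is (a) the CA that
 * issued the certificate being checked, (b) a delegate certificate issued by
 * that CA carrying the id-kp-OCSPSigning extended key usage, or (c) a responder
 * designated explicitly through the {@code ocsp.responderCertSubjectName}
 * security property (or {@code ocsp.responderCertIssuerName} together with
 * {@code ocsp.responderCertSerialNumber}). Plain-HTTP OCSP is only safe because
 * of this signer check, so the remedy is to make the responder certificate
 * satisfy one of those cases, never to switch revocation checking off.
 *
 * <p>This class passes its trust anchor explicitly; nothing here reads the
 * Windows certificate store.
 */
public class OCSPCheck {

    // Public OCSP URL: http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp
    private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";

    /**
     * Loads the CA certificate and the certificate under test from disk and runs
     * the validation.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // CA certificate: used only as the trust anchor.
            X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
            // Certificate whose path and revocation status are validated.
            X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");

            // The path holds only the certificate(s) below the trust anchor.
            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            certList.add(clientCert);
            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Runs PKIX validation with revocation checking over {@code certList},
     * anchored at {@code trustedCert}, and prints the outcome.
     *
     * @param certList     path ordered from the target certificate towards the
     *                     anchor; a copy of the anchor in the list is ignored
     * @param trustedCert  certificate used as the sole trust anchor
     * @param responderUrl OCSP responder URL to query
     */
    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert,
            String responderUrl) {
        try {
            // By CertPath convention the trust anchor is not part of the path.
            // Leaving it in makes the validator treat the anchor as one more
            // certificate to verify and to check for revocation.
            List<X509Certificate> path = new ArrayList<X509Certificate>();
            for (X509Certificate cert : certList) {
                if (!cert.equals(trustedCert)) {
                    path.add(cert);
                }
            }

            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath cp = cf.generateCertPath(path);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            params.setRevocationEnabled(true);

            // Security properties are JVM-wide: every PKIX validation in this
            // process will use this responder from here on.
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);

            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);

            System.out.println("Query Result ");
            System.out.println("Policy Tree:\n" + result.getPolicyTree());
            System.out.println("Subject Public key:\n" + result.getPublicKey());
        } catch (CertPathValidatorException cpve) {
            // A failure means the certificate must be treated as not trusted.
            System.out.println("Validation failure, cert :" + cpve.toString());
            System.out.println("Failing certificate index in path: " + cpve.getIndex());
        } catch (GeneralSecurityException e) {
            // Setup problems (bad parameters, missing algorithm, malformed path).
            e.printStackTrace();
        }
    }

    /**
     * Reads one X.509 certificate from a file and closes the file afterwards.
     *
     * @param fileName path of the certificate file
     * @return the parsed certificate
     * @throws IOException          if the file cannot be opened or closed
     * @throws CertificateException if the content is not a parsable certificate
     */
    private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
        try (InputStream in = new BufferedInputStream(new FileInputStream(fileName))) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}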

===========================================================================================================
