OCSP Validation
Hi all, I'm trying to validate an X.509 certificate using Java, but it always fails with the error "Validation failure, cert :java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue how to resolve this?
=========================Code ===========================================================
import java.security.cert.*;
import java.security.*;
import java.util.*;
import java.io.*;
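/**
 * Command-line check that validates one certificate against a single trusted
 * CA certificate with PKIX path validation and OCSP revocation checking.
 *
 * <p>Trust comes only from the {@link TrustAnchor} built in
 * {@link #validateCertPath}; nothing in this class reads an operating-system
 * certificate store, so importing certificates there does not change the result.
 */
public class OCSPCheck {
    // OCSP URL http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp
    private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";
    // private static final String TEST_RESPONDER_URL = "http://ocsp-commercial.lankaclear.lk:11080/ocsp/ee/ocsp";

    /**
     * Loads the CA certificate and the certificate under test from disk and
     * validates the latter against the former.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // CA certificate: used as the trust anchor only.
            X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
            // Certificate whose chain and revocation status are being checked.
            X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");

            // By PKIX convention the certification path does not contain the
            // trust anchor. Adding the CA certificate to the path as well makes
            // the validator treat it as one more certificate to verify, which
            // with revocation enabled means an OCSP lookup for the root itself.
            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            certList.add(clientCert);

            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Validates {@code certList} against {@code trustedCert} with revocation
     * checking over OCSP, and prints the outcome to standard output.
     *
     * <p>Returning normally does NOT mean the path is valid: failures are only
     * reported on the console. Code that makes a trust decision must act on the
     * exception instead of ignoring it.
     *
     * @param certList     certification path, target certificate first, trust anchor excluded
     * @param trustedCert  certificate used as the only trust anchor
     * @param responderUrl OCSP responder location that overrides the one in the certificate
     */
    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath cp = cf.generateCertPath(certList);
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

            // Set the trust anchor (no name constraints).
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            params.setRevocationEnabled(true);

            // These are JVM-wide security properties: every later PKIX
            // validation in this process is affected by them as well.
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);

            // An OCSP response is accepted only when its signer is authorized
            // for the certificate being checked: the CA that issued that
            // certificate, a responder certificate issued by that CA carrying
            // the OCSPSigning extended key usage, or a responder explicitly
            // designated through ocsp.responderCertSubjectName (or
            // ocsp.responderCertIssuerName + ocsp.responderCertSerialNumber).
            // "Responder's certificate is not authorized to sign OCSP responses"
            // means none of these matched. Designate a responder only after
            // confirming its certificate out of band; do not disable
            // revocation checking to make the error go away.

            // Validate and obtain results.
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            PolicyNode policyTree = result.getPolicyTree();
            PublicKey subjectPublicKey = result.getPublicKey();
            System.out.println("Query Result ");
            System.out.println("Policy Tree:\n" + policyTree);
            System.out.println("Subject Public key:\n" + subjectPublicKey);
        } catch (CertPathValidatorException cpve) {
            // getIndex() identifies which certificate of the path failed
            // (-1 when the failure is not tied to a single certificate).
            System.out.println("Validation failure, cert[" + cpve.getIndex() + "] :" + cpve.toString());
        } catch (GeneralSecurityException e) {
            // Setup problems: unknown algorithm, malformed path, bad parameters.
            e.printStackTrace();
        }
    }

    /**
     * Reads a single X.509 certificate from a file.
     *
     * @param fileName path of the certificate file
     * @return the parsed certificate
     * @throws IOException          if the file cannot be opened or closed
     * @throws CertificateException if the content is not a parsable X.509 certificate
     */
    private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
        // try-with-resources closes the file handle even when parsing fails.
        try (InputStream in = new BufferedInputStream(new FileInputStream(fileName))) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}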
===========================================================================================================