6 Replies Latest reply on Dec 29, 2007 7:17 AM by EJP

    "Validity interval out of date" exception

    843811
      I am trying to query my OCSP server to check certificate status. If I use openssl to do this with the same server URL and same certificate, it works. But I need to do it in Java. CRLs are being properly issued every hour also.

      When I run my code, I get:
      java.security.cert.CertPathValidatorException: java.io.IOException: Response is unreliable: its validity interval is out-of-date
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
              at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
              at OCSPtest.OCSPtest.main(OCSPtest.java:127)
      I have the CA cert as a trusted CA cert in my jre/lib/security/cacerts file, and I have the strong encryption extensions installed.

      Here is the code:
      package OCSPtest;
      
      //~--- JDK imports ------------------------------------------------------------
      
      import java.io.*;
      
      import java.net.URI;
      
      import java.security.*;
      import java.security.cert.*;
      
      import java.util.*;
      
      /**
       * Check the revocation status of a public key certificate using OCSP.
       */
      public class OCSPtest{
      
         /*
          * Filename that contains the OCSP server's cert.
          */
         private static final String OCSP_SERVER_CERT =
            "/Users/jar/certs/OCSPSignerCertificate.pem";
      
         /*
          * Filename that contains the root CA cert of the OCSP server's cert.
          */
         private static final String ROOT_CA_CERT =
            "/Users/jar/certs/SensorNetCA.pem";
      
         /**
          * Checks the revocation status of a public key certificate using OCSP.
          *
          * Usage:  java ValidateCert <cert-file> [<OCSP-server>]
          *     <cert-file> is the filename of the certificate to be checked.
          *            The certificate must be in PEM format.
          *     <OCSP-server> is the URL of the OCSP server to use.
          *            If not supplied then the certificate must identify an OCSP
          *            server by means of its AuthorityInfoAccess extension.
          *            If supplied then it overrides any URL which may be present
          *            in the certificate's AuthorityInfoAccess extension.
          *
          * Example:  java \
          *             -Dhttp.proxyHost=proxy.example.net \
          *             -Dhttp.proxyPort=8080 \
          *             ValidateCert \
          *             mycert.pem \
          *             http://ocsp.openvalidation.org:80
          */
         public static void main(String[] args) {
            try {
               CertPath                cp               = null;
               Vector<X509Certificate> certs            = new Vector<X509Certificate>();
               URI                     ocspServer       = null;
               String                  ocspServerString =
                  "https://ca2.sensornet.gov:8442/ejbca/publicweb/status/ocsp";
      
               /*
                * Argument handling from the original sample, disabled while the
                * file paths are hard-coded below:
                *
                *         if (args.length == 0 || args.length > 2) {
                *        System.out.println(
                *            "Usage: java ValidateCert <cert-file> [<OCSP-server>]");
                *        System.exit(-1);
                *         }
                */
      
               // load the cert to be checked
               certs.add(getCertFromFile("/Users/jar/certs/jarSensornet.cer"));
      
               // handle location of OCSP server
               ocspServer = new URI(ocspServerString);
               System.out.println("Using the OCSP server at: " + ocspServer);
               System.out.println("to check the revocation status of: "
                                  + certs.elementAt(0));
               System.out.println();
      
               // init cert path (only the end-entity cert is supplied, so the
               // validator must be able to chain it directly to the trust anchor)
               CertificateFactory cf = CertificateFactory.getInstance("X509");
               cp = cf.generateCertPath(certs);
      
               // load the root CA cert for the OCSP server cert
               X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
      
               // init trusted certs
               TrustAnchor      ta              = new TrustAnchor(rootCACert, null);
               Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
      
               trustedCertsSet.add(ta);
      
               // init cert store (left disabled in the original)
      //         Set             certSet  = new HashSet();
      //         X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
               //System.out.println("OCSP Responder cert: " + ocspCert);
               //certSet.add(ocspCert);
      
               // init PKIX parameters (revocation checking is on by default)
               PKIXParameters params = new PKIXParameters(trustedCertsSet);
               //params.addCertStore(store);
      
               // enable OCSP; these are process-wide Security properties and
               // must be set before validate() runs
               Security.setProperty("ocsp.enable", "true");
      
               if (ocspServer != null) {
                  Security.setProperty("ocsp.responderURL", ocspServerString);
      //            Security.setProperty(
      //                "ocsp.responderCertSubjectName",
      //                ocspCert.getSubjectX500Principal().getName());
               }
      
               // perform validation
               CertPathValidator           cpv        =
                  CertPathValidator.getInstance("PKIX");
               PKIXCertPathValidatorResult cpv_result =
                  (PKIXCertPathValidatorResult) cpv.validate(cp, params);
               X509Certificate trustedCert =
                  (X509Certificate) cpv_result.getTrustAnchor().getTrustedCert();
      
               if (trustedCert == null) {
                  System.out.println("Trusted Cert = NULL");
               } else {
                  System.out.println("Trusted CA DN = "
                                     + trustedCert.getSubjectDN());
               }
            } catch (CertPathValidatorException e) {
               e.printStackTrace();
               System.exit(1);
            } catch (Exception e) {
               e.printStackTrace();
               System.exit(-1);
            }
      
            System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
            System.exit(0);
         }
      
         /**
          * Read a certificate from the specified filepath.
          * Returns null (after printing the reason) if the file cannot be parsed.
          */
         private static X509Certificate getCertFromFile(String path) {
            X509Certificate cert = null;
            FileInputStream fis  = null;
      
            try {
               File certFile = new File(path);
      
               if (!certFile.canRead()) {
                  throw new IOException(" File " + certFile.toString()
                                        + " is unreadable");
               }
      
               fis = new FileInputStream(certFile);
               CertificateFactory cf = CertificateFactory.getInstance("X509");
      
               cert = (X509Certificate) cf.generateCertificate(fis);
            } catch (Exception e) {
               System.out.println("Can't construct X509 Certificate. " + path
                                  + " " + e.getMessage());
            } finally {
               // always release the file handle, even when parsing fails
               if (fis != null) {
                  try {
                     fis.close();
                  } catch (IOException ignored) {
                  }
               }
            }
      
            return cert;
         }
      }
        • 1. Re: "Validity interval out of date" exception
          843811
          This is the openssl code that works. Unfortunately, it requires that the certificates are in files, which will not work for me because I am checking the user's client cert that gets presented to a webapp.
          /*
           * Main.java
           *
           * Created on Oct 12, 2007, 3:21:59 PM
           */
          
          package validatecertuseocsp;
          
          //~--- JDK imports ------------------------------------------------------------
          
          import java.io.*;
          
          /**
           * Check the revocation status of a public key certificate using OCSP,
           * by running the openssl command-line tool.
           */
          public class ValidateCertUseOCSP{
          
             /*
              * Filename that contains the OCSP server's cert.
              */
             private static final String OCSP_SERVER_CERT =
                "/opt/jboss/Certificates/SensorNetCA.pem";
          
             /*
              * Filename that contains the root CA cert of the OCSP server's cert.
              */
             private static final String ROOT_CA_CERT =
                "/opt/jboss/Certificates/SensorNetCA.pem";
          
             /**
              * Checks the revocation status of a public key certificate using OCSP.
              *
              * We use the openssl calls to do this.
              */
             public static void main(String[] args) {
                try {
                   String ocspServerString =
                      "https://ca2.sensornet.gov:8442/ejbca/publicweb/status/ocsp";
          
                   // Try this with the openssl call. The command is passed as an
                   // argument array, so no shell and no whitespace splitting is involved.
                   Runtime  rt      = Runtime.getRuntime();
                   String[] command = {
                      "openssl", "ocsp",
                      "-issuer", ROOT_CA_CERT,
                      "-CAfile", ROOT_CA_CERT,
                      "-cert", "/Users/jar/certs/jarSensornet.cer",
                      "-url", ocspServerString
                   };
                   Process proc = rt.exec(command);
          
                   // openssl reports signature verification ("Response verify OK")
                   // on stderr and the certificate status on stdout. Both are a few
                   // lines here; a chattier command would need both streams read
                   // concurrently so a full pipe buffer cannot block the child.
                   BufferedReader br   = new BufferedReader(
                                            new InputStreamReader(proc.getErrorStream()));
                   String         line = null;
                   StringBuffer   sb   = new StringBuffer();
          
                   sb.append("<ERROR>\n");
                   while ((line = br.readLine()) != null) {
                      sb.append(line).append('\n');
                   }
                   br.close();
                   sb.append("</ERROR>\n");
                   line = sb.toString();
                   if (!line.contains("Response verify OK")) {
                      System.err.print(line);
                   }
          
                   BufferedReader bin = new BufferedReader(
                                            new InputStreamReader(proc.getInputStream()));
          
                   while ((line = bin.readLine()) != null) {
                      System.out.println(line);
                      sb.append(line).append('\n');
                   }
                   bin.close();
          
                   int exitVal = proc.waitFor();
                   System.out.println(exitVal);
                   line = sb.toString();
          
                   // openssl prints "<cert-file>: good" (or revoked / unknown) on stdout
                   if (line.contains("good")) {
                      System.out.println("Success");
                   } else {
                      System.out.println("Failure");
                   }
                } catch (Exception e) {
                   e.printStackTrace();
                   System.exit(-1);
                }
          
                System.exit(0);
             }
          }
          • 2. Re: "Validity interval out of date" exception
            843811
            The OCSP server is giving a "good" answer:
             Received OCSP request for certificate with serNo: 3850952b4a624751, and issuerNameHash: c78608c41e0790a726a0000961efba839b295b4c.
            15:41:03,960 INFO  [OCSPServletBase] Adding status information (good) for certificate with serial '3850952b4a624751' from issuer 'CN=SensorNetCA,DC=sensornet,DC=gov'.
            • 3. Re: "Validity interval out of date" exception
              843811
              I am getting the same error. Let me know if you find a solution for this. Thanks.
              • 4. Re: "Validity interval out of date" exception
                EJP
                The solution is to use certificates which are current, not expired.
                • 5. Re: "Validity interval out of date" exception
                  843811
                  The certificates are all valid.
                  • 6. Re: "Validity interval out of date" exception
                    EJP
                    Err, no they're not. The validity interval is out of date on at least one of them. This is the only rational deduction from the evidence. Try printing out the notBefore and notAfter dates and see.
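As an added example (my code, not the poster's or EJP's), here are the two time checks the thread turns on, written in Python so they can be tried offline against any timestamps. In the Sun PKIX implementation the quoted IOException is raised by the OCSP response check, which reads the response's thisUpdate and nextUpdate fields and compares them with the client's clock; a responder whose clock is ahead of the client, or one that keeps serving a response past its nextUpdate, produces this message regardless of the certificates' own notBefore/notAfter dates (an expired certificate fails earlier with a different message). openssl's ocsp command makes the same comparison with a five-minute allowance and only prints "WARNING: Status times invalid." rather than failing, which is one way the two tools can disagree about the same response. The block implements both the certificate-period check EJP asks for and the response-interval check, with a max_skew parameter for the tolerance later JDK versions added (the 2007-era checker has none). Every timestamp is constructed: thisUpdate matches the 15:41:03 entry in the quoted responder log, while the nextUpdate one hour later, the certificate dates and the 15-minute tolerance are my assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values (assumptions, not data from the poster's
# responder): thisUpdate is taken from the 15:41:03 log entry in the
# thread; nextUpdate one hour later and the certificate dates are made up.
SAMPLE_THIS_UPDATE = "20071015154103Z"
SAMPLE_NEXT_UPDATE = "20071015164103Z"
SAMPLE_NOT_BEFORE = "20070101000000Z"
SAMPLE_NOT_AFTER = "20080101000000Z"


def parse_generalized_time(s):
    """Parse the ASN.1 GeneralizedTime form OCSP uses: YYYYMMDDHHMMSSZ (UTC)."""
    if len(s) != 15 or not s.endswith("Z"):
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % (s,))
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_is_current(not_before, not_after, now):
    """The check EJP suggests: is the local clock inside the cert's validity period?"""
    return not_before <= now <= not_after


def response_interval_ok(this_update, next_update, now, max_skew=timedelta(0)):
    """The check behind "validity interval is out-of-date".

    The client rejects a response whose thisUpdate is in the future, or
    whose nextUpdate (if present) is in the past, judged by the client's
    own clock.  max_skew models the tolerance later JDKs added; the
    2007-era checker allowed none, so the default is zero.
    """
    if now + max_skew < this_update:
        return False            # responder's clock is ahead of the client's
    if next_update is not None and now - max_skew > next_update:
        return False            # stale response, or client clock ahead
    return True


def diagnose(cert_not_before, cert_not_after, this_update, next_update, now,
             max_skew=timedelta(0)):
    """Return which of the two checks a validator with these inputs would fail."""
    if not certificate_is_current(cert_not_before, cert_not_after, now):
        return "certificate expired or not yet valid"
    if not response_interval_ok(this_update, next_update, now, max_skew):
        if now + max_skew < this_update:
            return "response thisUpdate is in the future: clocks disagree"
        return "response nextUpdate has passed: responder serving a stale response"
    return "ok"


def run_samples():
    """Run four constructed scenarios; return {name: (strict verdict, lenient verdict)}."""
    nb = parse_generalized_time(SAMPLE_NOT_BEFORE)
    na = parse_generalized_time(SAMPLE_NOT_AFTER)
    tu = parse_generalized_time(SAMPLE_THIS_UPDATE)
    nu = parse_generalized_time(SAMPLE_NEXT_UPDATE)
    skew = timedelta(minutes=15)    # assumed tolerance for the "lenient" column
    scenarios = {
        "clock inside interval": tu + timedelta(minutes=9),
        "client 10 min behind responder": tu - timedelta(minutes=10),
        "client 2 h after nextUpdate": nu + timedelta(hours=2),
        "certificate expired": na + timedelta(days=30),
    }
    results = {}
    for name, now in scenarios.items():
        results[name] = (diagnose(nb, na, tu, nu, now),
                         diagnose(nb, na, tu, nu, now, skew))
    return results


if __name__ == "__main__":
    for name, (strict, lenient) in run_samples().items():
        print("%-32s strict: %-66s lenient: %s" % (name, strict, lenient))
```

To use it on a real failure, take thisUpdate and nextUpdate from the response (openssl ocsp prints them with -resp_text), the certificate dates from openssl x509 -noout -dates, and call diagnose() with the client machine's clock; the "client 10 min behind responder" row shows the case that the strict 2007-era check rejects while a 15-minute tolerance accepts.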