0 Replies Latest reply: Nov 29, 2011 3:14 AM by user8478974 RSS

    Problems validating an X509 certificate path

      I am trying to implement a X509TrustManager. In the code below the path is made from the certificates received from the server, and the TrustAnchor is generated from the root of this path (a Verisign certificate). In other words rootCert is identical to certs[1]. Yet, validation fails. I am not sure whether Verisign certificate should be in the pass or in which order the path must be set up (root first or last?). Could anyone give me a hint? I am assuming that the path is valid (Web browser seems to have no problem.)

          public void checkServerTrusted(X509Certificate[] certs, String authType)
                  throws CertificateException {
              try {
                  CertificateFactory cf = CertificateFactory.getInstance("X.509");
                  List list = new ArrayList();
                  for (int i = certs.length - 1; i >= 0; i--) {
      CertPath path = cf.generateCertPath(list);
      TrustAnchor anchor = new TrustAnchor(rootCert, null);

      Set anchors = Collections.singleton(anchor);

      PKIXParameters params = new PKIXParameters(anchors);

      // Activate certificate revocation checking

      // Activate OCSP
      Security.setProperty("ocsp.enable", "true");

      // Activate CRLDP
      System.setProperty("com.sun.security.enableCRLDP", "true");

      // Ensure that the ocsp.responderURL property is not set.
      if (Security.getProperty("ocsp.responderURL") != null) {
      throw new Exception("The ocsp.responderURL property must not be set");

      CertPathValidator validator = CertPathValidator.getInstance("PKIX");

      System.out.println("provider = " + validator.getProvider());
      System.out.println("path = " + path);
      System.out.println("params = " + params);
      validator.validate(path, params);

      } catch (CertPathValidatorException ex) {
      throw new CertificateException(ex.getMessage());
      } catch (NoSuchAlgorithmException ex) {
      } catch (InvalidAlgorithmParameterException ex) {
      } catch (CertificateException ex) {
      } catch (Exception ex) {