0 Replies    Latest reply: Nov 29, 2011 3:14 AM by user8478974

    Problems validating an X509 certificate path

    user8478974
      I am trying to implement an X509TrustManager. In the code below the path is made from the certificates received from the server, and the TrustAnchor is generated from the root of this path (a Verisign certificate). In other words, rootCert is identical to certs[1]. Yet, validation fails. I am not sure whether the Verisign certificate should be in the path, or in which order the path must be set up (root first or last?). Could anyone give me a hint? I am assuming that the path is valid (the web browser seems to have no problem).

      Thanks.
      import java.security.InvalidAlgorithmParameterException;
      import java.security.NoSuchAlgorithmException;
      import java.security.Security;
      import java.security.cert.CertPath;
      import java.security.cert.CertPathValidator;
      import java.security.cert.CertPathValidatorException;
      import java.security.cert.CertificateException;
      import java.security.cert.CertificateFactory;
      import java.security.cert.PKIXParameters;
      import java.security.cert.TrustAnchor;
      import java.security.cert.X509Certificate;
      import java.util.ArrayList;
      import java.util.Collections;
      import java.util.List;
      import java.util.Set;

      // rootCert is a field of the enclosing class holding the Verisign root certificate.
      @Override
      public void checkServerTrusted(X509Certificate[] certs, String authType)
              throws CertificateException {
          try {
              CertificateFactory cf = CertificateFactory.getInstance("X.509");

              // Build the path from the received chain in reverse order: root first, leaf last.
              List<X509Certificate> list = new ArrayList<X509Certificate>();
              for (int i = certs.length - 1; i >= 0; i--) {
                  list.add(certs[i]);
              }
              CertPath path = cf.generateCertPath(list);

              // The root of the received chain doubles as the single trust anchor.
              TrustAnchor anchor = new TrustAnchor(rootCert, null);
              Set<TrustAnchor> anchors = Collections.singleton(anchor);
              PKIXParameters params = new PKIXParameters(anchors);

              // Activate certificate revocation checking
              params.setRevocationEnabled(true);

              // Activate OCSP (JVM-wide security property)
              Security.setProperty("ocsp.enable", "true");

              // Activate CRLDP (JVM-wide system property)
              System.setProperty("com.sun.security.enableCRLDP", "true");

              // Ensure that the ocsp.responderURL property is not set.
              if (Security.getProperty("ocsp.responderURL") != null) {
                  throw new CertificateException("The ocsp.responderURL property must not be set");
              }

              CertPathValidator validator = CertPathValidator.getInstance("PKIX");

              System.out.println("provider = " + validator.getProvider());
              System.out.println("path = " + path);
              System.out.println("params = " + params);
              validator.validate(path, params);

          } catch (CertPathValidatorException ex) {
              // Keep the cause: getIndex() and getReason() on it say which certificate failed and why.
              throw new CertificateException(ex.getMessage(), ex);
          } catch (NoSuchAlgorithmException ex) {
              // Fail closed: returning normally from checkServerTrusted would mean the chain is trusted.
              throw new CertificateException(ex);
          } catch (InvalidAlgorithmParameterException ex) {
              throw new CertificateException(ex);
          }
      }
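The points the question turns on, the order of the certificates in a CertPath and where the trust anchor belongs, shown in a complete X509TrustManager. This is an added example and not code from the original post or from the poster: the class name PkixTrustManager, its method names, and the assumption that a PEM chain file and a trust store (for instance the JDK's cacerts file) are available on disk are all mine. It keeps the chain in the order the TLS layer delivers it (leaf first) and cuts the trust anchor off the path instead of validating it as a path element.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

/** Added example: an X509TrustManager that validates the presented chain with the PKIX CertPathValidator. */
public final class PkixTrustManager implements X509TrustManager {

    private final Set<TrustAnchor> anchors;
    private final Set<X509Certificate> anchorCerts = new HashSet<>();  // for "is this certificate an anchor?" lookups
    private final boolean checkRevocation;

    public PkixTrustManager(Set<TrustAnchor> anchors, boolean checkRevocation) {
        this.anchors = Collections.unmodifiableSet(new HashSet<>(anchors));
        for (TrustAnchor a : anchors) anchorCerts.add(a.getTrustedCert());   // equals/hashCode use the DER encoding
        this.checkRevocation = checkRevocation;
    }

    /** Every trusted-certificate entry of a KeyStore (e.g. the JDK cacerts file) becomes a TrustAnchor. */
    public static Set<TrustAnchor> anchorsFrom(KeyStore ks) throws GeneralSecurityException {
        Set<TrustAnchor> result = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.isCertificateEntry(alias) ? ks.getCertificate(alias) : null;
            if (c instanceof X509Certificate) {
                result.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return result;
    }

    /**
     * The TLS layer hands the chain leaf-first, each certificate issued by the next, which is
     * the order CertPath wants: target first, last element issued by the trust anchor. The anchor
     * is an input to the PKIX algorithm (RFC 5280, section 6.1), not a path element, so it is cut
     * off here even though most servers send their root along with the chain.
     */
    public PKIXCertPathValidatorResult validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : chain) {
            if (anchorCerts.contains(cert)) break;   // the anchor and anything above it stay out of the path
            path.add(cert);
        }
        if (path.isEmpty()) {
            throw new CertificateException("leaf is itself a trust anchor; not handled by this example");
        }
        try {
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(checkRevocation);   // fetching CRLs/OCSP also needs the JVM-wide properties
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
        } catch (CertPathValidatorException e) {
            // e.getIndex() is the offending certificate's position in the path (-1 if not certificate-specific)
            throw new CertificateException("PKIX validation failed at index " + e.getIndex() + ": " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new CertificateException(e);   // fail closed: never return normally on an internal error
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return anchorCerts.toArray(new X509Certificate[0]);
    }

    /** Offline check of a PEM chain against a trust store: java PkixTrustManager chain.pem cacerts [storepass] */
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args.length > 2 ? args[2].toCharArray() : null);
        }
        PKIXCertPathValidatorResult r = new PkixTrustManager(anchorsFrom(ks), false)
                .validate(chain.toArray(new X509Certificate[0]));
        System.out.println("valid, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

To use it in a connection, pass an instance to SSLContext.init(null, new TrustManager[] { tm }, null). The main method runs with revocation checking off so it works offline; with it on, the ocsp.enable and com.sun.security.enableCRLDP properties from the post are JVM-wide and should be set once at startup rather than inside checkServerTrusted, and on Java 8 or later the PKIXRevocationChecker obtained from validator.getRevocationChecker() and added with params.addCertPathChecker() gives per-validation control (soft-fail, OCSP-only, and so on) instead. Note also that this class deliberately does not check that the leaf's host name matches the connection; that is a separate check the TLS layer or HostnameVerifier must perform.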