
    OCSP Validation

    553148
      Hi All, I'm trying to validate an X.509 certificate using Java, but it always gives the error "Validation failure, cert :java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses". I also added the certificate to the Windows certificate store. Any clue how to resolve this?

      =========================Code ===========================================================

      import java.security.cert.*;
      import java.security.*;
      import java.util.*;
      import java.io.*;

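      /**
       * Command-line check of one certificate chain against a trust anchor, with OCSP
       * revocation checking switched on through the JVM-wide {@code ocsp.*} security properties.
       *
       * <p>The PKIX validator accepts an OCSP response only when it is signed by the issuing
       * CA itself, by a delegated responder certificate issued by that CA that carries the
       * OCSP-signing extended key usage, or by the responder certificate named through the
       * {@code ocsp.responderCertSubjectName} (or {@code ocsp.responderCertIssuerName} plus
       * {@code ocsp.responderCertSerialNumber}) security properties. The failure
       * "Responder's certificate is not authorized to sign OCSP responses" means none of these
       * held for the responder that answered; the remedy is on the responder side or in those
       * properties, not in turning revocation checking off.
       */
      public class OCSPCheck {

          // OCSP URL http://ocsp.lankaclear.lk:11080/ocsp/ee/ocsp

          /** Responder to query; set as {@code ocsp.responderURL}, which takes precedence over any AIA URL in the certificates. */
          private static final String TEST_RESPONDER_URL = "http://172.18.60.100:11080/ocsp/ee/ocsp";
          // private static final String TEST_RESPONDER_URL = "http://ocsp-commercial.lankaclear.lk:11080/ocsp/ee/ocsp";

          /**
           * Loads the CA and client certificates from fixed paths and validates the chain.
           *
           * @param args ignored
           */
          public static void main(String[] args) {
              try {
                  // CA Certificate (used as the trust anchor)
                  X509Certificate caCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-ROOT-PUB.cer");
                  // Client Certificate (the certificate whose status is being checked)
                  X509Certificate clientCert = readCert("F:\\4 Development\\X509Validation\\src\\LCPL-Intermediate-Pub.cer");

                  // Path ordered from the target towards the anchor.
                  // NOTE(review): RFC 5280 path validation treats the trust anchor as outside
                  // the path; confirm whether caCert should be omitted from certList here.
                  List<X509Certificate> certList = new ArrayList<X509Certificate>();
                  certList.add(clientCert);
                  certList.add(caCert);
                  validateCertPath(certList, caCert, TEST_RESPONDER_URL);
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }

          /**
           * Validates {@code certList} as a PKIX path anchored at {@code trustedCert}, with OCSP
           * revocation checking against {@code responderUrl}.
           *
           * <p>Enabling OCSP via {@link Security#setProperty} is process-wide: every PKIX
           * validation in this JVM afterwards will contact {@code responderUrl}. (Java 8 and later
           * offer {@code PKIXRevocationChecker} to scope these settings to a single validator.)
           *
           * @param certList     certificates ordered from the target towards the anchor
           * @param trustedCert  the trust anchor for the path
           * @param responderUrl OCSP responder to query
           */
          private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
              try {
                  CertificateFactory cf = CertificateFactory.getInstance("X.509");
                  CertPath cp = cf.generateCertPath(certList);
                  CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

                  // Set the Trust anchor
                  TrustAnchor anchor = new TrustAnchor(trustedCert, null);
                  PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
                  params.setRevocationEnabled(true);

                  // Set before validate(): the provider consults these properties during validation.
                  Security.setProperty("ocsp.enable", "true");
                  Security.setProperty("ocsp.responderURL", responderUrl);

                  // Validate and obtain results
                  try {
                      PKIXCertPathValidatorResult result =
                              (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                      PolicyNode policyTree = result.getPolicyTree();
                      PublicKey subjectPublicKey = result.getPublicKey();

                      System.out.println("Query Result ");
                      System.out.println("Policy Tree:\n" + policyTree);
                      System.out.println("Subject Public key:\n" + subjectPublicKey);
                  } catch (CertPathValidatorException cpve) {
                      // Catch the specific type so the failing certificate's position is reported
                      // instead of being lost in a generic Exception.
                      System.out.println("Validation failure, cert :"
                              + cpve.toString());
                      System.out.println("Failing certificate index (-1 if not tied to one certificate): "
                              + cpve.getIndex());
                  }
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }

          /**
           * Reads a single X.509 certificate from {@code fileName}.
           *
           * @param fileName path of the certificate file
           * @return the parsed certificate
           * @throws IOException          if the file cannot be opened or closed
           * @throws CertificateException if the content is not a parseable X.509 certificate
           */
          private static X509Certificate readCert(String fileName) throws IOException, CertificateException {
              InputStream is = new BufferedInputStream(new FileInputStream(fileName));
              try {
                  CertificateFactory cf = CertificateFactory.getInstance("X.509");
                  return (X509Certificate) cf.generateCertificate(is);
              } finally {
                  // Always release the file handle; the previous version never closed the stream.
                  is.close();
              }
          }
      }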

      ===========================================================================================================