|
Sample code to validate certificates via OCSP service |
|
Subject: Sample code to validate certificates via OCSP service
Author: X509
In response to: Any other parameters to customize OCSP?
Posted on: 07/01/2010 08:31:27 PM
import java.io.*;
import java.net.SocketException;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
public class AuthorizedResponderNoCheck {
static String selfSignedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy your trust anchor certificate here, in PEM format.
"-----END CERTIFICATE-----";
static String trusedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy your trusted enterprise certificate here, in PEM format.
"-----END CERTIFICATE-----";
static String issuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy the intermediate CA certificate here, in PEM format.
"-----END CERTIFICATE-----";
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy the target certificate here, in PEM format.
"-----END CERTIFICATE-----";
private static CertPath generateCertificatePath()
throws CertificateException {
// generate certificate from cert strings
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(issuerCertStr.getBytes());
Certificate issuerCert = cf.generateCertificate(is);
is = new ByteArrayInputStream(targetCertStr.getBytes());
Certificate targetCert = cf.generateCertificate(is);
is = new ByteArrayInputStream(trusedCertStr.getBytes());
Certificate trusedCert = cf.generateCertificate(is);
is.close();
// generate certification path
List list = Arrays.asList(new Certificate[] {
targetCert, issuerCert, trusedCert});
return cf.generateCertPath(list);
}
private static Set generateTrustAnchors()
throws CertificateException {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
is.close();
// generate a trust anchor
TrustAnchor anchor =
new TrustAnchor((X509Certificate)selfSignedCert, null);
return Collections.singleton(anchor);
}
public static void main(String args[]) throws Exception {
// if you work behind proxy, configure the proxy.
System.setProperty("http.proxyHost", "proxyhost");
System.setProperty("http.proxyPort", "proxyport");
CertPath path = generateCertificatePath();
Set anchors = generateTrustAnchors();
PKIXParameters params = new PKIXParameters(anchors);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
// Activate CRLDP
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
validator.validate(path, params);
}
}
>
> On 07/01/2010 08:23:16 PM X509 wrote:
Yes, here you go:
Location of the OCSP responder
ocsp.responderURL=http://ocsp.example.net:80
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property explicitly specifies the location of the OCSP responder. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.
Similar to what you expects for crlDP, you may see the following ebtry in a certificate:
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://onsite-ocsp.verisign.com]
]
Here, "http://onsite-ocsp.verisign.com" indicates the default location of the OCSP service.
Subject name of the OCSP responder's certificate
ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate then both the "ocsp.responderCertIssuerName" and "ocsp.responderCertSerialNumber" properties must be used instead. When this property is set then those two properties are ignored.
Issuer name of the OCSP responder's certificate
ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the "ocsp.responderCertSerialNumber" property must also be set. When the "ocsp.responderCertSubjectName" property is set then this property is ignored.
Serial number of the OCSP responder's certificate
ocsp.responderCertSerialNumber=2A:FF:00
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string of hexadecimal digits (colon or space separators may be present) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the "ocsp.responderCertIssuerName" property must also be set. When the "ocsp.responderCertSubjectName" property is set then this property is ignored.
References:
|
|
|
|