Author |
Topic: Certificate Revocation Checking via OCSP |
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
Certificate Revocation Checking via OCSP |
What is OCSP?
OCSP stands for Online Certificate Status Protocol which is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
|
|
|
|
|
|
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
How many ways are there to do certificate revocation checking ? |
There are three ways to do certificate revocation checking:
1) Statically by CRL ( (Certificate Revocation List) files which are typically in local storage;
2) Dynamically by CRL Distribution Point (CRLDP) which is inside the target certificate as a URL typically pointing to the issuer's CA CRL repository;
3) Dynamically by OCSP to any server which provides Certificate Revocation Checking service.
|
|
|
|
|
|
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
What's the order then? |
The three ways can be activated at the same time for certificate checking, but the process follows the order:
OCSP --> CRLDP --> CRL File
If the incoming certificate passes OCSP checkpoint, then CRLDP, and CRL File at last.
|
|
|
|
|
|
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
Why OCSP? |
Short answer: it's faster.
Long answer:
1) CRLs may be seen as analogous to a credit card company's "bad customer list" which can grow significantly to a huge list. Locally maintaining this huge list involves both memory (you may need 4GB memory just to preload the DOD's bad customer list) footprint and synchronization issues.
2) CPLDP sounds good but not reliable due to the greater number of requests to the well known CA's URL over the Internet.
3) Since an OCSP response contains less information than a typical CRL, OCSP can feasibly provide more timely information regarding the revocation status of a certificate without burdening the network.
4) The most important reason that OCSP may play a role is that OCSP's URL can be customized. It can be pointing to any third party or your own CRL checking service or a dedicated server.
|
|
|
|
|
|
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
How do I enable OCSP checking? |
Two ways:
Dynamic Way
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
Static Way
Locate the file named <java-jre>/lib/security/java.security
|
|
|
|
|
|
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
Any other parameters to customize OCSP? |
Yes, here you go:
Location of the OCSP responder
ocsp.responderURL=http://ocsp.example.net:80
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property explicitly specifies the location of the OCSP responder. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.
Similar to what you expects for crlDP, you may see the following ebtry in a certificate:
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://onsite-ocsp.verisign.com]
]
Here, "http://onsite-ocsp.verisign.com" indicates the default location of the OCSP service.
Subject name of the OCSP responder's certificate
ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate then both the "ocsp.responderCertIssuerName" and "ocsp.responderCertSerialNumber" properties must be used instead. When this property is set then those two properties are ignored.
Issuer name of the OCSP responder's certificate
ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the "ocsp.responderCertSerialNumber" property must also be set. When the "ocsp.responderCertSubjectName" property is set then this property is ignored.
Serial number of the OCSP responder's certificate
ocsp.responderCertSerialNumber=2A:FF:00
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string of hexadecimal digits (colon or space separators may be present) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the "ocsp.responderCertIssuerName" property must also be set. When the "ocsp.responderCertSubjectName" property is set then this property is ignored.
|
|
|
|
|
|
|
X509 member offline |
|
posts: |
28 |
joined: |
05/01/2007 |
from: |
MS |
|
|
|
|
|
Sample code to validate certificates via OCSP service |
import java.io.*;
import java.net.SocketException;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
public class AuthorizedResponderNoCheck {
static String selfSignedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy your trust anchor certificate here, in PEM format.
"-----END CERTIFICATE-----";
static String trusedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy your trusted enterprise certificate here, in PEM format.
"-----END CERTIFICATE-----";
static String issuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy the intermediate CA certificate here, in PEM format.
"-----END CERTIFICATE-----";
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
// copy the target certificate here, in PEM format.
"-----END CERTIFICATE-----";
private static CertPath generateCertificatePath()
throws CertificateException {
// generate certificate from cert strings
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(issuerCertStr.getBytes());
Certificate issuerCert = cf.generateCertificate(is);
is = new ByteArrayInputStream(targetCertStr.getBytes());
Certificate targetCert = cf.generateCertificate(is);
is = new ByteArrayInputStream(trusedCertStr.getBytes());
Certificate trusedCert = cf.generateCertificate(is);
is.close();
// generate certification path
List list = Arrays.asList(new Certificate[] {
targetCert, issuerCert, trusedCert});
return cf.generateCertPath(list);
}
private static Set generateTrustAnchors()
throws CertificateException {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
is.close();
// generate a trust anchor
TrustAnchor anchor =
new TrustAnchor((X509Certificate)selfSignedCert, null);
return Collections.singleton(anchor);
}
public static void main(String args[]) throws Exception {
// if you work behind proxy, configure the proxy.
System.setProperty("http.proxyHost", "proxyhost");
System.setProperty("http.proxyPort", "proxyport");
CertPath path = generateCertificatePath();
Set anchors = generateTrustAnchors();
PKIXParameters params = new PKIXParameters(anchors);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
// Activate CRLDP
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
validator.validate(path, params);
}
}
|
|
|
|
|
|
|
|