Enable OCSP checking

If a certificate carries an Authority Information Access (AIA) extension that names the OCSP access method and a responder location, you can enable the default OCSP checker of the Sun PKIX implementation while building or validating a certification path.

First make sure that your certificate actually includes an AIA extension with an OCSP entry:

#${JAVA_HOME}/bin/keytool -printcert -v -file target.cert

You should see lines like these in the output:

#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://onsite-ocsp.verisign.com]
]

In the above output, accessMethod 1.3.6.1.5.5.7.48.1 is id-ad-ocsp, and the accessLocation "http://onsite-ocsp.verisign.com" is the URL of the OCSP responder that serves status for this certificate.
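The same check can be done programmatically, which is useful when an application has to decide at runtime whether OCSP checking is even possible for a given certificate. The following is an added example, not code from the original post: the JDK only exposes the raw extension bytes through X509Certificate.getExtensionValue(), so the small DER walker, the class name and the command-line usage are mine.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Lists the OCSP responder URLs in a certificate's Authority Information Access
 * extension. Added example, not code from the original post.
 */
public class OcspResponderLocator {

    /** id-pe-authorityInfoAccess, the extension OID shown in the keytool output. */
    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";

    /** DER content octets of OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1 (id-ad-ocsp). */
    static final byte[] ID_AD_OCSP = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};

    /** A DER value: its tag plus a window [pos, end) over the underlying buffer. */
    static final class Der {
        final byte[] buf;
        final int end;
        final int tag;
        int pos;

        Der(byte[] buf, int start, int end, int tag) {
            this.buf = buf; this.pos = start; this.end = end; this.tag = tag;
        }

        boolean hasMore() { return pos < end; }

        /** Reads the next TLV inside this value and returns a cursor over its contents. */
        Der next() {
            if (pos + 2 > end) throw new IllegalArgumentException("truncated DER");
            int t = buf[pos++] & 0xff;
            int len = buf[pos++] & 0xff;
            if (len == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
            if (len > 0x80) {                       // long form: low 7 bits = octet count
                int n = len & 0x7f;
                if (n > 4 || pos + n > end) throw new IllegalArgumentException("bad length");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xff);
            }
            if (len < 0 || pos + len > end) throw new IllegalArgumentException("length overruns value");
            Der value = new Der(buf, pos, pos + len, t);
            pos += len;
            return value;
        }

        byte[] contents() { return Arrays.copyOfRange(buf, pos, end); }
    }

    /** Returns every OCSP URL in the AIA extension, or an empty list if there is none. */
    public static List<String> ocspUrls(X509Certificate cert) {
        List<String> urls = new ArrayList<>();
        byte[] extValue = cert.getExtensionValue(AIA_OID);
        if (extValue == null) {
            return urls;                            // no AIA extension: OCSP cannot be located
        }
        // getExtensionValue() returns the OCTET STRING that wraps extnValue
        Der octetString = new Der(extValue, 0, extValue.length, -1).next();
        if (octetString.tag != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        Der accessDescriptions = octetString.next();     // SEQUENCE OF AccessDescription
        if (accessDescriptions.tag != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        while (accessDescriptions.hasMore()) {
            Der ad = accessDescriptions.next();          // AccessDescription ::= SEQUENCE
            Der method = ad.next();                      // accessMethod OBJECT IDENTIFIER
            Der location = ad.next();                    // accessLocation GeneralName
            // GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String, i.e. tag 0x86
            if (method.tag == 0x06 && Arrays.equals(method.contents(), ID_AD_OCSP)
                    && location.tag == 0x86) {
                urls.add(new String(location.contents(), StandardCharsets.US_ASCII));
            }
        }
        return urls;
    }

    public static void main(String[] args) throws Exception {
        // usage: java OcspResponderLocator target.cert   (PEM or DER; path is an assumption)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            List<String> urls = ocspUrls(cert);
            if (urls.isEmpty()) {
                System.out.println("No OCSP responder in AIA; enabling ocsp.enable "
                    + "will not help for this certificate");
            }
            for (String url : urls) {
                System.out.println("OCSP responder: " + url);
            }
        }
    }
}
```

Run it against target.cert; the URL it prints should match the accessLocation that keytool shows. A certificate without an OCSP entry in its AIA can only be revocation-checked through CRLs (or through the ocsp.responderURL property, which points every check at one fixed responder).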

If the certificates in your path carry such an extension, you can enable the OCSP checker as follows.

In the Sun PKIX implementation, OCSP checking is disabled by default for compatibility. Enabling OCSP only has an effect if revocation checking is also enabled, so you must first activate certificate revocation checking on the PKIXParameters, then activate OCSP through the ocsp.enable security property. Only a few lines are needed:

PKIXParameters params = new PKIXParameters(anchors);

// Activate certificate revocation checking
params.setRevocationEnabled(true);

// Activate OCSP
Security.setProperty("ocsp.enable", "true");

After these two settings, the default Sun PKIX implementation fetches the status of each certificate from the OCSP responder named in its AIA extension; for the example above that is http://onsite-ocsp.verisign.com. The OCSP checker sends a status request to the responder, receives and verifies the response, and rejects the target certificate if the status is revoked or unknown. Note that ocsp.enable is a JVM-wide security property, so setting it affects every PKIX validation in the process, not only the one you are configuring.
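JDK 8 and later add a per-validation alternative to the global ocsp.enable property: java.security.cert.PKIXRevocationChecker, obtained from CertPathValidator.getRevocationChecker(). The following is an added example, not code from the original post, written to show how to configure it and how to tell a revoked certificate apart from one whose status could not be determined. The class name, the Outcome enum and the strict flag are mine; path and anchors are assumed to be built the same way as in the sample program later on this page.

```java
import java.net.URI;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.util.EnumSet;
import java.util.Set;

/**
 * OCSP-enabled PKIX validation with the JDK 8+ PKIXRevocationChecker.
 * Added example; not part of the original post.
 */
public class OcspPathValidation {

    /** Outcome of a validation, so callers can treat "revoked" differently from "unknown". */
    public enum Outcome { VALID, REVOKED, STATUS_UNDETERMINED, OTHER_FAILURE }

    /**
     * Validates path against anchors with OCSP as the primary revocation source.
     *
     * @param responder optional override of the AIA responder URL (same role as the
     *                  ocsp.responderURL security property, but scoped to this call);
     *                  pass null to use the URL from each certificate's AIA extension
     * @param strict    true: no CRL fallback, so an unreachable responder fails validation;
     *                  false: fall back to CRLs when OCSP is unavailable
     */
    public static Outcome validate(CertPath path, Set<TrustAnchor> anchors,
                                   URI responder, boolean strict) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();

        // Default behaviour of the checker: OCSP first, CRLs as fallback.
        EnumSet<Option> options = EnumSet.noneOf(Option.class);
        if (strict) {
            options.add(Option.NO_FALLBACK);   // do not silently switch to CRLs
        }
        // Option.SOFT_FAIL would let network errors pass; it is deliberately not set,
        // so "cannot reach the responder" stays a hard failure.
        rc.setOptions(options);

        if (responder != null) {
            rc.setOcspResponder(responder);
        }

        PKIXParameters params = new PKIXParameters(anchors);
        // A PKIXRevocationChecker added here is used for revocation checking
        // regardless of the RevocationEnabled flag, so no setRevocationEnabled(true).
        params.addCertPathChecker(rc);

        try {
            PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) cpv.validate(path, params);
            System.out.println("Path valid, anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return Outcome.VALID;
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path of the failing certificate
            // (0 = end entity, -1 = not applicable)
            System.err.println("Validation failed at cert " + e.getIndex()
                + ": " + e.getMessage());
            if (e.getReason() == BasicReason.REVOKED) {
                return Outcome.REVOKED;
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // Responder unreachable, response unverifiable, or status "unknown":
                // treat as untrusted unless you have a documented reason not to.
                return Outcome.STATUS_UNDETERMINED;
            }
            return Outcome.OTHER_FAILURE;
        }
    }
}
```

Because the checker is attached to the PKIXParameters of one validation, two parts of the same JVM can use different OCSP policies, which the global ocsp.enable and ocsp.responderURL properties do not allow. Keep the distinction between REVOKED and STATUS_UNDETERMINED visible in your logs: the first is a definite answer from the CA, the second usually means the responder was down or the response could not be verified.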

Here is sample code I wrote to help you test your certificates and OCSP service; I hope it helps.

/**
 * @author Xuelei Fan
 */
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class AuthorizedResponderNoCheck {

    // Chain, leaf first: targetCert -> issuerCert -> trustedCert -> selfSignedCert (anchor).
    // Each string must hold one complete PEM certificate between the BEGIN/END lines.
    static String selfSignedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        // copy your trust anchor certificate here, in PEM format.
        "-----END CERTIFICATE-----";

    static String trustedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        // copy your trusted enterprise certificate here, in PEM format.
        "-----END CERTIFICATE-----";

    static String issuerCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        // copy the intermediate CA certificate here, in PEM format.
        "-----END CERTIFICATE-----";

    static String targetCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        // copy the target certificate here, in PEM format.
        "-----END CERTIFICATE-----";


    // parse one PEM-encoded certificate
    private static Certificate parseCert(CertificateFactory cf, String pem)
            throws CertificateException {
        return cf.generateCertificate(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    private static CertPath generateCertificatePath()
            throws CertificateException {
        // generate certificates from the PEM strings
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        Certificate issuerCert = parseCert(cf, issuerCertStr);
        Certificate targetCert = parseCert(cf, targetCertStr);
        Certificate trustedCert = parseCert(cf, trustedCertStr);

        // generate the certification path; PKIX expects the target (end-entity)
        // certificate first and the certificate issued by the trust anchor last
        List<Certificate> list = Arrays.asList(targetCert, issuerCert, trustedCert);

        return cf.generateCertPath(list);
    }

    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        // generate the certificate from the PEM string
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        Certificate selfSignedCert = parseCert(cf, selfSignedCertStr);

        // generate a trust anchor (no name constraints)
        TrustAnchor anchor =
            new TrustAnchor((X509Certificate) selfSignedCert, null);

        return Collections.singleton(anchor);
    }

    public static void main(String[] args) throws Exception {

        // if you work behind a proxy, configure it here; otherwise remove these
        // two lines, or the OCSP request will be sent to a non-existent proxy.
        System.setProperty("http.proxyHost", "proxyhost");
        System.setProperty("http.proxyPort", "proxyport");

        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();

        PKIXParameters params = new PKIXParameters(anchors);

        // Activate certificate revocation checking
        params.setRevocationEnabled(true);

        // Activate OCSP (JVM-wide security property)
        Security.setProperty("ocsp.enable", "true");

        // Activate CRL Distribution Points, so CRLs can be fetched as well
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Ensure that the ocsp.responderURL property is not set, so the
        // responder is taken from the AIA extension of each certificate.
        if (Security.getProperty("ocsp.responderURL") != null) {
            throw new
                Exception("The ocsp.responderURL property must not be set");
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // throws CertPathValidatorException if any certificate is revoked,
        // its status is unknown, or the path does not chain to the anchor
        PKIXCertPathValidatorResult result =
            (PKIXCertPathValidatorResult) validator.validate(path, params);
        System.out.println("Certification path is valid; anchor: "
            + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
Comments:

Hi, good entry :)

I followed your sample to validate a chain with OCSP, but I found a problem. In the CertPathValidator I can specify a date; everything works fine when the date is the current date, but when the date is in the past the validator throws an exception. Do you know if the validator supports OCSP validation with a past date?

Thanks.

java.security.cert.CertPathValidatorException: Must specify the location of an OCSP Responder
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at net.esle.sinadura.core.validate.CertificatePathBuilder.verifyCertificateChainRealTime(CertificatePathBuilder.java:521)
at net.esle.sinadura.gui.sections.main.helpers.ValidatePDFHelper.validatePDF(ValidatePDFHelper.java:216)
at net.esle.sinadura.gui.sections.main.events.ValidatePDFProgress.run(ValidatePDFProgress.java:33)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:113)

Posted by Alfredo Sanchez Blanco on August 04, 2009 at 03:31 PM GMT+08:00 #

Hi:

If I use Bouncy Castle, how do I do it?
What should "com.sun.security.enableCRLDP" be?

Posted by pp on August 06, 2009 at 11:55 AM GMT+08:00 #

Alfredo,

It is a good question. I'm afraid OCSP validation does not support past dates currently. We will investigate the need to support past dates. If interested, please keep track of the status of http://bugs.sun.com/view_bug.do?bug_id=6883616.

Thanks,
Xuelei

Posted by Xue-Lei Andrew Fan on September 18, 2009 at 04:26 PM GMT+08:00 #

Hi,

I have a signature.xml file with the signature's certificate in PEM format; I can extract it from the XML and add the "-----begin/end... -----" parts. Maybe you know where and how I can get the other certificates?
When I try "List list = Arrays.asList(new Certificate[] {cert});" it only gives me:
"java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors"...

Cheers,
Martin

Posted by Martin on December 07, 2010 at 08:31 AM GMT+08:00 #

I've got the same error. I changed the code to get X509Certificates from my jks files, but I get "Path does not chain with any of the trust anchors".
I tried directly with other certificates, just pasting the code, but I'm still getting the same error. I've been racking my brain trying to figure out what is wrong. Any suggestions, please? I'd be really grateful if someone could clarify this. Thanks

Posted by Marcelo on February 01, 2011 at 10:11 PM GMT+08:00 #

@Martin@Marcelo>

Apparently the certificate you want to validate must be chained to a trust anchor. The error says that your certificate chain does not go up to one of the anchors.

I suppose your chain should be something like:

targetCert --> issuerCert --> trustedCert --> selfSignedCertStr/anchor

Where the arrow means "issued by"

Posted by Marian on February 03, 2011 at 03:32 PM GMT+08:00 #
