Hi,
I'm trying to use OCSP validation on JDK 1.5.0_05. I have a keystore with just the trusted root certificate and the OCSP server certificate in it. I use that "trustedCerts" keystore for my params:
params = new PKIXParameters(trustedCerts);
params.setRevocationEnabled(true);
...
CertPathValidatorResult cpvResult = cpv.validate(certPath, params);
Where "certPath" is the certificate path to validate.
I get the following exception:
java.security.cert.CertPathValidatorException: Certificate in the OCSP response does not match the certificate supplied in the OCSP request.
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
...
With certpath debugging on, it looks like the OCSP validation algorithm is choosing the wrong certificate. It looks like the path is validated properly, then the OCSP part chooses the trusted root certificate instead of the OCSP server certificate to use for the request. I have tried setting the following properties:
java.security.Security.setProperty("ocsp.responderCertIssuerName", ocspCert.getIssuerX500Principal().getName());
java.security.Security.setProperty("ocsp.responderCertSerialNumber", ocspCert.getSerialNumber().toString());
I have alternately tried:
java.security.Security.setProperty("ocsp.responderCertSubjectName", ocspCert.getSubjectX500Principal().getName());
Where the "ocspCert" is the server certificate for the OCSP responder out of the aforementioned trustedCerts keystore.
Could someone tell me what I'm doing wrong?
Thanks,
-Keith
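As an added example (not code from the post above), the following is a complete PKIX-with-OCSP validation setup for the Sun provider in JDK 5, put together so the pieces the post touches separately (the keystore, PKIXParameters, the ocsp.* security properties, the validate call) are visible in one place. Two documented points are worth seeing in full: the Sun provider only consults OCSP at all when the ocsp.enable security property is "true", and when no ocsp.responderCert* property is set it assumes the issuer of the certificate being checked signs the response. The keystore name, password, certificate file names, alias and responder URL are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example (not from the original post): PKIX validation with OCSP
 * revocation checking on the Sun JDK 5 provider. File names, password,
 * alias and responder URL are hypothetical placeholders.
 */
public class OcspValidate {

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: a keystore holding the trusted root and the
        // OCSP responder certificate, plus the certificates to be validated.
        String keystorePath = "trustedCerts.jks";
        char[] keystorePass = "changeit".toCharArray();
        String ocspAlias = "ocsp-responder";
        String ocspUrl = "http://ocsp.example.test/";

        KeyStore trustedCerts = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream ksIn = new FileInputStream(keystorePath);
        try {
            trustedCerts.load(ksIn, keystorePass);
        } finally {
            ksIn.close();
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate endEntity = loadCert(cf, "server.cer");
        X509Certificate intermediate = loadCert(cf, "intermediate.cer");
        // Leaf first, ordered toward (but not including) the trust anchor.
        CertPath certPath = cf.generateCertPath(Arrays.asList(endEntity, intermediate));

        // The Sun provider only sends OCSP requests when ocsp.enable is "true";
        // with revocation enabled but OCSP off, only CRLs are consulted.
        Security.setProperty("ocsp.enable", "true");
        // Optional: overrides the responder URL taken from the AIA extension.
        Security.setProperty("ocsp.responderURL", ocspUrl);

        // Identify the responder certificate. Without these properties the
        // provider assumes the issuer of the certificate being checked signs
        // the OCSP response. Subject and issuer names are RFC 2253 strings
        // (X500Principal.getName() produces that form); the serial number is
        // documented as a hexadecimal string, hence toString(16).
        X509Certificate ocspCert = (X509Certificate) trustedCerts.getCertificate(ocspAlias);
        Security.setProperty("ocsp.responderCertSubjectName",
                ocspCert.getSubjectX500Principal().getName());
        // Alternative to the subject name: issuer name plus serial number.
        // Security.setProperty("ocsp.responderCertIssuerName",
        //         ocspCert.getIssuerX500Principal().getName());
        // Security.setProperty("ocsp.responderCertSerialNumber",
        //         ocspCert.getSerialNumber().toString(16));

        // Every trusted certificate entry in the keystore becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(trustedCerts);
        params.setRevocationEnabled(true);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) cpv.validate(certPath, params);
            System.out.println("Path valid; anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // A revoked certificate, an unreachable responder, a bad response
            // signature or a responder/certificate mismatch all land here.
            // Treat any of them as a failed validation, never as "unknown".
            System.out.println("Validation failed: " + e.getMessage());
        }
    }

    private static X509Certificate loadCert(CertificateFactory cf, String path)
            throws Exception {
        FileInputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }
}
```

Run with -Djava.security.debug=certpath to see which certificate the provider picks as the responder and which URL it contacts; the ocsp.* properties are static Security properties, so they apply to every validation in the JVM and must be set before the first validate call.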