
Java Security


"Validity interval out of date" exception

843811Oct 24 2007 — edited Dec 29 2007
I am trying to query my OCSP server from Java to check a certificate's revocation status. If I use openssl (`openssl ocsp`) against the same responder URL with the same certificate, it works, but I need to do it in Java. CRLs are also being issued correctly every hour.

When I run my code, I get:
java.security.cert.CertPathValidatorException: java.io.IOException: Response is unreliable: its validity interval is out-of-date
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
        at OCSPtest.OCSPtest.main(OCSPtest.java:127)
I have the CA cert installed as a trusted CA cert in my jre/lib/security/cacerts file, and I have the strong-encryption (unlimited-strength jurisdiction policy) extensions installed.

Here is the code:
package OCSPtest;

//~--- JDK imports ------------------------------------------------------------

import java.io.*;

import java.net.URI;

import java.security.*;
import java.security.cert.*;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;

import java.util.*;

/**
 * Class description
 *
 *
 * @version    Enter version here..., 07/10/15
 * @author     Enter your name here...
 */
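/**
 * Checks the revocation status of a single end-entity certificate via OCSP
 * using the JDK's built-in PKIX validator.
 *
 * The certificate under test, the trust anchor and the OCSP responder URL
 * are hard-coded in the constants below (the original command-line handling
 * is no longer present, so {@code args} is ignored). The validator builds a
 * one-element certificate path, so the target certificate must be issued
 * directly by the trust anchor or validation fails before OCSP is consulted.
 */
public class OCSPtest{

   /*
    * Filename that contains the OCSP responder's signing cert.
    *
    * Not used by main() at present: the responder certificate is only
    * needed if the JDK must be told (via the ocsp.responderCertSubjectName
    * security property) which certificate signs the responses. When that
    * property is unset the JDK accepts a response signed by the issuer CA
    * or by a delegated responder certificate carried in the response.
    */
   private static final String OCSP_SERVER_CERT =
      "/Users/jar/certs/OCSPSignerCertificate.pem";

   /*
    * Filename that contains the root CA cert used as the sole trust anchor.
    */
   private static final String ROOT_CA_CERT =
      "/Users/jar/certs/SensorNetCA.pem";

   /*
    * Filename that contains the end-entity cert whose status is checked.
    */
   private static final String TARGET_CERT =
      "/Users/jar/certs/jarSensornet.cer";

   /*
    * OCSP responder URL. It overrides any URL present in the target
    * certificate's AuthorityInfoAccess extension.
    *
    * NOTE(review): this is an https URL. The JDK's OCSP checker fetches it
    * with a plain URL connection, so the responder's TLS certificate must
    * itself be trusted by the JVM's truststore or the fetch presumably fails
    * before any OCSP response is seen. OCSP responses are signed, so plain
    * http is the usual (and sufficient) transport.
    */
   private static final String OCSP_RESPONDER_URL =
      "https://ca2.sensornet.gov:8442/ejbca/publicweb/status/ocsp";

   /**
    * Validates the hard-coded target certificate against the hard-coded
    * trust anchor with OCSP revocation checking enabled.
    *
    * Exits with 0 on success, 1 when the PKIX validation (including the
    * OCSP check) fails, and -1 on any other error.
    *
    * @param args ignored; all locations are taken from the class constants.
    */
   public static void main(String[] args) {
      try {
         // Load the cert to be checked. getCertFromFile() returns null on
         // failure (it has already printed why); a null element would only
         // surface later as an obscure error out of generateCertPath(), so
         // stop here instead.
         X509Certificate target = getCertFromFile(TARGET_CERT);

         if (target == null) {
            System.exit(-1);
         }

         List<X509Certificate> certs = new ArrayList<X509Certificate>();

         certs.add(target);

         // Parse the responder location up front so a malformed URL fails
         // before any network I/O is attempted.
         URI ocspServer = new URI(OCSP_RESPONDER_URL);

         System.out.println("Using the OCSP server at: " + ocspServer);
         System.out.println("to check the revocation status of: " + target);
         System.out.println();

         // init cert path (single element: the target cert only)
         CertificateFactory cf = CertificateFactory.getInstance("X509");
         CertPath           cp = cf.generateCertPath(certs);

         // load the root CA cert that serves as the only trust anchor
         X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);

         if (rootCACert == null) {
            System.exit(-1);
         }

         Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();

         trustedCertsSet.add(new TrustAnchor(rootCACert, null));

         // init PKIX parameters. Revocation checking is on by default; with
         // no CertStore registered the validator relies entirely on OCSP
         // once it is enabled below.
         PKIXParameters params = new PKIXParameters(trustedCertsSet);

         // Enable OCSP and point it at the responder.
         // NOTE: Security.setProperty() is JVM-wide, so this affects every
         // PKIX validation performed in this process, not just this call.
         Security.setProperty("ocsp.enable", "true");
         Security.setProperty("ocsp.responderURL", OCSP_RESPONDER_URL);

         // Pinning the responder's signing certificate via
         // ocsp.responderCertSubjectName (from OCSP_SERVER_CERT) is left
         // disabled, as in the original; enable it only if the responder
         // signs with a certificate that is neither the issuer CA nor
         // included in the response.

         // perform validation
         CertPathValidator           cpv        =
            CertPathValidator.getInstance("PKIX");
         PKIXCertPathValidatorResult cpv_result =
            (PKIXCertPathValidatorResult) cpv.validate(cp, params);
         X509Certificate trustedCert =
            (X509Certificate) cpv_result.getTrustAnchor().getTrustedCert();

         if (trustedCert == null) {
            System.out.println("Trusted Cert = NULL");
         } else {
            System.out.println("Trusted CA DN = "
                               + trustedCert.getSubjectDN());
         }
      } catch (CertPathValidatorException e) {
         // Also covers the failure reported in the question: the JDK's OCSP
         // checker raises "Response is unreliable: its validity interval is
         // out-of-date" when the response's thisUpdate/nextUpdate window does
         // not contain the local clock (with little or no tolerance). Compare
         // the client's clock with the responder's and inspect nextUpdate in
         // the response (openssl ocsp -text shows both) before suspecting
         // this code; openssl only warns on such a mismatch.
         e.printStackTrace();
         System.exit(1);
      } catch (Exception e) {
         e.printStackTrace();
         System.exit(-1);
      }

      System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
      System.exit(0);
   }

   /**
    * Reads an X.509 certificate (PEM or DER, as accepted by the X509
    * CertificateFactory) from the specified filepath.
    *
    * @param path filename of the certificate to load
    * @return the certificate, or {@code null} if the file cannot be read or
    *         parsed (the reason is printed to stdout)
    */
   private static X509Certificate getCertFromFile(String path) {
      X509Certificate cert = null;
      FileInputStream fis  = null;

      try {
         File certFile = new File(path);

         if (!certFile.canRead()) {
            throw new IOException(" File " + certFile.toString()
                                  + " is unreadable");
         }

         fis = new FileInputStream(certFile);

         CertificateFactory cf = CertificateFactory.getInstance("X509");

         cert = (X509Certificate) cf.generateCertificate(fis);
      } catch (Exception e) {
         System.out.println("Can't construct X509 Certificate. " + path
                            + " " + e.getMessage());
      } finally {
         // The original never closed the stream; release the descriptor
         // regardless of whether parsing succeeded.
         if (fis != null) {
            try {
               fis.close();
            } catch (IOException ignored) {
               // best-effort close; the certificate (or null) is already decided
            }
         }
      }

      return cert;
   }
}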