I am trying to query my OCSP server to check certificate status. If I use openssl to do this with the same server URL and same certificate, it works. But I need to do it in Java. CRLs are being properly issued every hour also.
When I run my code, I get:
java.security.cert.CertPathValidatorException: java.io.IOException: Response is unreliable: its validity interval is out-of-date
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at OCSPtest.OCSPtest.main(OCSPtest.java:127)
I have the CA cert as a trusted CA cert in my jre.lib/security/cacerts file, and I have the strong encryption extensions installed.
Here is the code:
package OCSPtest;
//~--- JDK imports ------------------------------------------------------------
import java.io.*;
import java.net.URI;
import java.security.*;
import java.security.cert.*;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.*;
/**
* Class description
*
*
* @version Enter version here..., 07/10/15
* @author Enter your name here...
*/
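public class OCSPtest {

    /*
     * Check the revocation status of a public key certificate using OCSP.
     *
     * All inputs are fixed at compile time (see the constants below); the
     * command-line handling that once existed is gone, so {@code args} is
     * ignored.
     */

    /*
     * Filename that contains the OCSP server's cert.
     * Currently unused: the responder cert is expected to chain to
     * ROOT_CA_CERT, so it does not need to be pinned separately.
     */
    private static final String OCSP_SERVER_CERT =
        "/Users/jar/certs/OCSPSignerCertificate.pem";

    /*
     * Filename that contains the root CA cert of the OCSP server's cert.
     * This is the single trust anchor used for path validation.
     */
    private static final String ROOT_CA_CERT =
        "/Users/jar/certs/SensorNetCA.pem";

    /*
     * Filename of the end-entity certificate whose status is queried.
     */
    private static final String CERT_TO_CHECK =
        "/Users/jar/certs/jarSensornet.cer";

    /*
     * URL of the OCSP responder; overrides any AuthorityInfoAccess URL
     * carried in the certificate.
     */
    private static final String OCSP_RESPONDER_URL =
        "https://ca2.sensornet.gov:8442/ejbca/publicweb/status/ocsp";

    /**
     * Checks the revocation status of a public key certificate using OCSP.
     *
     * Historically this tool took {@code <cert-file> [<OCSP-server>]} on the
     * command line; the current version reads both from the constants above.
     * {@code <OCSP-server>} overrides any URL present in the certificate's
     * AuthorityInfoAccess extension.
     *
     * Exit codes: 0 on success, 1 when path validation fails
     * (CertPathValidatorException), -1 on any other error (unreadable
     * files, malformed URL, ...).
     *
     * Example (with an HTTP proxy):
     *   java -Dhttp.proxyHost=proxy.example.net -Dhttp.proxyPort=8080 OCSPtest
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        try {
            // The cert path consists solely of the end-entity certificate;
            // the validator must build the link to the trust anchor itself.
            List<X509Certificate> certs = new ArrayList<X509Certificate>();
            certs.add(getCertFromFile(CERT_TO_CHECK));

            // Parse the responder location up front so a malformed URL fails
            // here with a clear message instead of deep inside the validator.
            URI ocspServer = new URI(OCSP_RESPONDER_URL);
            System.out.println("Using the OCSP server at: " + ocspServer);
            System.out.println("to check the revocation status of: "
                + certs.get(0));
            System.out.println();

            CertificateFactory cf = CertificateFactory.getInstance("X509");
            CertPath cp = cf.generateCertPath(certs);

            // The root CA is the only trust anchor; no name constraints.
            X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
            Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
            trustedCertsSet.add(new TrustAnchor(rootCACert, null));

            PKIXParameters params = new PKIXParameters(trustedCertsSet);
            // Revocation checking is already on by default for
            // PKIXParameters; stating it keeps the intent explicit.
            params.setRevocationEnabled(true);

            // Enable OCSP through the legacy Security properties. NOTE:
            // these are JVM-global and affect every PKIX validation in this
            // process, not just this one. Newer JDKs offer a per-validation
            // alternative (PKIXRevocationChecker obtained from
            // cpv.getRevocationChecker() and added via
            // params.addCertPathChecker()); kept as-is here for
            // compatibility with the original tool.
            //
            // On "Response is unreliable: its validity interval is
            // out-of-date": the JDK rejects an OCSP response whose
            // thisUpdate/nextUpdate window does not cover the validation
            // time (defaults to "now", with only a small clock-skew
            // allowance). openssl does not enforce that window by default,
            // which is why it can succeed where Java fails. The fix belongs
            // on the responder/client clocks or the responder's nextUpdate
            // setting; do not paper over it with params.setDate(), which is
            // meant for validating at a historical instant.
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", OCSP_RESPONDER_URL);
            // ocsp.responderCertSubjectName is only needed when the responder
            // cert does not chain to the trust anchor; see OCSP_SERVER_CERT.

            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult cpvResult =
                (PKIXCertPathValidatorResult) cpv.validate(cp, params);

            // getTrustedCert() may be null for anchors built from a public
            // key + name rather than a certificate.
            X509Certificate trustedCert =
                cpvResult.getTrustAnchor().getTrustedCert();
            if (trustedCert == null) {
                System.out.println("Trusted Cert = NULL");
            } else {
                System.out.println("Trusted CA DN = "
                    + trustedCert.getSubjectX500Principal());
            }
        } catch (CertPathValidatorException e) {
            // Path building, signature, validity or revocation failure.
            e.printStackTrace();
            System.exit(1);
        } catch (Exception e) {
            // Everything else: unreadable/unparsable files, bad URL, ...
            e.printStackTrace();
            System.exit(-1);
        }
        System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
        System.exit(0);
    }

    /**
     * Read an X.509 certificate from the specified filepath.
     *
     * Unlike a best-effort loader that returns {@code null}, this fails
     * loudly so that a missing or corrupt file cannot silently turn into
     * an empty cert path or a NullPointerException later on.
     *
     * @param path filename of a PEM or DER encoded X.509 certificate
     * @return the parsed certificate, never {@code null}
     * @throws IOException if the file cannot be read
     * @throws CertificateException if the content is not a valid certificate
     */
    private static X509Certificate getCertFromFile(String path)
            throws IOException, CertificateException {
        File certFile = new File(path);
        if (!certFile.canRead()) {
            throw new IOException("File " + certFile + " is unreadable");
        }
        FileInputStream fis = new FileInputStream(certFile);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            return (X509Certificate) cf.generateCertificate(fis);
        } catch (CertificateException e) {
            // Keep the original cause; add the offending path for context.
            throw new CertificateException(
                "Can't construct X509 Certificate. " + path, e);
        } finally {
            // The original leaked this stream on every call.
            fis.close();
        }
    }
}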