


"Validity interval out of date" exception

843811Oct 24 2007 — edited Dec 29 2007
I am trying to query my OCSP server to check certificate status. If I use openssl to do this with the same server URL and same certificate, it works. But I need to do it in Java. CRLs are being properly issued every hour also.

When I run my code, I get:
java.security.cert.CertPathValidatorException: java.io.IOException: Response is unreliable: its validity interval is out-of-date
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
        at OCSPtest.OCSPtest.main(OCSPtest.java:127)
I have the CA cert as a trusted CA cert in my jre.lib/security/cacerts file, and I have the strong encryption extensions installed.

Here is the code:
package OCSPtest;

//~--- JDK imports ------------------------------------------------------------

import java.io.*;

import java.net.URI;

import java.security.*;
import java.security.cert.*;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;

import java.util.*;

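/**
 * Checks the revocation status of an X.509 certificate via OCSP, using the
 * JDK's PKIX {@link CertPathValidator} driven by the legacy {@code ocsp.*}
 * security properties ({@code ocsp.enable}, {@code ocsp.responderURL}).
 *
 * <p>Note: {@link Security#setProperty} is JVM-global, so enabling OCSP and
 * pinning a responder URL here affects every PKIX validation in this process,
 * not only this check. Newer JDKs expose the same settings per validation
 * through {@code PKIXRevocationChecker}; this code keeps the property-based
 * approach because the rest of the file targets the older API.
 *
 * @version    Enter version here..., 07/10/15
 * @author     Enter your name here...
 */
public class OCSPtest {

   /*
    * Filename that contains the OCSP responder's signing cert. Not used by the
    * current flow; it can be loaded and its subject passed as
    * "ocsp.responderCertSubjectName" when the responder signs with a
    * delegated certificate that the validator cannot otherwise identify.
    */
   private static final String OCSP_SERVER_CERT =
      "/Users/jar/certs/OCSPSignerCertificate.pem";

   /*
    * Filename that contains the root CA cert; it is the single trust anchor
    * used for the validation.
    */
   private static final String ROOT_CA_CERT =
      "/Users/jar/certs/SensorNetCA.pem";

   /*
    * Certificate checked when no <cert-file> argument is supplied.
    */
   private static final String DEFAULT_CERT_TO_CHECK =
      "/Users/jar/certs/jarSensornet.cer";

   /*
    * OCSP responder used when no <OCSP-server> argument is supplied.
    */
   private static final String DEFAULT_OCSP_SERVER =
      "https://ca2.sensornet.gov:8442/ejbca/publicweb/status/ocsp";

   /**
    * Checks the revocation status of a public key certificate using OCSP.
    *
    * Usage:  java OCSPtest [<cert-file> [<OCSP-server>]]
    *     <cert-file> is the filename of the certificate to be checked.
    *            The certificate must be in PEM format. Defaults to
    *            DEFAULT_CERT_TO_CHECK when omitted.
    *     <OCSP-server> is the URL of the OCSP server to use. Defaults to
    *            DEFAULT_OCSP_SERVER when omitted. Because it is set through
    *            "ocsp.responderURL" it overrides any URL which may be present
    *            in the certificate's AuthorityInfoAccess extension.
    *
    * Exit status: 0 on success, 1 when path validation fails (including an
    * unusable OCSP response), -1 on any other error or bad usage.
    *
    * Example:  java \
    *             -Dhttp.proxyHost=proxy.example.net \
    *             -Dhttp.proxyPort=8080 \
    *             OCSPtest \
    *             mycert.pem \
    *             http://ocsp.openvalidation.org:80
    */
   public static void main(String[] args) {
      try {
         if (args.length > 2) {
            System.err.println(
               "Usage: java OCSPtest [<cert-file> [<OCSP-server>]]");
            System.exit(-1);
         }

         // no-argument invocation behaves exactly as the hard-coded original
         String certToCheckPath  =
            (args.length >= 1) ? args[0] : DEFAULT_CERT_TO_CHECK;
         String ocspServerString =
            (args.length == 2) ? args[1] : DEFAULT_OCSP_SERVER;

         // parse the responder URL up front so a typo fails here, with a
         // clear URISyntaxException, rather than deep inside the validator
         URI ocspServer = new URI(ocspServerString);

         // load the cert to be checked; getCertFromFile throws instead of
         // returning null, so an unreadable file can no longer reach
         // generateCertPath as a null element
         X509Certificate certToCheck = getCertFromFile(certToCheckPath);
         List<X509Certificate> certs = new ArrayList<X509Certificate>();
         certs.add(certToCheck);

         System.out.println("Using the OCSP server at: " + ocspServer);
         System.out.println("to check the revocation status of: "
                            + certToCheck);
         System.out.println();

         // init cert path (a single-element path: the end-entity cert only)
         CertificateFactory cf = CertificateFactory.getInstance("X509");
         CertPath           cp = cf.generateCertPath(certs);

         // the root CA is the only trust anchor; no name constraints
         X509Certificate  rootCACert   = getCertFromFile(ROOT_CA_CERT);
         Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();

         trustAnchors.add(new TrustAnchor(rootCACert, null));

         PKIXParameters params = new PKIXParameters(trustAnchors);

         // revocation checking is on by default; state the intent explicitly
         // so that nobody "optimises" it away later
         params.setRevocationEnabled(true);

         // enable OCSP and pin the responder. These are JVM-global properties
         // (see class doc). ocspServer is never null here because new URI()
         // above would have thrown, so the original null guard was dead code.
         Security.setProperty("ocsp.enable", "true");
         Security.setProperty("ocsp.responderURL", ocspServerString);

         // perform validation. The validator fetches and verifies the OCSP
         // response itself. A CertPathValidatorException whose cause reads
         // "Response is unreliable: its validity interval is out-of-date"
         // means the response's thisUpdate/nextUpdate window does not cover
         // the local clock (the JDK allows only a small skew), so the usual
         // causes are a wrong client clock or a responder handing out stale
         // responses -- compare the two clocks before suspecting the path.
         CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
         PKIXCertPathValidatorResult cpvResult =
            (PKIXCertPathValidatorResult) cpv.validate(cp, params);
         X509Certificate trustedCert =
            cpvResult.getTrustAnchor().getTrustedCert();

         if (trustedCert == null) {
            // cannot happen with the anchor built above (it was constructed
            // from a certificate, not a name/key pair), kept as a safety net
            System.out.println("Trusted Cert = NULL");
         } else {
            System.out.println("Trusted CA DN = "
                               + trustedCert.getSubjectX500Principal());
         }
      } catch (CertPathValidatorException e) {
         // surface the underlying reason (e.g. the OCSP IOException) before
         // the full trace; it is what the operator needs first
         System.err.println("CERTIFICATE VALIDATION FAILED: " + e.getMessage());
         if (e.getCause() != null) {
            System.err.println("  caused by: " + e.getCause());
         }
         e.printStackTrace();
         System.exit(1);
      } catch (Exception e) {
         e.printStackTrace();
         System.exit(-1);
      }

      System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
      System.exit(0);
   }

   /**
    * Reads a single X.509 certificate from the specified filepath.
    *
    * The "X509" CertificateFactory accepts both PEM (base64 with
    * BEGIN/END markers) and raw DER input.
    *
    * @param path filename of the certificate to read
    * @return the parsed certificate, never {@code null}
    * @throws IOException if the file does not exist, is unreadable, or
    *         cannot be opened
    * @throws CertificateException if the contents are not a parsable X.509
    *         certificate
    */
   static X509Certificate getCertFromFile(String path)
         throws IOException, CertificateException {
      File certFile = new File(path);

      if (!certFile.canRead()) {
         throw new IOException(" File " + certFile.toString()
                               + " is unreadable");
      }

      // the original never closed this stream; close it on every path
      FileInputStream fis = new FileInputStream(certFile);

      try {
         CertificateFactory cf = CertificateFactory.getInstance("X509");

         return (X509Certificate) cf.generateCertificate(fis);
      } finally {
         fis.close();
      }
   }
}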