Hello everybody, I'm new to this forum and my English may not be perfect. The purpose of this post is to get some help, because I'm implementing a piece of functionality with OCSP (Online Certificate Status Protocol) in a stand-alone Java application.
I get this trace when I run it:
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at dk.certifikat.ocsp.client.tiger.TigerOcsp.validateCertPath(TigerOcsp.java:124)
at dk.certifikat.ocsp.client.tiger.TigerOcsp.main(TigerOcsp.java:31)
Validation failure, cert[-1] :Path does not chain with any of the trust anchors
I based this on some code that used certificate files (.cer), and it ran perfectly!
But now I've changed it to test my own certificates and it gives me this error, and I can't figure out why. I don't think it's because I use keystores (.jks) that I convert into Certificates to make it run. I think maybe I need one more line or something.
My code is the following:
package dk.certifikat.ocsp.client.tiger;

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class TigerOcsp {

    private static final String TEST_RESPONDER_URL = "http://test.ocsp.certifikat.dk/ocsp/status";
    private static X509Certificate certCA;
    private static X509Certificate certTS;

    /**
     * Sample params:
     * TDCOCESSTEST2.cer PIDTestBruger2.cer
     * @param args
     */
    public static void main(String[] args) {
        initializeKeys();
        try {
            if (args.length != 2)
                throw new Exception("TigerOcsp caFile certfile");
            X509Certificate caCert = certCA;
            X509Certificate clientCert = certTS;
            if (caCert == null || clientCert == null)
                throw new Exception("alias \"1\" or \"mykey\" was not found in the keystores");
            // NB: this is the correct sequence!! The path runs from the target certificate
            // towards the CA. The validator looks for a trust anchor whose subject matches
            // the issuer of the last certificate in this list, so caCert must be the CA
            // that actually issued clientCert or validation fails with "does not chain".
            List<X509Certificate> certList = new ArrayList<X509Certificate>();
            certList.add(clientCert);
            certList.add(caCert);
            validateCertPath(certList, caCert, TEST_RESPONDER_URL);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static void initializeKeys() {
        String path = "/usr/share/tomcat6/certs/certifik-ap-keystore.jks";
        String password = "keystorepass";
        getCertificates(path, password);
        // NB: if the truststore also contains an alias "1" or "mykey", this second call
        // overwrites what the first call loaded.
        path = "/usr/share/tomcat6/certs/certifik-ap-truststore.1.jks";
        getCertificates(path, password);
    }

    private static void getCertificates(String path, String password) {
        InputStream in = null;
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            in = new FileInputStream(path);
            ks.load(in, password.toCharArray());
            Enumeration<String> elem = ks.aliases();
            while (elem.hasMoreElements()) {
                String alias = elem.nextElement();
                // For a private-key entry, getCertificate() returns the first certificate
                // of its chain, i.e. the end-entity certificate.
                if (alias.equals("1")) {
                    certCA = (X509Certificate) ks.getCertificate(alias);
                }
                if (alias.equals("mykey")) {
                    certTS = (X509Certificate) ks.getCertificate(alias);
                }
            }
        } catch (GeneralSecurityException e) {
            // KeyStoreException, NoSuchAlgorithmException, CertificateException
            e.printStackTrace();
        } catch (IOException e) {
            // FileNotFoundException, wrong password, corrupt keystore
            e.printStackTrace();
        } finally {
            if (in != null) {
                try { in.close(); } catch (IOException ignored) { }
            }
        }
    }

    private static void validateCertPath(List<X509Certificate> certList, X509Certificate trustedCert, String responderUrl) {
        try {
            // Instantiate a CertificateFactory for X.509
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            // Build the certification path from the List of Certificates
            CertPath cp = cf.generateCertPath(certList);
            // Create a CertPathValidator that implements the "PKIX" algorithm
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            // Set the trust anchor
            TrustAnchor anchor = new TrustAnchor(trustedCert, null);
            // Set the PKIX parameters
            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            params.setRevocationEnabled(true);
            // Tell the default revocation checker to use OCSP against this responder
            Security.setProperty("ocsp.enable", "true");
            Security.setProperty("ocsp.responderURL", responderUrl);
            // Validate and obtain results
            try {
                // THIS IS WHERE IT FAILS!!!
                PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) cpv.validate(cp, params);
                PolicyNode policyTree = result.getPolicyTree();
                PublicKey subjectPublicKey = result.getPublicKey();
                System.out.println("Certificate validated");
                System.out.println("Policy Tree:\n" + policyTree);
                System.out.println("Subject Public key:\n" + subjectPublicKey);
            } catch (CertPathValidatorException cpve) {
                cpve.printStackTrace();
                System.out.println("Validation failure, cert["
                    + cpve.getIndex() + "] :" + cpve.getMessage());
            }
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException, InvalidAlgorithmParameterException, CertificateException
            e.printStackTrace();
        }
    }

    private static X509Certificate readCert(String fileName) throws FileNotFoundException, CertificateException, IOException {
        InputStream is = new FileInputStream(fileName);
        try {
            BufferedInputStream bis = new BufferedInputStream(is);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(bis);
        } finally {
            is.close();
        }
    }
}
If someone can help me, I would really appreciate it.
Thanks a million!!!
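The error "Path does not chain with any of the trust anchors" means the PKIX validator found no anchor whose subject name (and key) matches the issuer of the last certificate in the path; it is raised before any OCSP request is made. The following is an added diagnostic, my own code and not the poster's, that loads every certificate from a JKS keystore, walks from a chosen end-entity certificate up to a self-signed root by checking both issuer name and signature, reports exactly which link is missing, and only then validates the path with OCSP. It assumes the keystore path, password and the alias of the end-entity certificate are given on the command line (the responder URL defaults to the test URL from the post), and it uses the Java 8 PKIXRevocationChecker API instead of the global ocsp.* Security properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Added example (not from the original post): explain a "does not chain" failure, then validate with OCSP. */
public class OcspChainCheck {

    /** Every X.509 certificate in the keystore, including the chains stored with private-key entries. */
    static Set<X509Certificate> loadAll(KeyStore ks) throws GeneralSecurityException {
        Set<X509Certificate> certs = new LinkedHashSet<X509Certificate>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate single = ks.getCertificate(alias);
            if (single instanceof X509Certificate) certs.add((X509Certificate) single);
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain != null)
                for (Certificate c : chain)
                    if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** The certificate in 'pool' that issued 'cert': issuer DN matches AND the signature verifies under its key. */
    static X509Certificate findIssuer(X509Certificate cert, Set<X509Certificate> pool) {
        X500Principal issuer = cert.getIssuerX500Principal();
        for (X509Certificate candidate : pool) {
            if (!candidate.getSubjectX500Principal().equals(issuer)) continue;
            try {
                cert.verify(candidate.getPublicKey());
                return candidate;
            } catch (GeneralSecurityException e) {
                // same DN but wrong key (e.g. a re-keyed CA): keep looking
            }
        }
        return null;
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: OcspChainCheck keystore.jks password leafAlias [responderUrl]");
            System.exit(2);
        }
        String responder = args.length > 3 ? args[3] : "http://test.ocsp.certifikat.dk/ocsp/status";
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }

        X509Certificate leaf = (X509Certificate) ks.getCertificate(args[2]);
        if (leaf == null) { System.err.println("no certificate under alias " + args[2]); System.exit(1); }
        Set<X509Certificate> pool = loadAll(ks);
        pool.remove(leaf);

        // Walk from the leaf up to a self-signed root, collecting intermediates on the way.
        List<X509Certificate> intermediates = new ArrayList<X509Certificate>();
        X509Certificate current = leaf;
        X509Certificate issuer;
        while (true) {
            issuer = findIssuer(current, pool);
            if (issuer == null) {
                // This is the situation behind "Path does not chain with any of the trust anchors".
                System.out.println("Nothing in the keystore issued: " + current.getSubjectX500Principal());
                System.out.println("  its issuer DN is:             " + current.getIssuerX500Principal());
                for (X509Certificate c : pool)
                    System.out.println("  available subject:            " + c.getSubjectX500Principal());
                System.exit(1);
            }
            pool.remove(issuer);
            if (isSelfSigned(issuer)) break;   // reached the root: it becomes the trust anchor
            intermediates.add(issuer);
            current = issuer;
        }

        // Path order: leaf first, then intermediates. The root is the anchor and is NOT part of the path.
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        path.add(leaf);
        path.addAll(intermediates);
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(issuer, null)));
        // Java 8+: per-validation OCSP settings; with a PKIXRevocationChecker added, revocation is always checked.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOcspResponder(new URI(responder));
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK)); // OCSP only, no CRL fallback, hard fail
        params.addCertPathChecker(rc);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            System.out.println("Valid; anchor = " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("Invalid at cert[" + e.getIndex() + "]: " + e.getReason() + " / " + e.getMessage());
        }
    }
}
```

Run it as `java OcspChainCheck /path/to/keystore.jks keystorepass mykey`. If the CA stored under alias "1" is not the certificate that issued "mykey" (or is an intermediate rather than a self-signed root), the diagnostic prints the leaf's issuer DN next to every subject DN it could find, which is the comparison the validator is silently losing. Two points differ deliberately from the posted code: the anchor is left out of the CertPath, and NO_FALLBACK makes an unreachable or non-answering OCSP responder a hard failure instead of a quiet fall-back to CRLs.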