How do I manually check for certificate revocation status in Java using OCSP, given just a client's java.security.cert.X509Certificate? I can't see a clear way to do it.
Alternatively, can I make Tomcat do it for me automatically, and how do you know your solution to be true?
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track.
Certificate revocation is the act of invalidating a TLS/SSL certificate before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised. It should also be revoked when the domain for which it was issued is no longer operational.
I found a most excellent solution:
http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html
/**
 * This is a class that checks the revocation status of a certificate(s) using
 * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
 * the CertPathValidator framework. It is useful when you want to
 * just check the revocation status of a certificate, and you don't want to
 * incur the overhead of validating all of the certificates in the
 * associated certificate chain.
 *
 * @author Sean Mullan
 */
It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does the trick!
It appears there is a patch for Tomcat here to enable OCSP validation.
If you choose to do it manually:
Security.setProperty("ocsp.enable", "true");
Or set it via a command-line argument. See here:
This property's value is either true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if false or not set, OCSP checking is disabled.
And here's some code that I think works:
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

import org.apache.commons.lang3.exception.ExceptionUtils;

interface ValidationStrategy {
    boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException;
}

class SunOCSPValidationStrategy implements ValidationStrategy {
    // Stand-in for the poster's project-specific Signature.LOG so the class compiles on its own.
    private static final Logger LOG = Logger.getLogger(SunOCSPValidationStrategy.class.getName());

    // OCSP is only consulted if the "ocsp.enable" security property is "true" (see above)
    // and revocation checking is enabled on the supplied PKIXParameters.
    @Override
    public boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException {
        try {
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv
                    .validate(certPath, parameters);
            LOG.fine("Validation result is: " + result);
            return true; // if no exception is thrown
        } catch (CertPathValidatorException cpve) {
            // if the exception is (or is caused by)
            // CertificateRevokedException, return false;
            // otherwise re-throw, because this indicates a failure to perform
            // the validation
            Throwable cause = ExceptionUtils.getRootCause(cpve);
            Class<? extends Throwable> exceptionClass = cause != null ? cause.getClass()
                    : cpve.getClass();
            if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                return false;
            }
            throw cpve;
        }
    }
}
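Both answers above reach OCSP either through the internal sun.security.provider.certpath.OCSP class or through the global ocsp.enable property, and neither distinguishes "the responder said revoked" from "the responder could not be reached". Since Java 8 the public API offers java.security.cert.PKIXRevocationChecker, which can be limited to the end-entity certificate and told not to fall back to CRLs. The following is an added example, not code from the question or from either answer. It assumes the client certificate carries an Authority Information Access extension naming its OCSP responder, uses the issuer certificate as the sole trust anchor so that only the client certificate is validated, and takes two PEM/DER files on the command line purely as a way to obtain the two certificates for a demonstration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

/** Added example: OCSP status of a single certificate via the public PKIXRevocationChecker API. */
public final class OcspStatusCheck {

    /** Three-valued result: a responder outage is not the same as "good". */
    public enum Status { GOOD, REVOKED, UNDETERMINED }

    /**
     * Checks the revocation status of clientCert over OCSP, using issuerCert as the
     * trust anchor. The cert path contains only the client certificate, so the
     * validator verifies its signature against the issuer and asks the OCSP
     * responder named in the certificate's AIA extension about it.
     */
    public static Status check(X509Certificate clientCert, X509Certificate issuerCert)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(issuerCert, null)));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // ONLY_END_ENTITY: check just the leaf, like the sun OCSP.check(cert, issuer) helper.
        // NO_FALLBACK: never silently fall back to CRLs when OCSP fails.
        // SOFT_FAIL is deliberately NOT set, so an unreachable responder is a failure.
        rc.setOptions(EnumSet.of(Option.ONLY_END_ENTITY, Option.NO_FALLBACK));
        // A checker added here is used regardless of the RevocationEnabled flag.
        params.addCertPathChecker(rc);

        try {
            cpv.validate(path, params);
            return Status.GOOD;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // Responder unreachable, no AIA URL, or an unusable response:
                // surface it so the caller can apply a fail-open/fail-closed policy.
                return Status.UNDETERMINED;
            }
            // Anything else (bad signature, expired, wrong issuer, ...) is a validation error.
            throw e;
        }
    }

    /** Demo entry point; the two file arguments are an assumption of this example. */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream leaf = Files.newInputStream(Paths.get(args[0]));
             InputStream issuer = Files.newInputStream(Paths.get(args[1]))) {
            X509Certificate clientCert = (X509Certificate) cf.generateCertificate(leaf);
            X509Certificate issuerCert = (X509Certificate) cf.generateCertificate(issuer);
            System.out.println("OCSP status: " + check(clientCert, issuerCert));
        }
    }
}
```

If the certificate has no AIA extension, point the checker at a known responder with rc.setOcspResponder(URI) before validating. The important design choice is the three-valued result: mapping UNDETERMINED to "accept" is the soft-fail behaviour an attacker who can block OCSP traffic wants, so make that a conscious decision in the caller rather than the default of the check.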