OCSP Revocation on client certificate
Solution 1
I found a most excellent solution:
http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html
/**
 * This is a class that checks the revocation status of a certificate(s) using
 * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
 * the CertPathValidator framework. It is useful when you want to
 * just check the revocation status of a certificate, and you don't want to
 * incur the overhead of validating all of the certificates in the
 * associated certificate chain.
 *
 * @author Sean Mullan
 */
It has a method check(X509Certificate clientCert, X509Certificate issuerCert) that does the trick!
Solution 2
It appears there is a patch for Tomcat here to enable OCSP validation.
If you choose to do it manually:
Security.setProperty("ocsp.enable", "true");
Or set it via a command-line argument. See here:
This property's value is either true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if false or not set, OCSP checking is disabled.
And here's some code that I think works:
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
// getRootCause() as used below is Apache Commons Lang's ExceptionUtils (assumed; the post does not name the library)
import org.apache.commons.lang.exception.ExceptionUtils;

interface ValidationStrategy {
    boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException;
}

class SunOCSPValidationStrategy implements ValidationStrategy {
    @Override
    public boolean validate(X509Certificate certificate, CertPath certPath,
            PKIXParameters parameters) throws GeneralSecurityException {
        try {
            // OCSP is performed by the PKIX validator itself once ocsp.enable is set
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv
                    .validate(certPath, parameters);
            Signature.LOG.debug("Validation result is: " + result); // Signature.LOG is the poster's own logger
            return true; // if no exception is thrown
        } catch (CertPathValidatorException cpve) {
            // if the exception is (or is caused by)
            // CertificateRevokedException, return false;
            // otherwise re-throw, because this indicates a failure to perform
            // the validation
            Throwable cause = ExceptionUtils.getRootCause(cpve);
            Class<? extends Throwable> exceptionClass = cause != null ? cause.getClass()
                    : cpve.getClass();
            if (exceptionClass.getSimpleName().equals("CertificateRevokedException")) {
                return false;
            }
            throw cpve;
        }
    }
}
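The strategy above receives a CertPath and PKIXParameters but does not show how to build them from a bare client certificate, nor how to tell "revoked" apart from "the OCSP responder could not be reached". The class below is an added example, not code from the question or from any of the answers: it constructs the path and parameters for a single client certificate, uses Java 8's PKIXRevocationChecker so that OCSP is the only revocation source, and maps the typed failure reasons to a three-way result. The RevocationStatus enum, the findIssuer and loadPem helpers, and the PEM file names on the command line are all introduced here; the request attribute javax.servlet.request.X509Certificate named in the comments is the standard servlet one.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

/** Three-way result (introduced here): a responder that cannot be reached is not "good". */
enum RevocationStatus { GOOD, REVOKED, UNDETERMINED }

public class OcspClientCertCheck {

    /**
     * Validates clientCert with issuerCert as the only trust anchor and OCSP as the
     * only revocation source. The responder URL is read by the JDK from the
     * certificate's Authority Information Access extension; nothing is configured here.
     */
    static RevocationStatus check(X509Certificate clientCert, X509Certificate issuerCert)
            throws GeneralSecurityException {
        // The property Solution 2 describes; kept alongside the explicit checker below.
        Security.setProperty("ocsp.enable", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // The path holds the end-entity only; the issuer is supplied as the trust anchor.
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(issuerCert, null)));
        params.setRevocationEnabled(true);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        // Java 8+: NO_FALLBACK stops the JDK from silently switching to CRLs when the
        // responder does not answer; omitting SOFT_FAIL makes that case an exception
        // (fail closed) rather than a pass.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);

        try {
            cpv.validate(path, params);
            return RevocationStatus.GOOD;
        } catch (CertPathValidatorException e) {
            // Typed reasons (Java 7+) replace the class-name string comparison in Solution 2.
            if (e.getReason() == BasicReason.REVOKED) {
                return RevocationStatus.REVOKED;
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return RevocationStatus.UNDETERMINED;
            }
            throw e; // expired, bad signature, wrong issuer: a validation failure, not a status
        }
    }

    /**
     * Locates the issuer in the chain a servlet container exposes under the standard
     * request attribute javax.servlet.request.X509Certificate (index 0 is the client):
     * it is the element whose subject DN equals the client's issuer DN.
     */
    static X509Certificate findIssuer(X509Certificate cert, X509Certificate[] chain) {
        for (X509Certificate c : chain) {
            if (c != cert && c.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                return c;
            }
        }
        throw new IllegalArgumentException("issuer of " + cert.getSubjectX500Principal()
                + " is not in the presented chain");
    }

    /** Reads one PEM or DER encoded certificate from disk. */
    static X509Certificate loadPem(String file) throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage (file names are placeholders): java OcspClientCertCheck client.pem issuer-ca.pem
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: OcspClientCertCheck <client.pem> <issuer-ca.pem>");
            System.exit(2);
        }
        System.out.println(check(loadPem(args[0]), loadPem(args[1])));
    }
}
```

The caller decides what UNDETERMINED means for the deployment; treating it as GOOD is exactly the soft-fail behaviour that lets a client present a revoked certificate whenever the responder is down, so the example leaves that decision visible instead of folding it into a boolean.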
Solution 3
Here's the relevant code from Jetty 7 that takes an array of certificates pulled from the servletRequest request and validates them via the certpath API with OCSP.
gtrak
Updated on March 18, 2020
Comments
- gtrak over 4 years: How do I manually check for certificate revocation status in Java using OCSP, given just a client's java.security.cert.X509Certificate? I can't see a clear way to do it.
  Alternatively, can I make Tomcat do it for me automatically, and how do you know your solution to be true?
- gtrak over 13 years: and this works for Tomcat? I've googled around, and saw this solution, I just don't see that it will definitely work written anywhere.
- Bozho over 13 years: @gtrak - you'd have to check manually for revoked certificates.
- gtrak over 13 years: can I do that without using a CRL?
- gtrak over 13 years: nope, I've been playing around with Bouncy Castle, trying to find the simplest way to do it or an example.
- gtrak over 13 years: @Bozho, appreciate your help, but I'm still having some problems. stackoverflow.com/questions/5237970/…
- gtrak over 13 years: @Bozho, I ran into some problems creating the certpath, but I found a simpler solution above.
- mdavid over 7 years: what is the issuerCert?
- Manas Shukla over 7 years: @gtrak: I am using the class that you have mentioned. The problem is that it is using a POST to do the OCSP check. How can we make a GET call for the OCSP check, since the above class cannot be extended?