Reputation: 22850
I don't want the Java validator to contact the OCSP responder.
I'm working on an XAdES library, so I'll need to use OCSP responses that somebody saved in the XML document to validate whether the signatures were valid at some time in the past. That makes it necessary to provide OCSP responses to CertPathBuilder the same way CRLs are provided, and make it use them to validate the certificates at some time in the past.
The Oracle documentation describes only how to make the validator contact the OCSP responders, it doesn't describe how to use OCSP responses for validation.
Is it possible to do this using the Java PKI API or the Bouncy Castle Lightweight API?
Upvotes: 0
Views: 2670
Reputation: 94038
In that same link is the PKIXCertPathChecker part, which you can implement to perform OCSP checking. I've looked through the code of both the OCSPChecker class, which implements this contract, and OCSP, the underlying implementation class. OCSPChecker seems to create a URI instance, which gets translated into a URL by the OCSP implementation class. Unfortunately, it is then directly used as input for an HTTP connection, so it seems you are stuck with HTTP if you use the direct route.
Now both classes are of course GPL'ed, so you can simply grab them and create a different implementation, as long as you keep to the GPL license that comes with it. Otherwise you seem to have little option but to implement PKIXCertPathChecker yourself...
Upvotes: 2
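An added example of the route the answer ends on, a PKIXCertPathChecker of your own. It is not code from the JDK's OCSPChecker, from the answer, or from the questioner's XAdES library. It takes OCSP responses that were stored earlier (for XAdES, the base64 content of each xades:EncapsulatedOCSPValue decoded to DER), parses them with Bouncy Castle (bcpkix on the classpath), authenticates each response against the issuing CA as RFC 6960 describes, and decides the status of every certificate in the path at a chosen past time, with the JDK's own CRL/OCSP fetching switched off so nothing ever goes over the network. The class name StoredOcspChecker, the validateAt helper, and the rule that a stored response must have been produced no earlier than the validation time are this example's choices, not something the answer or the question states.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cert.ocsp.*;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.*;

// Added illustration (not the JDK's OCSPChecker, not the questioner's XAdES code): a PKIXCertPathChecker
// that answers revocation questions only from stored OCSP responses, evaluated at a chosen past time.
public class StoredOcspChecker extends PKIXCertPathChecker {
    private static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"; // RFC 6960 4.2.2.2

    private final List<BasicOCSPResp> responses = new ArrayList<>();
    private final X509Certificate trustAnchorCert;
    private final Date validationTime;
    private X509Certificate issuer; // issuer of the certificate currently being checked

    public StoredOcspChecker(Collection<byte[]> derResponses, X509Certificate trustAnchorCert,
                             Date validationTime) throws IOException, OCSPException {
        for (byte[] der : derResponses) {
            OCSPResp resp = new OCSPResp(der);
            if (resp.getStatus() == OCSPResp.SUCCESSFUL) responses.add((BasicOCSPResp) resp.getResponseObject());
        }
        this.trustAnchorCert = trustAnchorCert;
        this.validationTime = validationTime;
    }

    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking not supported");
        issuer = trustAnchorCert; // reverse order: the first certificate checked is issued by the anchor
    }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() { return null; }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
        X509Certificate x509 = (X509Certificate) cert;
        String subject = x509.getSubjectX500Principal().getName();
        SingleResp sr;
        try { sr = findResponse(x509); } catch (Exception e) { throw new CertPathValidatorException(e); }
        if (sr == null) throw new CertPathValidatorException("no authenticated stored OCSP response for " + subject);
        // A response produced before the validation time proves nothing about the status at that time.
        if (sr.getThisUpdate().before(validationTime))
            throw new CertPathValidatorException("stored OCSP response for " + subject + " predates " + validationTime);
        CertificateStatus status = sr.getCertStatus(); // CertificateStatus.GOOD is null
        if (status instanceof RevokedStatus) {
            Date revokedAt = ((RevokedStatus) status).getRevocationTime();
            if (!revokedAt.after(validationTime)) // revoked on or before the time we care about
                throw new CertPathValidatorException(subject + " revoked at " + revokedAt, null, null, -1,
                        CertPathValidatorException.BasicReason.REVOKED);
            // revoked only later: the certificate was still good at validationTime
        } else if (status != CertificateStatus.GOOD) {
            throw new CertPathValidatorException("OCSP status unknown for " + subject);
        }
        issuer = x509; // the next certificate in the path is issued by this one
    }

    // Finds the SingleResp for cert (issuer hash + serial) inside an authenticated response, or null.
    private SingleResp findResponse(X509Certificate cert) throws Exception {
        X509CertificateHolder issuerHolder = new JcaX509CertificateHolder(issuer);
        DigestCalculatorProvider digests = new JcaDigestCalculatorProviderBuilder().build();
        for (BasicOCSPResp basic : responses) {
            for (SingleResp sr : basic.getResponses()) {
                CertificateID id = sr.getCertID();
                if (id.getSerialNumber().equals(cert.getSerialNumber())
                        && id.matchesIssuer(issuerHolder, digests) && responderTrusted(basic)) return sr;
            }
        }
        return null;
    }

    // RFC 6960 2.2: accept the CA itself, or a delegate the CA certified for OCSP signing.
    private boolean responderTrusted(BasicOCSPResp basic) throws Exception {
        if (basic.isSignatureValid(new JcaContentVerifierProviderBuilder().build(issuer))) return true;
        for (X509CertificateHolder h : basic.getCerts()) {
            X509Certificate responder = new JcaX509CertificateConverter().getCertificate(h);
            List<String> eku = responder.getExtendedKeyUsage();
            if (eku == null || !eku.contains(ID_KP_OCSP_SIGNING)) continue;
            try {
                responder.verify(issuer.getPublicKey());        // delegate really issued by this CA
                responder.checkValidity(basic.getProducedAt()); // and valid when it signed the response
            } catch (GeneralSecurityException e) {
                continue;
            }
            if (basic.isSignatureValid(new JcaContentVerifierProviderBuilder().build(responder))) return true;
        }
        return false;
    }

    // Validates chain (end-entity first, anchor excluded) at 'when' without any network access.
    public static PKIXCertPathValidatorResult validateAt(List<X509Certificate> chain, X509Certificate anchor,
            Collection<byte[]> storedOcspResponses, Date when) throws Exception {
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false); // switches off the JDK's own CRL/OCSP fetching
        params.setDate(when);               // validity periods are evaluated at the signing time
        params.addCertPathChecker(new StoredOcspChecker(storedOcspResponses, anchor, when));
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

With CertPathBuilder instead of CertPathValidator the same checker goes into PKIXBuilderParameters through addCertPathChecker, again with revocation disabled. Two design points worth keeping: the response signature is verified before its contents are trusted, so a stored response that was not produced by the CA or its delegate is simply ignored rather than believed, and a "revoked" answer whose revocation time is later than the validation time is treated as "good at that time", which is what long-term signature validation needs. Java 8 and later also ship PKIXRevocationChecker, whose setOcspResponses(Map<X509Certificate, byte[]>) accepts pre-fetched responses without contacting a responder; check how its freshness rules interact with a past validation date before relying on it for this use.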