Reputation: 573
There exist two java api references:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html
In the first one there's a description of the X509TrustManager interface. I'm confused. Should I use that one for implementing X.509 certificate verification, or must I go through the second link? Which is the standard way of achieving my goal?
Upvotes: 1
Views: 764
Reputation: 10372
The second link provides the documentation around the CertPath classes and how to implement your own certification path verification. So you have to handle the whole PKI certificate chain on your own (e.g. validation of signatures and certificates up to the root). Furthermore, it provides you with information about PKIX, the default algorithm for certificate validation.

The first link shows how to use the TrustManager, which uses the PKIX algorithm. Besides certificate path validation with PKIX, the TrustManager contains more mechanisms to establish SSL/TLS communications.

The TrustManager/PKIX algorithm also provides a mechanism for revocation (CRL and OCSP). To activate OCSP, take a deeper look at the first link, section "PKIX TrustManager Support":

"If the init(KeyStore ks) method is used, default PKIXParameters are used with the exception that revocation checking is disabled. It can be enabled by setting the system property com.sun.net.ssl.checkRevocation to true."

And you have to set the security property ocsp.enable to true. So basically, you have nothing more to do than

    import java.security.Security;

    // enable revocation checking in the default PKIX TrustManager
    System.setProperty("com.sun.net.ssl.checkRevocation", "true");
    // enable OCSP in addition to CRL checking
    Security.setProperty("ocsp.enable", "true");

If you don't want to re-implement or exchange the verification chain mechanism which is already provided with the TrustManager and PKIX algorithm, then you should definitely use the first link. If you need more information about the PKIX algorithm, want to implement your own, or just want to do certificate validation without establishing TLS/SSL communication, then you should check the second link.
Upvotes: 1
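The two approaches the answer contrasts, written out as an added example (this is not code from the question, the answer, or the Oracle guides). The first method builds a PKIX TrustManager with revocation checking enabled explicitly through PKIXBuilderParameters, which is the programmatic equivalent of the two property settings above; the second validates a chain with CertPathValidator and no TLS at all. The cacerts path, the "changeit" password, and the class and method names are assumptions for the example; the chain passed to validateChain is expected leaf-first and without the trust anchor itself, as the PKIX CertPath definition requires.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical example class; not part of the JDK or the linked guides.
public class PkixRevocationExample {

    // Loads the JDK's default trust store. Path and password are the usual
    // defaults but are an assumption here; adjust for your deployment.
    static KeyStore loadDefaultTrustStore() throws Exception {
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    // Approach 1 (JSSE reference guide): let the PKIX TrustManager build and
    // validate the chain, with revocation checking switched on explicitly via
    // PKIXBuilderParameters instead of the com.sun.net.ssl.checkRevocation
    // system property. OCSP still needs the ocsp.enable security property.
    static SSLContext sslContextWithRevocation(KeyStore trustStore) throws Exception {
        Security.setProperty("ocsp.enable", "true");
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);   // CRL checks, plus OCSP once enabled
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Approach 2 (CertPath programmer's guide): validate a chain yourself with
    // no TLS involved. Throws CertPathValidatorException on any failure
    // (bad signature, expired cert, untrusted issuer, revoked cert).
    static PKIXCertPathValidatorResult validateChain(List<X509Certificate> leafFirstChain,
                                                     KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(leafFirstChain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadDefaultTrustStore();

        // Approach 1 in use: the handshake itself fails with an
        // SSLHandshakeException if chain building or revocation checking fails.
        HttpsURLConnection.setDefaultSSLSocketFactory(
                sslContextWithRevocation(ts).getSocketFactory());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.connect();

        // Approach 2 on the same chain: drop a trailing self-signed root, since
        // the trust anchor is looked up in the trust store, not in the path.
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : conn.getServerCertificates()) {
            chain.add((X509Certificate) c);
        }
        X509Certificate last = chain.get(chain.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        PKIXCertPathValidatorResult result = validateChain(chain, ts);
        System.out.println("Validated up to trust anchor: "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        conn.disconnect();
    }
}
```

Run it as `java PkixRevocationExample https://example.invalid/` with a reachable HTTPS URL of your choosing; both paths reuse the same trust store, so a chain that passes the handshake in approach 1 passes validateChain in approach 2, while a revoked or untrusted certificate fails in both. Note that setRevocationEnabled(true) with no reachable CRL or OCSP responder makes validation fail closed, which is the safe default but something to plan for in restricted networks.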