Reputation: 573
How to enable OCSP in X509TrustManager?
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
Is setting these properties really sufficient to enable OCSP?
If so, then why we need bouncy castle OCSP support instead of just setting this properties?
Upvotes: 3
Views: 4739
Answers (1)
Reputation: 10372
If the certificates containing a Authority Information Access extension (OCSPSigning) then you don't have nothing to do more then set the properties you mentioned.
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
See RFC3280 and How to up OCSP using OpenSSL for more information.
If your CA doesn't provide this extension to the issued certificates then you can configure a responder URL by setting the property
Security.setProperty("ocsp.responderURL", ...)
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.
If the certificate of your OCSP responder does not match the certificate of the issuer then you can set an alternative subject name by setting
Security.setProperty("ocsp.responderCertSubjectName", ...);
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate, then both the ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties must be used instead. When th is property is set, then those two properties are ignored.
For a description of all properties which can be used to configure OCSP see JavaTM PKI Programmer's Guide.
Why we need bouncy castle OCSP support instead of just setting this properties?
Nobody saying that you have to use bouncy castle as security provider. Using the default sun JCE is fine at least in case of using JRE 1.8.
Upvotes: 5
Related Questions
- How to enable OCSP stapling on java TLS server?
- Enable SSL certificate revocation checking in OpenJDK 11
- Implementing X509TrustManager
- Incompatibility between javax.security.cert.X509Certificate and java.security.cert.X509Certificate
- OCSP Revocation on client certificate
- Does X509TrustManagerImpl.checkServerTrusted() handle OCSP by itself if the appropriate properties are set?
- Which Java API should I use for implementing certificate verification with OCSP support?
- How can we do our own Certificate Verification Step in HTTPS
- Java OCSP Client using openSSL
- Exception When Reading OCSP Signing Certs in Java