Reputation: 11
Certificate chain validation using java, checking revokation and OCSP status
I am new to the world of PKI , certificates in general. I am writing a service which needs to validate a chain of certiticates.
The general approach taken is as follows
a) Generate a List of certificates from the data sent
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);
CertPathValidatorResult certPathValidatorResult = null;
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
List<X509Certificate> x509Certificates =
(List<X509Certificate>) certificateFactory.generateCertificates(byteArrayInputStream);
CertPath certPath = certificateFactory.generateCertPath(x509Certificates);
Load the JDK keystore, with something like this //Load the JDK's cacerts keystore file String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar); FileInputStream is = new FileInputStream(filename); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); String password = "changeit"; keystore.load(is, password.toCharArray());
-
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); PKIXParameters pkixParameters = new PKIXParameters(keystore); //pkixParameters.setRevocationEnabled(false); PKIXParameters certPathValidatorResult = certPathValidator.validate(certPath, pkixParameters); I am assuming if this is not a valid chain it would throw an exception. Would this validation check expired Certificates, Valid Public Key ?
also I need to be able to find the the OCSP staus of a certificate or check if it is revoked>? How can this be done using the Cryptography API
Is the use fo bouncy castle recommended over the API ? Does Bouncy castle have a way to check CRL and OCSP status of a certificate?
Thanks for all the pointers and help in advance. Appreciate it.
Best Regards
Upvotes: 0
Views: 3816
Answers (1)
Reputation: 71
- It's correct, you can use CertificateFactory to load certificates chain.
- If you want validate a chain of certiticates, you don't need a KeyStore. The certificates are validated with the certificate of autority who emit that certificate.
For example:
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(chain.getBytes());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
List<X509Certificate> x509Certificates = (List<X509Certificate>) certificateFactory.generateCertificates(byteArrayInputStream);
x509Certificates.get(1).verify(x509Certificates.get(0).getPublicKey());
- In this case you can use it to validate a certificate if you don't know the root ca.
- You can check the period with
x509Certificates.get(1).getNotBefore()
and
x509Certificates.get(1).getNotAfter()
- Is important validate the status of certificate.
- Yes BouncyCastle is great library for it.
Upvotes: 0
Related Questions
- Validate Certificate chain with java bouncing castle
- How to check revocation status of X509Certificate chain using JAVA?
- How to get server certificate chain then verify it's valid and trusted in Java
- CRL Verification in Java
- CRL check in Java
- How get X509 certificate's full cert chain programatically?
- Validating certificate chain in Java from truststore
- Certificate chain validation
- Checking a X509 Certificate Revocation
- How can we do our own Certificate Verification Step in HTTPS