OCSP and Java

OCSP stands for Online Certificate Status Protocol (RFC 6960). It was introduced to answer a number of problems with Certificate Revocation Lists (CRLs), which become unmanageable quickly if you have a high turnover of certificates: distributing updates, having every client reconnect to fetch a fresh list when the last CRL you sent them expires, and not being able to publish a CRL in time all add up. In the same way that financial institutions found an online authorisation check preferable to continually mailing out blacklists of credit-card numbers, OCSP lets a client ask a responder, on demand, whether one particular certificate is still good. Note that an OCSP response is only as trustworthy as its signature: the transport is normally plain HTTP and gives no protection on its own, so the client must check that the response was signed by the issuing CA (or by a responder certificate the CA delegated to), that the nonce it sent is echoed back or the response is otherwise fresh (thisUpdate/nextUpdate), and that the response actually covers the certificate asked about. If you only need revocation checking inside standard PKIX path validation, the JDK can do this itself (PKIXParameters.setRevocationEnabled(true) together with the ocsp.enable security property) without any hand-written client.



Sample Java source code to query an OCSP responder for the revocation status of a certificate (BouncyCastle, legacy org.bouncycastle.ocsp API)




//bouncycastle classes (legacy org.bouncycastle.ocsp API, BC <= 1.46; replaced by org.bouncycastle.cert.ocsp in 1.47+)
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.OCSPException;
import org.bouncycastle.ocsp.OCSPReq;
import org.bouncycastle.ocsp.OCSPReqGenerator;
import org.bouncycastle.ocsp.OCSPResp;
import org.bouncycastle.ocsp.RevokedStatus;
import org.bouncycastle.ocsp.SingleResp;

//standard classes
import java.io.*;
import java.math.BigInteger;
import java.net.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;

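/**
 * Minimal OCSP client built on the legacy BouncyCastle {@code org.bouncycastle.ocsp} API.
 *
 * It builds a nonce-carrying request for one certificate, POSTs it to a responder over HTTP
 * and then validates the answer before trusting it: responder status, signature (CA key or a
 * CA-issued delegated responder certificate with id-kp-OCSPSigning), nonce echo, CertID match
 * and thisUpdate/nextUpdate freshness. An answer that fails any of these checks is rejected
 * with an exception (hard fail); whether to soft-fail instead is a policy decision for the caller.
 */
public class OCSPClient {

    /** Extended key usage that a delegated OCSP responder certificate must carry (RFC 6960 §4.2.2.2). */
    private static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    /** Defaults used when no arguments are given; override as {@code <subjectCert> <issuerCert> <responderUrl>}. */
    private static final String DEFAULT_SUBJECT_CERT = "C:/oscar/Proyectos/OCSP/veri_viabcp.cer";
    private static final String DEFAULT_ISSUER_CERT = "C:/oscar/Proyectos/OCSP/veri_root.cer";
    // Other responders that have been used with this sample:
    //   http://ocsp.digsigtrust.com:80/
    //   http://ocsp.verisign.com
    // In a real deployment the responder URL belongs in the subject certificate's
    // Authority Information Access extension (id-ad-ocsp), not in a constant.
    private static final String DEFAULT_RESPONDER = "http://onsite-ocsp.verisign.com";

    /** Nonce size; RFC 8954 allows 1..32 bytes and recommends at least 16. */
    private static final int NONCE_BYTES = 16;
    /** Network timeouts so a slow or sink-holed responder cannot hang the caller indefinitely. */
    private static final int TIMEOUT_MS = 10000;
    /** Tolerated clock drift between this host and the responder when judging thisUpdate/nextUpdate. */
    private static final long MAX_CLOCK_SKEW_MS = 5L * 60L * 1000L;

    /** Strong source for nonces; a millisecond timestamp is guessable, so it would not prevent replay. */
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Registers the BouncyCastle provider once. Every BC call that asks for the "BC" provider by
     * name (CertificateID, BasicOCSPResp.verify, ...) throws NoSuchProviderException without it.
     */
    private static void ensureBouncyCastle() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        }
    }

    /**
     * Builds an OCSP request for one certificate, carrying a fresh random nonce.
     *
     * @param issuerCert   certificate of the CA that issued the certificate being checked; its
     *                     name and key hashes form the CertID, so it must be the real issuer
     * @param serialNumber serial number of the certificate being checked
     * @return the DER-encodable request; the nonce can be read back from its request extensions
     * @throws OCSPException if BouncyCastle cannot build the CertID or the request
     */
    public static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
            throws OCSPException {
        ensureBouncyCastle();

        // SHA-1 here only identifies the certificate (issuerNameHash/issuerKeyHash, RFC 5019 §2.1.1);
        // it is not a signature, and SHA-1 CertIDs are what most responders expect.
        CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber);

        OCSPReqGenerator gen = new OCSPReqGenerator();
        gen.addRequest(id);

        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);

        // Nonce extension (RFC 6960 §4.4.1): binds the response to this request so a captured
        // "good" answer cannot be replayed later. Non-critical so RFC 5019 responders still answer.
        Vector oids = new Vector();
        Vector values = new Vector();
        oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        values.add(new X509Extension(false, new DEROctetString(nonce)));
        gen.setRequestExtensions(new X509Extensions(oids, values));

        return gen.generate();
    }

    /**
     * POSTs an encoded request to an HTTP(S) responder and parses the raw response.
     *
     * @param responderUrl http:// or https:// responder URL
     * @param encodedRequest DER-encoded OCSPRequest
     * @return the parsed (still unverified) response
     * @throws IOException on network failure, a non-2xx HTTP status, or an unparsable body
     * @throws IllegalArgumentException if the URL is null or not http(s)
     */
    static OCSPResp sendRequest(String responderUrl, byte[] encodedRequest) throws IOException {
        if (responderUrl == null || !responderUrl.startsWith("http")) {
            throw new IllegalArgumentException("only http(s) responders are supported: " + responderUrl);
        }
        HttpURLConnection con = (HttpURLConnection) new URL(responderUrl).openConnection();
        con.setConnectTimeout(TIMEOUT_MS);
        con.setReadTimeout(TIMEOUT_MS);
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        con.setRequestProperty("Accept", "application/ocsp-response");
        con.setDoOutput(true);

        OutputStream out = con.getOutputStream();
        try {
            out.write(encodedRequest);
            out.flush();
        } finally {
            out.close();
        }

        if (con.getResponseCode() / 100 != 2) {
            throw new IOException("OCSP responder returned HTTP " + con.getResponseCode());
        }

        InputStream in = con.getInputStream();
        try {
            return new OCSPResp(in);
        } finally {
            in.close();
        }
    }

    /**
     * Validates a response and extracts the status of the certificate that was asked about.
     *
     * @param response      raw response from the responder
     * @param expectedId    CertID that was sent in the request
     * @param expectedNonce nonce bytes that were sent in the request
     * @param issuerCert    CA certificate; the response must be signed by its key or by a
     *                      responder certificate it issued
     * @return BouncyCastle status object: {@code null} for good, {@link RevokedStatus} for revoked,
     *         any other value for unknown
     * @throws OCSPException if the response is unsuccessful, unsigned by a trusted key, replayed,
     *                       stale, or does not cover the requested certificate
     * @throws GeneralSecurityException if certificate parsing or signature primitives fail
     */
    static Object verifyResponse(OCSPResp response, CertificateID expectedId, byte[] expectedNonce,
            X509Certificate issuerCert) throws OCSPException, GeneralSecurityException {
        ensureBouncyCastle();

        // OCSPResponseStatus: 0 = successful (RFC 6960 §4.2.1); anything else carries no status data.
        if (response.getStatus() != 0) {
            throw new OCSPException("responder returned status " + response.getStatus());
        }
        Object body = response.getResponseObject();
        if (!(body instanceof BasicOCSPResp)) {
            throw new OCSPException("unsupported OCSP response type");
        }
        BasicOCSPResp basic = (BasicOCSPResp) body;

        // 1. Signature: the whole point of OCSP over plain HTTP is that this check, not the
        //    transport, provides integrity and authenticity.
        if (!signatureTrusted(basic, issuerCert)) {
            throw new OCSPException("OCSP response is not signed by the CA or a delegated responder it issued");
        }

        // 2. Nonce: if the responder echoed one it must match ours. RFC 5019 responders may omit it
        //    (pre-produced responses); then freshness rests on thisUpdate/nextUpdate below.
        X509Extensions respExts = basic.getResponseExtensions();
        X509Extension nonceExt = respExts == null
                ? null : respExts.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExt != null && !Arrays.equals(nonceExt.getValue().getOctets(), expectedNonce)) {
            throw new OCSPException("OCSP nonce mismatch (replayed response?)");
        }

        // 3. Find the SingleResponse for our CertID and check its validity window (RFC 6960 §4.2.2.1).
        long now = System.currentTimeMillis();
        SingleResp[] singles = basic.getResponses();
        for (int i = 0; singles != null && i < singles.length; i++) {
            SingleResp single = singles[i];
            if (!expectedId.equals(single.getCertID())) {
                continue;
            }
            Date thisUpdate = single.getThisUpdate();
            if (thisUpdate == null || thisUpdate.getTime() > now + MAX_CLOCK_SKEW_MS) {
                throw new OCSPException("OCSP response thisUpdate is missing or in the future: " + thisUpdate);
            }
            Date nextUpdate = single.getNextUpdate();
            if (nextUpdate != null && nextUpdate.getTime() < now - MAX_CLOCK_SKEW_MS) {
                throw new OCSPException("OCSP response is stale, nextUpdate was " + nextUpdate);
            }
            return single.getCertStatus();
        }
        throw new OCSPException("OCSP response does not cover the requested certificate");
    }

    /**
     * Checks the response signature against the CA key, or against a delegated responder
     * certificate embedded in the response that the CA issued and authorised for OCSP signing.
     * Without the issuer and EKU checks anyone could mint a "good" response with their own key.
     * Revocation of the responder certificate itself is not checked here (see id-pkix-ocsp-nocheck).
     */
    private static boolean signatureTrusted(BasicOCSPResp basic, X509Certificate issuerCert)
            throws OCSPException, GeneralSecurityException {
        if (basic.verify(issuerCert.getPublicKey(), "BC")) {
            return true;
        }
        X509Certificate[] embedded = basic.getCerts("BC");
        if (embedded == null) {
            return false;
        }
        for (int i = 0; i < embedded.length; i++) {
            X509Certificate candidate = embedded[i];
            List eku = candidate.getExtendedKeyUsage();
            if (eku == null || !eku.contains(ID_KP_OCSP_SIGNING)) {
                continue;
            }
            if (!candidate.getIssuerX500Principal().equals(issuerCert.getSubjectX500Principal())) {
                continue;
            }
            try {
                candidate.checkValidity();
                candidate.verify(issuerCert.getPublicKey());
            } catch (GeneralSecurityException notIssuedByCa) {
                continue; // expired, not yet valid, or not actually signed by this CA
            }
            if (basic.verify(candidate.getPublicKey(), "BC")) {
                return true;
            }
        }
        return false;
    }

    /** Renders a BouncyCastle certificate status object as text ({@code null} means good). */
    static String describe(Object certStatus) {
        if (certStatus == null) {
            return "GOOD";
        }
        if (certStatus instanceof RevokedStatus) {
            return "REVOKED since " + ((RevokedStatus) certStatus).getRevocationTime();
        }
        return "UNKNOWN"; // UnknownStatus, or a status type this client does not understand
    }

    /** Reads one DER/PEM X.509 certificate from a file, closing the stream in all cases. */
    private static X509Certificate readCertificate(CertificateFactory cf, String path)
            throws IOException, CertificateException {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * Entry point: {@code OCSPClient [subjectCert] [issuerCert] [responderUrl]}.
     * Prints GOOD / REVOKED / UNKNOWN, or fails with an exception when the response cannot be trusted.
     */
    public static void main(String[] args) throws Exception {
        String subjectPath = args.length > 0 ? args[0] : DEFAULT_SUBJECT_CERT;
        String issuerPath = args.length > 1 ? args[1] : DEFAULT_ISSUER_CERT;
        String responderUrl = args.length > 2 ? args[2] : DEFAULT_RESPONDER;

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate subjectCert = readCertificate(cf, subjectPath);
        X509Certificate issuerCert = readCertificate(cf, issuerPath);

        // The CertID hashes the issuer's name and key, so the "issuer" file must really be the
        // issuer; otherwise the responder answers about a certificate that does not exist.
        subjectCert.verify(issuerCert.getPublicKey());

        OCSPReq request = generateOCSPRequest(issuerCert, subjectCert.getSerialNumber());
        byte[] sentNonce = request.getRequestExtensions()
                .getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getValue().getOctets();
        CertificateID sentId =
                new CertificateID(CertificateID.HASH_SHA1, issuerCert, subjectCert.getSerialNumber());

        OCSPResp response = sendRequest(responderUrl, request.getEncoded());
        Object status = verifyResponse(response, sentId, sentNonce, issuerCert);
        System.out.println(describe(status));
    }
}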



Exception in thread "main" java.security.NoSuchProviderException: no such provider: BC
at sun.security.jca.GetInstance.getService(GetInstance.java:66)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
at java.security.Signature.getInstance(Signature.java:332)
at org.bouncycastle.x509.X509Util.getSignatureInstance(Unknown Source)
at org.bouncycastle.x509.X509Util.calculateSignature(Unknown Source)
at org.bouncycastle.x509.X509V1CertificateGenerator.generate(Unknown Source)
at org.bouncycastle.x509.X509V1CertificateGenerator.generateX509Certificate(Unknown Source)
at org.bouncycastle.x509.X509V1CertificateGenerator.generateX509Certificate(Unknown Source)

This exception occurs whenever BouncyCastle code asks for the "BC" provider by name before the provider has been registered — the trace above happens to come from certificate generation (X509V1CertificateGenerator), but the OCSP classes used in the sample (CertificateID, BasicOCSPResp.verify, getCerts) fail the same way. Register the provider once at start-up (or add it statically to the JRE's java.security file) before any of these calls:
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

