

import java.io.*;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.*;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.*;
8
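/**
 * Checks the revocation status of a public key certificate using OCSP.
 *
 * <p>The certificate under test is validated as a one-element certification
 * path by the PKIX {@link CertPathValidator}, with OCSP revocation checking
 * switched on through the {@code ocsp.*} security properties. The single
 * trust anchor is the root CA read from {@value #ROOT_CA_CERT}; because the
 * path holds only the target certificate, that same root must also be the
 * issuer of the certificate being checked. The OCSP responder's certificate
 * is read from {@value #OCSP_SERVER_CERT} and made available to the validator
 * through a collection cert store.
 *
 * <p>Both filenames are resolved relative to the working directory.
 */
public class ValidateCertUseOCSP {

    /** Filename that contains the root CA cert of the OCSP server's cert. */
    private static final String ROOT_CA_CERT = "RootCA.pem";

    /** Filename that contains the OCSP server's cert. */
    private static final String OCSP_SERVER_CERT = "OCSPServer.pem";

    /**
     * Checks the revocation status of a public key certificate using OCSP.
     *
     * <pre>
     * Usage: java ValidateCert &lt;cert-file&gt; [&lt;OCSP-server&gt;]
     * </pre>
     * {@code <cert-file>} is the filename of the certificate to be checked.
     * The certificate must be in PEM format.
     * {@code <OCSP-server>} is the URL of the OCSP server to use.
     * If not supplied then the certificate must identify an OCSP
     * server by means of its AuthorityInfoAccess extension.
     * If supplied then it overrides any URL which may be present
     * in the certificate's AuthorityInfoAccess extension.
     *
     * <pre>
     * Example: java \
     *     -Dhttp.proxyHost=proxy.example.net \
     *     -Dhttp.proxyPort=8080 \
     *     ValidateCert \
     *     mycert.pem \
     *     http://ocsp.openvalidation.org:80
     * </pre>
     *
     * <p>Exit status: 0 on success, 1 when path validation fails (for example
     * the certificate is revoked or the OCSP response cannot be verified),
     * -1 on a usage error or any other failure.
     *
     * @param args {@code <cert-file>} and optionally {@code <OCSP-server>}
     */
    public static void main(String[] args) {
        if (args.length == 0 || args.length > 2) {
            System.out.println(
                "Usage: java ValidateCert <cert-file> [<OCSP-server>]");
            System.exit(-1);
        }

        try {
            // load the cert to be checked; it is the only element of the path
            X509Certificate target = getCertFromFile(args[0]);
            List<X509Certificate> certs = Collections.singletonList(target);

            // handle location of OCSP server
            URI ocspServer = null;
            if (args.length == 2) {
                ocspServer = new URI(args[1]);
                System.out.println("Using the OCSP server at: " + args[1]);
                System.out.println("to check the revocation status of: " +
                    target);
                System.out.println();
            } else {
                System.out.println("Using the OCSP server specified in the " +
                    "cert to check the revocation status of: " + target);
                System.out.println();
            }

            // init cert path
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            CertPath cp = cf.generateCertPath(certs);

            // the root CA that issued the OCSP server cert is the sole trust
            // anchor (and therefore also the anchor the target must chain to)
            X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
            Set<TrustAnchor> trustedCertsSet =
                Collections.singleton(new TrustAnchor(rootCACert, null));

            // put the responder's cert in a cert store so the validator can
            // find it when it verifies the OCSP response signature
            X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
            CertStoreParameters storeParams =
                new CollectionCertStoreParameters(
                    Collections.singleton(ocspCert));
            CertStore store = CertStore.getInstance("Collection", storeParams);

            // init PKIX parameters; revocation checking is on by default
            PKIXParameters params = new PKIXParameters(trustedCertsSet);
            params.addCertStore(store);

            // enable OCSP. These are process-global security properties, not
            // per-validation settings. NOTE(review): Java 8+ also offers
            // PKIXRevocationChecker for per-validation configuration.
            Security.setProperty("ocsp.enable", "true");
            if (ocspServer != null) {
                // the command-line responder overrides any AuthorityInfoAccess
                // URL; naming the responder cert's subject tells the validator
                // which cert in the store to verify OCSP responses against
                Security.setProperty("ocsp.responderURL", ocspServer.toString());
                Security.setProperty("ocsp.responderCertSubjectName",
                    ocspCert.getSubjectX500Principal().getName());
            }

            // perform validation
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult cpvResult =
                (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            X509Certificate trustedCert =
                cpvResult.getTrustAnchor().getTrustedCert();

            if (trustedCert == null) {
                System.out.println("Trusted Cert = NULL");
            } else {
                // getSubjectX500Principal() replaces the deprecated getSubjectDN()
                System.out.println("Trusted CA DN = " +
                    trustedCert.getSubjectX500Principal());
            }

        } catch (CertPathValidatorException e) {
            // validation failed: revoked, bad chain, or unverifiable OCSP response
            e.printStackTrace();
            System.exit(1);

        } catch (Exception e) {
            // unreadable/unparseable input file, bad URI, provider setup errors
            e.printStackTrace();
            System.exit(-1);
        }
        System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
        System.exit(0);
    }

    /**
     * Reads a single X.509 certificate from the specified filepath.
     *
     * @param path filename of the certificate, in a form the "X509"
     *     {@link CertificateFactory} accepts (PEM or DER)
     * @return the parsed certificate, never {@code null}
     * @throws IOException if the file does not exist or is not readable
     * @throws CertificateException if the file content is not a parseable
     *     X.509 certificate
     */
    private static X509Certificate getCertFromFile(String path)
            throws IOException, CertificateException {
        Path certFile = Paths.get(path);
        if (!Files.isReadable(certFile)) {
            throw new IOException(" File " + certFile + " is unreadable");
        }
        // try-with-resources closes the stream; the previous version leaked it
        // and returned null on failure, which only surfaced later as an NPE
        try (InputStream in = Files.newInputStream(certFile)) {
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}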