mdavid mdavid - 11 days ago 8
Java Question

Which Java API should I use for implementing certificate verification with OCSP support?

There exist two java api references:



In the first one there's a description about X509TrustManager interface. I'm confused. Should I use that one for implementing x509 certificate verification or I must go through the second link? Which is the standard way of achieving my goal

Answer

The second link provide the documentation around the CertPath class how to implement your own certification path verification. So you have to handle the whole PKI certificate chain by your own (e.g. validation of signatures and certificates up to the root). Furthermore, it provide you with the information of the PKIX the default algorithm for certificate validation.

The first link show how to use the TrustManager which uses the PKIX algorithm. Beside certificate path validation with PKIX contains the TrustManager more mechanism to establish SSL/TLS communications.

The TrustManager/PKIX algorithm also provide a mechanism for revocation (CLR and OCSP). To activate OCSP take a deeper look at the first link section PKIX TrustManager Support.

If the init(KeyStore ks) method is used, default PKIXParameters are used with the exception that revocation checking is disabled. It can be enabled by setting the system property com.sun.net.ssl.checkRevocation to true.

And you have to set the security property ocsp.enable to true. So basically, you have nothing more to do then

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");

If you don't want to re-implement or exchange the verification chain mechanism which is provided already with the TrustManager and PKIX algorithm then you should definitely use the first link. If you need more information about the PKIX algorithm, implement your own or do just certification validation and not establishing TLS/SSL communication then you should check the second link .