mdavid - 4 days ago
Java Question

How to enable OCSP in X509TrustManager?

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");


Is setting these properties really sufficient to enable OCSP?

If so, then why do we need Bouncy Castle OCSP support instead of just setting these properties?

Answer

If the certificates contain an Authority Information Access extension (OCSPSigning) then you don't have anything more to do than set the properties you mentioned.

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");

See RFC3280 and How to up OCSP using OpenSSL for more information.

If your CA doesn't provide this extension to the issued certificates then you can configure a responder URL by setting the property

Security.setProperty("ocsp.responderURL", ...);

By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

If the certificate of your OCSP responder does not match the certificate of the issuer then you can set an alternative subject name by setting

Security.setProperty("ocsp.responderCertSubjectName", ...);

By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate, then both the ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties must be used instead. When this property is set, then those two properties are ignored.

For a description of all properties which can be used to configure OCSP see the Java PKI Programmer's Guide.


Why do we need Bouncy Castle OCSP support instead of just setting these properties?

Nobody is saying that you have to use Bouncy Castle as the security provider. Using the default Sun JCE is fine, at least in the case of JRE 1.8.
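The answer above configures OCSP through JVM-wide properties. The following is an added example, not code from the question or the answer, that shows both that route and a second one the answer does not cover: binding revocation checking to a single X509TrustManager through the standard java.security.cert.PKIXRevocationChecker API (available since Java 8), so the setting cannot be silently changed by other code touching global properties. The truststore path and password are assumptions (the JDK's own cacerts with its default password); the class and helper names are mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class OcspTrustManagerExample {

    // Route 1: the global properties from the answer above. They apply to every
    // PKIX trust manager in the JVM that is initialised from a plain KeyStore.
    static void enableOcspViaProperties(String responderUrl) {
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        Security.setProperty("ocsp.enable", "true");
        if (responderUrl != null) {
            // Only needed when the certificate carries no AIA extension, or the
            // AIA location must be overridden (see the answer above).
            Security.setProperty("ocsp.responderURL", responderUrl);
        }
    }

    // Route 2: an explicit PKIXRevocationChecker attached to one trust manager.
    static X509TrustManager buildOcspTrustManager(KeyStore trustStore) throws Exception {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();

        // Defaults: OCSP is tried first, CRLs are the fallback. NO_FALLBACK turns the
        // CRL fallback off. SOFT_FAIL is deliberately NOT set: with it, an unreachable
        // responder would be ignored and the handshake would succeed unchecked.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // rc.setOcspResponder(URI) is the per-checker equivalent of ocsp.responderURL.

        // An empty selector is the usual target constraint when the parameters are
        // handed to JSSE; the trust manager supplies the peer certificate as the target.
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // A supplied PKIXRevocationChecker is used regardless of the RevocationEnabled flag.
        params.addCertPathChecker(rc);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX TrustManagerFactory returned no X509TrustManager");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JDK's bundled cacerts with its default password.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            ts.load(in, "changeit".toCharArray());
        }

        X509TrustManager tm = buildOcspTrustManager(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        // ctx.getSocketFactory() now performs OCSP checking on every handshake. A revoked
        // certificate, or an unreachable responder, fails the handshake with an
        // SSLHandshakeException whose cause is a CertPathValidatorException.
    }
}
```

With route 2 the choice between hard and soft failure is explicit in code: leaving SOFT_FAIL out is the setting that actually enforces revocation, and if you do enable SOFT_FAIL, call rc.getSoftFailExceptions() after validation and log the result, otherwise a responder outage looks identical to a clean check.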
