Hi,
Interesting ... as far as I can see, Java throws "Unable to verify OCSP
Responder's signature" only if responderCert is null in OCSPResponse.
Strange that it happens only from time to time.
Could you experiment a bit with OCSP validation explicitly, using something
like this:
// Imports needed by the snippet below
import java.security.Security;
import java.security.cert.*;
import java.util.*;

// The undefined names from the snippet (trust anchors, cert path, responder
// cert, responder URL) are taken as parameters so the method compiles as-is.
static X509Certificate validateWithOcsp(CertPath cp, Set<TrustAnchor> trustedCertsSet,
        X509Certificate ocspCert, String ocspServer) throws Exception {
    // put the responder's signing cert in a CertStore the validator can search
    Set<X509Certificate> certSet = new HashSet<>();
    certSet.add(ocspCert);
    CertStoreParameters storeParams = new CollectionCertStoreParameters(certSet);
    CertStore store = CertStore.getInstance("Collection", storeParams);
    // init PKIX parameters
    PKIXParameters params = new PKIXParameters(trustedCertsSet);
    params.addCertStore(store);
    // enable OCSP
    Security.setProperty("ocsp.enable", "true");
    if (ocspServer != null) {
        Security.setProperty("ocsp.responderURL", ocspServer);
        // the validator looks this subject up in the CertStores added above
        Security.setProperty("ocsp.responderCertSubjectName",
                ocspCert.getSubjectX500Principal().getName());
    }
    // perform validation
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    PKIXCertPathValidatorResult cpvResult =
            (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    return (X509Certificate) cpvResult.getTrustAnchor().getTrustedCert();
}
Perhaps you will be able to reproduce the problem and investigate it in detail.
Regards,
Andrei.
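Editor's note with an added example (not code from either poster): the setup above pins a single responder certificate through ocsp.responderCertSubjectName, and pinning is only one of the three ways RFC 6960 section 4.2.2.2 lets a responder signature be accepted. The other two are that the response is signed with the issuing CA's own key, or with a delegated signer certificate that was issued by that CA and carries id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) in its extended key usage. Delegated signers need no per-signer configuration in the PKIX validator, and they are the natural fit for a pool of OCSP signing certificates: each one just has to chain to the CA that issued the certificate being checked, and the responder has to embed its signer certificate in the response. The program below checks each signer certificate against that rule, then shows the Java 8+ PKIXRevocationChecker form of the validation with no responder certificate pinned. All file names, the truststore password and the responder URL are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class OcspSignerCheck {
    // id-kp-OCSPSigning, RFC 6960 section 4.2.2.2 (delegated responder)
    static final String OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9";

    /**
     * True if signer is an acceptable delegated OCSP signer for issuerCa:
     * its issuer name is the CA, its signature verifies under the CA key,
     * it is currently valid, and its EKU contains id-kp-OCSPSigning.
     */
    static boolean isDelegatedOcspSigner(X509Certificate signer, X509Certificate issuerCa)
            throws CertificateParsingException {
        if (!signer.getIssuerX500Principal().equals(issuerCa.getSubjectX500Principal())) {
            return false;
        }
        try {
            signer.verify(issuerCa.getPublicKey()); // throws if not signed by this CA
            signer.checkValidity();
        } catch (GeneralSecurityException e) {
            return false;
        }
        List<String> eku = signer.getExtendedKeyUsage(); // null when no EKU extension
        return eku != null && eku.contains(OCSP_SIGNING_EKU);
    }

    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names: the CA that issued the end-entity cert and
        // the OCSP signer certificates used by the responder pool.
        X509Certificate issuerCa = loadCert("issuing-ca.pem");
        String[] signerFiles = {"ocsp-signer-1.pem", "ocsp-signer-2.pem", "ocsp-signer-3.pem"};
        for (String f : signerFiles) {
            X509Certificate signer = loadCert(f);
            System.out.println(f + ": delegated OCSP signer for "
                    + issuerCa.getSubjectX500Principal().getName() + " = "
                    + isDelegatedOcspSigner(signer, issuerCa));
        }

        // Java 8+ equivalent of the Security-property setup: a
        // PKIXRevocationChecker attached to the PKIXParameters. No responder
        // cert is pinned, so any signer that passes the delegation rule above
        // and is embedded in the response is accepted by the validator.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("truststore.jks")) {
            trust.load(in, "changeit".toCharArray()); // hypothetical password
        }
        PKIXParameters params = new PKIXParameters(trust);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOcspResponder(new URI("http://ocsp.example.test/")); // hypothetical URL
        // OCSP only: do not silently fall back to CRLs when the responder fails
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true);

        CertPath cp = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(loadCert("end-entity.pem")));
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) cpv.validate(cp, params);
        System.out.println("Valid, anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName());
    }
}
```

Run the first loop against every signer certificate the responder pool can use; any "false" identifies a signer whose responses the validator has no basis to trust. The trust store is the wrong place for those certificates: entries there are trust anchors for certificate paths, not responder identities, and making an OCSP signer a trust anchor widens what the STS accepts without fixing the signature check.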
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Tuesday, 3 June 2014 17:07
> To: [email protected]
> Subject: CXF & OCSP Signers
>
> My apologies if this is the wrong place for this question, as it's not
> strictly a CXF issue, but I'm hoping someone might be able to kick me in
> the right direction ...
>
> In my architecture, the STS I am building will need to check certificate
> revocation against one of a set of OCSP responders. Revocation checking
> works well using the standard Java configuration, that is not an issue.
> What is an issue though is that we are using a hierarchical OCSP
> architecture, with multiple OCSP signers, each with their own certificate.
> So when checking the status of a cert against a responder, depending on
> the health of everything in the system, the revocation response could be
> signed with any one of those OCSP signing certs.
>
> With a single signing cert, I can add that cert to the CXF STS's
> truststore, and revocation checking works perfectly. I had thought that
> if I added additional signing certs to the trust store, Java would just
> match the cert in the OCSP response against any of the certs in the
> truststore, but instead it looks like Java just gets confused and
> randomly picks one to match against - it may not be random, but it's not
> consistent as I'll sometimes get "Unable to verify OCSP Responder's
> signature" errors kicked out, and sometimes get the proper status.
>
> Again, my apologies if this question is misdirected. Any help would be greatly
> appreciated.
>
> Stephen W. Chappell