You've reminded me of something I read recently: http://stackoverflow.com/questions/19897598/bouncycastle-provider-and-java-sun-provider-interopability-issue
"The problem with your code is that SUN's provider implementation of CertStore.getCertificates() returns HashSet. And HashSet makes no guarantees as to the iteration order of the set; in particular, it does not guarantee that the order will remain constant over time." If you add "bcprov" as a dependency do you see the same random failures? Colm. On Tue, Jun 3, 2014 at 4:06 PM, <[email protected]> wrote: > My apologies if this is the wrong place for this question, as it's not > strictly a CXF issue, but I'm hoping someone might be able to kick me in > the right direction ... > > In my architecture, the STS I am building will need to check certificate > revocation against one of a set of OCSP responders. Revocation checking > works well using the standard Java configuration, that is not an issue. > What is an issue though is that we are using a hierarchical OCSP > architecture, with multiple OCSP signers, each with their own certificate. > So when checking the status of a cert against a responder, depending on the > health of everything in the system, the revocation response could be signed > with any one of those OCSP signing certs. > > With a single signing cert, I can add that cert to the CXF STS's > truststore, and revocation checking works perfectly. I had thought that if > I added additional signing certs to the trust store, Java would just match > the cert in the OCSP response against any of the certs in the truststore, > but instead it looks like Java just gets confused and randomly picks one to > match against - it may not be random, but it's not consistent as I'll > sometimes get "Unable to verify OCSP Responder's signature" errors kicked > out, and sometimes get the proper status. > > Again, my apologies if this question is misdirected. Any help would be > greatly appreciated. > > Stephen W. Chappell > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
