Our use case requires validating certificate revocation via OCSP on a PKIX set-up. My starting point was the code at this related question: OCSP Revocation on client certificate
I'm doing it manually at the application level since Tomcat doesn't support it. However, I'm having some trouble building the certPath and I think I'm missing some fundamental understanding.
First I try to create the certPath for the incoming client x509Certificate.
KeyStore store is initialized correctly and contains only the root certificates that match the client x509Certificate.
EDIT: I got the same result after adding the intermediate certificates as well.
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;

// 'store' is the KeyStore holding the trusted root certificates;
// 'x509certificate' is the incoming client certificate.
X509CertSelector certSelector = new X509CertSelector();
// Target constraint: only the subject name of the client certificate
certSelector.setSubject(x509certificate.getSubjectX500Principal());
// Trust anchors are taken from the trusted certificate entries in 'store'
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
However, I get an error at run-time:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What could be missing?
As you have it, I'm not sure how the CPB would find the subject certificate (x509certificate) to build a path to, unless it's in your keystore, which it typically wouldn't be. Simply providing the subject name isn't enough to build a validated path; the discovery & validation algorithm needs the full subject certificate. See what happens if you replace
certSelector.setSubject(x509certificate.getSubjectX500Principal());
with
certSelector.setCertificate(x509certificate);
You indicate that you added intermediate certificates. Since you did not update your code snippet, I wondered how you added these certificates. You should add these certificates as a CertStore:
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Arrays;

X509CertSelector certSelector = new X509CertSelector();
// Identify the target by the full end-entity certificate so the builder has
// something to start the path from (a subject name alone is not enough).
certSelector.setCertificate(x509certificate);
// Trust anchors: the trusted certificate entries of the KeyStore 'store'
PKIXBuilderParameters params = new PKIXBuilderParameters(store, certSelector);
// Intermediate certificates (icert1, icert2, ...) are offered to the builder
// through a CertStore; they must not be in the trust anchor KeyStore.
CertStore cstore = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));
params.addCertStore(cstore);
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
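The following is an added, complete example (not code from either answer or from the question) that combines both points above with the OCSP requirement stated in the question: the target is the full client certificate, the intermediates are supplied through a Collection CertStore, and revocation is checked with a PKIXRevocationChecker (Java 8 and later) configured to fail closed. The class name ClientCertPathCheck, the method names and the command-line arguments (a JKS trust store, its password, a PEM file with the client certificate, optional PEM files with intermediates) are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

// Example class (assumed name): builds and validates a client certificate path
// against the trust anchors in a KeyStore and checks revocation via OCSP.
public final class ClientCertPathCheck {

    public static PKIXCertPathBuilderResult buildAndCheck(KeyStore trustStore,
                                                          X509Certificate clientCert,
                                                          List<X509Certificate> intermediates)
            throws Exception {
        // Target constraint: the whole end-entity certificate, not only its subject name.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(clientCert);

        // Trust anchors are the trusted certificate entries of the KeyStore.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // Intermediates (plus the client cert itself) go into a CertStore, never
        // into the trust-anchor KeyStore, so the builder can bridge the gap.
        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(clientCert);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));

        // Revocation: the checker prefers OCSP (responder taken from the AIA
        // extension). NO_FALLBACK disables the CRL fallback and, since SOFT_FAIL is
        // not set, an unreachable responder or unknown status rejects the path.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) builder.getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(revocation);
        params.setRevocationEnabled(true);

        // The PKIX builder validates the path as it builds it; a revoked or
        // otherwise invalid certificate surfaces as a CertPathBuilderException.
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    // Reads one or more PEM-encoded certificates from a file.
    static List<X509Certificate> readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientCertPathCheck <truststore.jks> <password> "
                    + "<client.pem> [intermediates.pem ...]");
            System.exit(2);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate clientCert = readPem(args[2]).get(0);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            intermediates.addAll(readPem(args[i]));
        }
        try {
            PKIXCertPathBuilderResult result = buildAndCheck(trustStore, clientCert, intermediates);
            System.out.println("Path OK, anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : result.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // getCause() carries the CertPathValidatorException with the reason (e.g. REVOKED).
            System.out.println("Rejected: " + e.getMessage() + " (cause: " + e.getCause() + ")");
            System.exit(1);
        }
    }
}
```

Two points worth checking when adapting this: PKIXBuilderParameters only turns the trusted certificate entries of the KeyStore into trust anchors, so a root stored as a key entry is silently ignored; and keeping the intermediates out of that KeyStore matters, because an intermediate that is also a trust anchor ends the path early and the revocation status of the real chain above it is never examined.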
Source: https://stackoverflow.com/questions/5237970/x509certificate-certpath-validation