OCSP Validator
This implementation uses the JDK's default OCSP feature to check the certificate used to validate the validation response and to reject it when it is not reported as good. The default mechanism uses the OCSP AIA (Authority Information Access) extension field. If the OCSP AIA extension is absent, a configured OCSP responder URL is used instead.
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Objects;
import sun.security.provider.certpath.OCSP;
import sun.security.provider.certpath.OCSP.RevocationStatus;
import sun.security.x509.X509CertImpl;
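/**
 * Checks a certificate's revocation state via OCSP.
 *
 * <p>The check prefers the OCSP responder URI carried in the certificate's AIA
 * extension. When the certificate carries none, a configured fallback responder
 * is queried and the OCSP response signature is verified against a certificate
 * loaded from a configured file.
 *
 * <p>NOTE(review): this relies on {@code sun.security.provider.certpath.OCSP}, a
 * JDK-internal API that is not exported since JDK 9 (running it needs
 * {@code --add-exports java.base/sun.security.provider.certpath=ALL-UNNAMED}) and
 * whose signatures may change between releases. The supported public equivalent
 * is {@code java.security.cert.PKIXRevocationChecker} obtained from
 * {@code CertPathValidator.getRevocationChecker()}.
 *
 * <p>Security: the fallback responder certificate file is the trust anchor for
 * OCSP response signatures on the fallback path, so its location must only be
 * writable by trusted operators. Any failure (I/O, parsing, responder outage,
 * unsigned or unverifiable response) makes the check fail closed and return
 * {@code false}.
 */
public class OCSPValidator {

    /** Fallback OCSP responder URL, used only when the certificate has no AIA OCSP URI (placeholder value kept from the original). */
    private static final String DEFAULT_RESPONDER_URL = "http://OCSPresponderURL:8080";

    /** File holding the certificate that signs responses of the fallback responder (placeholder path kept from the original). */
    private static final String DEFAULT_RESPONDER_CERT_FILE = "SigningCertificate";

    /** Responder queried when the certificate carries no AIA OCSP URI. */
    private final URI responderUri;

    /** File containing the X.509 certificate used to verify fallback responder signatures. */
    private final File responderCertFile;

    /** Creates a validator with the built-in fallback responder URL and certificate file. */
    public OCSPValidator() {
        this(URI.create(DEFAULT_RESPONDER_URL), new File(DEFAULT_RESPONDER_CERT_FILE));
    }

    /**
     * Creates a validator with an explicit fallback responder.
     *
     * @param responderUri      OCSP responder to query when the certificate has no AIA OCSP URI
     * @param responderCertFile file with the certificate that signs that responder's responses
     * @throws NullPointerException if either argument is {@code null}
     */
    public OCSPValidator(URI responderUri, File responderCertFile) {
        this.responderUri = Objects.requireNonNull(responderUri, "responderUri");
        this.responderCertFile = Objects.requireNonNull(responderCertFile, "responderCertFile");
    }

    /**
     * Reports whether {@code cert} is currently reported as GOOD by OCSP.
     *
     * @param cert              certificate whose revocation state is checked
     * @param signer_issuerCert certificate of {@code cert}'s issuer, needed to build the OCSP request
     * @return {@code true} only when a response was obtained and its status is GOOD;
     *         {@code false} for REVOKED, UNKNOWN, a {@code null} argument, or any failure
     */
    public boolean checkIssuerUsingOCSP(X509Certificate cert, X509Certificate signer_issuerCert) {
        // The original reached this case through an NPE inside the catch; make it explicit.
        if (cert == null || signer_issuerCert == null) {
            return false;
        }
        try {
            RevocationStatus status;
            if (OCSP.getResponderURI(cert) != null) {
                // AIA path: the JDK resolves the responder from the certificate itself.
                status = OCSP.check(cert, signer_issuerCert);
            } else {
                // Fallback path: explicit responder plus the certificate that signs its responses.
                X509Certificate responderCert = loadResponderCertificate();
                // The null date argument is passed through unchanged from the original;
                // presumably it means "check at the current time" — confirm for the JDK in use.
                status = OCSP.check(cert, signer_issuerCert, responderUri, responderCert, null);
            }
            // Enum comparison; anything other than GOOD (REVOKED, UNKNOWN) is rejected.
            return status != null && status.getCertStatus() == RevocationStatus.CertStatus.GOOD;
        } catch (Exception e) {
            // Fail closed. The cause is intentionally not propagated so callers keep a plain
            // boolean contract; NOTE(review): it is also not recorded, so responder outages
            // are indistinguishable from revocation — consider surfacing it at the call site.
            return false;
        }
    }

    /**
     * Loads the fallback responder's signing certificate from {@link #responderCertFile}.
     *
     * <p>Uses the public {@code CertificateFactory} API instead of the internal
     * {@code X509CertImpl} constructor, and closes the stream (the original leaked it).
     *
     * @return the parsed X.509 certificate
     * @throws IOException          if the file cannot be read
     * @throws CertificateException if the file does not hold a parsable X.509 certificate
     */
    private X509Certificate loadResponderCertificate() throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(responderCertFile)) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(in);
        }
    }
}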