Running OCSPCheckExample

The OCSPCheckExample sample application checks the validity status of a certificate using OCSP.

To run this sample application, execute the following command line in the etjava/examples directory.

java -classpath classes;../lib/enttoolkit.jar com.entrust.toolkit.examples.ocsp.OCSPCheckExample <cert> <responder_cert> <ca_cert> [-loc <responder>]

Parameter           Value
<cert>              The file path of the certificate whose validity will be checked.
<responder_cert>    The file path of the responder certificate.
<ca_cert>           The file path of the CA certificate to validate the <cert> certificate.
<responder>         The access location of the OCSP responder. Optional.

For example:

C:\etjava\examples>java -classpath classes;../lib/enttoolkit.jar com.entrust.toolkit.examples.ocsp.OCSPCheckExample User.cer Server.cer RootCACert.cer -loc "http://ocsp.openvalidation.org:8083"
CertificationException Caught! Details of Exception:
com.entrust.toolkit.exceptions.RevocationException: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
1. The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
2. The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
Contents of stack trace:
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.doProcessOCSP(OCSPRevocationChecker.java:1489)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:430)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.checkSingleRevocation(RevocationManager.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.check(RevocationManager.java:299)
at com.entrust.toolkit.x509.certstore.CollectionCS.checkEndUser(CollectionCS.java:601)
at com.entrust.toolkit.x509.certstore.CollectionCS.validateHelper(CollectionCS.java:964)
at com.entrust.toolkit.x509.certstore.CollectionCS.internalValidate(CollectionCS.java:731)
at com.entrust.toolkit.x509.certstore.CollectionCS.validate(CollectionCS.java:367)
at com.entrust.toolkit.x509.CertVerifier.validate(CertVerifier.java:511)
at com.entrust.toolkit.examples.ocsp.OCSPCheckExample.main(OCSPCheckExample.java:118)
Caused by: com.entrust.toolkit.exceptions.RevocationException: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.doProcessOCSP(OCSPRevocationChecker.java:1489)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:430)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.checkSingleRevocation(RevocationManager.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.check(RevocationManager.java:299)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.checkResponderCertRevocation(OCSPRevocationChecker.java:682)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.doProcessOCSP(OCSPRevocationChecker.java:1400)
... 10 more

To see how the response is processed, turn on RevocationChecker tracing using the following system property.

com.entrust.toolkit.x509.revocation.RevocationChecker.trace=5

Here is the same example with this system property turned on and the resulting output.

C:\etjava\examples>java -Dcom.entrust.toolkit.x509.revocation.RevocationChecker.trace=5 -classpath classes;../lib/enttoolkit.jar com.entrust.toolkit.examples.ocsp.OCSPCheckExample User.cer Server.cer RootCACert.cer -loc "http://ocsp.openvalidation.org:8083"
RevocationChecker: RevocationManager: check() - Checking Revocation of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de using com.entrust.toolkit.x509.revocation.OCSPRevocationChecker
RevocationChecker: OCSRevocationChecker(): check() - The Certificate does not contain an AIA extension that can be followed by this configuration
RevocationChecker: OCSPRevocationChecker: sendOCSPRequest() - Sending OCSP request to http://ocsp.openvalidation.org:8083
RevocationChecker: OCSPRevocationChecker: sendOCSPRequest() - Received response from http://ocsp.openvalidation.org:8083
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - The responder sent an OCSP Response type of Successful. Response will now be processed.
RevocationChecker: OCSPRevocationChecker: checkThisUpdateTime() - ThisUpdateTime is Wed Jul 12 14:50:03 EDT 2006
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - No NextUpdateTime was specified in the OCSP response
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - ThisUpdate and NextUpdate times are valid in the OCSP response
RevocationChecker: OCSPRevocationChecker: checkIssuers() - found 1 issuers for certificate with DN EMail=insecure@test.insecure,cn=For Tests Only,o=InsecureTestCertificate,c=de
RevocationChecker: OCSPRevocationChecker: validateSignature(): Signature was verified by Cert with DN: EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de
RevocationChecker: OCSPRevocationChecker: checkSignerRevocation() - Checking revocation of the certificate which signed the OCSP response!
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - The certificate which signed the OCSP response does not contain the id-pkix-ocsp-nocheck extension!
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - Using local Revocation configuration to try and find revocation information for the certificate which signed the OCSP response.
RevocationChecker: RevocationManager: check() - Checking Revocation of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de using com.entrust.toolkit.x509.revocation.OCSPRevocationChecker
RevocationChecker: OCSRevocationChecker(): check() - The Certificate does not contain an AIA extension that can be followed by this configuration
RevocationChecker: OCSPRevocationChecker: sendOCSPRequest() - Sending OCSP request to http://ocsp.openvalidation.org:8083
RevocationChecker: OCSPRevocationChecker: sendOCSPRequest() - Received response from http://ocsp.openvalidation.org:8083
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - The responder sent an OCSP Response type of Successful. Response will now be processed.
RevocationChecker: OCSPRevocationChecker: checkThisUpdateTime() - ThisUpdateTime is Wed Jul 12 14:50:04 EDT 2006
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - No NextUpdateTime was specified in the OCSP response
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - ThisUpdate and NextUpdate times are valid in the OCSP response
RevocationChecker: OCSPRevocationChecker: checkIssuers() - found 1 issuers for certificate with DN EMail=insecure@test.insecure,cn=For Tests Only,o=InsecureTestCertificate,c=de
RevocationChecker: OCSPRevocationChecker: validateSignature(): Signature was verified by Cert with DN: EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de
RevocationChecker: OCSPRevocationChecker: checkSignerRevocation() - Checking revocation of the certificate which signed the OCSP response!
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - The certificate which signed the OCSP response matches certificate whose revocation has been requested. Certificate has been authorized
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - The OCSP Response Signature has been validated!
RevocationChecker: RevocationManager: checkSingleRevocation() - The certificate is revoked!
RevocationChecker: RevocationManager: check() - Revocation Exception caught with the following message: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - The OCSP responder Certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de is revoked!
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - Revocation check of all authorized responder certificates failed!
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - The OCSP Responder Certificate was revoked and contained the following data: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - The OCSP Response Signature has been validated!
RevocationChecker: RevocationManager: checkSingleRevocation() - The certificate is revoked!
RevocationChecker: RevocationManager: check() - Revocation Exception caught with the following message: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
CertificationException Caught! Details of Exception:
1. The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
2. The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
Contents of stack trace:
com.entrust.toolkit.exceptions.RevocationException: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.doProcessOCSP(OCSPRevocationChecker.java:1489)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:430)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.checkSingleRevocation(RevocationManager.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.check(RevocationManager.java:299)
at com.entrust.toolkit.x509.certstore.CollectionCS.checkEndUser(CollectionCS.java:601)
at com.entrust.toolkit.x509.certstore.CollectionCS.validateHelper(CollectionCS.java:964)
at com.entrust.toolkit.x509.certstore.CollectionCS.internalValidate(CollectionCS.java:731)
at com.entrust.toolkit.x509.certstore.CollectionCS.validate(CollectionCS.java:367)
at com.entrust.toolkit.x509.CertVerifier.validate(CertVerifier.java:511)
at com.entrust.toolkit.examples.ocsp.OCSPCheckExample.main(OCSPCheckExample.java:118)
Caused by: com.entrust.toolkit.exceptions.RevocationException: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.doProcessOCSP(OCSPRevocationChecker.java:1489)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:430)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.check(OCSPRevocationChecker.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.checkSingleRevocation(RevocationManager.java:248)
at com.entrust.toolkit.x509.revocation.RevocationManager.check(RevocationManager.java:299)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.checkResponderCertRevocation(OCSPRevocationChecker.java:682)
at com.entrust.toolkit.x509.revocation.OCSPRevocationChecker.doProcessOCSP(OCSPRevocationChecker.java:1400)
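
The level-5 trace above is easier to triage when reduced to who was checked, which responder answered, and what the responder's own certificate status was. The following Python script is an added example, not part of the Entrust toolkit or its documentation; the function names and flag names are hypothetical, and the sample input is an abbreviated excerpt of the trace lines shown on this page.

```python
import re

# Abbreviated excerpt of the trace output shown above (assumption: line format as on this page).
SAMPLE_TRACE = """\
RevocationChecker: RevocationManager: check() - Checking Revocation of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de using com.entrust.toolkit.x509.revocation.OCSPRevocationChecker
RevocationChecker: OCSPRevocationChecker: sendOCSPRequest() - Sending OCSP request to http://ocsp.openvalidation.org:8083
RevocationChecker: OCSPRevocationChecker(): doProcessOCSP() - No NextUpdateTime was specified in the OCSP response
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - The certificate which signed the OCSP response does not contain the id-pkix-ocsp-nocheck extension!
RevocationChecker: RevocationManager: check() - Checking Revocation of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de using com.entrust.toolkit.x509.revocation.OCSPRevocationChecker
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - The certificate which signed the OCSP response matches certificate whose revocation has been requested. Certificate has been authorized
RevocationChecker: RevocationManager: check() - Revocation Exception caught with the following message: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
RevocationChecker: OCSPRevocationChecker: checkResponderCertRevocation() - The OCSP responder Certificate with DN EMail=insecure@test.insecure,cn=Insecure Test OCSPServer Cert,o=InsecureTestCertificate,c=de is revoked!
RevocationChecker: RevocationManager: check() - Revocation Exception caught with the following message: The revocation status of certificate with DN EMail=insecure@test.insecure,cn=Insecure User Test Cert,o=InsecureTestCertificate,c=de was revoked on Wed Dec 31 19:00:00 EST 1969 for reason: No ReasonCode specified
"""

CHECK = re.compile(r"Checking Revocation of certificate with DN (.+?) using ")
REQUEST = re.compile(r"Sending OCSP request to (\S+)")
REVOKED = re.compile(r"Revocation Exception caught .*?with DN (.+?) was revoked on (.+?) for reason: (.+)$")
RESPONDER_REVOKED = re.compile(r"The OCSP responder Certificate with DN (.+?) is revoked!")
# Trace phrases worth surfacing; the flag names on the right are hypothetical labels.
FLAGS = {
    "No NextUpdateTime was specified": "no_next_update",
    "does not contain the id-pkix-ocsp-nocheck extension": "responder_cert_lacks_ocsp_nocheck",
    "matches certificate whose revocation has been requested": "responder_signed_own_status",
}

def triage(trace):
    """Reduce a RevocationChecker trace to checked DNs, responders, revocations and flags."""
    report = {"checked": [], "responders": set(), "revoked": {},
              "revoked_responders": set(), "flags": set()}
    for line in trace.splitlines():
        if not line.startswith("RevocationChecker:"):
            continue  # skip the exception summary and stack frames
        if m := CHECK.search(line):
            report["checked"].append(m.group(1))
        elif m := REQUEST.search(line):
            report["responders"].add(m.group(1))
        elif m := REVOKED.search(line):
            report["revoked"][m.group(1)] = (m.group(2), m.group(3))
        elif m := RESPONDER_REVOKED.search(line):
            report["revoked_responders"].add(m.group(1))
        report["flags"].update(f for marker, f in FLAGS.items() if marker in line)
    return report

def responder_untrusted(report):
    """True when a certificate reported as revoked is also an OCSP response signer."""
    return bool(report["revoked_responders"].intersection(report["revoked"]))
```

On this excerpt, `responder_untrusted(triage(SAMPLE_TRACE))` is true: the certificate that signed the responses is itself reported as revoked, which is the condition the trace reports as "Revocation check of all authorized responder certificates failed!".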