#11 Online Certificate Status Protocol

Blog Post created by Alameyo on Jul 28, 2017

Hi there ,


This week I was implementing Online Certificate Status Protocol. Java allow to implement it in form of PKIXRevocationChecker which is added to the parameters of certificate path which is later validated. PKIXRevocationChecker is abstract class so it need some work on implementation and it is Openfire's way to handle this problem (well, it also use more abstract PKIXCertPathChecker class). Before I come to the my solution for PKIXRevocationChecker let's try to grasp some knowledge about what is OCSP?


It's protocol defined in rfc6960 for checking certificate revocation. In many ways it is superior to the CRLs as it doesn't require downloading whole lists for certificates which we aren't processing. However is not included in the basic PKI document while CRL way of checking of revocation is. Why? I can only guess but it is maybe bit more complicated and requires constantly working server, while in theory CRL's can be cached for group certificates and used for some period of time. Anyway OCSP isn't so popular as CRLs so any implementation of it should support CRL as backup.

OCSP include two parts: client request and server response.


An OCSP request contains:

   - protocol version

   - service request

   - target certificate identifier

   - optional extensions

Basic response include:

  - version of the response syntax

  - identifier of the responder

  - time when the response was generated

  - responses for each of the certificates in a request  - that means by one request response we can check group of certificates. Response can be good, revoked or unknown.

  - optional extensions

  - signature algorithm OID

  - signature computed across a hash of the response

Protocol states that there can be many types of response but at least that one basic have to be supported in every server side implementation of OCSP.


Now back to Java implementation of OCSP. While creating own checker is completely fine I found out that according to the Java PKI Programmer's Guide I can use CertPathBuilder to get instance of OCSP checker ( which also checks as backup CRLs ). Then I can change some of the options in this checker and add it to the parameters used in certificate chain validation. That's all. Why Openfire doesn't use it? The reason might be that this PKIXRevocationChecker was introduced in Java 8, while Openfire is much older software. So Openfire's way is perfectly cool, just person who did it couldn't use Java 8 then, which simplify it now.


See you next week,