PKIXRevocationChecker does not use OCSP Responder URL set in Certificate
I am trying to perform certificate validation with JAVA's CertPathValidator, but am having difficulty with the revocation validation.
The certificate I am trying to validate has the OCSP URL encoded within it, but for some reason PKIXRevocationChecker does not load this URL.
I took a look at how the PKIXRevocationChecker is initialized and found that it will only check from Security.getProperty("ocsp.responderURL") if one has not been manually configured.
Is this the intended behavior of the library? I would think that the library should automatically use the OCSP responder URL if it is provided in the certificate being validated.
From the spec (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html):
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 5280) is absent from the certificate or when it requires overriding.
Read deeper into this spec, and found this matrix: 
So, PKIXParameters has a revocationEnabled property that is set to true by default, but there is also an ocsp.enable property that is set to false by default. This configuration will only cause CRL revocation to occur.
Setting ocsp.enable to true via: Security.setProperty("ocsp.enable", "true"); fixed the issue.
- Mockito.any() pass Interface with Generics
- Basic Authentication using Swagger UI
- Generate a Version.java file in Maven
- Constructing loop coverage for nested conditional loops in Java
- How to mock Amazon S3 in an integration test
- Spring - Multiple Profiles active
- Automate fixes for issues found by Sonar
- Android - phonegap error: Error parsing XML: unbound prefix
- Quarkus gRPC ExceptionHandlerProvider does not close response message with the correct status
- Do Java 21 virtual threads address the main reason to switch to reactive single-thread frameworks?
- Local Record with type of generic method
- Spring Boot 3.1: Problem with MIME-generation - works at Spring Boot 2.7
- org.mockito.exceptions.misusing.InvalidUseOfMatchersException: Invalid use of argument matchers
- Can't connect to the right DataSource in Spring Tool Suite
- No valid download found for version java21.x and package jdk: GitHub Actions and Azure App Service CI/CD
- Java 17 Record and ConfigurationProperties are not working
- Generate javadoc for domino-jna 0.9.2.1 - multiple errors
- Pact test on Junit5 what to define in @ExtendWith
- Dynamic serialization using Jackson - removing fields with specific annotations
- initialise superclass array in subclass (java)
- GPS Android - get positioning only once
- repository element was not specified in the POM inside distributionManagement element or in -DaltDep loymentRepository=id::layout::url parameter
- restassured jsonpath findAll not working as expected
- Can't get exp4j to install
- Configure Truststore in Tomcat
- Pulling Info From More Than One Class in a Constraint Stream
- How to customise the Jackson JSON mapper implicitly used by Spring Boot?
- Unable to autowire the MapStruct mapper
- Start of Simple Java program causes a white screen pause
- Refresh token not used by Spring OAuth2 when access token expires