用Java读取OCSP签名证书时出现异常

Question

I'm currently working on getting a Java application (JRE 1.5+) to talk to a Windows 2008 OCSP Responder, and I'm getting a strange error on trying to read the Responder's signing cert.

I get the following exception on trying to perform an OCSP validation.

Caused by: java.security.cert.CertificateParsingException: java.io.IOException: short read on DerValue buffer
    at sun.security.x509.X509CertInfo.<init>(Unknown Source)
    at sun.security.x509.X509CertImpl.parse(Unknown Source)
    at sun.security.x509.X509CertImpl.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
    ... 6 more
Caused by: java.io.IOException: short read on DerValue buffer
    at sun.security.util.DerValue.getOctetString(Unknown Source)
    at sun.security.x509.Extension.<init>(Unknown Source)
    at sun.security.x509.CertificateExtensions.init(Unknown Source)
    at sun.security.x509.CertificateExtensions.<init>(Unknown Source)
    at sun.security.x509.X509CertInfo.parse(Unknown Source)
    ... 11 more

This suggested there was a problem reading the signing cert, so I tried importing that separately using a method similar to the below:

    public static List<Certificate> readCerts(String certFile,
        CertificateFactory cf, boolean withCRL) throws Exception {
    FileInputStream fis = new FileInputStream(certFile);
    BufferedInputStream bis = new BufferedInputStream(fis);

    List<Certificate> certs = new LinkedList<Certificate>();

    while (bis.available() > 0) {
        Certificate cert = cf
                .generateCertificate(bis);
        X509Certificate cx509 = (X509Certificate) cert;
        certs.add(cert);
    }

    return certs;
}

which gave me the same error. This only seems to happen with certificates generated from the OCSP Signing template, user certificates can be read fine.

Has anyone else encountered similar problems with X509 support in Java?

Regards, Tom

UPDATE: The cert I'm having trouble with is as below:

-----BEGIN CERTIFICATE-----
MIIDzDCCArSgAwIBAgIKYQWrDAAAAAAABjANBgkqhkiG9w0BAQUFADBFMRMwEQYK
CZImiZPyLGQBGRYDaW50MRUwEwYKCZImiZPyLGQBGRYFbG9ucWExFzAVBgNVBAMT
DmxvbnFhLVRFLUNBLUNBMB4XDTA5MDkyMTE2NDIxNloXDTA5MTAwNTE2NDIxNlow
GjEYMBYGA1UEAxMPdGUtY2EubG9ucWEuaW50MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA6rYO7X/PztBE2Do9u95ws3Ob86cySJ1iLrHLSF+VjvTQkZ3J
e0uKxoK4doSikqCZH9zXZ6qFFVMZlzq/FnIP9TLhv3uFom0y+Z0HmPAW7RtrZ8R6
1EAmcQDGpyRhzCWJqrEzgbW1v1QtF854kium97GwUWnVijGv3jQqT3hbmD7++9lh
9ILaLXMAKdTFpL1ao2eHWYf2mChRpuAox2juO1g4xjot9GXsEMhTwAg9F/pZnbKE
hhpeo1c0kgP3uus7ULlwdRnZ4O+tp79GeVKsdJbphmnC6Fc/PdT0KuHSk9Q0v192
Ger5nTQaZk/dmsyGBd8g4Q+0g0Ri+wgpUUsykQIDAQABo4HoMIHlMDYGCSsGAQQB
gjcVBwQpMCcGHysGAQQBgjcVCIHPgWyXxQ2ChYcyg8LhMoWky3ppASACAWUCAQAw
EwYDVR0lBAwwCgYIKwYBBQUHAwkwDgYDVR0PAQH/BAQDAgeAMBsGCSsGAQQBgjcV
CgQOMAwwCgYIKwYBBQUHAwkwDQYJKwYBBQUHMAEFBAAwHQYDVR0OBBYEFNblspp7
Hu07mraeMSyuBUTUnbl3MB8GA1UdIwQYMBaAFK/r521FB+GNls/fe8hrNE8UpQhv
MBoGA1UdEQQTMBGCD3RlLWNhLmxvbnFhLmludDANBgkqhkiG9w0BAQUFAAOCAQEA
FASEVcUJQlrmCD/ysycOxAIAoc2BVLhteOMoZ7V65a5/+Q5JM7Od+gKqoxLVrjb2
BDLlDFp5U8CirQ4lyWV5i1gQpLFTDcjgonp9Ky50KA0Ginn5CmTELB2THwFSQwfm
OFenSaV1mAcEzdyp/hi2xSuMqhveSanQFD0r6y45oZsd9ubdFEWI6nBRrj4hhfw0
Wo2GKUgslXqAqEezdin5JNgsPdj3qsi4+U4llyrd3gG20eoWzGHF4h7wfFiQV+fs
yEPY06Rg9G9m3GlIv+7Gp3sixb+cvZe+e0gO32mVRydTXMaAZu7ZiFk3M6AqxfDw
dO//eCu2dZCLTw6xTbUc9A==
-----END CERTIFICATE-----

Answer 1

I assume you get your factory like this,

  cf = CertificateFactory.getInstance("X509");

The default X509 factory has many limitations. It looks like your cert contains an extension the factory doesn't know how to parse. If you post the cert, I can help you to identify the offending extension.

EDIT: The offending extension is

1.3.6.1.5.5.7.48.1.5 - id-pkix-ocsp-nocheck

The only option is to remove this from the cert with Java built-in JCE. You can also try another JCE like BouncyCastle.