Example usage for io.netty.handler.ssl OpenSsl isOcspSupported

List of usage examples for io.netty.handler.ssl OpenSsl isOcspSupported

Introduction

This page collects usage examples for io.netty.handler.ssl OpenSsl isOcspSupported.

Prototype

public static boolean isOcspSupported() 


Document

Returns true if the used version of OpenSSL supports OCSP stapling.

Usage

From source file: io.netty.example.ocsp.OcspClientExample.java

License: Apache License

public static void main(String[] args) throws Exception {
    // Preconditions for the OpenSSL-backed provider configured below: the native
    // library must be loadable and built with OCSP stapling support.
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }

    // Wikipedia is used because it serves a stapled OCSP response; netty.io sits behind
    // Cloudflare, which does not staple, so it is not a usable target for this example.
    // Microsoft or Squarespace would also work. Whether a server staples can be checked
    // with OpenSSL's command-line client, e.g.:
    //
    //   openssl s_client -tlsextdebug -status -connect www.squarespace.com:443
    //
    final String host = "www.wikipedia.org";
    final int port = 443;
    final int connectTimeoutMillis = 5 * 1000;

    // enableOcsp(true) requests a stapled response during the handshake. The context is
    // cast to ReferenceCountedOpenSslContext because it is released explicitly below.
    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder
            .forClient()
            .sslProvider(SslProvider.OPENSSL)
            .enableOcsp(true)
            .build();

    try {
        EventLoopGroup group = new NioEventLoopGroup();
        try {
            // Presumably completed (or failed) by the pipeline built in newClientHandler
            // once the HTTP exchange finishes — see that method for the contract.
            Promise<FullHttpResponse> responsePromise = group.next().newPromise();

            Bootstrap bootstrap = new Bootstrap()
                    .channel(NioSocketChannel.class)
                    .group(group)
                    .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, connectTimeoutMillis)
                    .handler(newClientHandler(context, host, responsePromise));

            Channel channel = bootstrap.connect(host, port).syncUninterruptibly().channel();
            try {
                // Block until the promise settles; the response is reference counted,
                // so it is released as soon as this example is done with it.
                FullHttpResponse response = responsePromise.get();
                ReferenceCountUtil.release(response);
            } finally {
                channel.close();
            }
        } finally {
            group.shutdownGracefully();
        }
    } finally {
        // Tear-down mirrors set-up in reverse: channel, then event loop, then context.
        context.release();
    }
}

From source file: io.netty.example.ocsp.OcspServerExample.java

License: Apache License

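public static void main(String[] args) throws Exception {
    // The example ships no private key for netty.io, so the server-side context can never
    // be built; execution deliberately stops at the check in Step 6.
    PrivateKey privateKey = null;

    // Step 1: Load the certificate chain for netty.io. Only the leaf certificate and the
    // issuer's certificate are needed; the PEM file is assumed to be ordered leaf first,
    // issuer last, to keep the example simple. Fail early if that assumption cannot hold.
    X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");
    if (keyCertChain == null || keyCertChain.length < 2) {
        throw new IllegalStateException(
                "netty_io_chain.pem must contain at least the leaf and the issuer certificate");
    }

    X509Certificate certificate = keyCertChain[0];
    X509Certificate issuer = keyCertChain[keyCertChain.length - 1];

    // Step 2: The URL of the CA's OCSP responder is encoded in the certificate itself
    // (the AIA extension). Note that it is a plain HTTP URL, which is normal for OCSP:
    // the response is signed, so the transport does not need to be.
    URI uri = OcspUtils.ocspUri(certificate);
    if (uri == null) {
        throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
    }
    System.out.println("OCSP Responder URI: " + uri);

    // Step 3: Construct the OCSP request for (certificate, issuer).
    OCSPReq request = new OcspRequestBuilder().certificate(certificate).issuer(issuer).build();

    // Step 4: Send the request to the CA's OCSP responder with a bounded timeout.
    OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        throw new IllegalStateException("response-status=" + response.getStatus());
    }

    // Step 5: Pick the SingleResp that concerns our certificate. The array is checked
    // before indexing, and the CertID's serial is compared *before* the status is trusted,
    // so a response about some other certificate cannot be mistaken for a "good" answer.
    BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
    SingleResp[] singleResponses = basicResponse.getResponses();
    if (singleResponses == null || singleResponses.length == 0) {
        throw new IllegalStateException("OCSP response contains no SingleResp entries");
    }
    SingleResp first = singleResponses[0];

    // NOTE(review): the responder's signature on basicResponse is not verified anywhere in
    // this example. A real server must verify it against the issuer's (or its designated
    // responder's) public key, and should check thisUpdate/nextUpdate for freshness, before
    // caching or stapling the response.

    BigInteger certSerial = certificate.getSerialNumber();
    BigInteger ocspSerial = first.getCertID().getSerialNumber();
    if (!certSerial.equals(ocspSerial)) {
        throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial);
    }

    // In BouncyCastle, CertificateStatus.GOOD is null; any non-null status (revoked or
    // unknown) carries details and is treated as a failure here.
    CertificateStatus status = first.getCertStatus();
    System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status));
    System.out.println("This Update: " + first.getThisUpdate());
    System.out.println("Next Update: " + first.getNextUpdate());

    if (status != null) {
        throw new IllegalStateException("certificate-status=" + status);
    }

    // Step 6: Cache the OCSP response and use it as long as it's not
    // expired. The exact semantics are beyond the scope of this example.

    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }

    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }

    if (privateKey == null) {
        throw new IllegalStateException(
                "Because we don't have a PrivateKey we can't continue past this point.");
    }

    // The context is cast to ReferenceCountedOpenSslContext because it is released explicitly
    // in the finally block below.
    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder
            .forServer(privateKey, keyCertChain).sslProvider(SslProvider.OPENSSL).enableOcsp(true).build();

    try {
        // newServerHandler is expected to staple the validated response on each connection.
        ServerBootstrap bootstrap = new ServerBootstrap().childHandler(newServerHandler(context, response));

        // so on and so forth...
    } finally {
        context.release();
    }
}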