List of usage examples for org.bouncycastle.asn1.x509 Extension getExtnValue
public ASN1OctetString getExtnValue()
From source file: org.xipki.pki.ocsp.client.impl.AbstractOcspRequestor.java
License: Open Source License
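/**
 * Sends an OCSP request for {@code serialNumbers} to {@code responderUrl} and checks that
 * the response actually answers that request.
 *
 * <p>Checks performed on a successful {@link BasicOCSPResp}: when a nonce was sent
 * ({@link RequestOptions#isUseNonce()}) the responder must echo it back unchanged; the
 * number of single responses must equal the number of requested serial numbers; every
 * single response must carry the issuer hashes of the request and exactly one of the
 * requested serial numbers. Nothing in this method verifies the signature on the
 * {@link BasicOCSPResp}; that is left to the caller.
 *
 * <p>Responses whose status is not {@code successful}, or whose response object is not a
 * {@link BasicOCSPResp}, are returned as received without the checks above.
 *
 * @param issuerCert issuer of the certificates to check; must not be {@code null}
 * @param serialNumbers serial numbers to check; must not be {@code null}
 * @param responderUrl OCSP responder to contact; must not be {@code null}
 * @param requestOptions request options (nonce, ...); must not be {@code null}
 * @param debug optional collector for the raw request/response bytes; may be {@code null}
 * @return the OCSP response as returned by the responder
 * @throws OcspRequestorException if the request cannot be encoded
 * @throws OcspResponseException if the responder is unreachable
 *         ({@link ResponderUnreachableException}), the response cannot be parsed
 *         ({@link InvalidOcspResponseException}), the nonce is missing or differs
 *         ({@link OcspNonceUnmatchedException}), or the single responses do not match the
 *         requested issuer/serial numbers ({@link OcspTargetUnmatchedException})
 */
@Override
public OCSPResp ask(final X509Certificate issuerCert, final BigInteger[] serialNumbers,
        final URL responderUrl, final RequestOptions requestOptions,
        final RequestResponseDebug debug)
        throws OcspResponseException, OcspRequestorException {
    ParamUtil.requireNonNull("issuerCert", issuerCert);
    // serialNumbers.length is read below; fail early with a clear message instead of an NPE
    ParamUtil.requireNonNull("serialNumbers", serialNumbers);
    ParamUtil.requireNonNull("requestOptions", requestOptions);
    ParamUtil.requireNonNull("responderUrl", responderUrl);

    byte[] nonce = null;
    if (requestOptions.isUseNonce()) {
        nonce = nextNonce(requestOptions.getNonceLen());
    }

    OCSPReq ocspReq = buildRequest(issuerCert, serialNumbers, nonce, requestOptions);
    byte[] encodedReq;
    try {
        encodedReq = ocspReq.getEncoded();
    } catch (IOException ex) {
        throw new OcspRequestorException("could not encode OCSP request: " + ex.getMessage(), ex);
    }

    RequestResponsePair msgPair = null;
    if (debug != null) {
        msgPair = new RequestResponsePair();
        debug.add(msgPair);
        msgPair.setRequest(encodedReq);
    }

    byte[] encodedResp;
    try {
        encodedResp = send(encodedReq, responderUrl, requestOptions);
    } catch (IOException ex) {
        throw new ResponderUnreachableException("IOException: " + ex.getMessage(), ex);
    }

    if (msgPair != null) {
        msgPair.setResponse(encodedResp);
    }

    OCSPResp ocspResp;
    try {
        ocspResp = new OCSPResp(encodedResp);
    } catch (IOException ex) {
        throw new InvalidOcspResponseException("IOException: " + ex.getMessage(), ex);
    }

    Object respObject;
    try {
        respObject = ocspResp.getResponseObject();
    } catch (OCSPException ex) {
        // keep the cause: the parse error is the only hint about what the responder sent
        throw new InvalidOcspResponseException("responseObject is invalid", ex);
    }

    if (ocspResp.getStatus() != 0) {
        // unsuccessful status: there is no BasicOCSPResp to validate, the caller sees the status
        return ocspResp;
    }

    if (!(respObject instanceof BasicOCSPResp)) {
        return ocspResp;
    }

    BasicOCSPResp basicOcspResp = (BasicOCSPResp) respObject;

    // a nonce was sent: the response must carry exactly that nonce, otherwise it may be a
    // replayed response for an earlier request
    if (nonce != null) {
        Extension nonceExtn = basicOcspResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExtn == null) {
            throw new OcspNonceUnmatchedException(nonce, null);
        }
        byte[] receivedNonce = nonceExtn.getExtnValue().getOctets();
        if (!Arrays.equals(nonce, receivedNonce)) {
            throw new OcspNonceUnmatchedException(nonce, receivedNonce);
        }
    }

    SingleResp[] singleResponses = basicOcspResp.getResponses();
    if (singleResponses == null || singleResponses.length == 0) {
        throw new OcspTargetUnmatchedException(
                "response with no singleResponse is returned, expected is " + serialNumbers.length);
    }

    final int countSingleResponses = singleResponses.length;
    if (countSingleResponses != serialNumbers.length) {
        StringBuilder sb = new StringBuilder(100);
        sb.append("response with ").append(countSingleResponses).append(" singleResponse");
        if (countSingleResponses > 1) {
            sb.append("s");
        }
        sb.append(" is returned, expected is ").append(serialNumbers.length);
        throw new OcspTargetUnmatchedException(sb.toString());
    }

    // all Reqs share the issuer, so the first CertificateID holds the expected issuer hashes
    CertificateID requestedCertId = ocspReq.getRequestList()[0].getCertID();

    if (serialNumbers.length == 1) {
        CertificateID cid = singleResponses[0].getCertID();
        if (!issuerMatches(requestedCertId, cid)) {
            throw new OcspTargetUnmatchedException("the issuer is not requested");
        }
        if (!serialNumbers[0].equals(cid.getSerialNumber())) {
            throw new OcspTargetUnmatchedException("the serialNumber is not requested");
        }
        return ocspResp;
    }

    // multiple targets: every single response must consume one distinct requested serial
    List<BigInteger> requestedSerials = Arrays.asList(serialNumbers);
    List<BigInteger> unconsumedSerials = new ArrayList<>(requestedSerials);
    for (int i = 0; i < countSingleResponses; i++) {
        CertificateID cid = singleResponses[i].getCertID();
        if (!issuerMatches(requestedCertId, cid)) {
            throw new OcspTargetUnmatchedException(
                    "the issuer specified in singleResponse[" + i + "] is not requested");
        }

        BigInteger serialNumber = cid.getSerialNumber();
        // List.remove(Object): true if the serial was still pending
        if (!unconsumedSerials.remove(serialNumber)) {
            if (requestedSerials.contains(serialNumber)) {
                throw new OcspTargetUnmatchedException("serialNumber "
                        + LogUtil.formatCsn(serialNumber)
                        + " is contained in at least two singleResponses");
            }
            throw new OcspTargetUnmatchedException("serialNumber "
                    + LogUtil.formatCsn(serialNumber) + " specified in singleResponse[" + i
                    + "] is not requested");
        }
    }

    return ocspResp;
}

/**
 * Returns whether {@code actual} names the same issuer as {@code expected}: same hash
 * algorithm, same issuer key hash and same issuer name hash. The serial number is not
 * compared here.
 *
 * @param expected CertificateID taken from the request
 * @param actual CertificateID taken from a single response
 * @return {@code true} if the issuer identification of both IDs is equal
 */
private static boolean issuerMatches(final CertificateID expected, final CertificateID actual) {
    return expected.getHashAlgOID().equals(actual.getHashAlgOID())
            && Arrays.equals(expected.getIssuerKeyHash(), actual.getIssuerKeyHash())
            && Arrays.equals(expected.getIssuerNameHash(), actual.getIssuerNameHash());
}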
From source file: org.xipki.pki.ocsp.server.impl.OcspServer.java
License: Open Source License
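/**
 * Processes one OCSP request and builds the signed OCSP response.
 *
 * <p>Steps, in order: request version check; request signature check
 * ({@code checkSignature}); nonce presence and length check (the nonce, when present, is
 * echoed back and disables caching); one {@code processCertReq} call per {@code Req}, each
 * with its own audit event; optional {@code id_pkix_ocsp_extendedRevoke} response
 * extension; selection of the signer from {@code id_pkix_ocsp_prefSigAlgs} (skipped in
 * {@code RFC2560} mode); rejection of any critical request extension that was not consumed
 * above; signing; wrapping into an {@link OCSPResp}.
 *
 * <p>Failures never propagate as exceptions: malformed input yields
 * {@code malformedRequest}, a busy signer yields {@code tryLater}, everything else
 * (including any {@code Throwable}) yields {@code internalError}. Input that the client
 * controls is reported at INFO/WARN level; only genuine server-side failures go to the
 * ERROR log.
 *
 * @param responder responder configuration, options and signer; must not be {@code null}
 * @param request parsed OCSP request; must not be {@code null}
 * @param viaGet whether the request arrived via HTTP GET; only then may cache information
 *        be attached to the response
 * @param event audit event of this request; may be {@code null}, then nothing is audited
 * @return the response, with cache information when {@code viaGet} and no nonce was present
 */
public OcspRespWithCacheInfo answer(final Responder responder, final OCSPReq request,
        final boolean viaGet, final AuditEvent event) {
    ParamUtil.requireNonNull("responder", responder);
    ParamUtil.requireNonNull("request", request);
    RequestOption reqOpt = responder.getRequestOption();
    ResponderSigner signer = responder.getSigner();
    ResponseOption repOpt = responder.getResponseOption();

    // message id correlating the request event with the per-Req performance events
    String msgId = null;
    if (event != null) {
        msgId = RandomUtil.nextHexLong();
        event.addEventData(OcspAuditConstants.NAME_mid, msgId);
    }

    int version = request.getVersionNumber();
    if (!reqOpt.isVersionAllowed(version)) {
        String message = "invalid request version " + version;
        LOG.warn(message);
        fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
        return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
    }

    try {
        // a non-null result is already an unsuccessful response (signature rejected)
        OcspRespWithCacheInfo resp = checkSignature(request, reqOpt, event);
        if (resp != null) {
            return resp;
        }

        OcspRespControl repControl = new OcspRespControl();
        repControl.couldCacheInfo = viaGet;

        List<Extension> responseExtensions = new ArrayList<>(2);

        Req[] requestList = request.getRequestList(); // CHECKSTYLE:SKIP
        int requestsSize = requestList.length;

        // critical extensions are removed from this set as they are handled; anything left
        // over is an extension this responder does not understand and must reject
        Set<ASN1ObjectIdentifier> criticalExtensionOids = new HashSet<>();
        Set<?> tmp = request.getCriticalExtensionOIDs();
        if (tmp != null) {
            for (Object oid : tmp) {
                criticalExtensionOids.add((ASN1ObjectIdentifier) oid);
            }
        }

        RespID respId = signer.getResponder(repOpt.isResponderIdByName());
        BasicOCSPRespBuilder basicOcspBuilder = new BasicOCSPRespBuilder(respId);

        ASN1ObjectIdentifier extensionType = OCSPObjectIdentifiers.id_pkix_ocsp_nonce;
        criticalExtensionOids.remove(extensionType);
        Extension nonceExtn = request.getExtension(extensionType);
        if (nonceExtn != null) {
            byte[] nonce = nonceExtn.getExtnValue().getOctets();
            int len = nonce.length;
            int min = reqOpt.getNonceMinLen();
            int max = reqOpt.getNonceMaxLen();

            if (len < min || len > max) {
                LOG.warn("length of nonce {} not within [{},{}]", len, min, max);
                StringBuilder sb = new StringBuilder(50);
                sb.append("length of nonce ").append(len);
                sb.append(" not within [").append(min).append(", ").append(max).append("]");
                fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, sb.toString());
                return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
            }

            // a nonced response is bound to this request and must not be served from cache
            repControl.couldCacheInfo = false;
            responseExtensions.add(nonceExtn);
        } else if (reqOpt.isNonceRequired()) {
            String message = "nonce required, but is not present in the request";
            LOG.warn(message);
            fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
            return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
        }

        for (int i = 0; i < requestsSize; i++) {
            AuditEvent singleEvent = null;
            if (event != null) {
                singleEvent = new AuditEvent(new Date());
                singleEvent.setApplicationName(OcspAuditConstants.APPNAME);
                singleEvent.setName(OcspAuditConstants.NAME_PERF);
                singleEvent.addEventData(OcspAuditConstants.NAME_mid, msgId);
            }

            // a non-null result is an unsuccessful response that aborts the whole request
            OcspRespWithCacheInfo ocspResp = null;
            try {
                ocspResp = processCertReq(requestList[i], basicOcspBuilder, responder, reqOpt,
                        repOpt, repControl, singleEvent);
            } finally {
                if (singleEvent != null) {
                    singleEvent.finish();
                    auditServiceRegister.getAuditService().doLogEvent(singleEvent);
                }
            }

            if (ocspResp != null) {
                return ocspResp;
            }
        }

        if (repControl.includeExtendedRevokeExtension) {
            responseExtensions.add(new Extension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke,
                    true, Arrays.copyOf(DERNullBytes, DERNullBytes.length)));
        }

        if (CollectionUtil.isNonEmpty(responseExtensions)) {
            basicOcspBuilder.setResponseExtensions(
                    new Extensions(responseExtensions.toArray(new Extension[0])));
        }

        ConcurrentContentSigner concurrentSigner = null;
        if (responder.getResponderOption().getMode() != OcspMode.RFC2560) {
            extensionType = ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs;
            criticalExtensionOids.remove(extensionType);
            Extension ext = request.getExtension(extensionType);
            if (ext != null) {
                ASN1Sequence preferredSigAlgs;
                try {
                    preferredSigAlgs = ASN1Sequence.getInstance(ext.getParsedValue());
                } catch (IllegalArgumentException ex) {
                    // client-supplied DER that does not decode is a malformed request; do not
                    // let it fall through to the Throwable handler, which logs at ERROR and
                    // answers internalError for what is really client input
                    String message = "invalid extension " + extensionType.getId();
                    LOG.warn(message);
                    fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
                    return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
                }
                concurrentSigner = signer.getSignerForPreferredSigAlgs(preferredSigAlgs);
            }
        }

        if (CollectionUtil.isNonEmpty(criticalExtensionOids)) {
            // audit this like the other malformedRequest exits above
            String message = "request contains unsupported critical extension(s)";
            LOG.warn(message);
            fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
            return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
        }

        if (concurrentSigner == null) {
            concurrentSigner = signer.getFirstSigner();
        }

        X509CertificateHolder[] certsInResp;
        EmbedCertsMode certsMode = repOpt.getEmbedCertsMode();
        if (certsMode == null || certsMode == EmbedCertsMode.SIGNER) {
            certsInResp = new X509CertificateHolder[] { signer.getBcCertificate() };
        } else if (certsMode == EmbedCertsMode.SIGNER_AND_CA) {
            certsInResp = signer.getBcCertificateChain();
        } else {
            // NONE
            certsInResp = null;
        }

        BasicOCSPResp basicOcspResp;
        try {
            basicOcspResp = concurrentSigner.build(basicOcspBuilder, certsInResp, new Date());
        } catch (NoIdleSignerException ex) {
            // transient: all signer instances are busy, client should retry
            return createUnsuccessfulOcspResp(OcspResponseStatus.tryLater);
        } catch (OCSPException ex) {
            LogUtil.error(LOG, ex, "answer() basicOcspBuilder.build");
            fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED,
                    "BasicOCSPRespBuilder.build() with OCSPException");
            return createUnsuccessfulOcspResp(OcspResponseStatus.internalError);
        }

        OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
        try {
            OCSPResp ocspResp = ocspRespBuilder.build(OcspResponseStatus.successful.getStatus(),
                    basicOcspResp);
            if (repControl.couldCacheInfo) {
                ResponseCacheInfo cacheInfo = new ResponseCacheInfo(repControl.cacheThisUpdate);
                // Long.MAX_VALUE is the "no nextUpdate" marker used by processCertReq
                if (repControl.cacheNextUpdate != Long.MAX_VALUE) {
                    cacheInfo.setNextUpdate(repControl.cacheNextUpdate);
                }
                return new OcspRespWithCacheInfo(ocspResp, cacheInfo);
            } else {
                return new OcspRespWithCacheInfo(ocspResp, null);
            }
        } catch (OCSPException ex) {
            LogUtil.error(LOG, ex, "answer() ocspRespBuilder.build");
            fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED,
                    "OCSPRespBuilder.build() with OCSPException");
            return createUnsuccessfulOcspResp(OcspResponseStatus.internalError);
        }
    } catch (Throwable th) {
        // service boundary: never let an exception escape to the transport layer
        LogUtil.error(LOG, th);
        fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "internal error");
        return createUnsuccessfulOcspResp(OcspResponseStatus.internalError);
    }
}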
From source file: org.xwiki.crypto.pkix.internal.extension.BcX509Extensions.java
License: Open Source License
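/**
 * Returns the raw value of the extension identified by {@code oid}.
 *
 * <p>The returned bytes are the content octets of {@code extnValue}, i.e. the DER encoding
 * of the extension's inner value, not a parsed object. A fresh array is returned so that
 * callers cannot modify the octet string held by the underlying {@link Extension}. The
 * criticality flag of the extension is not reported by this method.
 *
 * @param oid dotted-decimal object identifier of the extension
 * @return a copy of the extension value octets, or {@code null} if the extension is absent
 * @throws IllegalArgumentException if {@code oid} is not a valid object identifier string
 */
@Override
public byte[] getExtensionValue(String oid) {
    Extension ext = this.extensions.getExtension(new ASN1ObjectIdentifier(oid));
    if (ext == null) {
        return null;
    }
    // defensive copy: ASN1OctetString#getOctets() returns its internal array, not a copy
    return ext.getExtnValue().getOctets().clone();
}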