List of usage examples for org.bouncycastle.cert.ocsp BasicOCSPRespBuilder addResponse
public BasicOCSPRespBuilder addResponse(CertificateID certID, CertificateStatus certStatus, Date thisUpdate,
Date nextUpdate, Extensions singleExtensions)
From source file:Controllers.OCSPController.java
License:Apache License
/** * Method to do OCSP response to client. * * @param requestBytes//from ww w .ja v a 2 s . c om * @param mode * * @return * * @throws NotImplementedException */ private byte[] processOcspRequest(byte[] requestBytes, OCSP_PROCESS_MODE mode) throws NotImplementedException { try { // get request info OCSPReq ocspRequest = new OCSPReq(requestBytes); X509CertificateHolder[] requestCerts = ocspRequest.getCerts(); Req[] requestList = ocspRequest.getRequestList(); // setup response BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder( new RespID(x509CertificateHolder.getSubject())); LOG.info("OCSP request version: " + ocspRequest.getVersionNumber() + ", Requester name: " + ocspRequest.getRequestorName() + ", is signed: " + ocspRequest.isSigned() + ", has extensions: " + ocspRequest.hasExtensions() + ", number of additional certificates: " + requestCerts.length + ", number of certificate ids to verify: " + requestList.length); int ocspResult = OCSPRespBuilder.SUCCESSFUL; switch (mode) { case AUTO: LOG.error("Auto OCSP server is not implemented in this version."); throw new NotImplementedException(); case GOOD: LOG.warn("Mocked mode, server will always return Good ocsp response"); for (Req req : requestList) { CertificateID certId = req.getCertID(); String serialNumber = "0x" + certId.getSerialNumber().toString(16); LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber)); CertificateStatus certificateStatus = CertificateStatus.GOOD; Calendar thisUpdate = new GregorianCalendar(); Date now = thisUpdate.getTime(); thisUpdate.add(Calendar.DAY_OF_MONTH, 7); Date nexUpdate = thisUpdate.getTime(); responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null); } break; case REVOKED: LOG.warn("Mocked mode, server will always return REVOKED ocsp response"); for (Req req : requestList) { CertificateID certId = req.getCertID(); String serialNumber = "0x" + certId.getSerialNumber().toString(16); LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber)); Calendar cal = new GregorianCalendar(); cal.add(Calendar.DAY_OF_MONTH, -7);//Set revoked 7 days ago. CertificateStatus certificateStatus = new RevokedStatus(cal.getTime(), 16); Calendar thisUpdate = new GregorianCalendar(); Date now = thisUpdate.getTime(); thisUpdate.add(Calendar.DAY_OF_MONTH, 7); Date nexUpdate = thisUpdate.getTime(); responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null); } break; case UNKNOWN: LOG.warn("Mocked mode, server will always return Known ocsp response"); for (Req req : requestList) { CertificateID certId = req.getCertID(); String serialNumber = "0x" + certId.getSerialNumber().toString(16); LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber)); CertificateStatus certificateStatus = new UnknownStatus(); Calendar thisUpdate = new GregorianCalendar(); Date now = thisUpdate.getTime(); thisUpdate.add(Calendar.DAY_OF_MONTH, 7); Date nexUpdate = thisUpdate.getTime(); responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null); } break; } // process nonce Extension extNonce = ocspRequest.getExtension(new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")); if (extNonce != null) { LOG.debug("Nonce is present in the request"); responseBuilder.setResponseExtensions(new Extensions(extNonce)); } else { LOG.info("Nonce is not present in the request"); if (bRequireNonce) { LOG.info("Nonce is required, fail the request"); ocspResult = OCSPRespBuilder.UNAUTHORIZED; } } X509CertificateHolder[] chain = { x509CertificateHolder }; ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey); BasicOCSPResp ocspResponse = responseBuilder.build(signer, chain, Calendar.getInstance().getTime()); OCSPRespBuilder ocspResponseBuilder = new OCSPRespBuilder(); byte[] encoded = ocspResponseBuilder.build(ocspResult, ocspResponse).getEncoded(); LOG.info("Sending OCSP response to client, size: " + encoded.length); return encoded; } catch (Exception e) { LOG.error("Exception during processing OCSP request: " + e.getMessage()); e.printStackTrace(); } return null; }
From source file:ee.ria.xroad.common.OcspTestUtils.java
License:Open Source License
/** * Creates an OCSP response for the subject's certificate with the given status. * @param subject the subject certificate * @param issuer certificate of the subject certificate issuer * @param signer certificate of the OCSP response signer * @param signerKey key of the OCSP response signer * @param certStatus OCSP response status * @param thisUpdate date this response was valid on * @param nextUpdate date when next update should be requested * @return OCSPResp/*from ww w .j a v a 2 s . com*/ * @throws Exception in case of any errors */ public static OCSPResp createOCSPResponse(X509Certificate subject, X509Certificate issuer, X509Certificate signer, PrivateKey signerKey, CertificateStatus certStatus, Date thisUpdate, Date nextUpdate) throws Exception { BasicOCSPRespBuilder builder = new BasicOCSPRespBuilder( new RespID(new X500Name(signer.getSubjectX500Principal().getName()))); CertificateID cid = CryptoUtils.createCertId(subject, issuer); if (thisUpdate != null) { builder.addResponse(cid, certStatus, thisUpdate, nextUpdate, null); } else { builder.addResponse(cid, certStatus); } ContentSigner contentSigner = CryptoUtils.createContentSigner(subject.getSigAlgName(), signerKey); Object responseObject = builder.build(contentSigner, null, new Date()); OCSPResp resp = new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, responseObject); return resp; }
From source file:eu.europa.esig.dss.cookbook.sources.AlwaysValidOCSPSource.java
License:Open Source License
@Override public OCSPToken getOCSPToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken) { try {/* w ww .j av a2 s .co m*/ final X509Certificate cert = certificateToken.getCertificate(); final BigInteger serialNumber = cert.getSerialNumber(); X509Certificate issuerCert = issuerCertificateToken.getCertificate(); final OCSPReq ocspReq = generateOCSPRequest(issuerCert, serialNumber); final DigestCalculator digestCalculator = DSSRevocationUtils.getSHA1DigestCalculator(); final BasicOCSPRespBuilder basicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(issuerCert.getPublicKey(), digestCalculator); final Extension extension = ocspReq.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); if (extension != null) { basicOCSPRespBuilder.setResponseExtensions(new Extensions(new Extension[] { extension })); } final Req[] requests = ocspReq.getRequestList(); for (int ii = 0; ii != requests.length; ii++) { final Req req = requests[ii]; final CertificateID certID = req.getCertID(); boolean isOK = true; if (isOK) { basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD, ocspDate, null, null); } else { Date revocationDate = DSSUtils.getDate(ocspDate, -1); basicOCSPRespBuilder.addResponse(certID, new RevokedStatus(revocationDate, CRLReason.privilegeWithdrawn)); } } final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(privateKey); final X509CertificateHolder x509CertificateHolder = new X509CertificateHolder(issuerCert.getEncoded()); final X509CertificateHolder[] chain = { x509CertificateHolder }; BasicOCSPResp basicResp = basicOCSPRespBuilder.build(contentSigner, chain, ocspDate); final SingleResp[] responses = basicResp.getResponses(); final OCSPToken ocspToken = new OCSPToken(); ocspToken.setBasicOCSPResp(basicResp); ocspToken.setBestSingleResp(responses[0]); return ocspToken; } catch (OCSPException e) { throw new DSSException(e); } catch (IOException e) { throw new DSSException(e); } catch (CertificateEncodingException e) { throw new DSSException(e); } catch (OperatorCreationException e) { throw new DSSException(e); } }
From source file:org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.java
License:Open Source License
private BasicOCSPResp generateBasicOcspResp(Extensions exts, List<OCSPResponseItem> responses, String sigAlg, X509Certificate signerCert, OcspSigningCacheEntry ocspSigningCacheEntry, Date producedAt) throws OCSPException, NoSuchProviderException, CryptoTokenOfflineException { final PrivateKey signerKey = ocspSigningCacheEntry.getPrivateKey(); final String provider = ocspSigningCacheEntry.getSignatureProviderName(); BasicOCSPResp returnval = null;//from w w w. ja va 2 s. c o m BasicOCSPRespBuilder basicRes = new BasicOCSPRespBuilder(ocspSigningCacheEntry.getRespId()); if (responses != null) { for (OCSPResponseItem item : responses) { basicRes.addResponse(item.getCertID(), item.getCertStatus(), item.getThisUpdate(), item.getNextUpdate(), item.getExtensions()); } } if (exts != null) { @SuppressWarnings("rawtypes") Enumeration oids = exts.oids(); if (oids.hasMoreElements()) { basicRes.setResponseExtensions(exts); } } final X509Certificate[] chain = ocspSigningCacheEntry.getResponseCertChain(); if (log.isDebugEnabled()) { log.debug("The response certificate chain contains " + chain.length + " certificates"); } /* * The below code breaks the EJB standard by creating its own thread pool and creating a single thread (of the HsmResponseThread * type). The reason for this is that the HSM may deadlock when requesting an OCSP response, which we need to guard against. Since * there is no way of performing this action within the EJB3.0 standard, we are consciously creating threads here. * * Note that this does in no way break the spirit of the EJB standard, which is to not interrupt EJB's transaction handling by * competing with its own thread pool, since these operations have no database impact. */ final Future<BasicOCSPResp> task = service .submit(new HsmResponseThread(basicRes, sigAlg, signerKey, chain, provider, producedAt)); try { returnval = task.get(HsmResponseThread.HSM_TIMEOUT_SECONDS, TimeUnit.SECONDS); } catch (InterruptedException e) { task.cancel(true); throw new Error("OCSP response retrieval was interrupted while running. This should not happen", e); } catch (ExecutionException e) { task.cancel(true); throw new OcspFailureException("Failure encountered while retrieving OCSP response.", e); } catch (TimeoutException e) { task.cancel(true); throw new CryptoTokenOfflineException("HSM timed out while trying to get OCSP response", e); } if (log.isDebugEnabled()) { log.debug("Signing OCSP response with OCSP signer cert: " + signerCert.getSubjectDN().getName()); } if (!returnval.getResponderId().equals(ocspSigningCacheEntry.getRespId())) { log.error("Response responderId does not match signer certificate responderId!"); throw new OcspFailureException("Response responderId does not match signer certificate responderId!"); } if (!ocspSigningCacheEntry.checkResponseSignatureVerified()) { // We only check the response signature the first time for each OcspSigningCacheEntry to detect a misbehaving HSM. // The client is still responsible for validating the signature, see RFC 6960 Section 3.2.2 boolean verify; try { verify = returnval .isSignatureValid(new JcaContentVerifierProviderBuilder().build(signerCert.getPublicKey())); } catch (OperatorCreationException e) { // Very fatal error throw new EJBException("Can not create Jca content signer: ", e); } if (verify) { if (log.isDebugEnabled()) { log.debug("The OCSP response is verifying."); } } else { log.error("The response is NOT verifying! Attempted to sign using " + CertTools.getSubjectDN(signerCert) + " but signature was not valid."); throw new OcspFailureException("Attempted to sign using " + CertTools.getSubjectDN(signerCert) + " but signature was not valid."); } } return returnval; }
From source file:org.jruby.ext.openssl.OCSPBasicResponse.java
License:Common Public License
@JRubyMethod(name = "sign", rest = true) public IRubyObject sign(final ThreadContext context, IRubyObject[] args) { Ruby runtime = context.getRuntime(); int flag = 0; IRubyObject additionalCerts = context.nil; IRubyObject flags = context.nil;/*w w w .j a v a 2 s .c o m*/ IRubyObject digest = context.nil; Digest digestInstance = new Digest(runtime, _Digest(runtime)); List<X509CertificateHolder> addlCerts = new ArrayList<X509CertificateHolder>(); switch (Arity.checkArgumentCount(runtime, args, 2, 5)) { case 3: additionalCerts = args[2]; break; case 4: additionalCerts = args[2]; flags = args[3]; break; case 5: additionalCerts = args[2]; flags = args[3]; digest = args[4]; break; default: break; } if (digest.isNil()) digest = digestInstance.initialize(context, new IRubyObject[] { RubyString.newString(runtime, "SHA1") }); if (!flags.isNil()) flag = RubyFixnum.fix2int(flags); if (additionalCerts.isNil()) flag |= RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOCERTS)); X509Cert signer = (X509Cert) args[0]; PKey signerKey = (PKey) args[1]; String keyAlg = signerKey.getAlgorithm(); String digAlg = ((Digest) digest).getShortAlgorithm(); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(digAlg + "with" + keyAlg); signerBuilder.setProvider("BC"); ContentSigner contentSigner = null; try { contentSigner = signerBuilder.build(signerKey.getPrivateKey()); } catch (OperatorCreationException e) { throw newOCSPError(runtime, e); } BasicOCSPRespBuilder respBuilder = null; try { if ((flag & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_RESPID_KEY))) != 0) { JcaDigestCalculatorProviderBuilder dcpb = new JcaDigestCalculatorProviderBuilder(); dcpb.setProvider("BC"); DigestCalculatorProvider dcp = dcpb.build(); DigestCalculator calculator = dcp.get(contentSigner.getAlgorithmIdentifier()); respBuilder = new BasicOCSPRespBuilder( SubjectPublicKeyInfo.getInstance(signerKey.getPublicKey().getEncoded()), calculator); } else { respBuilder = new BasicOCSPRespBuilder(new RespID(signer.getSubject().getX500Name())); } } catch (Exception e) { throw newOCSPError(runtime, e); } X509CertificateHolder[] chain = null; try { if ((flag & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOCERTS))) == 0) { addlCerts.add(new X509CertificateHolder(signer.getAuxCert().getEncoded())); if (!additionalCerts.isNil()) { Iterator<java.security.cert.Certificate> rubyAddlCerts = ((RubyArray) additionalCerts) .iterator(); while (rubyAddlCerts.hasNext()) { java.security.cert.Certificate cert = rubyAddlCerts.next(); addlCerts.add(new X509CertificateHolder(cert.getEncoded())); } } chain = addlCerts.toArray(new X509CertificateHolder[addlCerts.size()]); } } catch (Exception e) { throw newOCSPError(runtime, e); } Date producedAt = null; if ((flag & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOTIME))) == 0) { producedAt = new Date(); } for (OCSPSingleResponse resp : singleResponses) { SingleResp singleResp = new SingleResp(resp.getBCSingleResp()); respBuilder.addResponse(singleResp.getCertID(), singleResp.getCertStatus(), singleResp.getThisUpdate(), singleResp.getNextUpdate(), resp.getBCSingleResp().getSingleExtensions()); } try { Extension[] respExtAry = new Extension[extensions.size()]; Extensions respExtensions = new Extensions(extensions.toArray(respExtAry)); BasicOCSPResp bcBasicOCSPResp = respBuilder.setResponseExtensions(respExtensions).build(contentSigner, chain, producedAt); asn1BCBasicOCSPResp = BasicOCSPResponse.getInstance(bcBasicOCSPResp.getEncoded()); } catch (Exception e) { throw newOCSPError(runtime, e); } return this; }
From source file:org.signserver.test.utils.builders.ocsp.OCSPResponseBuilder.java
License:Open Source License
private BasicOCSPResp buildBasicOCSPResp() throws OCSPResponseBuilderException { try {//from ww w . ja va 2s .c om BasicOCSPRespBuilder gen = new BasicOCSPRespBuilder(new RespID(new X500Name(getResponderName()))); if (getNonce() != null) { extensions.add( new OcspExt(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce))); } Extension[] extArray = new Extension[extensions.size()]; int i = 0; for (OcspExt ext : extensions) { extArray[i++] = new Extension(ext.getOid(), ext.isIsCritical(), ext.getValue()); } if (extArray.length > 0) { gen.setResponseExtensions(new Extensions(extArray)); } for (OcspRespObject r : responses) { gen.addResponse(r.getCertId(), r.getCertStatus(), r.getThisUpdate(), r.getNextUpdate(), r.getExtensions()); } ContentSigner contentSigner = /*new BufferingContentSigner(*/new JcaContentSignerBuilder( getSignatureAlgorithm()).setProvider("BC").build(getIssuerPrivateKey());//, 20480); BasicOCSPResp response = gen.build(contentSigner, getChain(), getProducedAt()); return response; } catch (OCSPException ex) { throw new OCSPResponseBuilderException(ex); } catch (NoSuchAlgorithmException ex) { throw new OCSPResponseBuilderException(ex); } catch (NoSuchProviderException ex) { throw new OCSPResponseBuilderException(ex); } catch (OperatorCreationException ex) { throw new OCSPResponseBuilderException(ex); } }
From source file:org.xipki.ocsp.server.impl.OcspServer.java
License:Open Source License
public OcspRespWithCacheInfo answer(final Responder responder, final OCSPReq request, final AuditEvent auditEvent, final boolean viaGet) { ResponderOption responderOption = responder.getResponderOption(); RequestOption requestOption = responder.getRequestOption(); ResponseOption responseOption = responder.getResponseOption(); ResponderSigner signer = responder.getSigner(); AuditOption auditOption = responder.getAuditOption(); CertprofileOption certprofileOption = responder.getCertprofileOption(); int version = request.getVersionNumber(); if (requestOption.isVersionAllowed(version) == false) { String message = "invalid request version " + version; LOG.warn(message);/*w w w . j av a 2s . co m*/ if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, message); } return createUnsuccessfullOCSPResp(OcspResponseStatus.malformedRequest); } try { OcspRespWithCacheInfo resp = checkSignature(request, requestOption, auditEvent); if (resp != null) { return resp; } boolean couldCacheInfo = viaGet; List<Extension> responseExtensions = new ArrayList<>(2); Req[] requestList = request.getRequestList(); int n = requestList.length; Set<ASN1ObjectIdentifier> criticalExtensionOIDs = new HashSet<>(); Set<?> tmp = request.getCriticalExtensionOIDs(); if (tmp != null) { for (Object oid : tmp) { criticalExtensionOIDs.add((ASN1ObjectIdentifier) oid); } } RespID respID = new RespID(signer.getResponderId()); BasicOCSPRespBuilder basicOcspBuilder = new BasicOCSPRespBuilder(respID); ASN1ObjectIdentifier extensionType = OCSPObjectIdentifiers.id_pkix_ocsp_nonce; criticalExtensionOIDs.remove(extensionType); Extension nonceExtn = request.getExtension(extensionType); if (nonceExtn != null) { byte[] nonce = nonceExtn.getExtnValue().getOctets(); int len = nonce.length; int min = requestOption.getNonceMinLen(); int max = requestOption.getNonceMaxLen(); if (len < min || len > max) { LOG.warn("length of nonce {} not within [{},{}]", new Object[] { len, min, max }); if (auditEvent != null) { StringBuilder sb = new StringBuilder(); sb.append("length of nonce ").append(len); sb.append(" not within [").append(min).append(", ").append(max); fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, sb.toString()); } return createUnsuccessfullOCSPResp(OcspResponseStatus.malformedRequest); } couldCacheInfo = false; responseExtensions.add(nonceExtn); } else if (requestOption.isNonceRequired()) { String message = "nonce required, but is not present in the request"; LOG.warn(message); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, message); } return createUnsuccessfullOCSPResp(OcspResponseStatus.malformedRequest); } boolean includeExtendedRevokeExtension = false; long cacheThisUpdate = 0; long cacheNextUpdate = Long.MAX_VALUE; for (int i = 0; i < n; i++) { AuditChildEvent childAuditEvent = null; if (auditEvent != null) { childAuditEvent = new AuditChildEvent(); auditEvent.addChildAuditEvent(childAuditEvent); } Req req = requestList[i]; CertificateID certID = req.getCertID(); String certIdHashAlgo = certID.getHashAlgOID().getId(); HashAlgoType reqHashAlgo = HashAlgoType.getHashAlgoType(certIdHashAlgo); if (reqHashAlgo == null) { LOG.warn("unknown CertID.hashAlgorithm {}", certIdHashAlgo); if (childAuditEvent != null) { fillAuditEvent(childAuditEvent, AuditLevel.INFO, AuditStatus.FAILED, "unknown CertID.hashAlgorithm " + certIdHashAlgo); } return createUnsuccessfullOCSPResp(OcspResponseStatus.malformedRequest); } else if (requestOption.allows(reqHashAlgo) == false) { LOG.warn("CertID.hashAlgorithm {} not allowed", certIdHashAlgo); if (childAuditEvent != null) { fillAuditEvent(childAuditEvent, AuditLevel.INFO, AuditStatus.FAILED, "CertID.hashAlgorithm " + certIdHashAlgo + " not allowed"); } return createUnsuccessfullOCSPResp(OcspResponseStatus.malformedRequest); } CertStatusInfo certStatusInfo = null; CertStatusStore answeredStore = null; boolean exceptionOccurs = false; for (CertStatusStore store : responder.getStores()) { try { certStatusInfo = store.getCertStatus(reqHashAlgo, certID.getIssuerNameHash(), certID.getIssuerKeyHash(), certID.getSerialNumber(), responseOption.isIncludeCerthash(), responseOption.getCertHashAlgo(), certprofileOption); if (certStatusInfo.getCertStatus() != CertStatus.ISSUER_UNKNOWN) { answeredStore = store; break; } } catch (CertStatusStoreException e) { exceptionOccurs = true; final String message = "getCertStatus() of CertStatusStore " + store.getName(); if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); } } if (certStatusInfo == null) { if (childAuditEvent != null) { fillAuditEvent(childAuditEvent, AuditLevel.ERROR, AuditStatus.FAILED, "no CertStatusStore can answer the request"); } if (exceptionOccurs) { return createUnsuccessfullOCSPResp(OcspResponseStatus.tryLater); } else { certStatusInfo = CertStatusInfo.getIssuerUnknownCertStatusInfo(new Date(), null); } } else if (answeredStore != null) { if (responderOption.isInheritCaRevocation()) { CertRevocationInfo caRevInfo = answeredStore.getCARevocationInfo(reqHashAlgo, certID.getIssuerNameHash(), certID.getIssuerKeyHash()); if (caRevInfo != null) { CertStatus certStatus = certStatusInfo.getCertStatus(); boolean replaced = false; if (certStatus == CertStatus.GOOD || certStatus == CertStatus.UNKNOWN) { replaced = true; } else if (certStatus == CertStatus.REVOKED) { if (certStatusInfo.getRevocationInfo().getRevocationTime() .after(caRevInfo.getRevocationTime())) { replaced = true; } } if (replaced) { CertRevocationInfo newRevInfo; if (caRevInfo.getReason() == CRLReason.CA_COMPROMISE) { newRevInfo = caRevInfo; } else { newRevInfo = new CertRevocationInfo(CRLReason.CA_COMPROMISE, caRevInfo.getRevocationTime(), caRevInfo.getInvalidityTime()); } certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(newRevInfo, certStatusInfo.getCertHashAlgo(), certStatusInfo.getCertHash(), certStatusInfo.getThisUpdate(), certStatusInfo.getNextUpdate(), certStatusInfo.getCertprofile()); } } } } if (childAuditEvent != null) { String certprofile = certStatusInfo.getCertprofile(); String auditCertType; if (certprofile != null) { auditCertType = auditOption.getCertprofileMapping().get(certprofile); if (auditCertType == null) { auditCertType = certprofile; } } else { auditCertType = "UNKNOWN"; } childAuditEvent.addEventData(new AuditEventData("certType", auditCertType)); } // certStatusInfo could not be null in any case, since at least one store is configured Date thisUpdate = certStatusInfo.getThisUpdate(); if (thisUpdate == null) { thisUpdate = new Date(); } Date nextUpdate = certStatusInfo.getNextUpdate(); List<Extension> extensions = new LinkedList<>(); boolean unknownAsRevoked = false; CertificateStatus bcCertStatus = null; switch (certStatusInfo.getCertStatus()) { case GOOD: bcCertStatus = null; break; case ISSUER_UNKNOWN: couldCacheInfo = false; bcCertStatus = new UnknownStatus(); break; case UNKNOWN: case IGNORE: couldCacheInfo = false; if (responderOption.getMode() == OCSPMode.RFC2560) { bcCertStatus = new UnknownStatus(); } else// (ocspMode == OCSPMode.RFC6960) { unknownAsRevoked = true; includeExtendedRevokeExtension = true; bcCertStatus = new RevokedStatus(new Date(0L), CRLReason.CERTIFICATE_HOLD.getCode()); } break; case REVOKED: CertRevocationInfo revInfo = certStatusInfo.getRevocationInfo(); ASN1GeneralizedTime revTime = new ASN1GeneralizedTime(revInfo.getRevocationTime()); org.bouncycastle.asn1.x509.CRLReason _reason = null; if (responseOption.isIncludeRevReason()) { _reason = org.bouncycastle.asn1.x509.CRLReason.lookup(revInfo.getReason().getCode()); } RevokedInfo _revInfo = new RevokedInfo(revTime, _reason); bcCertStatus = new RevokedStatus(_revInfo); Date invalidityDate = revInfo.getInvalidityTime(); if (responseOption.isIncludeInvalidityDate() && invalidityDate != null && invalidityDate.equals(revTime) == false) { Extension extension = new Extension(Extension.invalidityDate, false, new ASN1GeneralizedTime(invalidityDate).getEncoded()); extensions.add(extension); } break; } byte[] certHash = certStatusInfo.getCertHash(); if (certHash != null) { ASN1ObjectIdentifier hashAlgoOid = new ASN1ObjectIdentifier( certStatusInfo.getCertHashAlgo().getOid()); AlgorithmIdentifier aId = new AlgorithmIdentifier(hashAlgoOid, DERNull.INSTANCE); CertHash bcCertHash = new CertHash(aId, certHash); byte[] encodedCertHash; try { encodedCertHash = bcCertHash.getEncoded(); } catch (IOException e) { final String message = "answer() bcCertHash.getEncoded"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); if (childAuditEvent != null) { fillAuditEvent(childAuditEvent, AuditLevel.ERROR, AuditStatus.FAILED, "CertHash.getEncoded() with IOException"); } return createUnsuccessfullOCSPResp(OcspResponseStatus.internalError); } Extension extension = new Extension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash, false, encodedCertHash); extensions.add(extension); } if (certStatusInfo.getArchiveCutOff() != null) { Extension extension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff, false, new ASN1GeneralizedTime(certStatusInfo.getArchiveCutOff()).getEncoded()); extensions.add(extension); } String certStatusText; if (bcCertStatus instanceof UnknownStatus) { certStatusText = "unknown"; } else if (bcCertStatus instanceof RevokedStatus) { certStatusText = unknownAsRevoked ? "unknown_as_revoked" : "revoked"; } else if (bcCertStatus == null) { certStatusText = "good"; } else { certStatusText = "should-not-happen"; } if (childAuditEvent != null) { childAuditEvent.setLevel(AuditLevel.INFO); childAuditEvent.setStatus(AuditStatus.SUCCESSFUL); childAuditEvent.addEventData(new AuditEventData("certStatus", certStatusText)); } if (LOG.isDebugEnabled()) { StringBuilder sb = new StringBuilder(); sb.append("certHashAlgo: ").append(certID.getHashAlgOID().getId()).append(", "); String hexCertHash = null; if (certHash != null) { hexCertHash = Hex.toHexString(certHash).toUpperCase(); } sb.append("issuerKeyHash: ").append(Hex.toHexString(certID.getIssuerKeyHash()).toUpperCase()) .append(", "); sb.append("issuerNameHash: ").append(Hex.toHexString(certID.getIssuerNameHash()).toUpperCase()) .append(", "); sb.append("serialNumber: ").append(certID.getSerialNumber()).append(", "); sb.append("certStatus: ").append(certStatusText).append(", "); sb.append("thisUpdate: ").append(thisUpdate).append(", "); sb.append("nextUpdate: ").append(nextUpdate).append(", "); sb.append("certHash: ").append(hexCertHash); LOG.debug(sb.toString()); } basicOcspBuilder.addResponse(certID, bcCertStatus, thisUpdate, nextUpdate, CollectionUtil.isEmpty(extensions) ? null : new Extensions(extensions.toArray(new Extension[0]))); cacheThisUpdate = Math.max(cacheThisUpdate, thisUpdate.getTime()); if (nextUpdate != null) { cacheNextUpdate = Math.min(cacheNextUpdate, nextUpdate.getTime()); } } if (includeExtendedRevokeExtension) { responseExtensions.add(new Extension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke, true, DERNull.INSTANCE.getEncoded())); } if (CollectionUtil.isNotEmpty(responseExtensions)) { basicOcspBuilder .setResponseExtensions(new Extensions(responseExtensions.toArray(new Extension[0]))); } ConcurrentContentSigner concurrentSigner = null; if (responderOption.getMode() != OCSPMode.RFC2560) { extensionType = ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs; criticalExtensionOIDs.remove(extensionType); Extension ext = request.getExtension(extensionType); if (ext != null) { ASN1Sequence preferredSigAlgs = ASN1Sequence.getInstance(ext.getParsedValue()); concurrentSigner = signer.getSignerForPreferredSigAlgs(preferredSigAlgs); } } if (CollectionUtil.isNotEmpty(criticalExtensionOIDs)) { return createUnsuccessfullOCSPResp(OcspResponseStatus.malformedRequest); } if (concurrentSigner == null) { concurrentSigner = signer.getFirstSigner(); } ContentSigner singleSigner; try { singleSigner = concurrentSigner.borrowContentSigner(); } catch (NoIdleSignerException e) { return createUnsuccessfullOCSPResp(OcspResponseStatus.tryLater); } X509CertificateHolder[] certsInResp; EmbedCertsMode certsMode = responseOption.getEmbedCertsMode(); if (certsMode == null || certsMode == EmbedCertsMode.SIGNER) { certsInResp = new X509CertificateHolder[] { signer.getBcCertificate() }; } else if (certsMode == EmbedCertsMode.SIGNER_AND_CA) { certsInResp = signer.getBcCertificateChain(); } else { // NONE certsInResp = null; } BasicOCSPResp basicOcspResp; try { basicOcspResp = basicOcspBuilder.build(singleSigner, certsInResp, new Date()); } catch (OCSPException e) { final String message = "answer() basicOcspBuilder.build"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.ERROR, AuditStatus.FAILED, "BasicOCSPRespBuilder.build() with OCSPException"); } return createUnsuccessfullOCSPResp(OcspResponseStatus.internalError); } finally { concurrentSigner.returnContentSigner(singleSigner); } OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder(); try { OCSPResp ocspResp = ocspRespBuilder.build(OcspResponseStatus.successfull.getStatus(), basicOcspResp); if (couldCacheInfo) { ResponseCacheInfo cacheInfo = new ResponseCacheInfo(cacheThisUpdate); if (cacheNextUpdate != Long.MAX_VALUE) { cacheInfo.setNextUpdate(cacheNextUpdate); } return new OcspRespWithCacheInfo(ocspResp, cacheInfo); } else { return new OcspRespWithCacheInfo(ocspResp, null); } } catch (OCSPException e) { final String message = "answer() ocspRespBuilder.build"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.ERROR, AuditStatus.FAILED, "OCSPRespBuilder.build() with OCSPException"); } return createUnsuccessfullOCSPResp(OcspResponseStatus.internalError); } } catch (Throwable t) { final String message = "Throwable"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), t.getClass().getName(), t.getMessage()); } LOG.debug(message, t); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.ERROR, AuditStatus.FAILED, "internal error"); } return createUnsuccessfullOCSPResp(OcspResponseStatus.internalError); } }
From source file:org.xipki.pki.ocsp.server.impl.OcspServer.java
License:Open Source License
private OcspRespWithCacheInfo processCertReq(Req req, BasicOCSPRespBuilder builder, Responder responder, RequestOption reqOpt, ResponseOption repOpt, OcspRespControl repControl, AuditEvent event) throws IOException { CertificateID certId = req.getCertID(); String certIdHashAlgo = certId.getHashAlgOID().getId(); HashAlgoType reqHashAlgo = HashAlgoType.getHashAlgoType(certIdHashAlgo); if (reqHashAlgo == null) { LOG.warn("unknown CertID.hashAlgorithm {}", certIdHashAlgo); if (event != null) { fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "unknown CertID.hashAlgorithm " + certIdHashAlgo); }/*from w ww . j a v a 2 s .c o m*/ return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } else if (!reqOpt.allows(reqHashAlgo)) { LOG.warn("CertID.hashAlgorithm {} not allowed", certIdHashAlgo); if (event != null) { fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "not allowed CertID.hashAlgorithm " + certIdHashAlgo); } return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } if (event != null) { event.addEventData(OcspAuditConstants.NAME_serial, certId.getSerialNumber()); } CertStatusInfo certStatusInfo = null; OcspStore answeredStore = null; boolean exceptionOccurs = false; Date now = new Date(); for (OcspStore store : responder.getStores()) { try { certStatusInfo = store.getCertStatus(now, reqHashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash(), certId.getSerialNumber(), repOpt.isIncludeCerthash(), repOpt.getCertHashAlgo(), responder.getCertprofileOption()); if (certStatusInfo != null && certStatusInfo.getCertStatus() != CertStatus.ISSUER_UNKNOWN) { answeredStore = store; break; } } catch (OcspStoreException ex) { exceptionOccurs = true; LogUtil.error(LOG, ex, "getCertStatus() of CertStatusStore " + store.getName()); } // end try } // end for if (certStatusInfo == null) { if (exceptionOccurs) { fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "no CertStatusStore can answer the request"); return createUnsuccessfulOcspResp(OcspResponseStatus.tryLater); } else { certStatusInfo = CertStatusInfo.getIssuerUnknownCertStatusInfo(new Date(), null); } } else if (answeredStore != null && responder.getResponderOption().isInheritCaRevocation()) { CertRevocationInfo caRevInfo = answeredStore.getCaRevocationInfo(reqHashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash()); if (caRevInfo != null) { CertStatus certStatus = certStatusInfo.getCertStatus(); boolean replaced = false; if (certStatus == CertStatus.GOOD || certStatus == CertStatus.UNKNOWN) { replaced = true; } else if (certStatus == CertStatus.REVOKED) { if (certStatusInfo.getRevocationInfo().getRevocationTime() .after(caRevInfo.getRevocationTime())) { replaced = true; } } if (replaced) { CertRevocationInfo newRevInfo; if (caRevInfo.getReason() == CrlReason.CA_COMPROMISE) { newRevInfo = caRevInfo; } else { newRevInfo = new CertRevocationInfo(CrlReason.CA_COMPROMISE, caRevInfo.getRevocationTime(), caRevInfo.getInvalidityTime()); } certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(newRevInfo, certStatusInfo.getCertHashAlgo(), certStatusInfo.getCertHash(), certStatusInfo.getThisUpdate(), certStatusInfo.getNextUpdate(), certStatusInfo.getCertprofile()); } // end if(replaced) } // end if } // end if if (event != null) { String certprofile = certStatusInfo.getCertprofile(); String auditCertType; if (certprofile != null) { auditCertType = responder.getAuditOption().getCertprofileMapping().get(certprofile); if (auditCertType == null) { auditCertType = certprofile; } } else { auditCertType = "UNKNOWN"; } event.addEventData(OcspAuditConstants.NAME_type, auditCertType); } // certStatusInfo must not be null in any case, since at least one store // is configured Date thisUpdate = certStatusInfo.getThisUpdate(); if (thisUpdate == null) { thisUpdate = new Date(); } Date nextUpdate = certStatusInfo.getNextUpdate(); List<Extension> extensions = new LinkedList<>(); boolean unknownAsRevoked = false; CertificateStatus bcCertStatus; switch (certStatusInfo.getCertStatus()) { case GOOD: bcCertStatus = null; break; case ISSUER_UNKNOWN: repControl.couldCacheInfo = false; bcCertStatus = new UnknownStatus(); break; case UNKNOWN: case IGNORE: repControl.couldCacheInfo = false; if (responder.getResponderOption().getMode() == OcspMode.RFC2560) { bcCertStatus = new UnknownStatus(); } else { // (ocspMode == OCSPMode.RFC6960) unknownAsRevoked = true; repControl.includeExtendedRevokeExtension = true; bcCertStatus = new RevokedStatus(new Date(0L), CrlReason.CERTIFICATE_HOLD.getCode()); } break; case REVOKED: CertRevocationInfo revInfo = certStatusInfo.getRevocationInfo(); ASN1GeneralizedTime revTime = new ASN1GeneralizedTime(revInfo.getRevocationTime()); org.bouncycastle.asn1.x509.CRLReason tmpReason = null; if (repOpt.isIncludeRevReason()) { tmpReason = org.bouncycastle.asn1.x509.CRLReason.lookup(revInfo.getReason().getCode()); } RevokedInfo tmpRevInfo = new RevokedInfo(revTime, tmpReason); bcCertStatus = new RevokedStatus(tmpRevInfo); Date invalidityDate = revInfo.getInvalidityTime(); if (repOpt.isIncludeInvalidityDate() && invalidityDate != null && !invalidityDate.equals(revInfo.getRevocationTime())) { Extension extension = new Extension(Extension.invalidityDate, false, new ASN1GeneralizedTime(invalidityDate).getEncoded()); extensions.add(extension); } break; default: throw new RuntimeException("unknown CertificateStatus:" + certStatusInfo.getCertStatus()); } // end switch byte[] certHash = certStatusInfo.getCertHash(); if (certHash != null) { ASN1ObjectIdentifier hashAlgOid = certStatusInfo.getCertHashAlgo().getOid(); AlgorithmIdentifier hashAlgId = new AlgorithmIdentifier(hashAlgOid, DERNull.INSTANCE); CertHash bcCertHash = new CertHash(hashAlgId, certHash); byte[] encodedCertHash; try { encodedCertHash = bcCertHash.getEncoded(); } catch (IOException ex) { LogUtil.error(LOG, ex, "answer() bcCertHash.getEncoded"); if (event != null) { fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "CertHash.getEncoded() with IOException"); } return createUnsuccessfulOcspResp(OcspResponseStatus.internalError); } Extension extension = new Extension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash, false, encodedCertHash); extensions.add(extension); } // end if(certHash != null) if (certStatusInfo.getArchiveCutOff() != null) { Extension extension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff, false, new ASN1GeneralizedTime(certStatusInfo.getArchiveCutOff()).getEncoded()); extensions.add(extension); } String certStatusText; if (bcCertStatus instanceof UnknownStatus) { certStatusText = "unknown"; } else if (bcCertStatus instanceof RevokedStatus) { certStatusText = unknownAsRevoked ? "unknown_as_revoked" : "revoked"; } else if (bcCertStatus == null) { certStatusText = "good"; } else { certStatusText = "should-not-happen"; } if (event != null) { event.setLevel(AuditLevel.INFO); event.setStatus(AuditStatus.SUCCESSFUL); event.addEventData(OcspAuditConstants.NAME_status, certStatusText); } if (LOG.isDebugEnabled()) { StringBuilder sb = new StringBuilder(250); sb.append("certHashAlgo: ").append(certId.getHashAlgOID().getId()).append(", "); sb.append("issuerNameHash: ").append(Hex.toHexString(certId.getIssuerNameHash()).toUpperCase()) .append(", "); sb.append("issuerKeyHash: ").append(Hex.toHexString(certId.getIssuerKeyHash()).toUpperCase()) .append(", "); sb.append("serialNumber: ").append(LogUtil.formatCsn(certId.getSerialNumber())).append(", "); sb.append("certStatus: ").append(certStatusText).append(", "); sb.append("thisUpdate: ").append(thisUpdate).append(", "); sb.append("nextUpdate: ").append(nextUpdate); if (certHash != null) { sb.append(", certHash: ").append(Hex.toHexString(certHash).toUpperCase()); } LOG.debug(sb.toString()); } Extensions extns = null; if (CollectionUtil.isNonEmpty(extensions)) { extns = new Extensions(extensions.toArray(new Extension[0])); } builder.addResponse(certId, bcCertStatus, thisUpdate, nextUpdate, extns); repControl.cacheThisUpdate = Math.max(repControl.cacheThisUpdate, thisUpdate.getTime()); if (nextUpdate != null) { repControl.cacheNextUpdate = Math.min(repControl.cacheNextUpdate, nextUpdate.getTime()); } return null; }
From source file:prototype.AlwaysValidOcspSource.java
License:GNU General Public License
@Override public OCSPToken getOCSPToken(CertificateToken certificateToken, CertificatePool certificatePool) { try {//from ww w .j a va 2 s . c om final X509Certificate cert = certificateToken.getCertificate(); final BigInteger serialNumber = cert.getSerialNumber(); X500Principal issuerX500Principal = certificateToken.getIssuerX500Principal(); final X509Certificate issuerCert = certificatePool.get(issuerX500Principal).get(0).getCertificate(); final OCSPReq ocspReq = generateOCSPRequest(issuerCert, serialNumber); final DigestCalculator digestCalculator = DSSUtils.getSHA1DigestCalculator(); final BasicOCSPRespBuilder basicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(issuerCert.getPublicKey(), digestCalculator); final Extension extension = ocspReq.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); if (extension != null) { basicOCSPRespBuilder.setResponseExtensions(new Extensions(new Extension[] { extension })); } final Req[] requests = ocspReq.getRequestList(); for (int ii = 0; ii != requests.length; ii++) { final Req req = requests[ii]; final CertificateID certID = req.getCertID(); boolean isOK = true; if (isOK) { basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD, ocspDate, null, null); } else { Date revocationDate = DSSUtils.getDate(ocspDate, -1); basicOCSPRespBuilder.addResponse(certID, new RevokedStatus(revocationDate, CRLReason.privilegeWithdrawn)); } } final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(privateKey); final X509CertificateHolder[] chain = { new X509CertificateHolder(issuerCert.getEncoded()), new X509CertificateHolder(signingCert.getEncoded()) }; BasicOCSPResp basicResp = basicOCSPRespBuilder.build(contentSigner, chain, ocspDate); SingleResp singleResp = basicResp.getResponses()[0]; final OCSPToken ocspToken = new OCSPToken(basicResp, singleResp, certificatePool); certificateToken.setRevocationToken(ocspToken); return ocspToken; } catch (OCSPException e) { throw new DSSException(e); } catch (IOException e) { throw new DSSException(e); } catch (CertificateEncodingException e) { throw new DSSException(e); } catch (OperatorCreationException e) { throw new DSSException(e); } }