Example usage for org.bouncycastle.cert.ocsp OCSPRespBuilder SUCCESSFUL

List of usage examples for org.bouncycastle.cert.ocsp OCSPRespBuilder SUCCESSFUL

  1. HOME
  2. Java
  3. org.bouncycastle
  4. org.bouncycastle.cert.ocsp.*
  5. OCSPRespBuilder
  6. SUCCESSFUL

Introduction

In this page you can find the example usage for org.bouncycastle.cert.ocsp OCSPRespBuilder SUCCESSFUL.

Prototype

int SUCCESSFUL

To view the source code for org.bouncycastle.cert.ocsp OCSPRespBuilder SUCCESSFUL.

Click Source Link

Usage

From source file:be.fedict.trust.test.PKITestUtils.java

License:Open Source License

public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm) throws Exception {
    // request/*from  ww w .j  a  va  2  s. com*/
    OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();
    CertificateID certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    ocspReqBuilder.addRequest(certId);
    OCSPReq ocspReq = ocspReqBuilder.build();
    BasicOCSPRespBuilder basicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digCalcProv.get(CertificateID.HASH_SHA1));

    // request processing
    Req[] requestList = ocspReq.getRequestList();
    for (Req ocspRequest : requestList) {
        CertificateID certificateID = ocspRequest.getCertID();
        CertificateStatus certificateStatus;
        if (revoked) {
            certificateStatus = new RevokedStatus(new Date(), CRLReason.unspecified);
        } else {
            certificateStatus = CertificateStatus.GOOD;
        }
        basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
    }

    // basic response generation
    X509CertificateHolder[] chain = null;
    if (!ocspResponderCertificate.equals(issuerCertificate)) {
        chain = new X509CertificateHolder[] { new X509CertificateHolder(ocspResponderCertificate.getEncoded()),
                new X509CertificateHolder(issuerCertificate.getEncoded()) };
    }

    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm)
            .build(ocspResponderPrivateKey);
    BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date());

    // response generation
    OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
    OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

    return ocspResp;
}

From source file:be.fedict.trust.test.PKITestUtils.java

License:Open Source License

public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,
        List<X509Certificate> ocspResponderCertificateChain) throws Exception {
    // request/*from w  ww.  ja v a  2  s  .c o m*/
    OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();
    CertificateID certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    ocspReqBuilder.addRequest(certId);
    OCSPReq ocspReq = ocspReqBuilder.build();
    BasicOCSPRespBuilder basicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digCalcProv.get(CertificateID.HASH_SHA1));

    // request processing
    Req[] requestList = ocspReq.getRequestList();
    for (Req ocspRequest : requestList) {
        CertificateID certificateID = ocspRequest.getCertID();
        CertificateStatus certificateStatus;
        if (revoked) {
            certificateStatus = new RevokedStatus(new Date(), CRLReason.unspecified);
        } else {
            certificateStatus = CertificateStatus.GOOD;
        }
        basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
    }

    // basic response generation
    X509CertificateHolder[] chain;
    if (ocspResponderCertificateChain.isEmpty()) {
        chain = null;
    } else {
        chain = new X509CertificateHolder[ocspResponderCertificateChain.size()];
        for (int idx = 0; idx < chain.length; idx++) {
            chain[idx] = new X509CertificateHolder(ocspResponderCertificateChain.get(idx).getEncoded());
        }
    }

    ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").build(ocspResponderPrivateKey);
    BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date());

    // response generation
    OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
    OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

    return ocspResp;
}

From source file:Controllers.OCSPController.java

License:Apache License

/**
 * Method to do OCSP response to client.
 *
 * @param requestBytes//w  w  w .ja  v a 2s  .  c  o  m
 * @param mode
 *
 * @return
 *
 * @throws NotImplementedException
 */
private byte[] processOcspRequest(byte[] requestBytes, OCSP_PROCESS_MODE mode) throws NotImplementedException {
    try {
        // get request info
        OCSPReq ocspRequest = new OCSPReq(requestBytes);
        X509CertificateHolder[] requestCerts = ocspRequest.getCerts();
        Req[] requestList = ocspRequest.getRequestList();
        // setup response
        BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(
                new RespID(x509CertificateHolder.getSubject()));
        LOG.info("OCSP request version: " + ocspRequest.getVersionNumber() + ", Requester name: "
                + ocspRequest.getRequestorName() + ", is signed: " + ocspRequest.isSigned()
                + ", has extensions: " + ocspRequest.hasExtensions() + ", number of additional certificates: "
                + requestCerts.length + ", number of certificate ids to verify: " + requestList.length);
        int ocspResult = OCSPRespBuilder.SUCCESSFUL;
        switch (mode) {
        case AUTO:
            LOG.error("Auto OCSP server is not implemented in this version.");
            throw new NotImplementedException();
        case GOOD:
            LOG.warn("Mocked mode, server will always return Good ocsp response");
            for (Req req : requestList) {
                CertificateID certId = req.getCertID();
                String serialNumber = "0x" + certId.getSerialNumber().toString(16);
                LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber));
                CertificateStatus certificateStatus = CertificateStatus.GOOD;
                Calendar thisUpdate = new GregorianCalendar();
                Date now = thisUpdate.getTime();
                thisUpdate.add(Calendar.DAY_OF_MONTH, 7);
                Date nexUpdate = thisUpdate.getTime();
                responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null);
            }
            break;
        case REVOKED:
            LOG.warn("Mocked mode, server will always return REVOKED ocsp response");
            for (Req req : requestList) {
                CertificateID certId = req.getCertID();
                String serialNumber = "0x" + certId.getSerialNumber().toString(16);
                LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber));
                Calendar cal = new GregorianCalendar();
                cal.add(Calendar.DAY_OF_MONTH, -7);//Set revoked 7 days ago.
                CertificateStatus certificateStatus = new RevokedStatus(cal.getTime(), 16);
                Calendar thisUpdate = new GregorianCalendar();
                Date now = thisUpdate.getTime();
                thisUpdate.add(Calendar.DAY_OF_MONTH, 7);
                Date nexUpdate = thisUpdate.getTime();
                responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null);
            }
            break;
        case UNKNOWN:
            LOG.warn("Mocked mode, server will always return Known ocsp response");
            for (Req req : requestList) {
                CertificateID certId = req.getCertID();
                String serialNumber = "0x" + certId.getSerialNumber().toString(16);
                LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber));
                CertificateStatus certificateStatus = new UnknownStatus();
                Calendar thisUpdate = new GregorianCalendar();
                Date now = thisUpdate.getTime();
                thisUpdate.add(Calendar.DAY_OF_MONTH, 7);
                Date nexUpdate = thisUpdate.getTime();
                responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null);
            }
            break;
        }
        // process nonce
        Extension extNonce = ocspRequest.getExtension(new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1.2"));
        if (extNonce != null) {
            LOG.debug("Nonce is present in the request");
            responseBuilder.setResponseExtensions(new Extensions(extNonce));
        } else {
            LOG.info("Nonce is not present in the request");
            if (bRequireNonce) {
                LOG.info("Nonce is required, fail the request");
                ocspResult = OCSPRespBuilder.UNAUTHORIZED;
            }
        }
        X509CertificateHolder[] chain = { x509CertificateHolder };
        ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey);
        BasicOCSPResp ocspResponse = responseBuilder.build(signer, chain, Calendar.getInstance().getTime());
        OCSPRespBuilder ocspResponseBuilder = new OCSPRespBuilder();
        byte[] encoded = ocspResponseBuilder.build(ocspResult, ocspResponse).getEncoded();
        LOG.info("Sending OCSP response to client, size: " + encoded.length);
        return encoded;

    } catch (Exception e) {
        LOG.error("Exception during processing OCSP request: " + e.getMessage());
        e.printStackTrace();
    }
    return null;
}

From source file:ee.ria.xroad.common.OcspTestUtils.java

License:Open Source License

/**
 * Creates an OCSP response for the subject's certificate with the given status.
 * @param subject the subject certificate
 * @param issuer certificate of the subject certificate issuer
 * @param signer certificate of the OCSP response signer
 * @param signerKey key of the OCSP response signer
 * @param certStatus OCSP response status
 * @param thisUpdate date this response was valid on
 * @param nextUpdate date when next update should be requested
 * @return OCSPResp//from w  ww.  j  a va 2  s.  co m
 * @throws Exception in case of any errors
 */
public static OCSPResp createOCSPResponse(X509Certificate subject, X509Certificate issuer,
        X509Certificate signer, PrivateKey signerKey, CertificateStatus certStatus, Date thisUpdate,
        Date nextUpdate) throws Exception {
    BasicOCSPRespBuilder builder = new BasicOCSPRespBuilder(
            new RespID(new X500Name(signer.getSubjectX500Principal().getName())));
    CertificateID cid = CryptoUtils.createCertId(subject, issuer);

    if (thisUpdate != null) {
        builder.addResponse(cid, certStatus, thisUpdate, nextUpdate, null);
    } else {
        builder.addResponse(cid, certStatus);
    }

    ContentSigner contentSigner = CryptoUtils.createContentSigner(subject.getSigAlgName(), signerKey);

    Object responseObject = builder.build(contentSigner, null, new Date());

    OCSPResp resp = new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, responseObject);
    return resp;
}

From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java

License:Apache License

public OCSPResp generateOCSPResponse(BasicOCSPRespBuilder respBuilder) {
    PrivateKeyEntry signingCert = getSigningCertEntry();
    try {/*w w  w  .  ja  v  a2 s.  c  o m*/
        ContentSigner contentSigner = new JcaContentSignerBuilder(SIGNER_ALGORITHM)
                .setProvider(BC_PROVIDER_NAME).build(signingCert.getPrivateKey());
        BasicOCSPResp basicResp = respBuilder
                .build(contentSigner,
                        new X509CertificateHolder[] {
                                new X509CertificateHolder(signingCert.getCertificate().getEncoded()) },
                        new Date());
        // Set response as successful
        int response = OCSPRespBuilder.SUCCESSFUL;
        // build the response
        return new OCSPRespBuilder().build(response, basicResp);
    } catch (Exception e) {
        return null;
    }
}

From source file:net.maritimecloud.pki.Revocation.java

License:Apache License

/**
 * Generates a OCSPResp.//from w  w w  .  j a  v  a 2 s.com
 *
 * @param respBuilder A BasicOCSPRespBuilder
 * @param signingCert PrivateKeyEntry of the signing certificate.
 * @return a OCSPResp
 */
public static OCSPResp generateOCSPResponse(BasicOCSPRespBuilder respBuilder,
        KeyStore.PrivateKeyEntry signingCert) {
    try {
        ContentSigner contentSigner = new JcaContentSignerBuilder(SIGNER_ALGORITHM)
                .setProvider(BC_PROVIDER_NAME).build(signingCert.getPrivateKey());
        BasicOCSPResp basicResp = respBuilder
                .build(contentSigner,
                        new X509CertificateHolder[] {
                                new X509CertificateHolder(signingCert.getCertificate().getEncoded()) },
                        new Date());
        // Set response as successful
        int response = OCSPRespBuilder.SUCCESSFUL;
        // build the response
        return new OCSPRespBuilder().build(response, basicResp);
    } catch (Exception e) {
        return null;
    }
}

From source file:org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator.java

License:Apache License

/**
 * Gets the OCSP status for the specified subject and issuer certificates.
 *
 * @param ocspStatusKey status key//  w w w  .j  av  a 2s . c o m
 * @return ocsp status
 */
private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) {
    final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate();
    final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate();

    // initialize the default status
    final OcspStatus ocspStatus = new OcspStatus();
    ocspStatus.setVerificationStatus(VerificationStatus.Unknown);
    ocspStatus.setValidationStatus(ValidationStatus.Unknown);

    try {
        // prepare the request
        final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber();
        final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder()
                .setProvider("BC").build();
        final CertificateID certificateId = new CertificateID(
                calculatorProviderBuilder.get(CertificateID.HASH_SHA1),
                new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber);

        // generate the request
        final OCSPReqBuilder requestGenerator = new OCSPReqBuilder();
        requestGenerator.addRequest(certificateId);

        // Create a nonce to avoid replay attack
        BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
        Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true,
                new DEROctetString(nonce.toByteArray()));
        requestGenerator.setRequestExtensions(new Extensions(new Extension[] { ext }));

        final OCSPReq ocspRequest = requestGenerator.build();

        // perform the request
        final Response response = getClientResponse(ocspRequest);

        // ensure the request was completed successfully
        if (Response.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus()));
            return ocspStatus;
        }

        // interpret the response
        OCSPResp ocspResponse = new OCSPResp(response.readEntity(InputStream.class));

        // verify the response status
        switch (ocspResponse.getStatus()) {
        case OCSPRespBuilder.SUCCESSFUL:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Successful);
            break;
        case OCSPRespBuilder.INTERNAL_ERROR:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.InternalError);
            break;
        case OCSPRespBuilder.MALFORMED_REQUEST:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.MalformedRequest);
            break;
        case OCSPRespBuilder.SIG_REQUIRED:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.SignatureRequired);
            break;
        case OCSPRespBuilder.TRY_LATER:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.TryLater);
            break;
        case OCSPRespBuilder.UNAUTHORIZED:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unauthorized);
            break;
        default:
            ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unknown);
            break;
        }

        // only proceed if the response was successful
        if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).",
                    ocspStatus.getResponseStatus().toString()));
            return ocspStatus;
        }

        // ensure the appropriate response object
        final Object ocspResponseObject = ocspResponse.getResponseObject();
        if (ocspResponseObject == null || !(ocspResponseObject instanceof BasicOCSPResp)) {
            logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject));
            return ocspStatus;
        }

        // get the response object
        final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponse.getResponseObject();

        // attempt to locate the responder certificate
        final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts();
        if (responderCertificates.length != 1) {
            logger.warn(String.format("Unexpected number of OCSP responder certificates: %s",
                    responderCertificates.length));
            return ocspStatus;
        }

        // get the responder certificate
        final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(
                responderCertificates[0], issuerCertificate);
        if (trustedResponderCertificate != null) {
            // verify the response
            if (basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC")
                    .build(trustedResponderCertificate.getPublicKey()))) {
                ocspStatus.setVerificationStatus(VerificationStatus.Verified);
            } else {
                ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
            }
        } else {
            ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
        }

        // validate the response
        final SingleResp[] responses = basicOcspResponse.getResponses();
        for (SingleResp singleResponse : responses) {
            final CertificateID responseCertificateId = singleResponse.getCertID();
            final BigInteger responseSerialNumber = responseCertificateId.getSerialNumber();

            if (responseSerialNumber.equals(subjectSerialNumber)) {
                Object certStatus = singleResponse.getCertStatus();

                // interpret the certificate status
                if (CertificateStatus.GOOD == certStatus) {
                    ocspStatus.setValidationStatus(ValidationStatus.Good);
                } else if (certStatus instanceof RevokedStatus) {
                    ocspStatus.setValidationStatus(ValidationStatus.Revoked);
                } else {
                    ocspStatus.setValidationStatus(ValidationStatus.Unknown);
                }
            }
        }
    } catch (final OCSPException | IOException | ProcessingException | OperatorCreationException e) {
        logger.error(e.getMessage(), e);
    } catch (CertificateException e) {
        e.printStackTrace();
    }

    return ocspStatus;
}

From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java

License:Apache License

public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm, long nonceTimeinMillis)
        throws Exception {
    DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()
            .get(CertificateID.HASH_SHA1);
    X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());
    CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());

    // request//from w w w  .ja v  a2s .  c o  m
    //create a nonce to avoid replay attack
    BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);
    DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());
    Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);
    Extensions exts = new Extensions(ext);

    OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
    ocspReqBuilder.addRequest(certId);
    ocspReqBuilder.setRequestExtensions(exts);
    OCSPReq ocspReq = ocspReqBuilder.build();

    SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo(CertificateID.HASH_SHA1,
            ocspResponderCertificate.getPublicKey().getEncoded());

    BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);
    basicOCSPRespBuilder.setResponseExtensions(exts);

    // request processing
    Req[] requestList = ocspReq.getRequestList();
    for (Req ocspRequest : requestList) {
        CertificateID certificateID = ocspRequest.getCertID();
        CertificateStatus certificateStatus = CertificateStatus.GOOD;
        if (revoked) {
            certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);
        }
        basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
    }

    // basic response generation
    X509CertificateHolder[] chain = null;
    if (!ocspResponderCertificate.equals(issuerCertificate)) {
        // TODO: HorribleProxy can't convert array input params yet
        chain = new X509CertificateHolder[] { new X509CertificateHolder(ocspResponderCertificate.getEncoded()),
                issuerHolder };
    }

    ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC")
            .build(ocspResponderPrivateKey);
    BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));

    OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
    OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

    return ocspResp;
}

From source file:org.cesecore.certificates.ocsp.integrated.IntegratedOcspResponseTest.java

License:Open Source License

/**
 * This test should use the default OCSP responder to sign the response as unknown.
 * //from  w  ww. ja  va  2  s.  c om
 * @throws OCSPException
 * @throws AuthorizationDeniedException
 * @throws IOException
 * @throws MalformedRequestException
 * @throws CADoesntExistsException
 * @throws IllegalCryptoTokenException
 * @throws NoSuchProviderException
 * @throws CertificateEncodingException 
 * @throws OperatorCreationException 
 */
@Test
public void testGetOcspResponseWithCertificateFromUnknownCa()
        throws OCSPException, AuthorizationDeniedException, IOException, MalformedRequestException,
        CADoesntExistsException, IllegalCryptoTokenException, NoSuchProviderException,
        CertificateEncodingException, OperatorCreationException {
    ocspResponseGeneratorTestSession.reloadOcspSigningCache();
    // An OCSP request
    OCSPReqBuilder gen = new OCSPReqBuilder();
    gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), ocspCertificate,
            ocspCertificate.getSerialNumber()));
    Extension[] extensions = new Extension[1];
    extensions[0] = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
            new DEROctetString("123456789".getBytes()));
    gen.setRequestExtensions(new Extensions(extensions));
    OCSPReq req = gen.build();
    final int localTransactionId = TransactionCounter.INSTANCE.getTransactionNumber();
    // Create the transaction logger for this transaction.
    TransactionLogger transactionLogger = new TransactionLogger(localTransactionId,
            GuidHolder.INSTANCE.getGlobalUid(), "");
    // Create the audit logger for this transaction.
    AuditLogger auditLogger = new AuditLogger("", localTransactionId, GuidHolder.INSTANCE.getGlobalUid(), "");
    byte[] responseBytes = ocspResponseGeneratorSession
            .getOcspResponse(req.getEncoded(), null, "", "", null, auditLogger, transactionLogger)
            .getOcspResponse();
    assertNotNull("OCSP responder replied null", responseBytes);
    OCSPResp response = new OCSPResp(responseBytes);
    assertEquals("Response status not SUCCESSFUL.", OCSPRespBuilder.SUCCESSFUL, response.getStatus());
    BasicOCSPResp basicOcspResponse = (BasicOCSPResp) response.getResponseObject();
    assertTrue("OCSP response was not signed correctly.", basicOcspResponse
            .isSignatureValid(new JcaContentVerifierProviderBuilder().build(caCertificate.getPublicKey())));
    SingleResp[] singleResponses = basicOcspResponse.getResponses();
    assertEquals("Delivered some thing else than one and exactly one response.", 1, singleResponses.length);
    assertEquals("Response cert did not match up with request cert", ocspCertificate.getSerialNumber(),
            singleResponses[0].getCertID().getSerialNumber());
    assertTrue(singleResponses[0].getCertStatus() instanceof UnknownStatus);

}

From source file:org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.java

License:Open Source License

@Override
public OcspResponseInformation getOcspResponse(final byte[] request,
        final X509Certificate[] requestCertificates, String remoteAddress, String remoteHost,
        StringBuffer requestUrl, final AuditLogger auditLogger, final TransactionLogger transactionLogger)
        throws MalformedRequestException, OCSPException {
    //Check parameters
    if (auditLogger == null) {
        throw new InvalidParameterException(
                "Illegal to pass a null audit logger to OcspResponseSession.getOcspResponse");
    }/*from  w w w  .  j  a  v a2 s  .c  o  m*/
    if (transactionLogger == null) {
        throw new InvalidParameterException(
                "Illegal to pass a null transaction logger to OcspResponseSession.getOcspResponse");
    }
    // Validate byte array.
    if (request.length > MAX_REQUEST_SIZE) {
        final String msg = intres.getLocalizedMessage("request.toolarge", MAX_REQUEST_SIZE, request.length);
        throw new MalformedRequestException(msg);
    }
    byte[] respBytes = null;
    final Date startTime = new Date();
    OCSPResp ocspResponse = null;
    // Start logging process time after we have received the request
    if (transactionLogger.isEnabled()) {
        transactionLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
    }
    if (auditLogger.isEnabled()) {
        auditLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        auditLogger.paramPut(AuditLogger.OCSPREQUEST, new String(Hex.encode(request)));
    }
    OCSPReq req;
    long maxAge = OcspConfiguration.getMaxAge(CertificateProfileConstants.CERTPROFILE_NO_PROFILE);
    OCSPRespBuilder responseGenerator = new OCSPRespBuilder();
    try {
        req = translateRequestFromByteArray(request, remoteAddress, transactionLogger);
        // Get the certificate status requests that are inside this OCSP req
        Req[] ocspRequests = req.getRequestList();
        if (ocspRequests.length <= 0) {
            String infoMsg = intres.getLocalizedMessage("ocsp.errornoreqentities");
            log.info(infoMsg);
            throw new MalformedRequestException(infoMsg);
        }
        final int maxRequests = 100;
        if (ocspRequests.length > maxRequests) {
            String infoMsg = intres.getLocalizedMessage("ocsp.errortoomanyreqentities", maxRequests);
            log.info(infoMsg);
            throw new MalformedRequestException(infoMsg);
        }
        if (log.isDebugEnabled()) {
            log.debug("The OCSP request contains " + ocspRequests.length + " simpleRequests.");
        }
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(TransactionLogger.NUM_CERT_ID, ocspRequests.length);
            transactionLogger.paramPut(TransactionLogger.STATUS, OCSPRespBuilder.SUCCESSFUL);
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(AuditLogger.STATUS, OCSPRespBuilder.SUCCESSFUL);
        }
        OcspSigningCacheEntry ocspSigningCacheEntry = null;
        long nextUpdate = OcspConfiguration
                .getUntilNextUpdate(CertificateProfileConstants.CERTPROFILE_NO_PROFILE);
        // Add standard response extensions
        Map<ASN1ObjectIdentifier, Extension> responseExtensions = getStandardResponseExtensions(req);
        // Look for extension OIDs
        final Collection<String> extensionOids = OcspConfiguration.getExtensionOids();
        // Look over the status requests
        List<OCSPResponseItem> responseList = new ArrayList<OCSPResponseItem>();
        boolean addExtendedRevokedExtension = false;
        Date producedAt = null;
        for (Req ocspRequest : ocspRequests) {
            CertificateID certId = ocspRequest.getCertID();
            ASN1ObjectIdentifier certIdhash = certId.getHashAlgOID();
            if (!OIWObjectIdentifiers.idSHA1.equals(certIdhash)
                    && !NISTObjectIdentifiers.id_sha256.equals(certIdhash)) {
                throw new InvalidAlgorithmException(
                        "CertID with SHA1 and SHA256 are supported, not: " + certIdhash.getId());
            }
            if (transactionLogger.isEnabled()) {
                transactionLogger.paramPut(TransactionLogger.SERIAL_NOHEX,
                        certId.getSerialNumber().toByteArray());
                transactionLogger.paramPut(TransactionLogger.DIGEST_ALGOR, certId.getHashAlgOID().toString());
                transactionLogger.paramPut(TransactionLogger.ISSUER_NAME_HASH, certId.getIssuerNameHash());
                transactionLogger.paramPut(TransactionLogger.ISSUER_KEY, certId.getIssuerKeyHash());
            }
            if (auditLogger.isEnabled()) {
                auditLogger.paramPut(AuditLogger.ISSUER_KEY, certId.getIssuerKeyHash());
                auditLogger.paramPut(AuditLogger.SERIAL_NOHEX, certId.getSerialNumber().toByteArray());
                auditLogger.paramPut(AuditLogger.ISSUER_NAME_HASH, certId.getIssuerNameHash());
            }
            byte[] hashbytes = certId.getIssuerNameHash();
            String hash = null;
            if (hashbytes != null) {
                hash = new String(Hex.encode(hashbytes));
            }
            String infoMsg = intres.getLocalizedMessage("ocsp.inforeceivedrequest",
                    certId.getSerialNumber().toString(16), hash, remoteAddress);
            log.info(infoMsg);
            // Locate the CA which gave out the certificate
            ocspSigningCacheEntry = OcspSigningCache.INSTANCE.getEntry(certId);
            if (ocspSigningCacheEntry == null) {
                //Could it be that we haven't updated the OCSP Signing Cache?
                ocspSigningCacheEntry = findAndAddMissingCacheEntry(certId);
            }
            if (ocspSigningCacheEntry != null) {
                if (transactionLogger.isEnabled()) {
                    // This will be the issuer DN of the signing certificate, whether an OCSP responder or an internal CA  
                    String issuerNameDn = CertTools
                            .getIssuerDN(ocspSigningCacheEntry.getFullCertificateChain().get(0));
                    transactionLogger.paramPut(TransactionLogger.ISSUER_NAME_DN, issuerNameDn);
                }
            } else {
                /*
                 * if the certId was issued by an unknown CA 
                 * 
                 * The algorithm here: 
                 * We will sign the response with the CA that issued the last certificate(certId) in the request. If the issuing CA is not available on 
                 * this server, we sign the response with the default responderId (from params in web.xml). We have to look up the ca-certificate for 
                 * each certId in the request though, as we will check for revocation on the ca-cert as well when checking for revocation on the certId.
                 */
                // We could not find certificate for this request so get certificate for default responder
                ocspSigningCacheEntry = OcspSigningCache.INSTANCE.getDefaultEntry();
                if (ocspSigningCacheEntry != null) {
                    String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacertusedefault",
                            new String(Hex.encode(certId.getIssuerNameHash())));
                    log.info(errMsg);
                    // If we can not find the CA, answer UnknowStatus
                    responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), nextUpdate));
                    if (transactionLogger.isEnabled()) {
                        transactionLogger.paramPut(TransactionLogger.CERT_STATUS,
                                OCSPResponseItem.OCSP_UNKNOWN);
                        transactionLogger.writeln();
                    }
                    continue;
                } else {
                    GlobalOcspConfiguration ocspConfiguration = (GlobalOcspConfiguration) globalConfigurationSession
                            .getCachedConfiguration(GlobalOcspConfiguration.OCSP_CONFIGURATION_ID);
                    String defaultResponder = ocspConfiguration.getOcspDefaultResponderReference();
                    String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacert",
                            new String(Hex.encode(certId.getIssuerNameHash())), defaultResponder);
                    log.error(errMsg);
                    // If we are responding to multiple requests, the last found ocspSigningCacheEntry will be used in the end
                    // so even if there are not any one now, it might be later when it is time to sign the responses.
                    // Since we only will sign the entire response once if there is at least one valid ocspSigningCacheEntry
                    // we might as well include the unknown requests.
                    responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), nextUpdate));
                    continue;
                }
            }

            final org.bouncycastle.cert.ocsp.CertificateStatus certStatus;
            // Check if the cacert (or the default responderid) is revoked
            X509Certificate caCertificate = ocspSigningCacheEntry.getIssuerCaCertificate();
            final CertificateStatus signerIssuerCertStatus = ocspSigningCacheEntry
                    .getIssuerCaCertificateStatus();
            final String caCertificateSubjectDn = CertTools.getSubjectDN(caCertificate);
            CertificateStatusHolder certificateStatusHolder = null;
            if (signerIssuerCertStatus.equals(CertificateStatus.REVOKED)) {
                /*
                 * According to chapter 2.7 in RFC2560:
                 * 
                 * 2.7 CA Key Compromise If an OCSP responder knows that a particular CA's private key has been compromised, it MAY return the revoked
                 * state for all certificates issued by that CA.
                 */
                // If we've ended up here it's because the signer issuer certificate was revoked. 
                certStatus = new RevokedStatus(
                        new RevokedInfo(new ASN1GeneralizedTime(signerIssuerCertStatus.revocationDate),
                                CRLReason.lookup(signerIssuerCertStatus.revocationReason)));
                infoMsg = intres.getLocalizedMessage("ocsp.signcertissuerrevoked",
                        CertTools.getSerialNumberAsString(caCertificate),
                        CertTools.getSubjectDN(caCertificate));
                log.info(infoMsg);
                responseList.add(new OCSPResponseItem(certId, certStatus, nextUpdate));
                if (transactionLogger.isEnabled()) {
                    transactionLogger.paramPut(TransactionLogger.CERT_STATUS, OCSPResponseItem.OCSP_REVOKED);
                    transactionLogger.writeln();
                }
            } else {
                /**
                 * Here is the actual check for the status of the sought certificate (easy to miss). Here we grab just the status if there aren't
                 * any OIDs defined (default case), but if there are we'll probably need the certificate as well. If that's the case, we'll grab
                 * the certificate in the same transaction.
                 */
                final CertificateStatus status;
                if (extensionOids.isEmpty()) {
                    status = certificateStoreSession.getStatus(caCertificateSubjectDn,
                            certId.getSerialNumber());
                } else {
                    certificateStatusHolder = certificateStoreSession
                            .getCertificateAndStatus(caCertificateSubjectDn, certId.getSerialNumber());
                    status = certificateStatusHolder.getCertificateStatus();
                }
                // If we have an OcspKeyBinding configured for this request, we override the default value
                if (ocspSigningCacheEntry.isUsingSeparateOcspSigningCertificate()) {
                    nextUpdate = ocspSigningCacheEntry.getOcspKeyBinding().getUntilNextUpdate() * 1000L;
                }
                // If we have an explicit value configured for this certificate profile, we override the the current value with this value
                if (status.certificateProfileId != CertificateProfileConstants.CERTPROFILE_NO_PROFILE
                        && OcspConfiguration.isUntilNextUpdateConfigured(status.certificateProfileId)) {
                    nextUpdate = OcspConfiguration.getUntilNextUpdate(status.certificateProfileId);
                }
                // If we have an OcspKeyBinding configured for this request, we override the default value
                if (ocspSigningCacheEntry.isUsingSeparateOcspSigningCertificate()) {
                    maxAge = ocspSigningCacheEntry.getOcspKeyBinding().getMaxAge() * 1000L;
                }
                // If we have an explicit value configured for this certificate profile, we override the the current value with this value
                if (status.certificateProfileId != CertificateProfileConstants.CERTPROFILE_NO_PROFILE
                        && OcspConfiguration.isMaxAgeConfigured(status.certificateProfileId)) {
                    maxAge = OcspConfiguration.getMaxAge(status.certificateProfileId);
                }

                final String sStatus;
                boolean addArchiveCutoff = false;
                if (status.equals(CertificateStatus.NOT_AVAILABLE)) {
                    // No revocation info available for this cert, handle it
                    if (log.isDebugEnabled()) {
                        log.debug("Unable to find revocation information for certificate with serial '"
                                + certId.getSerialNumber().toString(16) + "'" + " from issuer '"
                                + caCertificateSubjectDn + "'");
                    }
                    /* 
                     * If we do not treat non existing certificates as good or revoked
                     * OR
                     * we don't actually handle requests for the CA issuing the certificate asked about
                     * then we return unknown 
                     * */
                    if (OcspConfigurationCache.INSTANCE.isNonExistingGood(requestUrl,
                            ocspSigningCacheEntry.getOcspKeyBinding())
                            && OcspSigningCache.INSTANCE.getEntry(certId) != null) {
                        sStatus = "good";
                        certStatus = null; // null means "good" in OCSP
                        if (transactionLogger.isEnabled()) {
                            transactionLogger.paramPut(TransactionLogger.CERT_STATUS,
                                    OCSPResponseItem.OCSP_GOOD);
                        }
                    } else if (OcspConfigurationCache.INSTANCE.isNonExistingRevoked(requestUrl,
                            ocspSigningCacheEntry.getOcspKeyBinding())
                            && OcspSigningCache.INSTANCE.getEntry(certId) != null) {
                        sStatus = "revoked";
                        certStatus = new RevokedStatus(new RevokedInfo(new ASN1GeneralizedTime(new Date(0)),
                                CRLReason.lookup(CRLReason.certificateHold)));
                        if (transactionLogger.isEnabled()) {
                            transactionLogger.paramPut(TransactionLogger.CERT_STATUS,
                                    OCSPResponseItem.OCSP_REVOKED);
                        }
                        addExtendedRevokedExtension = true;
                    } else {
                        sStatus = "unknown";
                        certStatus = new UnknownStatus();
                        if (transactionLogger.isEnabled()) {
                            transactionLogger.paramPut(TransactionLogger.CERT_STATUS,
                                    OCSPResponseItem.OCSP_UNKNOWN);
                        }
                    }
                } else if (status.equals(CertificateStatus.REVOKED)) {
                    // Revocation info available for this cert, handle it
                    sStatus = "revoked";
                    certStatus = new RevokedStatus(
                            new RevokedInfo(new ASN1GeneralizedTime(status.revocationDate),
                                    CRLReason.lookup(status.revocationReason)));
                    if (transactionLogger.isEnabled()) {
                        transactionLogger.paramPut(TransactionLogger.CERT_STATUS,
                                OCSPResponseItem.OCSP_REVOKED);
                    }
                    // If we have an explicit value configured for this certificate profile, we override the the current value with this value
                    if (status.certificateProfileId != CertificateProfileConstants.CERTPROFILE_NO_PROFILE
                            && OcspConfiguration
                                    .isRevokedUntilNextUpdateConfigured(status.certificateProfileId)) {
                        nextUpdate = OcspConfiguration.getRevokedUntilNextUpdate(status.certificateProfileId);
                    }
                    // If we have an explicit value configured for this certificate profile, we override the the current value with this value
                    if (status.certificateProfileId != CertificateProfileConstants.CERTPROFILE_NO_PROFILE
                            && OcspConfiguration.isRevokedMaxAgeConfigured(status.certificateProfileId)) {
                        maxAge = OcspConfiguration.getRevokedMaxAge(status.certificateProfileId);
                    }
                } else {
                    sStatus = "good";
                    certStatus = null;
                    if (transactionLogger.isEnabled()) {
                        transactionLogger.paramPut(TransactionLogger.CERT_STATUS, OCSPResponseItem.OCSP_GOOD);
                    }
                    addArchiveCutoff = checkAddArchiveCuttoff(caCertificateSubjectDn, certId);
                }

                if (log.isDebugEnabled()) {
                    log.debug("Set nextUpdate=" + nextUpdate + ", and maxAge=" + maxAge
                            + " for certificateProfileId=" + status.certificateProfileId);
                }

                infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", sStatus,
                        certId.getSerialNumber().toString(16), caCertificateSubjectDn);
                log.info(infoMsg);
                OCSPResponseItem respItem = new OCSPResponseItem(certId, certStatus, nextUpdate);
                if (addArchiveCutoff) {
                    addArchiveCutoff(respItem);
                    producedAt = new Date();
                }
                responseList.add(respItem);
                if (transactionLogger.isEnabled()) {
                    transactionLogger.writeln();
                }
            }
            for (String oidstr : extensionOids) {
                boolean useAlways = false;
                if (oidstr.startsWith("*")) {
                    oidstr = oidstr.substring(1, oidstr.length());
                    useAlways = true;
                }
                ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(oidstr);
                Extension extension = null;
                if (!useAlways) {
                    // Only check if extension exists if we are not already bound to use it
                    if (req.hasExtensions()) {
                        extension = req.getExtension(oid);
                    }
                }
                //If found, or if it should be used anyway
                if (useAlways || extension != null) {
                    // We found an extension, call the extension class
                    if (log.isDebugEnabled()) {
                        log.debug("Found OCSP extension oid: " + oidstr);
                    }
                    OCSPExtension extObj = OcspExtensionsCache.INSTANCE.getExtensions().get(oidstr);
                    if (extObj != null) {
                        // Find the certificate from the certId
                        if (certificateStatusHolder != null
                                && certificateStatusHolder.getCertificate() != null) {
                            X509Certificate cert = (X509Certificate) certificateStatusHolder.getCertificate();
                            // Call the OCSP extension
                            Map<ASN1ObjectIdentifier, Extension> retext = extObj.process(requestCertificates,
                                    remoteAddress, remoteHost, cert, certStatus);
                            if (retext != null) {
                                // Add the returned X509Extensions to the responseExtension we will add to the basic OCSP response
                                responseExtensions.putAll(retext);
                            } else {
                                String errMsg = intres.getLocalizedMessage("ocsp.errorprocessextension",
                                        extObj.getClass().getName(),
                                        Integer.valueOf(extObj.getLastErrorCode()));
                                log.error(errMsg);
                            }
                        }
                    }
                }
            }
        }
        if (addExtendedRevokedExtension) {
            // id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= {id-pkix-ocsp 9}
            final ASN1ObjectIdentifier extendedRevokedOID = new ASN1ObjectIdentifier(
                    OCSPObjectIdentifiers.id_pkix_ocsp + ".9");
            try {
                responseExtensions.put(extendedRevokedOID,
                        new Extension(extendedRevokedOID, false, DERNull.INSTANCE.getEncoded()));
            } catch (IOException e) {
                throw new IllegalStateException("Could not get encodig from DERNull.", e);
            }
        }
        if (ocspSigningCacheEntry != null) {
            // Add responseExtensions
            Extensions exts = new Extensions(responseExtensions.values().toArray(new Extension[0]));
            // generate the signed response object
            BasicOCSPResp basicresp = signOcspResponse(req, responseList, exts, ocspSigningCacheEntry,
                    producedAt);
            ocspResponse = responseGenerator.build(OCSPRespBuilder.SUCCESSFUL, basicresp);
            if (auditLogger.isEnabled()) {
                auditLogger.paramPut(AuditLogger.STATUS, OCSPRespBuilder.SUCCESSFUL);
            }
            if (transactionLogger.isEnabled()) {
                transactionLogger.paramPut(TransactionLogger.STATUS, OCSPRespBuilder.SUCCESSFUL);
            }
        } else {
            // Only unknown CAs in requests and no default responder's cert, return an unsigned response
            if (log.isDebugEnabled()) {
                log.debug(intres.getLocalizedMessage("ocsp.errornocacreateresp"));
            }
            ocspResponse = responseGenerator.build(OCSPRespBuilder.UNAUTHORIZED, null);
            if (auditLogger.isEnabled()) {
                auditLogger.paramPut(AuditLogger.STATUS, OCSPRespBuilder.UNAUTHORIZED);
            }
            if (transactionLogger.isEnabled()) {
                transactionLogger.paramPut(TransactionLogger.STATUS, OCSPRespBuilder.UNAUTHORIZED);
            }
        }
    } catch (SignRequestException e) {
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        }
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        log.info(errMsg); // No need to log the full exception here
        // RFC 2560: responseBytes are not set on error.
        ocspResponse = responseGenerator.build(OCSPRespBuilder.SIG_REQUIRED, null);
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(TransactionLogger.STATUS, OCSPRespBuilder.SIG_REQUIRED);
            transactionLogger.writeln();
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(AuditLogger.STATUS, OCSPRespBuilder.SIG_REQUIRED);
        }
    } catch (SignRequestSignatureException e) {
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        }
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        log.info(errMsg); // No need to log the full exception here
        // RFC 2560: responseBytes are not set on error.
        ocspResponse = responseGenerator.build(OCSPRespBuilder.UNAUTHORIZED, null);
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(TransactionLogger.STATUS, OCSPRespBuilder.UNAUTHORIZED);
            transactionLogger.writeln();
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(AuditLogger.STATUS, OCSPRespBuilder.UNAUTHORIZED);
        }
    } catch (InvalidAlgorithmException e) {
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(PatternLogger.PROCESS_TIME, PatternLogger.PROCESS_TIME);
        }
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        log.info(errMsg); // No need to log the full exception here
        // RFC 2560: responseBytes are not set on error.
        ocspResponse = responseGenerator.build(OCSPRespBuilder.MALFORMED_REQUEST, null);
        if (transactionLogger.isEnabled()) {
            transactionLogger.paramPut(TransactionLogger.STATUS, OCSPRespBuilder.MALFORMED_REQUEST);
            transactionLogger.writeln();
        }
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(AuditLogger.STATUS, OCSPRespBuilder.MALFORMED_REQUEST);
        }
    } catch (NoSuchAlgorithmException e) {
        ocspResponse = processDefaultError(responseGenerator, transactionLogger, auditLogger, e);
    } catch (CertificateException e) {
        ocspResponse = processDefaultError(responseGenerator, transactionLogger, auditLogger, e);
    } catch (CryptoTokenOfflineException e) {
        ocspResponse = processDefaultError(responseGenerator, transactionLogger, auditLogger, e);
    }
    try {
        respBytes = ocspResponse.getEncoded();
        if (auditLogger.isEnabled()) {
            auditLogger.paramPut(AuditLogger.OCSPRESPONSE, new String(Hex.encode(respBytes)));
            auditLogger.writeln();
            auditLogger.flush();
        }
        if (transactionLogger.isEnabled()) {
            transactionLogger.flush();
        }
        if (OcspConfiguration.getLogSafer()) {
            // See if the Errorhandler has found any problems
            if (hasErrorHandlerFailedSince(startTime)) {
                log.info("ProbableErrorhandler reported error, cannot answer request");
                // RFC 2560: responseBytes are not set on error.
                ocspResponse = responseGenerator.build(OCSPRespBuilder.INTERNAL_ERROR, null);

            }
            // See if the Appender has reported any problems
            if (!CanLogCache.INSTANCE.canLog()) {
                log.info("SaferDailyRollingFileAppender reported error, cannot answer request");
                // RFC 2560: responseBytes are not set on error.
                ocspResponse = responseGenerator.build(OCSPRespBuilder.INTERNAL_ERROR, null);
            }
        }
    } catch (IOException e) {
        log.error("Unexpected IOException caught.", e);
        if (transactionLogger.isEnabled()) {
            transactionLogger.flush();
        }
        if (auditLogger.isEnabled()) {
            auditLogger.flush();
        }
    }
    return new OcspResponseInformation(ocspResponse, maxAge);
}