List of usage examples for org.bouncycastle.cert.ocsp OCSPRespBuilder TRY_LATER
int TRY_LATER
From source file:org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator.java
License:Apache License
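/**
 * Gets the OCSP status for the specified subject and issuer certificates.
 *
 * <p>The returned {@link OcspStatus} carries three independent results that the caller
 * must combine: the OCSP response status (successful / tryLater / ...), whether the
 * response signature was verified against a trusted responder certificate, and the
 * revocation status of the subject certificate. The validation status is populated even
 * when the signature could not be verified, so callers must consult
 * {@code getVerificationStatus()} before acting on {@code getValidationStatus()}.
 *
 * <p>Replay protection: the request carries a random nonce. A response that echoes a
 * different nonce is treated as unverified and its revocation status is ignored.
 * Responders may legitimately omit the nonce (RFC 6960, section 4.4.1); in that case the
 * {@code nextUpdate} window of the single response is the only freshness check applied.
 *
 * @param ocspStatusKey status key holding the subject and issuer certificates
 * @return ocsp status; every field stays {@code Unknown} when the request could not be
 *         completed or the response could not be interpreted
 */
private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) {
    final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate();
    final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate();

    // initialize the default status
    final OcspStatus ocspStatus = new OcspStatus();
    ocspStatus.setVerificationStatus(VerificationStatus.Unknown);
    ocspStatus.setValidationStatus(ValidationStatus.Unknown);

    try {
        // prepare the request; the CertificateID binds issuer name hash, issuer key hash and serial
        final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber();
        final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder()
                .setProvider("BC").build();
        final CertificateID certificateId = new CertificateID(
                calculatorProviderBuilder.get(CertificateID.HASH_SHA1),
                new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber);

        // generate the request
        final OCSPReqBuilder requestGenerator = new OCSPReqBuilder();
        requestGenerator.addRequest(certificateId);

        // Nonce to detect replayed responses. A replay defence only works if the value is
        // unpredictable, so a timestamp is not sufficient -- draw it from a CSPRNG.
        final byte[] nonceBytes = new byte[16];
        new java.security.SecureRandom().nextBytes(nonceBytes);
        final Extension nonceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true,
                new DEROctetString(nonceBytes));
        requestGenerator.setRequestExtensions(new Extensions(new Extension[] { nonceExtension }));
        final OCSPReq ocspRequest = requestGenerator.build();

        // perform the request
        final Response response = getClientResponse(ocspRequest);

        // ensure the request was completed successfully
        if (Response.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus()));
            return ocspStatus;
        }

        // interpret the response, releasing the entity stream once it has been parsed
        final OCSPResp ocspResponse;
        try (InputStream entity = response.readEntity(InputStream.class)) {
            ocspResponse = new OCSPResp(entity);
        }

        // record the response status
        ocspStatus.setResponseStatus(toResponseStatus(ocspResponse.getStatus()));

        // only proceed if the response was successful
        if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).",
                    ocspStatus.getResponseStatus().toString()));
            return ocspStatus;
        }

        // ensure the appropriate response object (instanceof is false for null)
        final Object ocspResponseObject = ocspResponse.getResponseObject();
        if (!(ocspResponseObject instanceof BasicOCSPResp)) {
            logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject));
            return ocspStatus;
        }
        final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponseObject;

        // attempt to locate the responder certificate; exactly one embedded certificate is expected
        final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts();
        if (responderCertificates.length != 1) {
            logger.warn(String.format("Unexpected number of OCSP responder certificates: %s",
                    responderCertificates.length));
            return ocspStatus;
        }

        // verify the response signature only against a responder certificate we trust for this issuer
        final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(
                responderCertificates[0], issuerCertificate);
        final boolean signatureValid = trustedResponderCertificate != null
                && basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder()
                        .setProvider("BC").build(trustedResponderCertificate.getPublicKey()));
        ocspStatus.setVerificationStatus(signatureValid ? VerificationStatus.Verified
                : VerificationStatus.Unverified);

        // replay check: a responder that echoes a nonce must echo ours (compared on the raw
        // extension value so both single- and double-wrapped OCTET STRING encodings behave)
        final Extension responseNonce = basicOcspResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (responseNonce == null) {
            logger.debug("OCSP response did not echo the request nonce; relying on nextUpdate for freshness.");
        } else if (!java.util.Arrays.equals(nonceExtension.getExtnValue().getOctets(),
                responseNonce.getExtnValue().getOctets())) {
            logger.warn("OCSP response nonce does not match the request nonce; ignoring response.");
            ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
            return ocspStatus;
        }

        // validate the response: find the single response for the certificate we asked about
        final long now = System.currentTimeMillis();
        for (final SingleResp singleResponse : basicOcspResponse.getResponses()) {
            if (!matchesCertificateId(certificateId, singleResponse.getCertID())) {
                continue;
            }

            // a response whose validity window has closed must not be acted upon; the next
            // lookup will fetch a fresh one
            final java.util.Date nextUpdate = singleResponse.getNextUpdate();
            if (nextUpdate != null && nextUpdate.getTime() < now) {
                logger.warn(String.format("OCSP response for serial %s expired at %s; treating status as unknown.",
                        subjectSerialNumber, nextUpdate));
                ocspStatus.setValidationStatus(ValidationStatus.Unknown);
                continue;
            }

            // interpret the certificate status (BC represents "good" as CertificateStatus.GOOD, which is null)
            final Object certStatus = singleResponse.getCertStatus();
            if (CertificateStatus.GOOD == certStatus) {
                ocspStatus.setValidationStatus(ValidationStatus.Good);
            } else if (certStatus instanceof RevokedStatus) {
                ocspStatus.setValidationStatus(ValidationStatus.Revoked);
            } else {
                ocspStatus.setValidationStatus(ValidationStatus.Unknown);
            }
        }
    } catch (final OCSPException | IOException | ProcessingException | OperatorCreationException
            | CertificateException e) {
        // all failures leave the status at its Unknown defaults; log rather than print to stderr
        logger.error(e.getMessage(), e);
    }

    return ocspStatus;
}

/**
 * Maps a raw OCSPResponseStatus code to the local enum.
 *
 * @param responseStatus the code from {@code OCSPResp.getStatus()}
 * @return the matching {@link OcspStatus.ResponseStatus}, or {@code Unknown} for any code not modelled
 */
private static OcspStatus.ResponseStatus toResponseStatus(final int responseStatus) {
    switch (responseStatus) {
        case OCSPRespBuilder.SUCCESSFUL:
            return OcspStatus.ResponseStatus.Successful;
        case OCSPRespBuilder.INTERNAL_ERROR:
            return OcspStatus.ResponseStatus.InternalError;
        case OCSPRespBuilder.MALFORMED_REQUEST:
            return OcspStatus.ResponseStatus.MalformedRequest;
        case OCSPRespBuilder.SIG_REQUIRED:
            return OcspStatus.ResponseStatus.SignatureRequired;
        case OCSPRespBuilder.TRY_LATER:
            return OcspStatus.ResponseStatus.TryLater;
        case OCSPRespBuilder.UNAUTHORIZED:
            return OcspStatus.ResponseStatus.Unauthorized;
        default:
            return OcspStatus.ResponseStatus.Unknown;
    }
}

/**
 * Checks whether a single response refers to the certificate that was requested.
 *
 * <p>The serial number alone is not unique across issuers, so the issuer name hash and
 * issuer key hash are compared as well. RFC 6960 requires the responder to echo the
 * request's CertID, so a mismatch (including a different hash algorithm) simply means the
 * entry is ignored and the status stays {@code Unknown}.
 *
 * @param requested the CertificateID sent in the request
 * @param returned  the CertificateID of a SingleResp in the response
 * @return {@code true} when serial, issuer name hash and issuer key hash all match
 */
private static boolean matchesCertificateId(final CertificateID requested, final CertificateID returned) {
    return requested.getSerialNumber().equals(returned.getSerialNumber())
            && java.util.Arrays.equals(requested.getIssuerNameHash(), returned.getIssuerNameHash())
            && java.util.Arrays.equals(requested.getIssuerKeyHash(), returned.getIssuerKeyHash());
}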
From source file:org.ejbca.ui.cli.Ocsp.java
License:Open Source License
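/**
 * Runs the OCSP CLI: looks up the revocation status of one certificate (given as a PEM
 * file or a hex serial number) against an OCSP responder and prints the result.
 *
 * <p>Argument forms (see the usage text printed when too few arguments are given):
 * with a PKCS#12 keystore the request is signed; without one it is sent unsigned.
 * An OCSP URL of {@code null} makes the tool read the responder URL from the
 * certificate's AIA extension, which is only possible when a certificate file is given.
 *
 * <p>Security notes: the keystore password is taken from the command line, so it is
 * visible in process listings and shell history on shared hosts. As the usage text
 * states, GET requests carry no nonce, so in that mode a replayed or cached response
 * cannot be detected by the client.
 *
 * @param args raw command-line arguments; {@code args[0]} is the command name
 */
@Override
protected void execute(String[] args) {
    try {
        CryptoProviderTools.installBCProvider();

        final String ksfilename;
        final String kspwd;
        final String ocspUrlFromCLI;
        final String certfilename;
        final String cacertfilename;
        boolean useGet = false;
        boolean signRequest = false;

        if (args.length > 1 && args[1].equals("stress")) {
            new StressTest(args);
            return;
        } else if (args.length >= 6) {
            // Usage 1: keystore given, request will be signed
            ksfilename = args[1];
            kspwd = args[2];
            ocspUrlFromCLI = args[3].equals("null") ? null : args[3];
            certfilename = args[4];
            cacertfilename = args[5];
            signRequest = true;
            if (args.length == 7) {
                useGet = "GET".equalsIgnoreCase(args[6]);
            }
        } else if (args.length >= 4) {
            // Usage 2: no keystore, unsigned request
            ksfilename = null;
            kspwd = null;
            ocspUrlFromCLI = args[1].equals("null") ? null : args[1];
            certfilename = args[2];
            cacertfilename = args[3];
            if (args.length == 5) {
                useGet = "GET".equalsIgnoreCase(args[4]);
            }
        } else {
            System.out.println(
                    "Usage 1: OCSP <KeyStoreFilename> <KeyStorePassword> <OCSPUrl | null> <CertificateFileName | HexEncodedCertificateSerialNumber> <CA-CertificateFileName> [<POST | GET>]");
            System.out.println(
                    "Usage 2: OCSP <OCSPUrl | null> <CertificateFileName | HexEncodedCertificateSerialNumber> <CA-CertificateFileName> [<POST | GET>]");
            System.out.println("Usage 3: OCSP stress ...");
            System.out.println("Keystore should be a PKCS12. GET requests will not use a nonce.");
            System.out.println(
                    "OCSPUrl is like: http://127.0.0.1:8080/ejbca/publicweb/status/ocsp or https://127.0.0.1:8443/ejbca/publicweb/status/ocsp");
            System.out.println("OCSP response status is: GOOD=" + OCSPUnidResponse.OCSP_GOOD + ", REVOKED="
                    + OCSPUnidResponse.OCSP_REVOKED + ", UNKNOWN=" + OCSPUnidResponse.OCSP_UNKNOWN);
            System.out.println(
                    "OcspUrl can be set to 'null', in that case the program looks for an AIA extension containing the OCSP URI.");
            System.out.println("Just the stress argument gives further info about the stress test.");
            return;
        }

        OCSPUnidResponse response = null;
        BigInteger serial = null;

        // A purely hexadecimal argument is interpreted as a certificate serial number rather
        // than a file name (so a hex-looking file name without extension is not supported).
        final Matcher matcher = Pattern.compile("[0-9a-fA-F]+").matcher(certfilename);
        if (matcher.matches()) {
            try {
                serial = new BigInteger(certfilename, 16);
                if (ocspUrlFromCLI == null) {
                    // no certificate means no AIA extension to read the URL from
                    System.out.println("OCSP URL is required if a serial number is used.");
                    System.exit(-1); // NOPMD, it's not a JEE app
                }
                final OCSPUnidClient client = OCSPUnidClient.getOCSPUnidClient(ksfilename, kspwd, ocspUrlFromCLI,
                        signRequest, ksfilename != null);
                response = client.lookup(serial, getCertFromPemFile(cacertfilename), useGet);
            } catch (NumberFormatException e) {
                // Not a hex serial number
                System.out.println(
                        "The input that looked like a serial number was not one, try to read it as a file.");
            }
        }

        if (serial == null) {
            // It's not a certificate serial number, so treat it as a filename
            final Certificate userCert = getCertFromPemFile(certfilename);
            String ocspUrl = ocspUrlFromCLI;
            if (ocspUrl == null) {
                ocspUrl = CertTools.getAuthorityInformationAccessOcspUrl(userCert);
                if (ocspUrl == null) {
                    System.out.println("OCSP URL is required since none was found in the certificate.");
                    System.exit(-1); // NOPMD, it's not a JEE app
                }
            }
            final OCSPUnidClient client = OCSPUnidClient.getOCSPUnidClient(ksfilename, kspwd, ocspUrl,
                    signRequest, true);
            response = client.lookup(userCert, getCertFromPemFile(cacertfilename), useGet);
        }

        if (response.getErrorCode() != OCSPUnidResponse.ERROR_NO_ERROR) {
            System.out.println("Error querying OCSP server.");
            System.out.println("Error code is: " + response.getErrorCode());
        }
        if (response.getHttpReturnCode() != 200) {
            System.out.println("Http return code is: " + response.getHttpReturnCode());
        }

        if (response.getResponseStatus() == 0) {
            // OCSPResponseStatus successful: print the certificate status
            System.out.print("OCSP return value is: " + response.getStatus() + " (");
            switch (response.getStatus()) {
                case OCSPUnidResponse.OCSP_GOOD:
                    System.out.println("good)");
                    break;
                case OCSPUnidResponse.OCSP_REVOKED:
                    System.out.println("revoked)");
                    break;
                case OCSPUnidResponse.OCSP_UNKNOWN:
                    System.out.println("unknown)");
                    break;
                default:
                    System.out.println("unrecognised)");
                    break;
            }
            System.out.println("producedAt: " + response.getProducedAt() + " thisUpdate: "
                    + response.getThisUpdate() + " nextUpdate: " + response.getNextUpdate());
            if (response.getFnr() != null) {
                System.out.println("Returned Fnr is: " + response.getFnr());
            }
        } else {
            // Responder did not produce a certificate status; print the reason
            System.out.print("OCSP response status is: " + response.getResponseStatus() + " (");
            switch (response.getResponseStatus()) {
                case OCSPRespBuilder.MALFORMED_REQUEST:
                    System.out.println("malformed request)");
                    break;
                case OCSPRespBuilder.INTERNAL_ERROR:
                    System.out.println("internal error)");
                    break;
                case OCSPRespBuilder.TRY_LATER:
                    System.out.println("try later)");
                    break;
                case OCSPRespBuilder.SIG_REQUIRED:
                    System.out.println("signature required)");
                    break;
                case OCSPRespBuilder.UNAUTHORIZED:
                    System.out.println("unauthorized)");
                    break;
                default:
                    System.out.println("unrecognised)");
                    break;
            }
        }
    } catch (Exception e) {
        System.out.println(e.getMessage());
        e.printStackTrace();
        System.exit(-1); // NOPMD, it's not a JEE app
    }
}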