List of usage examples for org.bouncycastle.cert.ocsp SingleResp getCertID
public CertificateID getCertID()
From source file:be.fedict.trust.ocsp.OcspTrustLinker.java
License:Open Source License
@Override public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData, AlgorithmPolicy algorithmPolicy) throws TrustLinkerResultException, Exception { URI ocspUri = getOcspUri(childCertificate); if (null == ocspUri) { return TrustLinkerResult.UNDECIDED; }/*from ww w.j ava 2s .c o m*/ LOG.debug("OCSP URI: " + ocspUri); OCSPResp ocspResp = this.ocspRepository.findOcspResponse(ocspUri, childCertificate, certificate, validationDate); if (null == ocspResp) { LOG.debug("OCSP response not found"); return TrustLinkerResult.UNDECIDED; } int ocspRespStatus = ocspResp.getStatus(); if (OCSPResponseStatus.SUCCESSFUL != ocspRespStatus) { LOG.debug("OCSP response status: " + ocspRespStatus); return TrustLinkerResult.UNDECIDED; } Object responseObject = ocspResp.getResponseObject(); BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject; X509CertificateHolder[] responseCertificates = basicOCSPResp.getCerts(); for (X509CertificateHolder responseCertificate : responseCertificates) { LOG.debug("OCSP response cert: " + responseCertificate.getSubject()); LOG.debug("OCSP response cert issuer: " + responseCertificate.getIssuer()); } algorithmPolicy.checkSignatureAlgorithm(basicOCSPResp.getSignatureAlgOID().getId(), validationDate); if (0 == responseCertificates.length) { /* * This means that the OCSP response has been signed by the issuing * CA itself. */ ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(certificate.getPublicKey()); boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider); if (false == verificationResult) { LOG.debug("OCSP response signature invalid"); return TrustLinkerResult.UNDECIDED; } } else { /* * We're dealing with a dedicated authorized OCSP Responder * certificate, or of course with a CA that issues the OCSP * Responses itself. */ X509CertificateHolder ocspResponderCertificate = responseCertificates[0]; ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(ocspResponderCertificate); boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider); if (false == verificationResult) { LOG.debug("OCSP Responser response signature invalid"); return TrustLinkerResult.UNDECIDED; } if (false == Arrays.equals(certificate.getEncoded(), ocspResponderCertificate.getEncoded())) { // check certificate signature algorithm algorithmPolicy.checkSignatureAlgorithm( ocspResponderCertificate.getSignatureAlgorithm().getAlgorithm().getId(), validationDate); X509Certificate issuingCaCertificate; if (responseCertificates.length < 2) { // so the OCSP certificate chain only contains a single // entry LOG.debug("OCSP responder complete certificate chain missing"); /* * Here we assume that the OCSP Responder is directly signed * by the CA. */ issuingCaCertificate = certificate; } else { CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); issuingCaCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(responseCertificates[1].getEncoded())); /* * Is next check really required? */ if (false == certificate.equals(issuingCaCertificate)) { LOG.debug("OCSP responder certificate not issued by CA"); return TrustLinkerResult.UNDECIDED; } } // check certificate signature algorithmPolicy.checkSignatureAlgorithm(issuingCaCertificate.getSigAlgOID(), validationDate); PublicKeyTrustLinker publicKeyTrustLinker = new PublicKeyTrustLinker(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate x509OcspResponderCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(ocspResponderCertificate.getEncoded())); LOG.debug("OCSP Responder public key fingerprint: " + DigestUtils.sha1Hex(x509OcspResponderCertificate.getPublicKey().getEncoded())); publicKeyTrustLinker.hasTrustLink(x509OcspResponderCertificate, issuingCaCertificate, validationDate, revocationData, algorithmPolicy); if (null == x509OcspResponderCertificate .getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId())) { LOG.debug("OCSP Responder certificate should have id-pkix-ocsp-nocheck"); /* * TODO: perform CRL validation on the OCSP Responder * certificate. On the other hand, do we really want to * check the checker? */ return TrustLinkerResult.UNDECIDED; } List<String> extendedKeyUsage = x509OcspResponderCertificate.getExtendedKeyUsage(); if (null == extendedKeyUsage) { LOG.debug("OCSP Responder certificate has no extended key usage extension"); return TrustLinkerResult.UNDECIDED; } if (false == extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) { LOG.debug("OCSP Responder certificate should have a OCSPSigning extended key usage"); return TrustLinkerResult.UNDECIDED; } } else { LOG.debug("OCSP Responder certificate equals the CA certificate"); // and the CA certificate is already trusted at this point } } DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(); CertificateID certificateId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(certificate), childCertificate.getSerialNumber()); SingleResp[] singleResps = basicOCSPResp.getResponses(); for (SingleResp singleResp : singleResps) { CertificateID responseCertificateId = singleResp.getCertID(); if (false == certificateId.equals(responseCertificateId)) { continue; } DateTime thisUpdate = new DateTime(singleResp.getThisUpdate()); DateTime nextUpdate; if (null != singleResp.getNextUpdate()) { nextUpdate = new DateTime(singleResp.getNextUpdate()); } else { LOG.debug("no OCSP nextUpdate"); nextUpdate = thisUpdate; } LOG.debug("OCSP thisUpdate: " + thisUpdate); LOG.debug("(OCSP) nextUpdate: " + nextUpdate); DateTime beginValidity = thisUpdate.minus(this.freshnessInterval); DateTime endValidity = nextUpdate.plus(this.freshnessInterval); DateTime validationDateTime = new DateTime(validationDate); if (validationDateTime.isBefore(beginValidity)) { LOG.warn("OCSP response not yet valid"); continue; } if (validationDateTime.isAfter(endValidity)) { LOG.warn("OCSP response expired"); continue; } if (null == singleResp.getCertStatus()) { LOG.debug("OCSP OK for: " + childCertificate.getSubjectX500Principal()); addRevocationData(revocationData, ocspResp, ocspUri); return TrustLinkerResult.TRUSTED; } else { LOG.debug("OCSP certificate status: " + singleResp.getCertStatus().getClass().getName()); if (singleResp.getCertStatus() instanceof RevokedStatus) { LOG.debug("OCSP status revoked"); } addRevocationData(revocationData, ocspResp, ocspUri); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_REVOCATION_STATUS, "certificate revoked by OCSP"); } } LOG.debug("no matching OCSP response entry"); return TrustLinkerResult.UNDECIDED; }
From source file:be.fedict.trust.ocsp.OfflineOcspRepository.java
License:Open Source License
@Override public OCSPResp findOcspResponse(URI ocspUri, X509Certificate certificate, X509Certificate issuerCertificate, Date validationDate) {// w w w . j a v a 2 s .c o m LOG.debug("find OCSP response"); DigestCalculatorProvider digCalcProv; try { digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME) .build(); } catch (OperatorCreationException e) { throw new RuntimeException(e); } CertificateID certId; try { certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber()); } catch (Exception e) { throw new RuntimeException(e); } try { for (OCSPResp ocspResp : this.ocspResponses) { BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject(); for (SingleResp singleResp : basicOCSPResp.getResponses()) { if (singleResp.getCertID().equals(certId)) { LOG.debug("OCSP response found"); return ocspResp; } } } } catch (OCSPException e) { LOG.error("OCSPException: " + e.getMessage(), e); return null; } LOG.debug("OCSP response not found"); return null; }
From source file:com.itextpdf.signatures.PdfPKCS7.java
License:Open Source License
/** * Checks if OCSP revocation refers to the document signing certificate. * * @return true if it checks, false otherwise *//*from ww w.j a va2s . co m*/ public boolean isRevocationValid() { if (basicResp == null) return false; if (signCerts.size() < 2) return false; try { X509Certificate[] cs = (X509Certificate[]) getSignCertificateChain(); SingleResp sr = basicResp.getResponses()[0]; CertificateID cid = sr.getCertID(); X509Certificate sigcer = getSigningCertificate(); X509Certificate isscer = cs[1]; CertificateID tis = SignUtils.generateCertificateId(isscer, sigcer.getSerialNumber(), cid.getHashAlgOID()); return tis.equals(cid); } catch (Exception ignored) { } return false; }
From source file:com.itextpdf.text.pdf.security.PdfPKCS7.java
License:Open Source License
/** * Checks if OCSP revocation refers to the document signing certificate. * @return true if it checks, false otherwise * @since 2.1.6//from ww w .j a va2s.co m */ public boolean isRevocationValid() { if (basicResp == null) return false; if (signCerts.size() < 2) return false; try { X509Certificate[] cs = (X509Certificate[]) getSignCertificateChain(); SingleResp sr = basicResp.getResponses()[0]; CertificateID cid = sr.getCertID(); DigestCalculator digestalg = new JcaDigestCalculatorProviderBuilder().build() .get(new AlgorithmIdentifier(cid.getHashAlgOID(), DERNull.INSTANCE)); X509Certificate sigcer = getSigningCertificate(); X509Certificate isscer = cs[1]; CertificateID tis = new CertificateID(digestalg, new JcaX509CertificateHolder(isscer), sigcer.getSerialNumber()); return tis.equals(cid); } catch (Exception ex) { } return false; }
From source file:ee.ria.xroad.common.cert.CertHelper.java
License:Open Source License
/** * Finds the OCSP response from a list of OCSP responses * for a given certificate.//from w ww . j a v a 2s . c om * @param cert the certificate * @param issuer the issuer of the certificate * @param ocspResponses list of OCSP responses * @return the OCSP response or null if not found * @throws Exception if an error occurs */ public static OCSPResp getOcspResponseForCert(X509Certificate cert, X509Certificate issuer, List<OCSPResp> ocspResponses) throws Exception { CertificateID certId = CryptoUtils.createCertId(cert, issuer); for (OCSPResp resp : ocspResponses) { BasicOCSPResp basicResp = (BasicOCSPResp) resp.getResponseObject(); SingleResp singleResp = basicResp.getResponses()[0]; if (certId.equals(singleResp.getCertID())) { return resp; } } return null; }
From source file:ee.ria.xroad.common.ocsp.OcspVerifier.java
License:Open Source License
private SingleResp verifyResponseValidity(OCSPResp response, X509Certificate subject, X509Certificate issuer) throws Exception { BasicOCSPResp basicResp = (BasicOCSPResp) response.getResponseObject(); SingleResp singleResp = basicResp.getResponses()[0]; CertificateID requestCertId = createCertId(subject, issuer); // http://www.ietf.org/rfc/rfc2560.txt -- 3.2: // Prior to accepting a signed response as valid, OCSP clients // SHALL confirm that: // 1. The certificate identified in a received response corresponds to // that which was identified in the corresponding request; if (!singleResp.getCertID().equals(requestCertId)) { throw new CodedException(X_INCORRECT_VALIDATION_INFO, "OCSP response does not apply to certificate (sn = %s)", subject.getSerialNumber()); }//from w ww . j a v a2s . com X509Certificate ocspCert = getOcspCert(basicResp); if (ocspCert == null) { throw new CodedException(X_INCORRECT_VALIDATION_INFO, "Could not find OCSP certificate for responder ID"); } if (!verifySignature(basicResp, ocspCert)) { throw new CodedException(X_INCORRECT_VALIDATION_INFO, "Signature on OCSP response is not valid"); } // 3. The identity of the signer matches the intended // recipient of the request. // -- Not important here because the original request is not available. // 4. The signer is currently authorized to sign the response. if (!isAuthorizedOcspSigner(ocspCert, issuer)) { throw new CodedException(X_INCORRECT_VALIDATION_INFO, "OCSP responder is not authorized for given CA"); } return singleResp; }
From source file:eu.europa.ec.markt.dss.DSSRevocationUtils.java
License:Open Source License
/** * fix for certId.equals methods that doesn't work very well. * * @param certId {@code CertificateID} * @param singleResp {@code SingleResp}/*from w ww . java2 s . c om*/ * @return true if the certificate matches this included in {@code SingleResp} */ public static boolean matches(final CertificateID certId, final SingleResp singleResp) { final CertificateID singleRespCertID = singleResp.getCertID(); final ASN1ObjectIdentifier singleRespCertIDHashAlgOID = singleRespCertID.getHashAlgOID(); final byte[] singleRespCertIDIssuerKeyHash = singleRespCertID.getIssuerKeyHash(); final byte[] singleRespCertIDIssuerNameHash = singleRespCertID.getIssuerNameHash(); final BigInteger singleRespCertIDSerialNumber = singleRespCertID.getSerialNumber(); final ASN1ObjectIdentifier certIdHashAlgOID = certId.getHashAlgOID(); final byte[] certIdIssuerKeyHash = certId.getIssuerKeyHash(); final byte[] certIdIssuerNameHash = certId.getIssuerNameHash(); final BigInteger certIdSerialNumber = certId.getSerialNumber(); // certId.equals fails in comparing the algoIdentifier because AlgoIdentifier params in null in one case and DERNull in another case return singleRespCertIDHashAlgOID.equals(certIdHashAlgOID) && Arrays.areEqual(singleRespCertIDIssuerKeyHash, certIdIssuerKeyHash) && Arrays.areEqual(singleRespCertIDIssuerNameHash, certIdIssuerNameHash) && singleRespCertIDSerialNumber.equals(certIdSerialNumber); }
From source file:eu.europa.esig.dss.DSSRevocationUtils.java
License:Open Source License
/** * fix for certId.equals methods that doesn't work very well. * * @param certId// w w w .ja v a 2 s . co m * {@code CertificateID} * @param singleResp * {@code SingleResp} * @return true if the certificate matches this included in * {@code SingleResp} */ public static boolean matches(final CertificateID certId, final SingleResp singleResp) { final CertificateID singleRespCertID = singleResp.getCertID(); final ASN1ObjectIdentifier singleRespCertIDHashAlgOID = singleRespCertID.getHashAlgOID(); final byte[] singleRespCertIDIssuerKeyHash = singleRespCertID.getIssuerKeyHash(); final byte[] singleRespCertIDIssuerNameHash = singleRespCertID.getIssuerNameHash(); final BigInteger singleRespCertIDSerialNumber = singleRespCertID.getSerialNumber(); final ASN1ObjectIdentifier certIdHashAlgOID = certId.getHashAlgOID(); final byte[] certIdIssuerKeyHash = certId.getIssuerKeyHash(); final byte[] certIdIssuerNameHash = certId.getIssuerNameHash(); final BigInteger certIdSerialNumber = certId.getSerialNumber(); // certId.equals fails in comparing the algoIdentifier because // AlgoIdentifier params in null in one case and DERNull in another case return singleRespCertIDHashAlgOID.equals(certIdHashAlgOID) && Arrays.areEqual(singleRespCertIDIssuerKeyHash, certIdIssuerKeyHash) && Arrays.areEqual(singleRespCertIDIssuerNameHash, certIdIssuerNameHash) && singleRespCertIDSerialNumber.equals(certIdSerialNumber); }
From source file:io.netty.example.ocsp.OcspServerExample.java
License:Apache License
public static void main(String[] args) throws Exception { // We assume there's a private key. PrivateKey privateKey = null; // Step 1: Load the certificate chain for netty.io. We'll need the certificate // and the issuer's certificate and we don't need any of the intermediate certs. // The array is assumed to be a certain order to keep things simple. X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem"); X509Certificate certificate = keyCertChain[0]; X509Certificate issuer = keyCertChain[keyCertChain.length - 1]; // Step 2: We need the URL of the CA's OCSP responder server. It's somewhere encoded // into the certificate! Notice that it's a HTTP URL. URI uri = OcspUtils.ocspUri(certificate); System.out.println("OCSP Responder URI: " + uri); if (uri == null) { throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder"); }// w ww . j av a2 s . c om // Step 3: Construct the OCSP request OCSPReq request = new OcspRequestBuilder().certificate(certificate).issuer(issuer).build(); // Step 4: Do the request to the CA's OCSP responder OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS); if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) { throw new IllegalStateException("response-status=" + response.getStatus()); } // Step 5: Is my certificate any good or has the CA revoked it? BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject(); SingleResp first = basicResponse.getResponses()[0]; CertificateStatus status = first.getCertStatus(); System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status)); System.out.println("This Update: " + first.getThisUpdate()); System.out.println("Next Update: " + first.getNextUpdate()); if (status != null) { throw new IllegalStateException("certificate-status=" + status); } BigInteger certSerial = certificate.getSerialNumber(); BigInteger ocspSerial = first.getCertID().getSerialNumber(); if (!certSerial.equals(ocspSerial)) { throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial); } // Step 6: Cache the OCSP response and use it as long as it's not // expired. The exact semantics are beyond the scope of this example. if (!OpenSsl.isAvailable()) { throw new IllegalStateException("OpenSSL is not available!"); } if (!OpenSsl.isOcspSupported()) { throw new IllegalStateException("OCSP is not supported!"); } if (privateKey == null) { throw new IllegalStateException( "Because we don't have a PrivateKey we can't continue past this point."); } ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder .forServer(privateKey, keyCertChain).sslProvider(SslProvider.OPENSSL).enableOcsp(true).build(); try { ServerBootstrap bootstrap = new ServerBootstrap().childHandler(newServerHandler(context, response)); // so on and so forth... } finally { context.release(); } }
From source file:org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator.java
License:Apache License
/** * Gets the OCSP status for the specified subject and issuer certificates. * * @param ocspStatusKey status key/*from w w w .j a v a2 s . com*/ * @return ocsp status */ private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) { final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate(); final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate(); // initialize the default status final OcspStatus ocspStatus = new OcspStatus(); ocspStatus.setVerificationStatus(VerificationStatus.Unknown); ocspStatus.setValidationStatus(ValidationStatus.Unknown); try { // prepare the request final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber(); final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder() .setProvider("BC").build(); final CertificateID certificateId = new CertificateID( calculatorProviderBuilder.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber); // generate the request final OCSPReqBuilder requestGenerator = new OCSPReqBuilder(); requestGenerator.addRequest(certificateId); // Create a nonce to avoid replay attack BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis()); Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce.toByteArray())); requestGenerator.setRequestExtensions(new Extensions(new Extension[] { ext })); final OCSPReq ocspRequest = requestGenerator.build(); // perform the request final Response response = getClientResponse(ocspRequest); // ensure the request was completed successfully if (Response.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) { logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus())); return ocspStatus; } // interpret the response OCSPResp ocspResponse = new OCSPResp(response.readEntity(InputStream.class)); // verify the response status switch (ocspResponse.getStatus()) { case OCSPRespBuilder.SUCCESSFUL: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Successful); break; case OCSPRespBuilder.INTERNAL_ERROR: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.InternalError); break; case OCSPRespBuilder.MALFORMED_REQUEST: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.MalformedRequest); break; case OCSPRespBuilder.SIG_REQUIRED: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.SignatureRequired); break; case OCSPRespBuilder.TRY_LATER: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.TryLater); break; case OCSPRespBuilder.UNAUTHORIZED: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unauthorized); break; default: ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unknown); break; } // only proceed if the response was successful if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) { logger.warn(String.format("OCSP request was unsuccessful (%s).", ocspStatus.getResponseStatus().toString())); return ocspStatus; } // ensure the appropriate response object final Object ocspResponseObject = ocspResponse.getResponseObject(); if (ocspResponseObject == null || !(ocspResponseObject instanceof BasicOCSPResp)) { logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject)); return ocspStatus; } // get the response object final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponse.getResponseObject(); // attempt to locate the responder certificate final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts(); if (responderCertificates.length != 1) { logger.warn(String.format("Unexpected number of OCSP responder certificates: %s", responderCertificates.length)); return ocspStatus; } // get the responder certificate final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate( responderCertificates[0], issuerCertificate); if (trustedResponderCertificate != null) { // verify the response if (basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC") .build(trustedResponderCertificate.getPublicKey()))) { ocspStatus.setVerificationStatus(VerificationStatus.Verified); } else { ocspStatus.setVerificationStatus(VerificationStatus.Unverified); } } else { ocspStatus.setVerificationStatus(VerificationStatus.Unverified); } // validate the response final SingleResp[] responses = basicOcspResponse.getResponses(); for (SingleResp singleResponse : responses) { final CertificateID responseCertificateId = singleResponse.getCertID(); final BigInteger responseSerialNumber = responseCertificateId.getSerialNumber(); if (responseSerialNumber.equals(subjectSerialNumber)) { Object certStatus = singleResponse.getCertStatus(); // interpret the certificate status if (CertificateStatus.GOOD == certStatus) { ocspStatus.setValidationStatus(ValidationStatus.Good); } else if (certStatus instanceof RevokedStatus) { ocspStatus.setValidationStatus(ValidationStatus.Revoked); } else { ocspStatus.setValidationStatus(ValidationStatus.Unknown); } } } } catch (final OCSPException | IOException | ProcessingException | OperatorCreationException e) { logger.error(e.getMessage(), e); } catch (CertificateException e) { e.printStackTrace(); } return ocspStatus; }