
Example 1 with CertStatus

Use of org.xipki.ocsp.api.CertStatus in project xipki by xipki.

The class DbCertStatusStore, method getCertStatus (listed below).

// method getCertStatus
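/**
 * Looks up the status of one certificate in the database-backed status store.
 *
 * <p>The lookup is keyed on the issuer (resolved from {@code reqIssuer} through the
 * issuer store) and on the serial number. The serial is bound to a prepared statement
 * as a lower-case hex string, so it never becomes part of the SQL text.
 *
 * <p>Security-relevant behaviour to keep in mind when changing this method:
 * <ul>
 *   <li>A non-positive serial number can never belong to an issued certificate
 *       (RFC 5280 section 4.1.2.2) and is answered as UNKNOWN without a database
 *       round trip.</li>
 *   <li>A serial with no row in the store is answered as UNKNOWN, unless
 *       {@code unknownSerialAsGood} is set, in which case it is answered as GOOD.
 *       RFC 6960 points out that "good" does not assert the certificate was ever
 *       issued; leave the flag off unless the store is known to be complete.</li>
 *   <li>If the issuer itself is revoked and {@code inheritCaRevocation} is set, a
 *       GOOD or UNKNOWN answer, or a REVOKED answer dated after the CA's revocation,
 *       is replaced by REVOKED with reason CA_COMPROMISE and the CA's revocation
 *       time.</li>
 *   <li>Certificates outside their validity period are reported through
 *       {@link CertStatusInfo#getIgnoreCertStatusInfo} when the corresponding
 *       {@code ignoreNotYetValidCert} / {@code ignoreExpiredCert} flag is set.</li>
 * </ul>
 *
 * @param time                reference time for the not-before / not-after checks
 * @param reqIssuer           issuer identification taken from the OCSP request
 * @param serialNumber        serial number of the certificate in question
 * @param includeCertHash     whether to return the stored certificate hash
 * @param includeRit          whether to return the revocation invalidity time
 * @param inheritCaRevocation whether a revoked issuer overrides the certificate's own status
 * @return the status, or {@code null} if the issuer is not served by this store
 * @throws OcspStoreException if the store is not (yet) initialized or database access fails
 */
@Override
public CertStatusInfo getCertStatus(Date time, RequestIssuer reqIssuer, BigInteger serialNumber, boolean includeCertHash, boolean includeRit, boolean inheritCaRevocation) throws OcspStoreException {
    if (serialNumber.signum() != 1) {
        // Non-positive serial numbers are never issued; answer UNKNOWN without
        // touching the database.
        return CertStatusInfo.getUnknownCertStatusInfo(new Date(), null);
    }
    if (!initialized) {
        throw new OcspStoreException("initialization of CertStore is still in process");
    }
    if (initializationFailed) {
        throw new OcspStoreException("initialization of CertStore failed");
    }
    String sql;
    try {
        IssuerEntry issuer = issuerStore.getIssuerForFp(reqIssuer);
        if (issuer == null) {
            // Not one of our issuers; the caller decides how to answer for it.
            return null;
        }
        // Four prepared statements exist so that the HASH / RIT columns are only
        // selected when the caller actually asked for them.
        if (includeCertHash) {
            sql = includeRit ? sqlCsWithCertHash : sqlCsNoRitWithCertHash;
        } else {
            sql = includeRit ? sqlCs : sqlCsNoRit;
        }
        CrlInfo crlInfo = issuer.getCrlInfo();
        Date thisUpdate;
        Date nextUpdate = null;
        if (crlInfo != null && crlInfo.isUseCrlUpdates()) {
            // Status data was imported from a CRL: mirror its thisUpdate/nextUpdate so
            // the response never claims to be fresher than the data it is based on.
            thisUpdate = crlInfo.getThisUpdate();
            // nextUpdate is OPTIONAL in a CRL, so it may be absent. Only advertise it
            // while it is still at least 10 seconds in the future; otherwise omit it.
            Date crlNextUpdate = crlInfo.getNextUpdate();
            if (crlNextUpdate != null && crlNextUpdate.getTime() - System.currentTimeMillis() > 10 * 1000) {
                nextUpdate = crlNextUpdate;
            }
        } else {
            thisUpdate = new Date();
        }
        ResultSet rs = null;
        boolean unknown = true;
        boolean ignore = false;
        // Never populated by the status query; kept so the factory calls keep their shape.
        String certprofile = null;
        String b64CertHash = null;
        boolean revoked = false;
        int reason = 0;
        long revTime = 0;
        long invalTime = 0;
        PreparedStatement ps = datasource.prepareStatement(datasource.getConnection(), sql);
        try {
            ps.setInt(1, issuer.getId());
            // Serial bound as a parameter (lower-case hex, no padding); it is never
            // concatenated into the statement.
            ps.setString(2, serialNumber.toString(16));
            rs = ps.executeQuery();
            if (rs.next()) {
                unknown = false;
                // NBEFORE / NAFTER are compared in seconds; a stored 0 is treated as
                // "not recorded" and disables the respective check.
                long timeInSec = time.getTime() / 1000;
                if (ignoreNotYetValidCert) {
                    long notBeforeInSec = rs.getLong("NBEFORE");
                    if (notBeforeInSec != 0 && timeInSec < notBeforeInSec) {
                        ignore = true;
                    }
                }
                if (!ignore && ignoreExpiredCert) {
                    long notAfterInSec = rs.getLong("NAFTER");
                    if (notAfterInSec != 0 && timeInSec > notAfterInSec) {
                        ignore = true;
                    }
                }
                if (!ignore) {
                    if (includeCertHash) {
                        b64CertHash = rs.getString("HASH");
                    }
                    revoked = rs.getBoolean("REV");
                    if (revoked) {
                        reason = rs.getInt("RR");
                        revTime = rs.getLong("RT");
                        if (includeRit) {
                            invalTime = rs.getLong("RIT");
                        }
                    }
                }
            } // end if (rs.next())
        } catch (SQLException ex) {
            throw datasource.translate(sql, ex);
        } finally {
            releaseDbResources(ps, rs);
        }
        CertStatusInfo certStatusInfo;
        if (unknown) {
            // No row for this serial. Answering GOOD is a policy choice: it gives no
            // assurance that the certificate was ever issued, so unknownSerialAsGood
            // should only be enabled when the store is known to be complete.
            if (unknownSerialAsGood) {
                certStatusInfo = CertStatusInfo.getGoodCertStatusInfo(certHashAlgo, null, thisUpdate, nextUpdate, null);
            } else {
                certStatusInfo = CertStatusInfo.getUnknownCertStatusInfo(thisUpdate, nextUpdate);
            }
        } else if (ignore) {
            certStatusInfo = CertStatusInfo.getIgnoreCertStatusInfo(thisUpdate, nextUpdate);
        } else {
            byte[] certHash = (b64CertHash == null) ? null : Base64.decodeFast(b64CertHash);
            if (revoked) {
                // An invalidity time of 0 or equal to the revocation time carries no
                // extra information and is dropped.
                Date invTime = (invalTime == 0 || invalTime == revTime) ? null : new Date(invalTime * 1000);
                CertRevocationInfo revInfo = new CertRevocationInfo(reason, new Date(revTime * 1000), invTime);
                certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(revInfo, certHashAlgo, certHash, thisUpdate, nextUpdate, certprofile);
            } else {
                certStatusInfo = CertStatusInfo.getGoodCertStatusInfo(certHashAlgo, certHash, thisUpdate, nextUpdate, certprofile);
            }
        }
        if (includeCrlId && crlInfo != null) {
            certStatusInfo.setCrlId(crlInfo.getCrlId());
        }
        if (includeArchiveCutoff && retentionInterval != 0) {
            Date date;
            if (retentionInterval < 0) {
                // Negative interval: expired certificates stay in the store forever,
                // so the archive cutoff is the issuer's own notBefore.
                date = issuer.getNotBefore();
            } else {
                // Cutoff is "now minus retention", but never earlier than the issuer's notBefore.
                long nowInMs = System.currentTimeMillis();
                long dateInMs = Math.max(issuer.getNotBefore().getTime(), nowInMs - DAY * retentionInterval);
                date = new Date(dateInMs);
            }
            certStatusInfo.setArchiveCutOff(date);
        }
        if (!inheritCaRevocation || issuer.getRevocationInfo() == null) {
            return certStatusInfo;
        }
        // The issuing CA is itself revoked. GOOD and UNKNOWN are overridden; REVOKED is
        // overridden only when the certificate's own revocation is later than the CA's,
        // so the earlier (more conservative) revocation time always wins.
        CertRevocationInfo caRevInfo = issuer.getRevocationInfo();
        CertStatus certStatus = certStatusInfo.getCertStatus();
        boolean replaced = false;
        if (certStatus == CertStatus.GOOD || certStatus == CertStatus.UNKNOWN) {
            replaced = true;
        } else if (certStatus == CertStatus.REVOKED) {
            replaced = certStatusInfo.getRevocationInfo().getRevocationTime().after(caRevInfo.getRevocationTime());
        }
        if (replaced) {
            // The reported reason is forced to CA_COMPROMISE whatever the CA's actual
            // reason was. NOTE(review): presumably deliberate, but a relying party cannot
            // tell a compromised CA from a retired one here -- confirm with upstream.
            CertRevocationInfo newRevInfo;
            if (caRevInfo.getReason() == CrlReason.CA_COMPROMISE) {
                newRevInfo = caRevInfo;
            } else {
                newRevInfo = new CertRevocationInfo(CrlReason.CA_COMPROMISE, caRevInfo.getRevocationTime(), caRevInfo.getInvalidityTime());
            }
            certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(newRevInfo, certStatusInfo.getCertHashAlgo(), certStatusInfo.getCertHash(), certStatusInfo.getThisUpdate(), certStatusInfo.getNextUpdate(), certStatusInfo.getCertprofile());
        }
        return certStatusInfo;
    } catch (DataAccessException ex) {
        throw new OcspStoreException(ex.getMessage(), ex);
    }
}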
