
Example 1 with RequestIssuer

use of org.xipki.ocsp.api.RequestIssuer in project xipki by xipki.

the class DbCertStatusStore method initIssuerStore.

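/**
 * Loads (or reloads) the ISSUER table into {@code issuerStore}.
 *
 * <p>Once the store has been initialised, a cheap pre-query of
 * {@code ID,REV,RT,S1C} is compared against the current store and the full
 * reload (which parses every issuer certificate) is skipped when nothing
 * changed. Rows are filtered through {@code issuerFilter} on their SHA-1
 * fingerprint, and two issuers that hash to the same name/key (the OCSP
 * CertID identity) abort the reload, because the responder could not tell
 * their certificates apart.
 *
 * <p>Failures are logged and recorded in {@code initializationFailed};
 * {@code initialized} is set in either case so callers can distinguish
 * "never ran" from "ran and failed". {@code storeUpdateInProcess} is cleared
 * on every exit path so that a later call can run again.
 */
private synchronized void initIssuerStore() {
    // A refresh that arrives while another one is still running is dropped.
    if (storeUpdateInProcess.get()) {
        return;
    }
    storeUpdateInProcess.set(true);
    try {
        if (initialized && issuerTableUnchanged()) {
            return;
        }
        reloadIssuerStore();
    } catch (Throwable th) {
        LogUtil.error(LOG, th, "could not executing initIssuerStore()");
        initializationFailed = true;
        initialized = true;
    } finally {
        // The original cleared this flag only in the catch block, so after the first
        // successful load (or an "unchanged" early return) every later call was a no-op.
        storeUpdateInProcess.set(false);
    }
}

/**
 * Compares the ids and revocation state in the ISSUER table with the current
 * {@code issuerStore} without parsing any certificates.
 *
 * @return {@code true} if a full reload can be skipped
 * @throws Exception if the query fails (any failure is handled by the caller)
 */
private boolean issuerTableUnchanged() throws Exception {
    final String sql = "SELECT ID,REV,RT,S1C FROM ISSUER";
    PreparedStatement ps = preparedStatement(sql);
    ResultSet rs = null;
    try {
        rs = ps.executeQuery();
        Map<Integer, SimpleIssuerEntry> newIssuers = new HashMap<>();
        while (rs.next()) {
            // Column read order kept as in the original (S1C, ID, REV, RT).
            if (!issuerFilter.includeIssuerWithSha1Fp(rs.getString("S1C"))) {
                continue;
            }
            int id = rs.getInt("ID");
            // RT is stored in seconds; SimpleIssuerEntry keeps milliseconds (null = not revoked).
            Long revTimeMs = rs.getBoolean("REV") ? rs.getLong("RT") * 1000 : null;
            newIssuers.put(id, new SimpleIssuerEntry(id, revTimeMs));
        }

        Set<Integer> newIds = newIssuers.keySet();
        Set<Integer> ids = (issuerStore != null) ? issuerStore.getIds() : Collections.emptySet();
        if (!newIds.equals(ids)) {
            return false;
        }
        for (Integer id : newIds) {
            // NOTE(review): a reload is triggered when the new entry *matches* its stored
            // counterpart. If SimpleIssuerEntry.match() returns true for "same id and same
            // revocation state", this condition is inverted and a changed issuer (e.g. one
            // that became revoked) would NOT cause a reload — confirm against SimpleIssuerEntry.
            if (newIssuers.get(id).match(issuerStore.getIssuerForId(id))) {
                return false;
            }
        }
        return true;
    } finally {
        releaseDbResources(ps, rs);
    }
}

/**
 * Rebuilds {@code issuerStore} from the full ISSUER rows (certificate, CRL
 * info and revocation time) and updates the initialisation flags.
 *
 * @throws Exception if the query fails, a certificate cannot be parsed, or two
 *     accepted issuers share the same subject/key hash
 */
private void reloadIssuerStore() throws Exception {
    // NBEFORE is selected but not read here; the statement text is kept unchanged.
    final String sql = "SELECT ID,NBEFORE,REV,RT,S1C,CERT,CRL_INFO FROM ISSUER";
    PreparedStatement ps = preparedStatement(sql);
    ResultSet rs = null;
    try {
        rs = ps.executeQuery();
        List<IssuerEntry> caInfos = new LinkedList<>();
        while (rs.next()) {
            if (!issuerFilter.includeIssuerWithSha1Fp(rs.getString("S1C"))) {
                continue;
            }
            int id = rs.getInt("ID");
            X509Certificate cert = X509Util.parseBase64EncodedCert(rs.getString("CERT"));
            IssuerEntry caInfoEntry = new IssuerEntry(id, cert);
            String crlInfoStr = rs.getString("CRL_INFO");
            if (StringUtil.isNotBlank(crlInfoStr)) {
                caInfoEntry.setCrlInfo(new CrlInfo(crlInfoStr));
            }
            // Two issuers with identical SHA-1 name/key hashes would be indistinguishable
            // in an OCSP CertID, so the whole load is rejected rather than picking one.
            RequestIssuer reqIssuer = new RequestIssuer(HashAlgo.SHA1, caInfoEntry.getEncodedHash(HashAlgo.SHA1));
            for (IssuerEntry existingIssuer : caInfos) {
                if (existingIssuer.matchHash(reqIssuer)) {
                    throw new Exception("found at least two issuers with the same subject and key");
                }
            }
            if (rs.getBoolean("REV")) {
                // RT is stored in seconds.
                caInfoEntry.setRevocationInfo(new Date(rs.getLong("RT") * 1000));
            }
            caInfos.add(caInfoEntry);
        }
        // Flag order as in the original: mark uninitialised while the store is swapped.
        initialized = false;
        this.issuerStore = new IssuerStore(caInfos);
        LOG.info("Updated issuers: {}", name);
        initializationFailed = false;
        initialized = true;
    } finally {
        releaseDbResources(ps, rs);
    }
}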

Example 2 with RequestIssuer

use of org.xipki.ocsp.api.RequestIssuer in project xipki by xipki.

the class OcspRequest method getInstance.

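/**
 * Converts a BouncyCastle {@code OCSPRequest} into the responder's lightweight
 * {@code OcspRequest}.
 *
 * <p>For every single request the DER encodings of {@code hashAlgorithm},
 * {@code issuerNameHash} and {@code issuerKeyHash} are concatenated into the
 * byte form {@code RequestIssuer} works on, and paired with the serial number.
 * Request extensions are re-encoded and handed to
 * {@code ExtendedExtension.getInstance}. Only {@code tbsRequest} is read;
 * {@code optionalSignature} is not inspected here.
 *
 * @param req the parsed OCSP request
 * @return the converted request
 * @throws EncodingException if a CertID component or an extension cannot be DER-encoded
 */
public static OcspRequest getInstance(OCSPRequest req) throws EncodingException {
    TBSRequest tbsReq = req.getTbsRequest();
    org.bouncycastle.asn1.x509.Extensions bcExtensions = tbsReq.getRequestExtensions();
    // The original also collected the critical extension OIDs here but never used them.

    ASN1Sequence bcRequestList = tbsReq.getRequestList();
    final int count = bcRequestList.size();
    List<CertID> requestList = new ArrayList<>(count);
    for (int i = 0; i < count; i++) {
        Request singleReq = Request.getInstance(bcRequestList.getObjectAt(i));
        org.bouncycastle.asn1.ocsp.CertID bcCertId = singleReq.getReqCert();
        // RequestIssuer is built from the raw DER of hashAlgorithm || issuerNameHash || issuerKeyHash.
        ByteArrayOutputStream issuerBytes = new ByteArrayOutputStream();
        try {
            issuerBytes.write(bcCertId.getHashAlgorithm().getEncoded());
            issuerBytes.write(bcCertId.getIssuerNameHash().getEncoded());
            issuerBytes.write(bcCertId.getIssuerKeyHash().getEncoded());
        } catch (IOException ex) {
            throw new EncodingException(ex.getMessage(), ex);
        }
        byte[] encodedIssuer = issuerBytes.toByteArray();
        RequestIssuer issuer = new RequestIssuer(encodedIssuer, 0, encodedIssuer.length);
        requestList.add(new CertID(issuer, bcCertId.getSerialNumber().getValue()));
    }

    List<ExtendedExtension> extensions = new ArrayList<>();
    if (bcExtensions != null) {
        for (ASN1ObjectIdentifier oid : bcExtensions.getExtensionOIDs()) {
            byte[] encoded;
            try {
                encoded = bcExtensions.getExtension(oid).getEncoded();
            } catch (IOException ex) {
                throw new EncodingException("error encoding Extension", ex);
            }
            extensions.add(ExtendedExtension.getInstance(encoded, 0, encoded.length));
        }
    }
    return new OcspRequest(tbsReq.getVersion().getValue().intValue(), requestList, extensions);
}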

Example 3 with RequestIssuer

use of org.xipki.ocsp.api.RequestIssuer in project xipki by xipki.

the class OcspRequest method getInstance.

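/**
 * Parses a DER-encoded {@code OCSPRequest} (RFC 6960) straight from its bytes,
 * without an ASN.1 library, into the responder's {@code OcspRequest}.
 *
 * <p>Only what the responder needs is decoded: the {@code version}
 * ([0] EXPLICIT, default 0), each {@code Request}'s {@code CertID} — kept as the
 * raw {@code hashAlgorithm || issuerNameHash || issuerKeyHash} bytes plus the
 * serial number — and the {@code requestExtensions} ([2] EXPLICIT).
 * {@code requestorName} ([1]), {@code singleRequestExtensions} and
 * {@code optionalSignature} are skipped over by length.
 *
 * <p>Every offset and length used here originates from the untrusted input.
 * Rejecting headers whose length points outside {@code request} is left to
 * {@code readHeader}/{@code readContent}, which are not shown here — keep that
 * in mind when changing those helpers.
 *
 * @param request the complete DER encoding of the OCSPRequest
 * @return the decoded request
 * @throws EncodingException if the version is not a single octet, the element
 *     following {@code requestList} is not {@code [2]}, or a helper rejects
 *     the encoding
 */
public static OcspRequest getInstance(byte[] request) throws EncodingException {
    // Header fields, as used throughout this method: tagIndex = offset of the tag octet,
    // readerIndex = offset of the first content octet, len = content length.
    // OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT OPTIONAL }
    Header hdrOcspRequest = readHeader(request, 0);
    // TBSRequest ::= SEQUENCE { version [0] EXPLICIT DEFAULT v1, requestorName [1] EXPLICIT OPTIONAL,
    //                           requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT OPTIONAL }
    Header hdrTbs = readHeader(request, hdrOcspRequest.readerIndex);
    final int tbsEnd = hdrTbs.readerIndex + hdrTbs.len;

    int version = 0;
    Header hdr = readHeader(request, hdrTbs.readerIndex);
    if ((hdr.tag & 0x80) != 0) {
        // Context-specific elements precede requestList: [0] version, [1] requestorName.
        if ((hdr.tag & 0x1F) == 0) {
            Header hdrVersion = readHeader(request, hdr.readerIndex);
            if (hdrVersion.len != 1) {
                throw new EncodingException("version too large");
            }
            version = 0xFF & request[hdrVersion.readerIndex];
        }
        // Skip every tagged element; the first untagged one is requestList.
        while ((hdr.tag & 0x80) != 0) {
            hdr = readHeader(request, hdr.readerIndex + hdr.len);
        }
    }

    // requestList SEQUENCE OF Request
    // Request ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] EXPLICIT OPTIONAL }
    Header hdrRequestList = hdr;
    final int requestListEnd = hdrRequestList.readerIndex + hdrRequestList.len;
    List<CertID> requestList = new ArrayList<>();
    // An empty SEQUENCE OF has no element header to read; the original unconditional loop
    // would have interpreted whatever follows the list as a Request.
    if (hdrRequestList.len > 0) {
        Header hdrSingleReq = readHeader(request, hdrRequestList.readerIndex);
        while (true) {
            // CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
            Header hdrCertId = readHeader(request, hdrSingleReq.readerIndex);
            Header hdrHashAlgo = readHeader(request, hdrCertId.readerIndex);
            Header hdrNameHash = readHeader(request, hdrHashAlgo.readerIndex + hdrHashAlgo.len);
            Header hdrKeyHash = readHeader(request, hdrNameHash.readerIndex + hdrNameHash.len);
            Header hdrSerial = readHeader(request, hdrKeyHash.readerIndex + hdrKeyHash.len);
            // The issuer identity is the raw DER of the first three fields, up to serialNumber.
            int issuerLen = hdrKeyHash.readerIndex + hdrKeyHash.len - hdrCertId.readerIndex;
            RequestIssuer issuer = new RequestIssuer(request, hdrCertId.readerIndex, issuerLen);
            BigInteger serialNumber = new BigInteger(readContent(request, hdrSerial));
            requestList.add(new CertID(issuer, serialNumber));

            // Jumping to the end of this Request skips singleRequestExtensions, if present.
            int nextIndex = hdrSingleReq.readerIndex + hdrSingleReq.len;
            if (nextIndex >= requestListEnd) {
                break;
            }
            hdrSingleReq = readHeader(request, nextIndex);
        }
    }

    // requestExtensions [2] EXPLICIT Extensions OPTIONAL
    List<ExtendedExtension> extensions = new ArrayList<>();
    if (requestListEnd < tbsEnd) {
        hdr = readHeader(request, requestListEnd);
        if ((hdr.tag & 0x80) == 0 || (hdr.tag & 0x1F) != 2) {
            throw new EncodingException("invalid element after requestList");
        }
        Header hdrExtensions = readHeader(request, hdr.readerIndex);
        final int extensionsEnd = hdrExtensions.readerIndex + hdrExtensions.len;
        // Same guard as for requestList: an empty Extensions SEQUENCE has nothing to walk.
        if (hdrExtensions.len > 0) {
            Header hdrExtension = readHeader(request, hdrExtensions.readerIndex);
            while (true) {
                // Whole TLV of one Extension: tag + length octets + content.
                int extensionLen = hdrExtension.readerIndex - hdrExtension.tagIndex + hdrExtension.len;
                ExtendedExtension extn = ExtendedExtension.getInstance(request, hdrExtension.tagIndex, extensionLen);
                // presumably null means "not an extension this responder keeps" — verify in ExtendedExtension
                if (extn != null) {
                    extensions.add(extn);
                }
                int nextIndex = hdrExtension.readerIndex + hdrExtension.len;
                if (nextIndex >= extensionsEnd) {
                    break;
                }
                hdrExtension = readHeader(request, nextIndex);
            }
        }
    }
    return new OcspRequest(version, requestList, extensions);
}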

Example 4 with RequestIssuer

use of org.xipki.ocsp.api.RequestIssuer in project xipki by xipki.

the class ResponseCacher method initIssuerStore.

// method updateCacheStore0
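/**
 * Loads every row of the ISSUER table into {@code issuerStore}.
 *
 * <p>Issuers are identified by their SHA-1 CertID identity (name hash plus key
 * hash). When two rows map to the same identity only the row seen first is
 * kept and the later one is deleted from the table with
 * {@code SQL_DELETE_ISSUER}, since a cached response could not be attributed
 * to one of them. Which row "wins" follows the result order of
 * {@code SQL_SELECT_ISSUER}; that statement is not visible here, so if it has
 * no ORDER BY the choice is database-dependent.
 *
 * @return always {@code true}; no caller-visible failure is signalled through the return value
 * @throws DataAccessException if a statement fails (translated from the {@link SQLException})
 * @throws CertificateException if a stored issuer certificate cannot be parsed
 */
private boolean initIssuerStore() throws DataAccessException, CertificateException {
    PreparedStatement ps = null;
    ResultSet rs = null;
    // Prepared lazily, only when a duplicate is actually found. Declared here so the
    // finally block can release it; the original never released this statement.
    PreparedStatement deleteIssuerStmt = null;
    try {
        ps = prepareStatement(SQL_SELECT_ISSUER);
        rs = ps.executeQuery();
        List<IssuerEntry> caInfos = new LinkedList<>();
        while (rs.next()) {
            int id = rs.getInt("ID");
            X509Certificate cert = X509Util.parseBase64EncodedCert(rs.getString("CERT"));
            IssuerEntry caInfoEntry = new IssuerEntry(id, cert);
            RequestIssuer reqIssuer = new RequestIssuer(HashAlgo.SHA1, caInfoEntry.getEncodedHash(HashAlgo.SHA1));
            String subject = cert.getSubjectX500Principal().getName();

            boolean duplicated = caInfos.stream().anyMatch(existing -> existing.matchHash(reqIssuer));
            if (duplicated) {
                // Row deleted while the SELECT cursor is still open, as in the original.
                if (deleteIssuerStmt == null) {
                    deleteIssuerStmt = prepareStatement(SQL_DELETE_ISSUER);
                }
                deleteIssuerStmt.setInt(1, id);
                deleteIssuerStmt.executeUpdate();
                LOG.warn("Delete duplicated issuer {}: {}", id, subject);
            } else {
                LOG.info("added issuer {}: {}", id, subject);
                caInfos.add(caInfoEntry);
            }
        }
        this.issuerStore = new IssuerStore(caInfos);
        LOG.info("Updated issuers");
    } catch (SQLException ex) {
        throw datasource.translate(SQL_SELECT_ISSUER, ex);
    } finally {
        // releaseResources already tolerates null arguments: the original passed a null
        // ps/rs whenever prepareStatement or executeQuery failed.
        datasource.releaseResources(ps, rs, false);
        if (deleteIssuerStmt != null) {
            datasource.releaseResources(deleteIssuerStmt, null, false);
        }
    }
    return true;
}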
