
Example 1 with OcspQa

use of org.xipki.ocsp.qa.OcspQa in project xipki by xipki.

From class OcspQaStatusCmd, method processResponse:

// method checkParameters
/**
 * Validates a single OCSP response against the expectations configured on this command
 * (expected statuses, revocation times, nonce/certhash/nextUpdate occurrence, signature
 * algorithm and responder issuer) and prints the verdict.
 *
 * @param response       the OCSP response under test
 * @param respIssuer     certificate of the responder's issuer, passed on to the QA check
 * @param issuerHash     hash of the CA the queried certificates were issued by
 * @param serialNumbers  serial numbers that were requested
 * @param encodedCerts   DER-encoded certificates keyed by serial number
 * @return always {@code null}; the verdict is written to the console
 * @throws CmdFailure if at least one validation issue failed
 * @throws Exception  if the QA check itself cannot be performed
 */
@Override
protected Object processResponse(OCSPResp response, X509Certificate respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
    // What the QA engine is told to expect; every value comes from the command's options.
    OcspResponseOption expectation = new OcspResponseOption();
    expectation.setRespIssuer(respIssuer);
    expectation.setSignatureAlgName(sigAlg);
    expectation.setNonceOccurrence(expectedNonceOccurrence);
    expectation.setCerthashOccurrence(expectedCerthashOccurrence);
    expectation.setNextUpdateOccurrence(expectedNextUpdateOccurrence);
    if (isNotBlank(certhashAlg)) {
        expectation.setCerthashAlgId(AlgorithmUtil.getHashAlg(certhashAlg));
    }
    // The QA engine is created on first use and kept for subsequent responses.
    if (ocspQa == null) {
        ocspQa = new OcspQa(securityFactory);
    }
    // noSigVerify is handed straight to the QA engine; by its name it suppresses the signature
    // check, in which case the verdict says nothing about who produced the response.
    ValidationResult verdict = ocspQa.checkOcsp(response, issuerHash, serialNumbers, encodedCerts, expectedOcspError, expectedStatuses, expecteRevTimes, expectation, noSigVerify);
    boolean allOk = verdict.isAllSuccessful();
    StringBuilder report = new StringBuilder(50)
            .append("OCSP response is ")
            .append(allOk ? "valid" : "invalid");
    // Individual issues are listed only in verbose mode, one per line, indented.
    if (verbose.booleanValue()) {
        for (ValidationIssue issue : verdict.getValidationIssues()) {
            format(issue, "    ", report.append("\n"));
        }
    }
    println(report.toString());
    if (allOk) {
        return null;
    }
    throw new CmdFailure("OCSP response is invalid");
}

Example 2 with OcspQa

use of org.xipki.ocsp.qa.OcspQa in project xipki by xipki.

From class BatchOcspQaStatusCmd, method execute0:

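/**
 * Runs the batch OCSP QA: queries the responder once per serial number listed in {@code snFile}
 * and once more for a random serial number that is expected to be unknown, checks every
 * response against the expected status, and writes the exchanged messages, the per-query
 * details and an {@code overview.txt} into the folder named by {@code outDirStr}.
 *
 * <p>When {@code saveReq} and/or {@code saveResp} are set, {@code verify-*.sh} and
 * {@code verify-*.bat} scripts invoking {@code openssl ocsp} are written into the output
 * folder so the saved DER messages can be re-checked with an independent tool.
 *
 * @return always {@code null}; results are reported on the console and in the overview file
 * @throws Exception if the issuer certificates cannot be parsed, the output files cannot be
 *     written or the serial-number file cannot be read. Failures of individual queries are
 *     logged and counted as failed instead of being propagated.
 */
@Override
protected final Object execute0() throws Exception {
    expectedCerthashOccurrence = Occurrence.forName(certhashOccurrenceText);
    expectedNextUpdateOccurrence = Occurrence.forName(nextUpdateOccurrenceText);
    expectedNonceOccurrence = Occurrence.forName(nonceOccurrenceText);

    // Everything written here is ASCII/PEM text; use an explicit charset rather than the
    // platform default that the no-arg getBytes() picks up.
    final java.nio.charset.Charset utf8 = java.nio.charset.StandardCharsets.UTF_8;

    File outDir = new File(outDirStr);
    File messageDir = new File(outDir, "messages");
    messageDir.mkdirs();
    File detailsDir = new File(outDir, "details");
    detailsDir.mkdirs();
    println("The result is saved in the folder " + outDir.getPath());

    // The responder issuer is saved below as "responder-issuer.pem"; the scripts must refer to
    // that exact file name. The "../../" prefix presumes the scripts are executed two levels
    // below outDir (inside a message folder) — TODO confirm against processOcspQuery's layout.
    String linuxIssuer = (respIssuerFile != null) ? "-CAfile ../../responder-issuer.pem" : "-no_cert_verify";
    String winIssuer = (respIssuerFile != null) ? "-CAfile ..\\..\\responder-issuer.pem" : "-no_cert_verify";
    String linuxMsg = "openssl ocsp -text ";
    String winMsg = "openssl ocsp -text ";
    String shellFilePath = null;
    if (saveReq && saveResp) {
        linuxMsg += linuxIssuer + " -reqin request.der -respin response.der";
        winMsg += winIssuer + " -reqin request.der -respin response.der";
        shellFilePath = new File(outDir, "verify-req-resp").getPath();
    } else if (saveReq) {
        // Only the request is kept, so there is no response whose signer could be verified.
        linuxMsg += "-reqin request.der\n";
        winMsg += "-reqin request.der\n";
        shellFilePath = new File(outDir, "verify-req").getPath();
    } else if (saveResp) {
        linuxMsg += linuxIssuer + " -respin response.der\n";
        winMsg += winIssuer + " -respin response.der\n";
        shellFilePath = new File(outDir, "verify-resp").getPath();
    }
    if (shellFilePath != null) {
        File linuxShellFile = new File(shellFilePath + ".sh");
        IoUtil.save(linuxShellFile, ("#!/bin/sh\n" + linuxMsg).getBytes(utf8));
        IoUtil.save(shellFilePath + ".bat", ("@echo off\r\n" + winMsg).getBytes(utf8));
        linuxShellFile.setExecutable(true);
    }

    X509Certificate issuerCert = X509Util.parseCert(issuerCertFile);
    X509Certificate respIssuer = null;
    if (respIssuerFile != null) {
        respIssuer = X509Util.parseCert(IoUtil.expandFilepath(respIssuerFile));
        IoUtil.save(new File(outDir, "responder-issuer.pem"), X509Util.toPemCert(respIssuer).getBytes(utf8));
    }
    RequestOptions requestOptions = getRequestOptions();
    IssuerHash issuerHash = new IssuerHash(HashAlgo.getNonNullInstance(requestOptions.getHashAlgorithmId()), Certificate.getInstance(issuerCert.getEncoded()));

    // Both files are opened inside try-with-resources: opening them beforehand leaked the
    // overview stream whenever the serial-number file could not be opened. Closing order
    // (reader first, then the overview stream) matches the previous finally block.
    try (OutputStream resultOut = new FileOutputStream(new File(outDir, "overview.txt"));
            BufferedReader snReader = new BufferedReader(new FileReader(snFile))) {
        int numSucc = 0;
        int numFail = 0;
        URL serverUrl = new URL(serverUrlStr);
        OcspQa ocspQa = new OcspQa(securityFactory);
        // Content of a line:
        // <hex-encoded serial number>[,<reason code>,<revocation time in epoch seconds>]
        int lineNo = 0;
        String line;
        while ((line = snReader.readLine()) != null) {
            lineNo++;
            line = line.trim();
            // Comments and blank lines are copied into the overview to keep it aligned with the input.
            if (line.startsWith("#") || line.isEmpty()) {
                resultOut.write(line.getBytes(utf8));
                resultOut.write('\n');
                continue;
            }
            String resultText = lineNo + ": " + line + ": ";
            try {
                ValidationResult result = processOcspQuery(ocspQa, line, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions);
                if (result.isAllSuccessful()) {
                    numSucc++;
                    resultText += "valid";
                } else {
                    numFail++;
                    resultText += "invalid";
                }
            } catch (Throwable th) {
                // Best effort: one failing query is logged and counted, the batch goes on.
                LogUtil.error(LOG, th);
                numFail++;
                resultText += "error - " + th.getMessage();
            }
            if (!noout) {
                println(resultText);
            }
            println(resultText, resultOut);
        }

        // Extra query with a random serial number the responder should not know; the expected
        // status for it is "unknown".
        lineNo++;
        SecureRandom random = new SecureRandom();
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        // Clear the sign bit so the two's-complement BigInteger is non-negative.
        bytes[0] = (byte) (0x7F & bytes[0]);
        BigInteger serialNumber = new BigInteger(bytes);
        String resultText = lineNo + ": " + serialNumber.toString(16) + ",unknown: ";
        try {
            ValidationResult result = processOcspQuery(ocspQa, serialNumber, OcspCertStatus.unknown, null, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions);
            if (result.isAllSuccessful()) {
                numSucc++;
                resultText += "valid";
            } else {
                numFail++;
                resultText += "invalid";
            }
        } catch (Throwable th) {
            LogUtil.error(LOG, th);
            numFail++;
            resultText += "error - " + th.getMessage();
        }
        if (!noout) {
            println(resultText);
        }
        println(resultText, resultOut);

        String message = StringUtil.concatObjectsCap(200, "=====BEGIN SUMMARY=====", "\n       url: ", serverUrlStr, "\n       sum: ", numFail + numSucc, "\nsuccessful: ", numSucc, "\n    failed: ", numFail, "\n=====END SUMMARY=====");
        println(message);
        println(message, resultOut);
    }
    return null;
}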
