use of org.xipki.ocsp.qa.OcspQa in project xipki by xipki.
The class OcspQaStatusCmd, method processResponse.
// method checkParameters
@Override
protected Object processResponse(OCSPResp response, X509Certificate respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
    // Expectations the QA engine checks the response against; all of them come
    // from this command's configured fields.
    OcspResponseOption expectations = new OcspResponseOption();
    expectations.setNextUpdateOccurrence(expectedNextUpdateOccurrence);
    expectations.setCerthashOccurrence(expectedCerthashOccurrence);
    expectations.setNonceOccurrence(expectedNonceOccurrence);
    expectations.setRespIssuer(respIssuer);
    expectations.setSignatureAlgName(sigAlg);
    if (isNotBlank(certhashAlg)) {
        expectations.setCerthashAlgId(AlgorithmUtil.getHashAlg(certhashAlg));
    }

    // The QA engine is created on first use and kept for later responses.
    if (ocspQa == null) {
        ocspQa = new OcspQa(securityFactory);
    }

    // noSigVerify is handed through unchanged; presumably it disables the
    // signature check inside checkOcsp, in which case a "valid" verdict says
    // nothing about who produced the response — confirm in OcspQa.
    ValidationResult verdict = ocspQa.checkOcsp(response, issuerHash, serialNumbers, encodedCerts, expectedOcspError, expectedStatuses, expecteRevTimes, expectations, noSigVerify);

    boolean allOk = verdict.isAllSuccessful();
    StringBuilder report = new StringBuilder(50);
    report.append("OCSP response is ").append(allOk ? "valid" : "invalid");
    if (verbose) {
        // One indented line per validation issue reported by the QA engine.
        for (ValidationIssue issue : verdict.getValidationIssues()) {
            report.append("\n");
            format(issue, " ", report);
        }
    }
    println(report.toString());

    if (!allOk) {
        throw new CmdFailure("OCSP response is invalid");
    }
    return null;
}
use of org.xipki.ocsp.qa.OcspQa in project xipki by xipki.
The class BatchOcspQaStatusCmd, method execute0.
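@Override
protected final Object execute0() throws Exception {
    // Parse the textual occurrence expectations once; they are read by the
    // per-query checks.
    expectedCerthashOccurrence = Occurrence.forName(certhashOccurrenceText);
    expectedNextUpdateOccurrence = Occurrence.forName(nextUpdateOccurrenceText);
    expectedNonceOccurrence = Occurrence.forName(nonceOccurrenceText);

    File outDir = new File(outDirStr);
    // Fail here with a clear message instead of later with an obscure one.
    File messageDir = ensureDirectory(new File(outDir, "messages"));
    File detailsDir = ensureDirectory(new File(outDir, "details"));
    println("The result is saved in the folder " + outDir.getPath());

    // Name of the PEM copy of the responder issuer written into outDir below;
    // the generated openssl scripts refer to the very same file name.
    final String respIssuerPemName = "responder-issuer.pem";
    // Without a responder issuer the scripts pass -no_cert_verify, i.e. openssl
    // does not verify the responder's certificate at all.
    String linuxIssuerOpt = (respIssuerFile != null) ? "-CAfile ../../" + respIssuerPemName : "-no_cert_verify";
    String winIssuerOpt = (respIssuerFile != null) ? "-CAfile ..\\..\\" + respIssuerPemName : "-no_cert_verify";
    writeVerifyScripts(outDir, linuxIssuerOpt, winIssuerOpt);

    X509Certificate issuerCert = X509Util.parseCert(issuerCertFile);
    X509Certificate respIssuer = null;
    if (respIssuerFile != null) {
        respIssuer = X509Util.parseCert(IoUtil.expandFilepath(respIssuerFile));
        IoUtil.save(new File(outDir, respIssuerPemName), X509Util.toPemCert(respIssuer).getBytes(OUTPUT_CHARSET));
    }

    RequestOptions requestOptions = getRequestOptions();
    IssuerHash issuerHash = new IssuerHash(HashAlgo.getNonNullInstance(requestOptions.getHashAlgorithmId()), Certificate.getInstance(issuerCert.getEncoded()));
    // Reject a malformed URL before any result file is created.
    URL serverUrl = new URL(serverUrlStr);
    OcspQa ocspQa = new OcspQa(securityFactory);

    int numSucc = 0;
    int numFail = 0;
    // try-with-resources closes both files even when opening the second one or
    // closing the first one fails.
    try (OutputStream resultOut = new FileOutputStream(new File(outDir, "overview.txt"));
            BufferedReader snReader = new BufferedReader(new FileReader(snFile))) {
        // Content of a line:
        // <hex-encoded serial number>[,<reason code>,<revocation time in epoch seconds>]
        // Blank lines and '#' comment lines are copied to overview.txt unchanged.
        int lineNo = 0;
        String line;
        while ((line = snReader.readLine()) != null) {
            lineNo++;
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                resultOut.write(line.getBytes(OUTPUT_CHARSET));
                resultOut.write('\n');
                continue;
            }

            String resultText = lineNo + ": " + line + ": ";
            try {
                ValidationResult result = processOcspQuery(ocspQa, line, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions);
                boolean ok = result.isAllSuccessful();
                if (ok) {
                    numSucc++;
                } else {
                    numFail++;
                }
                resultText += ok ? "valid" : "invalid";
            } catch (Exception ex) {
                // A failing query is counted and logged but must not abort the
                // batch. Errors (e.g. OutOfMemoryError) are deliberately not
                // caught: they indicate a broken environment, not a bad response.
                LogUtil.error(LOG, ex);
                numFail++;
                resultText += "error - " + errorText(ex);
            }
            if (!noout) {
                println(resultText);
            }
            println(resultText, resultOut);
        }

        // One extra query with a random serial number; the responder is expected
        // to report it as unknown.
        lineNo++;
        BigInteger unknownSerial = randomSerialNumber();
        String resultText = lineNo + ": " + unknownSerial.toString(16) + ",unknown: ";
        try {
            ValidationResult result = processOcspQuery(ocspQa, unknownSerial, OcspCertStatus.unknown, null, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions);
            boolean ok = result.isAllSuccessful();
            if (ok) {
                numSucc++;
            } else {
                numFail++;
            }
            resultText += ok ? "valid" : "invalid";
        } catch (Exception ex) {
            LogUtil.error(LOG, ex);
            numFail++;
            resultText += "error - " + errorText(ex);
        }
        if (!noout) {
            println(resultText);
        }
        println(resultText, resultOut);

        String message = StringUtil.concatObjectsCap(200, "=====BEGIN SUMMARY=====", "\n url: ", serverUrlStr, "\n sum: ", numFail + numSucc, "\nsuccessful: ", numSucc, "\n failed: ", numFail, "\n=====END SUMMARY=====");
        println(message);
        println(message, resultOut);
    }
    return null;
}

/** Charset used for every file this command writes and for the serial-number input. */
private static final java.nio.charset.Charset OUTPUT_CHARSET = java.nio.charset.StandardCharsets.UTF_8;

/**
 * Returns {@code dir} after creating it (and missing parents) if necessary.
 *
 * @throws java.io.IOException if the directory does not exist and cannot be created
 */
private static File ensureDirectory(File dir) throws java.io.IOException {
    if (!dir.isDirectory() && !dir.mkdirs()) {
        throw new java.io.IOException("could not create directory " + dir.getPath());
    }
    return dir;
}

/**
 * Writes the verify-*.sh and verify-*.bat helper scripts into {@code outDir}, or
 * nothing when neither saveReq nor saveResp is set. The scripts address the
 * saved request/response and the responder-issuer PEM relative to a directory
 * two levels below {@code outDir} — TODO confirm against processOcspQuery.
 *
 * @param outDir         output folder of this run
 * @param linuxIssuerOpt openssl issuer option for the sh script
 * @param winIssuerOpt   openssl issuer option for the bat script
 */
private void writeVerifyScripts(File outDir, String linuxIssuerOpt, String winIssuerOpt) throws Exception {
    String linuxArgs;
    String winArgs;
    String scriptBase;
    if (saveReq && saveResp) {
        linuxArgs = linuxIssuerOpt + " -reqin request.der -respin response.der";
        winArgs = winIssuerOpt + " -reqin request.der -respin response.der";
        scriptBase = "verify-req-resp";
    } else if (saveReq) {
        // Only the request is saved, so there is no response whose signer could be verified.
        linuxArgs = "-reqin request.der";
        winArgs = "-reqin request.der";
        scriptBase = "verify-req";
    } else if (saveResp) {
        linuxArgs = linuxIssuerOpt + " -respin response.der";
        winArgs = winIssuerOpt + " -respin response.der";
        scriptBase = "verify-resp";
    } else {
        return;
    }

    String basePath = new File(outDir, scriptBase).getPath();
    File shellFile = new File(basePath + ".sh");
    // Each script ends with a line break; the .bat file uses CRLF throughout.
    IoUtil.save(shellFile, ("#!/bin/sh\nopenssl ocsp -text " + linuxArgs + "\n").getBytes(OUTPUT_CHARSET));
    IoUtil.save(basePath + ".bat", ("@echo off\r\nopenssl ocsp -text " + winArgs + "\r\n").getBytes(OUTPUT_CHARSET));
    if (!shellFile.setExecutable(true)) {
        println("could not mark " + shellFile.getPath() + " as executable");
    }
}

/** Returns a random non-negative serial number of at most 127 bits. */
private static BigInteger randomSerialNumber() {
    byte[] bytes = new byte[16];
    new SecureRandom().nextBytes(bytes);
    // Clear the sign bit of the two's-complement encoding so the value is never negative.
    bytes[0] = (byte) (0x7F & bytes[0]);
    return new BigInteger(bytes);
}

/** Message of a failed query; falls back to the exception class when there is no message. */
private static String errorText(Exception ex) {
    String msg = ex.getMessage();
    return (msg != null) ? msg : ex.getClass().getName();
}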