
Example 1 with OcspResponseOption

use of org.xipki.ocsp.qa.OcspResponseOption in project xipki by xipki.

From the class BatchOcspQaStatusCmd, method processOcspQuery:

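/**
 * Sends one OCSP request for {@code serialNumber} to {@code serverUrl}, checks the
 * response against the configured expectations and writes a per-serial report.
 *
 * <p>When {@code saveReq}/{@code saveResp} are set, the raw DER request and/or
 * response are written below {@code messageDir} even if the query itself fails,
 * so a failed exchange can still be analysed offline.
 *
 * @param ocspQa         the checker used to validate the response
 * @param serialNumber   serial number of the certificate to query
 * @param status         expected certificate status; {@code unknown} is mapped to
 *                       {@code good} when the {@code unknownAsGood} option is set
 * @param revTime        expected revocation time (passed through to the checker)
 * @param messageDir     directory for the saved request/response files
 * @param detailsDir     directory for the validation report
 * @param serverUrl      OCSP responder URL
 * @param respIssuer     expected issuer of the responder certificate
 * @param issuerCert     issuer of the queried certificate
 * @param issuerHash     issuer hash used by the checker to match the response
 * @param requestOptions options controlling how the request is built
 * @return the validation result produced by {@code ocspQa.checkOcsp}
 * @throws Exception if the request fails or a file cannot be written
 */
private ValidationResult processOcspQuery(OcspQa ocspQa, BigInteger serialNumber, OcspCertStatus status, Date revTime, File messageDir, File detailsDir, URL serverUrl, X509Certificate respIssuer, X509Certificate issuerCert, IssuerHash issuerHash, RequestOptions requestOptions) throws Exception {
    // Optional relaxation: treat "unknown" as "good" when the operator asked for it.
    if (unknownAsGood && status == OcspCertStatus.unknown) {
        status = OcspCertStatus.good;
    }

    // Hex serial is the file-name stem for both the message files and the report.
    String hexSerial = serialNumber.toString(16);

    // Capture the raw exchange only when at least one side is to be saved.
    RequestResponseDebug debug = null;
    if (saveReq || saveResp) {
        debug = new RequestResponseDebug(saveReq, saveResp);
    }

    OCSPResp response;
    try {
        response = requestor.ask(issuerCert, serialNumber, serverUrl, requestOptions, debug);
    } finally {
        // Runs even when ask() threw, so the failing request is still on disk.
        // NOTE: a write failure here would mask the exception thrown by ask().
        if (debug != null && debug.size() > 0) {
            RequestResponsePair reqResp = debug.get(0);
            if (saveReq) {
                byte[] bytes = reqResp.getRequest();
                if (bytes != null) {
                    IoUtil.save(new File(messageDir, hexSerial + FILE_SEP + "request.der"), bytes);
                }
            }
            if (saveResp) {
                byte[] bytes = reqResp.getResponse();
                if (bytes != null) {
                    IoUtil.save(new File(messageDir, hexSerial + FILE_SEP + "response.der"), bytes);
                }
            }
        }
    }

    // Expectations the response has to meet (nextUpdate/certHash/nonce presence,
    // responder issuer, signature algorithm and optional certHash algorithm).
    OcspResponseOption responseOption = new OcspResponseOption();
    responseOption.setNextUpdateOccurrence(expectedNextUpdateOccurrence);
    responseOption.setCerthashOccurrence(expectedCerthashOccurrence);
    responseOption.setNonceOccurrence(expectedNonceOccurrence);
    responseOption.setRespIssuer(respIssuer);
    responseOption.setSignatureAlgName(sigAlg);
    if (isNotBlank(certhashAlg)) {
        responseOption.setCerthashAlgId(AlgorithmUtil.getHashAlg(certhashAlg));
    }

    // noSigVerify disables checking of the response signature; a response validated
    // with it set proves nothing about the responder's identity.
    ValidationResult ret = ocspQa.checkOcsp(response, issuerHash, serialNumber, null, null, status, responseOption, revTime, noSigVerify.booleanValue());

    String validity = ret.isAllSuccessful() ? "valid" : "invalid";
    StringBuilder sb = new StringBuilder(50);
    sb.append("OCSP response for ").append(serialNumber).append(" (0x").append(hexSerial).append(") is ").append(validity);
    for (ValidationIssue issue : ret.getValidationIssues()) {
        sb.append("\n");
        OcspQaStatusCmd.format(issue, "    ", sb);
    }
    // Encode explicitly: String.getBytes() without a charset uses the platform
    // default, which makes the report content depend on the host's locale settings.
    IoUtil.save(new File(detailsDir, hexSerial + "." + validity),
            sb.toString().getBytes(java.nio.charset.StandardCharsets.UTF_8));
    return ret;
}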

Example 2 with OcspResponseOption

use of org.xipki.ocsp.qa.OcspResponseOption in project xipki by xipki.

From the class OcspQaStatusCmd, method processResponse:

// method checkParameters
/**
 * Validates a received OCSP response against the expectations configured on this
 * command, prints a summary and fails the command when any check did not pass.
 *
 * <p>The per-issue details are only printed when the {@code verbose} option is
 * set; the {@link OcspQa} instance is created lazily on first use.
 *
 * @param response      the OCSP response to validate
 * @param respIssuer    expected issuer of the responder certificate
 * @param issuerHash    issuer hash used by the checker to match the response
 * @param serialNumbers serial numbers that were queried
 * @param encodedCerts  encoded certificates keyed by serial number
 * @return always {@code null}
 * @throws CmdFailure if the response did not pass all checks
 * @throws Exception  if the validation itself fails
 */
@Override
protected Object processResponse(OCSPResp response, X509Certificate respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
    // Expectations derived from the command-line options.
    OcspResponseOption option = new OcspResponseOption();
    option.setNextUpdateOccurrence(expectedNextUpdateOccurrence);
    option.setCerthashOccurrence(expectedCerthashOccurrence);
    option.setNonceOccurrence(expectedNonceOccurrence);
    option.setRespIssuer(respIssuer);
    option.setSignatureAlgName(sigAlg);
    boolean certhashAlgGiven = isNotBlank(certhashAlg);
    if (certhashAlgGiven) {
        option.setCerthashAlgId(AlgorithmUtil.getHashAlg(certhashAlg));
    }

    // Lazily create the checker on first use.
    if (ocspQa == null) {
        ocspQa = new OcspQa(securityFactory);
    }

    // noSigVerify skips signature verification of the response.
    ValidationResult result = ocspQa.checkOcsp(response, issuerHash, serialNumbers, encodedCerts, expectedOcspError, expectedStatuses, expecteRevTimes, option, noSigVerify);
    boolean allPassed = result.isAllSuccessful();

    StringBuilder report = new StringBuilder(50)
            .append("OCSP response is ")
            .append(allPassed ? "valid" : "invalid");
    if (verbose.booleanValue()) {
        for (ValidationIssue issue : result.getValidationIssues()) {
            report.append("\n");
            format(issue, "    ", report);
        }
    }
    println(report.toString());

    if (!allPassed) {
        throw new CmdFailure("OCSP response is invalid");
    }
    return null;
}
