Search in sources :

Example 1 with OcspRequest

use of org.xipki.ocsp.server.impl.type.OcspRequest in project xipki by xipki.

the class Foo method createRequest.

private static byte[] createRequest(Control control) throws Exception {
    GeneralName requestorName = control.withRequestName ? new GeneralName(new X500Name("CN=requestor1")) : null;
    AlgorithmIdentifier algId1 = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE);
    CertID certId1 = new CertID(algId1, new DEROctetString(newBytes(20, (byte) 0x11)), new DEROctetString(newBytes(20, (byte) 0x12)), new ASN1Integer(BigInteger.valueOf(0x1234)));
    Request request1 = new Request(certId1, null);
    AlgorithmIdentifier algId2 = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
    CertID certId2 = new CertID(algId2, new DEROctetString(newBytes(20, (byte) 0x21)), new DEROctetString(newBytes(20, (byte) 0x22)), new ASN1Integer(BigInteger.valueOf(0x1235)));
    Request request2 = new Request(certId2, new Extensions(new Extension(ObjectIdentifiers.id_ad_timeStamping, false, newBytes(30, (byte) 0x33))));
    // CHECKSTYLE:SKIP
    ASN1Sequence requestList = new DERSequence(new ASN1Encodable[] { request1, request2 });
    Extensions requestExtensions = null;
    if (control.withNonce || control.withPrefSigAlgs) {
        int size = 0;
        if (control.withNonce) {
            size++;
        }
        if (control.withPrefSigAlgs) {
            size++;
        }
        Extension[] arrays = new Extension[size];
        int offset = 0;
        if (control.withNonce) {
            arrays[offset++] = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, control.extensionCritical, newBytes(20, (byte) 0x44));
        }
        if (control.withPrefSigAlgs) {
            AlgorithmIdentifier sigAlg1 = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, DERNull.INSTANCE);
            AlgorithmIdentifier sigAlg2 = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption, DERNull.INSTANCE);
            ASN1Sequence seq = new DERSequence(new ASN1Encodable[] { sigAlg1, sigAlg2 });
            arrays[offset++] = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_pref_sig_algs, control.extensionCritical, seq.getEncoded());
        }
        requestExtensions = new Extensions(arrays);
    }
    ASN1EncodableVector vec = new ASN1EncodableVector();
    if (control.version != 0) {
        vec.add(new DERTaggedObject(true, 0, new ASN1Integer(BigInteger.valueOf(control.version))));
    }
    if (requestorName != null) {
        vec.add(new DERTaggedObject(true, 1, requestorName));
    }
    vec.add(requestList);
    if (requestExtensions != null) {
        vec.add(new DERTaggedObject(true, 2, requestExtensions));
    }
    TBSRequest tbsRequest = TBSRequest.getInstance(new DERSequence(vec));
    Signature sig = null;
    if (control.withSignature) {
        sig = new Signature(new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption), new DERBitString(newBytes(256, (byte) 0xFF)));
    }
    return new OCSPRequest(tbsRequest, sig).getEncoded();
}
Also used : CertID(org.bouncycastle.asn1.ocsp.CertID) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) OCSPRequest(org.bouncycastle.asn1.ocsp.OCSPRequest) OcspRequest(org.xipki.ocsp.server.impl.type.OcspRequest) TBSRequest(org.bouncycastle.asn1.ocsp.TBSRequest) Request(org.bouncycastle.asn1.ocsp.Request) DERBitString(org.bouncycastle.asn1.DERBitString) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) Extensions(org.bouncycastle.asn1.x509.Extensions) TBSRequest(org.bouncycastle.asn1.ocsp.TBSRequest) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) Extension(org.bouncycastle.asn1.x509.Extension) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERSequence(org.bouncycastle.asn1.DERSequence) Signature(org.bouncycastle.asn1.ocsp.Signature) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) GeneralName(org.bouncycastle.asn1.x509.GeneralName) OCSPRequest(org.bouncycastle.asn1.ocsp.OCSPRequest)

Example 2 with OcspRequest

use of org.xipki.ocsp.server.impl.type.OcspRequest in project xipki by xipki.

the class OcspServerImpl method answer.

@Override
public OcspRespWithCacheInfo answer(Responder responder2, byte[] request, boolean viaGet) {
    ResponderImpl responder = (ResponderImpl) responder2;
    RequestOption reqOpt = responder.getRequestOption();
    int version;
    try {
        version = OcspRequest.readRequestVersion(request);
    } catch (EncodingException ex) {
        String message = "could not extract version from request";
        LOG.warn(message);
        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
    }
    if (!reqOpt.isVersionAllowed(version)) {
        String message = "invalid request version " + version;
        LOG.warn(message);
        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
    }
    ResponderSigner signer = responder.getSigner();
    ResponseOption repOpt = responder.getResponseOption();
    try {
        Object reqOrRrrorResp = checkSignature(request, reqOpt);
        if (reqOrRrrorResp instanceof OcspRespWithCacheInfo) {
            return (OcspRespWithCacheInfo) reqOrRrrorResp;
        }
        OcspRequest req = (OcspRequest) reqOrRrrorResp;
        List<CertID> requestList = req.getRequestList();
        int requestsSize = requestList.size();
        if (requestsSize > reqOpt.getMaxRequestListCount()) {
            String message = requestsSize + " entries in RequestList, but maximal " + reqOpt.getMaxRequestListCount() + " is allowed";
            LOG.warn(message);
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
        }
        OcspRespControl repControl = new OcspRespControl();
        repControl.canCacheInfo = true;
        List<ExtendedExtension> reqExtensions = req.getExtensions();
        List<Extension> respExtensions = new LinkedList<>();
        ExtendedExtension nonceExtn = removeExtension(reqExtensions, OID.ID_PKIX_OCSP_NONCE);
        if (nonceExtn != null) {
            if (reqOpt.getNonceOccurrence() == TripleState.FORBIDDEN) {
                LOG.warn("nonce forbidden, but is present in the request");
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
            }
            int len = nonceExtn.getExtnValueLength();
            int min = reqOpt.getNonceMinLen();
            int max = reqOpt.getNonceMaxLen();
            if (len < min || len > max) {
                LOG.warn("length of nonce {} not within [{},{}]", len, min, max);
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
            }
            repControl.canCacheInfo = false;
            respExtensions.add(nonceExtn);
        } else {
            if (reqOpt.getNonceOccurrence() == TripleState.REQUIRED) {
                LOG.warn("nonce required, but is not present in the request");
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
            }
        }
        ConcurrentContentSigner concurrentSigner = null;
        if (responder.getResponderOption().getMode() != OcspMode.RFC2560) {
            ExtendedExtension extn = removeExtension(reqExtensions, OID.ID_PKIX_OCSP_PREFSIGALGS);
            if (extn != null) {
                ASN1InputStream asn1Stream = new ASN1InputStream(extn.getExtnValueStream());
                List<AlgorithmIdentifier> prefSigAlgs;
                try {
                    ASN1Sequence seq = ASN1Sequence.getInstance(asn1Stream.readObject());
                    final int size = seq.size();
                    prefSigAlgs = new ArrayList<>(size);
                    for (int i = 0; i < size; i++) {
                        prefSigAlgs.add(AlgorithmIdentifier.getInstance(seq.getObjectAt(i)));
                    }
                } finally {
                    asn1Stream.close();
                }
                concurrentSigner = signer.getSignerForPreferredSigAlgs(prefSigAlgs);
            }
        }
        if (!reqExtensions.isEmpty()) {
            boolean flag = false;
            for (ExtendedExtension m : reqExtensions) {
                if (m.isCritical()) {
                    flag = true;
                    break;
                }
            }
            if (flag) {
                if (LOG.isWarnEnabled()) {
                    List<OID> oids = new LinkedList<>();
                    for (ExtendedExtension m : reqExtensions) {
                        if (m.isCritical()) {
                            oids.add(m.getExtnType());
                        }
                    }
                    LOG.warn("could not process critial request extensions: {}", oids);
                }
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
            }
        }
        if (concurrentSigner == null) {
            concurrentSigner = signer.getFirstSigner();
        }
        AlgorithmCode cacheDbSigAlgCode = null;
        BigInteger cacheDbSerialNumber = null;
        Integer cacheDbIssuerId = null;
        boolean canCacheDb = (requestsSize == 1) && (responseCacher != null) && (nonceExtn == null) && responseCacher.isOnService();
        if (canCacheDb) {
            // try to find the cached response
            CertID certId = requestList.get(0);
            HashAlgo reqHashAlgo = certId.getIssuer().hashAlgorithm();
            if (!reqOpt.allows(reqHashAlgo)) {
                LOG.warn("CertID.hashAlgorithm {} not allowed", reqHashAlgo != null ? reqHashAlgo : certId.getIssuer().hashAlgorithmOID());
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
            }
            cacheDbSigAlgCode = concurrentSigner.getAlgorithmCode();
            cacheDbIssuerId = responseCacher.getIssuerId(certId.getIssuer());
            cacheDbSerialNumber = certId.getSerialNumber();
            if (cacheDbIssuerId != null) {
                OcspRespWithCacheInfo cachedResp = responseCacher.getOcspResponse(cacheDbIssuerId.intValue(), cacheDbSerialNumber, cacheDbSigAlgCode);
                if (cachedResp != null) {
                    return cachedResp;
                }
            } else if (master) {
                // store the issuer certificate in cache database.
                X509Certificate issuerCert = null;
                for (OcspStore store : responder.getStores()) {
                    issuerCert = store.getIssuerCert(certId.getIssuer());
                    if (issuerCert != null) {
                        break;
                    }
                }
                if (issuerCert != null) {
                    cacheDbIssuerId = responseCacher.storeIssuer(issuerCert);
                }
            }
            if (cacheDbIssuerId == null) {
                canCacheDb = false;
            }
        }
        ResponderID responderId = signer.getResponderId(repOpt.isResponderIdByName());
        OCSPRespBuilder builder = new OCSPRespBuilder(responderId);
        for (int i = 0; i < requestsSize; i++) {
            OcspRespWithCacheInfo failureOcspResp = processCertReq(requestList.get(i), builder, responder, reqOpt, repOpt, repControl);
            if (failureOcspResp != null) {
                return failureOcspResp;
            }
        }
        if (repControl.includeExtendedRevokeExtension) {
            respExtensions.add(extension_pkix_ocsp_extendedRevoke);
        }
        if (!respExtensions.isEmpty()) {
            Extensions extns = new Extensions(respExtensions);
            builder.setResponseExtensions(extns);
        }
        TaggedCertSequence certsInResp;
        EmbedCertsMode certsMode = repOpt.getEmbedCertsMode();
        if (certsMode == EmbedCertsMode.SIGNER) {
            certsInResp = signer.getSequenceOfCert();
        } else if (certsMode == EmbedCertsMode.NONE) {
            certsInResp = null;
        } else {
            // certsMode == EmbedCertsMode.SIGNER_AND_CA
            certsInResp = signer.getSequenceOfCertChain();
        }
        byte[] encodeOcspResponse;
        try {
            encodeOcspResponse = builder.buildOCSPResponse(concurrentSigner, certsInResp, new Date());
        } catch (NoIdleSignerException ex) {
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.tryLater);
        } catch (OCSPException ex) {
            LogUtil.error(LOG, ex, "answer() basicOcspBuilder.build");
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.internalError);
        }
        // cache response in database
        if (canCacheDb && repControl.canCacheInfo) {
            // Don't cache the response with status UNKNOWN, since this may result in DDoS
            // of storage
            responseCacher.storeOcspResponse(cacheDbIssuerId.intValue(), cacheDbSerialNumber, repControl.cacheThisUpdate, repControl.cacheNextUpdate, cacheDbSigAlgCode, encodeOcspResponse);
        }
        if (viaGet && repControl.canCacheInfo) {
            ResponseCacheInfo cacheInfo = new ResponseCacheInfo(repControl.cacheThisUpdate);
            if (repControl.cacheNextUpdate != Long.MAX_VALUE) {
                cacheInfo.setNextUpdate(repControl.cacheNextUpdate);
            }
            return new OcspRespWithCacheInfo(encodeOcspResponse, cacheInfo);
        } else {
            return new OcspRespWithCacheInfo(encodeOcspResponse, null);
        }
    } catch (Throwable th) {
        LogUtil.error(LOG, th);
        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.internalError);
    }
}
Also used : EncodingException(org.xipki.ocsp.server.impl.type.EncodingException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) CertID(org.xipki.ocsp.server.impl.type.CertID) ExtendedExtension(org.xipki.ocsp.server.impl.type.ExtendedExtension) HashAlgo(org.xipki.security.HashAlgo) ResponderID(org.xipki.ocsp.server.impl.type.ResponderID) Extensions(org.xipki.ocsp.server.impl.type.Extensions) AlgorithmCode(org.xipki.security.AlgorithmCode) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) OcspStore(org.xipki.ocsp.api.OcspStore) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) OcspRespWithCacheInfo(org.xipki.ocsp.api.OcspRespWithCacheInfo) NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) OID(org.xipki.ocsp.server.impl.type.OID) TaggedCertSequence(org.xipki.ocsp.server.impl.type.TaggedCertSequence) LinkedList(java.util.LinkedList) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) Extension(org.xipki.ocsp.server.impl.type.Extension) WritableOnlyExtension(org.xipki.ocsp.server.impl.type.WritableOnlyExtension) ExtendedExtension(org.xipki.ocsp.server.impl.type.ExtendedExtension) BigInteger(java.math.BigInteger) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) EmbedCertsMode(org.xipki.ocsp.server.impl.jaxb.EmbedCertsMode) ResponseCacheInfo(org.xipki.ocsp.api.OcspRespWithCacheInfo.ResponseCacheInfo) BigInteger(java.math.BigInteger) OcspRequest(org.xipki.ocsp.server.impl.type.OcspRequest)

Aggregations

ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)2 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)2 OcspRequest (org.xipki.ocsp.server.impl.type.OcspRequest)2 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1 BigInteger (java.math.BigInteger)1 X509Certificate (java.security.cert.X509Certificate)1 Date (java.util.Date)1 LinkedList (java.util.LinkedList)1 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)1 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)1 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)1 DERBitString (org.bouncycastle.asn1.DERBitString)1 DEROctetString (org.bouncycastle.asn1.DEROctetString)1 DERSequence (org.bouncycastle.asn1.DERSequence)1 DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)1 CertID (org.bouncycastle.asn1.ocsp.CertID)1 OCSPRequest (org.bouncycastle.asn1.ocsp.OCSPRequest)1 Request (org.bouncycastle.asn1.ocsp.Request)1 Signature (org.bouncycastle.asn1.ocsp.Signature)1 TBSRequest (org.bouncycastle.asn1.ocsp.TBSRequest)1