
Example 1 with IssuerHash

use of org.xipki.security.IssuerHash in project xipki by xipki.

the class BaseOcspStatusAction method execute0.

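/**
 * Sends one OCSP request for the configured serial numbers and processes the response.
 *
 * <p>The serial numbers come either from {@code certFiles} (every file is checked to be
 * issued by {@code issuerCertFile}, and the responder URL may be taken from the
 * certificates when {@code serverUrl} is not set) or from {@code serialNumberList}.
 * When {@code reqout} / {@code respout} are set, the raw request / response bytes are
 * saved, also when the request itself fails.
 *
 * @return the value returned by {@link #processResponse}
 * @throws IllegalCmdParamException if neither serial numbers nor certificate files are
 *         given, a certificate is not issued by the issuer, a serial-number range is too
 *         large, or no responder URL can be determined
 * @throws Exception on I/O, parsing or OCSP errors
 */
@Override
protected final Object execute0() throws Exception {
    if (StringUtil.isBlank(serialNumberList) && isEmpty(certFiles)) {
        throw new IllegalCmdParamException("Neither serialNumbers nor certFiles is set");
    }

    X509Certificate issuerCert = X509Util.parseCert(issuerCertFile);
    List<BigInteger> sns = new LinkedList<>();
    // Stays null when the serial numbers are given on the command line; the callees
    // below accept that.
    Map<BigInteger, byte[]> encodedCerts = null;
    if (isNotEmpty(certFiles)) {
        encodedCerts = collectFromCertFiles(issuerCert, sns);
    } else {
        parseSerialNumberList(sns);
    }

    if (isBlank(serverUrl)) {
        throw new IllegalCmdParamException("could not get URL for the OCSP responder");
    }

    X509Certificate respIssuer = null;
    if (respIssuerFile != null) {
        respIssuer = X509Util.parseCert(IoUtil.expandFilepath(respIssuerFile));
    }

    URL serverUrlObj = new URL(serverUrl);
    RequestOptions options = getRequestOptions();
    checkParameters(respIssuer, sns, encodedCerts);

    boolean saveReq = isNotBlank(reqout);
    boolean saveResp = isNotBlank(respout);
    RequestResponseDebug debug = (saveReq || saveResp)
            ? new RequestResponseDebug(saveReq, saveResp) : null;

    IssuerHash issuerHash = new IssuerHash(
            HashAlgo.getNonNullInstance(options.getHashAlgorithmId()),
            Certificate.getInstance(issuerCert.getEncoded()));

    OCSPResp response;
    try {
        response = requestor.ask(issuerCert, sns.toArray(new BigInteger[0]), serverUrlObj,
                options, debug);
    } finally {
        // Written in finally so that a failed exchange can still be inspected.
        saveDebugMessages(debug, saveReq, saveResp);
    }
    return processResponse(response, respIssuer, issuerHash, sns, encodedCerts);
}

/**
 * Reads every file in {@code certFiles}, checks that it was issued by {@code issuerCert},
 * appends its serial number to {@code sns} and, while {@code serverUrl} is blank, derives
 * the responder URL from the certificates' first OCSP URL (all files must agree on it).
 *
 * @param issuerCert the issuer every certificate must be issued by
 * @param sns receives the serial numbers in file order
 * @return the raw file content of each certificate, keyed by serial number
 * @throws IllegalCmdParamException if a certificate is not issued by {@code issuerCert},
 *         or no / conflicting OCSP URLs are found while {@code serverUrl} is blank
 */
private Map<BigInteger, byte[]> collectFromCertFiles(X509Certificate issuerCert,
        List<BigInteger> sns) throws Exception {
    Map<BigInteger, byte[]> encodedCerts = new HashMap<>(certFiles.size());
    String ocspUrl = null;
    // Decoded lazily; only attribute certificates need it.
    X500Name issuerX500Name = null;

    for (String certFile : certFiles) {
        // Read once: the same bytes are parsed and kept as the "encoded" certificate.
        byte[] encodedCert = IoUtil.read(certFile);
        BigInteger sn;
        List<String> ocspUrls;

        if (isAttrCert) {
            if (issuerX500Name == null) {
                issuerX500Name = X500Name.getInstance(
                        issuerCert.getSubjectX500Principal().getEncoded());
            }
            X509AttributeCertificateHolder cert = new X509AttributeCertificateHolder(encodedCert);
            // Only the issuer name is compared: the attribute certificate's signature is not
            // verified here, and a certificate without an issuer field passes this check.
            AttributeCertificateIssuer reqIssuer = cert.getIssuer();
            if (reqIssuer != null) {
                X500Name[] reqIssuerNames = reqIssuer.getNames();
                // An issuer without a directory name would otherwise throw
                // ArrayIndexOutOfBoundsException on the [0] access.
                if (reqIssuerNames == null || reqIssuerNames.length == 0
                        || !issuerX500Name.equals(reqIssuerNames[0])) {
                    throw new IllegalCmdParamException(
                            "certificate " + certFile + " is not issued by the given issuer");
                }
            }
            ocspUrls = extractOcspUrls(cert);
            sn = cert.getSerialNumber();
        } else {
            X509Certificate cert = X509Util.parseCert(certFile);
            if (!X509Util.issues(issuerCert, cert)) {
                throw new IllegalCmdParamException(
                        "certificate " + certFile + " is not issued by the given issuer");
            }
            ocspUrls = extractOcspUrls(cert);
            sn = cert.getSerialNumber();
        }

        if (isBlank(serverUrl)) {
            if (CollectionUtil.isEmpty(ocspUrls)) {
                throw new IllegalCmdParamException("could not extract OCSP responder URL");
            }
            String url = ocspUrls.get(0);
            if (ocspUrl != null && !ocspUrl.equals(url)) {
                throw new IllegalCmdParamException("given certificates have different"
                        + " OCSP responder URL in certificate");
            }
            ocspUrl = url;
        }

        sns.add(sn);
        encodedCerts.put(sn, encodedCert);
    }

    if (isBlank(serverUrl)) {
        serverUrl = ocspUrl;
    }
    return encodedCerts;
}

/**
 * Parses {@code serialNumberList} into {@code sns}. Entries are separated by commas and/or
 * spaces; an entry is either a single serial number or a {@code from-to} range, which is
 * expanded to every serial number in it. Numbers are parsed as hex when {@code hex} is set.
 *
 * @param sns receives the serial numbers in list order
 * @throws IllegalCmdParamException if the difference between the ends of a range
 *         exceeds 10
 */
private void parseSerialNumberList(List<BigInteger> sns) throws Exception {
    // Bounds the number of serial numbers a single range may expand to.
    final BigInteger maxRangeDiff = BigInteger.TEN;

    StringTokenizer st = new StringTokenizer(serialNumberList, ", ");
    while (st.hasMoreTokens()) {
        StringTokenizer st2 = new StringTokenizer(st.nextToken(), "-");
        BigInteger from = toBigInt(st2.nextToken(), hex);
        if (!st2.hasMoreTokens()) {
            sns.add(from);
            continue;
        }

        BigInteger to = toBigInt(st2.nextToken(), hex);
        BigIntegerRange range = new BigIntegerRange(from, to);
        if (range.getDiff().compareTo(maxRangeDiff) > 0) {
            throw new IllegalCmdParamException("too many serial numbers");
        }
        for (BigInteger sn = range.getFrom(); range.isInRange(sn); sn = sn.add(BigInteger.ONE)) {
            sns.add(sn);
        }
    }
}

/**
 * Saves the first recorded request / response pair to {@code reqout} / {@code respout}.
 * Does nothing when {@code debug} is {@code null} or recorded nothing.
 *
 * @param debug the recorder passed to the requestor, may be {@code null}
 * @param saveReq whether the request is to be written to {@code reqout}
 * @param saveResp whether the response is to be written to {@code respout}
 */
private void saveDebugMessages(RequestResponseDebug debug, boolean saveReq, boolean saveResp)
        throws Exception {
    if (debug == null || debug.size() <= 0) {
        return;
    }
    RequestResponsePair reqResp = debug.get(0);
    if (saveReq) {
        byte[] request = reqResp.getRequest();
        if (request != null) {
            IoUtil.save(reqout, request);
        }
    }
    if (saveResp) {
        byte[] response = reqResp.getResponse();
        if (response != null) {
            IoUtil.save(respout, response);
        }
    }
}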
Also used : RequestResponsePair(org.xipki.common.RequestResponsePair) AttributeCertificateIssuer(org.bouncycastle.cert.AttributeCertificateIssuer) BigIntegerRange(org.xipki.common.util.BigIntegerRange) RequestResponseDebug(org.xipki.common.RequestResponseDebug) RequestOptions(org.xipki.ocsp.client.api.RequestOptions) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder) ASN1String(org.bouncycastle.asn1.ASN1String) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) LinkedList(java.util.LinkedList) URL(java.net.URL) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) StringTokenizer(java.util.StringTokenizer) IssuerHash(org.xipki.security.IssuerHash) IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException) BigInteger(java.math.BigInteger)

Example 2 with IssuerHash

use of org.xipki.security.IssuerHash in project xipki by xipki.

the class BatchOcspQaStatusCmd method execute0.

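/**
 * Runs one OCSP query per line of {@code snFile}, plus one query for a random serial
 * number that the responder should report as unknown, and writes an overview, the
 * exchanged messages and per-query details below {@code outDirStr}. When messages are
 * saved, small {@code openssl ocsp} scripts for re-checking them are written as well.
 *
 * @return always {@code null}
 * @throws Exception if the output directories or files cannot be created, or the issuer
 *         certificate, responder URL or serial-number file cannot be read
 */
@Override
protected final Object execute0() throws Exception {
    expectedCerthashOccurrence = Occurrence.forName(certhashOccurrenceText);
    expectedNextUpdateOccurrence = Occurrence.forName(nextUpdateOccurrenceText);
    expectedNonceOccurrence = Occurrence.forName(nonceOccurrenceText);

    File outDir = new File(outDirStr);
    File messageDir = ensureDirectory(new File(outDir, "messages"));
    File detailsDir = ensureDirectory(new File(outDir, "details"));
    println("The result is saved in the folder " + outDir.getPath());

    // One name for the saved responder-issuer certificate and for the scripts that
    // reference it, so the two cannot drift apart.
    String respIssuerPemName = "responder-issuer.pem";
    writeVerifyScripts(outDir, respIssuerPemName);

    X509Certificate issuerCert = X509Util.parseCert(issuerCertFile);
    X509Certificate respIssuer = null;
    if (respIssuerFile != null) {
        respIssuer = X509Util.parseCert(IoUtil.expandFilepath(respIssuerFile));
        IoUtil.save(new File(outDir, respIssuerPemName), X509Util.toPemCert(respIssuer).getBytes());
    }

    RequestOptions requestOptions = getRequestOptions();
    IssuerHash issuerHash = new IssuerHash(
            HashAlgo.getNonNullInstance(requestOptions.getHashAlgorithmId()),
            Certificate.getInstance(issuerCert.getEncoded()));

    int numSucc = 0;
    int numFail = 0;
    // try-with-resources: both streams are closed even when opening the second one fails.
    try (OutputStream resultOut = new FileOutputStream(new File(outDir, "overview.txt"));
            BufferedReader snReader = new BufferedReader(new FileReader(snFile))) {
        URL serverUrl = new URL(serverUrlStr);
        OcspQa ocspQa = new OcspQa(securityFactory);

        // Content of a line:
        // <hex-encoded serial number>[,<reason code>,<revocation time in epoch seconds>]
        int lineNo = 0;
        String line;
        while ((line = snReader.readLine()) != null) {
            lineNo++;
            line = line.trim();
            if (line.startsWith("#") || line.isEmpty()) {
                // Comments and blank lines are echoed into the overview unchanged.
                resultOut.write(line.getBytes());
                resultOut.write('\n');
                continue;
            }

            String resultText = lineNo + ": " + line + ": ";
            try {
                ValidationResult result = processOcspQuery(ocspQa, line, messageDir, detailsDir,
                        serverUrl, respIssuer, issuerCert, issuerHash, requestOptions);
                boolean ok = result.isAllSuccessful();
                if (ok) {
                    numSucc++;
                } else {
                    numFail++;
                }
                resultText += ok ? "valid" : "invalid";
            } catch (Throwable th) {
                // Deliberately broad: one failing query must not abort the whole batch.
                LogUtil.error(LOG, th);
                numFail++;
                resultText += "error - " + th.getMessage();
            }
            printResultLine(resultText, resultOut);
        }

        // One extra query with a random serial number; the responder is expected to
        // answer "unknown" for it.
        lineNo++;
        BigInteger serialNumber = randomUnknownSerialNumber();
        String resultText = lineNo + ": " + serialNumber.toString(16) + ",unknown: ";
        try {
            ValidationResult result = processOcspQuery(ocspQa, serialNumber,
                    OcspCertStatus.unknown, null, messageDir, detailsDir, serverUrl,
                    respIssuer, issuerCert, issuerHash, requestOptions);
            boolean ok = result.isAllSuccessful();
            if (ok) {
                numSucc++;
            } else {
                numFail++;
            }
            resultText += ok ? "valid" : "invalid";
        } catch (Throwable th) {
            LogUtil.error(LOG, th);
            numFail++;
            resultText += "error - " + th.getMessage();
        }
        printResultLine(resultText, resultOut);

        String message = StringUtil.concatObjectsCap(200, "=====BEGIN SUMMARY=====", "\n       url: ", serverUrlStr, "\n       sum: ", numFail + numSucc, "\nsuccessful: ", numSucc, "\n    failed: ", numFail, "\n=====END SUMMARY=====");
        println(message);
        println(message, resultOut);
    }
    return null;
}

/**
 * Creates {@code dir} (including parents) when it does not exist yet.
 *
 * @return {@code dir}, for chaining
 * @throws java.io.IOException if the directory does not exist afterwards
 */
private static File ensureDirectory(File dir) throws java.io.IOException {
    // mkdirs() returns false both on failure and when the directory already exists,
    // so only the final existence check is meaningful.
    if (!dir.mkdirs() && !dir.isDirectory()) {
        throw new java.io.IOException("could not create directory " + dir.getPath());
    }
    return dir;
}

/**
 * Writes {@code verify-*.sh} / {@code .bat} scripts into {@code outDir} that run
 * {@code openssl ocsp -text} on a saved {@code request.der} / {@code response.der}.
 * Nothing is written when neither requests nor responses are saved.
 *
 * @param outDir output directory of this run
 * @param respIssuerPemName file name (inside {@code outDir}) of the saved responder
 *        issuer certificate, referenced from the scripts when {@code respIssuerFile} is set
 */
private void writeVerifyScripts(File outDir, String respIssuerPemName) throws Exception {
    // The scripts resolve the issuer two levels up, i.e. they are meant to be run from a
    // message directory below outDir/messages — NOTE(review): confirm against
    // processOcspQuery, which decides where request.der / response.der are written.
    // Without a responder issuer, openssl is told not to verify the response signature.
    String linuxIssuer = (respIssuerFile != null)
            ? "-CAfile ../../" + respIssuerPemName : "-no_cert_verify";
    String winIssuer = (respIssuerFile != null)
            ? "-CAfile ..\\..\\" + respIssuerPemName : "-no_cert_verify";

    String linuxArgs;
    String winArgs;
    String scriptName;
    if (saveReq && saveResp) {
        linuxArgs = linuxIssuer + " -reqin request.der -respin response.der";
        winArgs = winIssuer + " -reqin request.der -respin response.der";
        scriptName = "verify-req-resp";
    } else if (saveReq) {
        // A request alone cannot be verified, hence no issuer argument.
        linuxArgs = "-reqin request.der";
        winArgs = "-reqin request.der";
        scriptName = "verify-req";
    } else if (saveResp) {
        linuxArgs = linuxIssuer + " -respin response.der";
        winArgs = winIssuer + " -respin response.der";
        scriptName = "verify-resp";
    } else {
        return;
    }

    String shellFilePath = new File(outDir, scriptName).getPath();
    File linuxShellFile = new File(shellFilePath + ".sh");
    IoUtil.save(linuxShellFile, ("#!/bin/sh\nopenssl ocsp -text " + linuxArgs + "\n").getBytes());
    IoUtil.save(shellFilePath + ".bat", ("@echo off\r\nopenssl ocsp -text " + winArgs + "\n").getBytes());
    // Best effort: the script can still be run via "sh" if the bit cannot be set.
    linuxShellFile.setExecutable(true);
}

/**
 * Returns a random non-negative 128-bit serial number, used to query a serial the
 * responder should not know.
 */
private static BigInteger randomUnknownSerialNumber() {
    byte[] bytes = new byte[16];
    new SecureRandom().nextBytes(bytes);
    // BigInteger(byte[]) is two's complement: clearing the top bit keeps the value non-negative.
    bytes[0] = (byte) (0x7F & bytes[0]);
    return new BigInteger(bytes);
}

/**
 * Prints one result line to the console (unless {@code noout} is set) and always to the
 * overview file.
 */
private void printResultLine(String text, OutputStream resultOut) throws Exception {
    if (!noout) {
        println(text);
    }
    println(text, resultOut);
}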
Also used : RequestOptions(org.xipki.ocsp.client.api.RequestOptions) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) SecureRandom(java.security.SecureRandom) ValidationResult(org.xipki.common.qa.ValidationResult) X509Certificate(java.security.cert.X509Certificate) URL(java.net.URL) IssuerHash(org.xipki.security.IssuerHash) OcspQa(org.xipki.ocsp.qa.OcspQa) FileOutputStream(java.io.FileOutputStream) BufferedReader(java.io.BufferedReader) BigInteger(java.math.BigInteger) FileReader(java.io.FileReader) File(java.io.File)
