diff options
author | Endi S. Dewata <edewata@redhat.com> | 2015-01-29 21:50:46 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-02-16 04:54:34 -0500 |
commit | 944372f857cd631c2cfc51ed7d090912fc2516ff (patch) | |
tree | 1a640c9ef017ca6d4fd58d7f9ae7a1df604669ca /base/util | |
parent | 98b2407eef642cd95296c972393b0c0db46230be (diff) | |
download | pki-944372f857cd631c2cfc51ed7d090912fc2516ff.tar.gz pki-944372f857cd631c2cfc51ed7d090912fc2516ff.tar.xz pki-944372f857cd631c2cfc51ed7d090912fc2516ff.zip |
Refactored OCSPClient.
The OCSPClient CLI has been refactored into an OCSPProcessor
utility class such that the functionality can be reused.
https://fedorahosted.org/pki/ticket/1202
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/CMakeLists.txt | 17 | ||||
-rw-r--r-- | base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java | 170 |
2 files changed, 186 insertions, 1 deletions
diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt index 35b8e0a5b..efef8af53 100644 --- a/base/util/src/CMakeLists.txt +++ b/base/util/src/CMakeLists.txt @@ -30,6 +30,20 @@ find_file(COMMONS_CODEC_JAR /usr/share/java ) +find_file(HTTPCLIENT_JAR + NAMES + httpclient.jar + PATHS + /usr/share/java/httpcomponents +) + +find_file(HTTPCORE_JAR + NAMES + httpcore.jar + PATHS + /usr/share/java/httpcomponents +) + find_file(XALAN_JAR NAMES xalan-j2.jar @@ -92,7 +106,8 @@ javac(pki-cmsutil-classes SOURCES com/netscape/cmsutil/*.java CLASSPATH - ${APACHE_COMMONS_LANG_JAR} ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR} + ${APACHE_COMMONS_LANG_JAR} ${HTTPCORE_JAR} ${HTTPCLIENT_JAR} + ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR} ${JSS_JAR} ${COMMONS_CODEC_JAR} OUTPUT_DIR ${CMAKE_BINARY_DIR}/classes diff --git a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java new file mode 100644 index 000000000..1b85be8b2 --- /dev/null +++ b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java @@ -0,0 +1,170 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmsutil.ocsp; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.InputStream; +import java.math.BigInteger; +import java.security.MessageDigest; + +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + +import org.apache.http.HttpEntity; +import org.apache.http.HttpResponse; +import org.apache.http.client.HttpClient; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.entity.ByteArrayEntity; +import org.apache.http.entity.ContentType; +import org.apache.http.impl.client.DefaultHttpClient; +import org.apache.http.util.EntityUtils; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.asn1.NULL; +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.asn1.OCTET_STRING; +import org.mozilla.jss.asn1.SEQUENCE; +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; + +import com.netscape.cmsutil.util.Utils; + +/** + * This class implements an OCSP utility. + * + * @version $Revision$, $Date$ + */ +public class OCSPProcessor { + + public boolean verbose; + + public OCSPProcessor() { + } + + public void setVerbose(boolean verbose) { + this.verbose = verbose; + } + + public boolean isVerbose() { + return verbose; + } + + /** + * Create OCSP request from binary data. + */ + public OCSPRequest createRequest(byte[] data) throws Exception { + OCSPRequest.Template template = new OCSPRequest.Template(); + return (OCSPRequest)template.decode(new ByteArrayInputStream(data)); + } + + /** + * Create OCSP request from nickname of CA certificate and serial number + * of certificate to be checked. + */ + public OCSPRequest createRequest(String caNickname, BigInteger serialNumber) + throws Exception { + + CryptoManager manager = CryptoManager.getInstance(); + X509Certificate caCert = manager.findCertByNickname(caNickname); + X509CertImpl cert = new X509CertImpl(caCert.getEncoded()); + + X500Name issuerName = (X500Name)cert.getSubjectDN(); + X509Key issuerKey = (X509Key)cert.getPublicKey(); + + return createRequest(issuerName, issuerKey, serialNumber); + } + + /** + * Create OCSP request from issuer name, issuer public key, and serial number + * of certificate to be checked. + */ + public OCSPRequest createRequest(X500Name issuerName, X509Key issuerKey, BigInteger serialNumber) + throws Exception { + + MessageDigest md = MessageDigest.getInstance("SHA"); + + // calculate hashes + byte issuerNameHash[] = md.digest(issuerName.getEncoded()); + byte issuerKeyHash[] = md.digest(issuerKey.getKey()); + + // constructing the OCSP request + CertID certID = new CertID( + new AlgorithmIdentifier( + new OBJECT_IDENTIFIER("1.3.14.3.2.26"), new NULL()), + new OCTET_STRING(issuerNameHash), + new OCTET_STRING(issuerKeyHash), + new INTEGER(serialNumber)); + + Request request = new Request(certID, null); + + SEQUENCE requestList = new SEQUENCE(); + requestList.addElement(request); + + TBSRequest tbsRequest = new TBSRequest(null, null, requestList, null); + + return new OCSPRequest(tbsRequest, null); + } + + public OCSPResponse submitRequest(String url, OCSPRequest request) throws Exception { + + if (verbose) System.out.println("URL: " + url); + + HttpClient httpClient = new DefaultHttpClient(); + + try { + ByteArrayOutputStream os = new ByteArrayOutputStream(); + request.encode(os); + byte[] requestData = os.toByteArray(); + + if (verbose) { + System.out.println("Data Length: " + requestData.length); + System.out.println("Data: " + Utils.base64encode(requestData)); + } + + ByteArrayEntity requestEntity = new ByteArrayEntity(requestData); + requestEntity.setContentType(ContentType.APPLICATION_OCTET_STREAM.getMimeType()); + + HttpPost httpPost = new HttpPost(url); + httpPost.setEntity(requestEntity); + + HttpResponse response = httpClient.execute(httpPost); + HttpEntity responseEntity = response.getEntity(); + + try (InputStream is = responseEntity.getContent()) { + ByteArrayOutputStream buffer = new ByteArrayOutputStream(); + + int b; + while ((b = is.read()) != -1) { + buffer.write(b); + } + + // construct OCSP response + return (OCSPResponse)OCSPResponse.getTemplate().decode( + new ByteArrayInputStream(buffer.toByteArray())); + + } finally { + EntityUtils.consume(responseEntity); + } + + } finally { + httpClient.getConnectionManager().shutdown(); + } + } +} |