authorEndi S. Dewata <edewata@redhat.com>2017-05-23 18:15:17 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-06-17 00:46:43 +0200
commit80ca2e30cd90023ba39b0c93e10b98029ccdf455 (patch)
tree7b8eb88a1695f2cc05fef1be9cd775fd4f416f18 /base
parent8803f28aca4d0b4b55825d13c29772b87aa0de92 (diff)
Added pki ca-cert-status.
A new pki ca-cert-status CLI has been added to check certificate validity using OCSP. By default the CLI will use the CA's internal OCSP service. https://pagure.io/dogtagpki/issue/2652 Change-Id: I0fe3b2f1ca8c7979f9e5fa6d048be2c9883a875d
Diffstat (limited to 'base')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java1
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cert/CertStatusCLI.java165
2 files changed, 166 insertions, 0 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
index d082c0b32..e4e78e9b2 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
@@ -51,6 +51,7 @@ public class CertCLI extends CLI {
addModule(new CertRevokeCLI(this));
addModule(new CertHoldCLI(this));
addModule(new CertReleaseHoldCLI(this));
+ addModule(new CertStatusCLI(this));
addModule(new CertRequestFindCLI(this));
addModule(new CertRequestShowCLI(this));
diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertStatusCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertStatusCLI.java
new file mode 100644
index 000000000..09c508784
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertStatusCLI.java
@@ -0,0 +1,165 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmstools.cert;
+
+import java.io.ByteArrayInputStream;
+import java.math.BigInteger;
+import java.util.List;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+
+import com.netscape.certsrv.authority.AuthorityClient;
+import com.netscape.certsrv.authority.AuthorityData;
+import com.netscape.certsrv.cert.CertClient;
+import com.netscape.certsrv.cert.CertData;
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
+import com.netscape.certsrv.dbs.certdb.CertId;
+import com.netscape.cmstools.cli.CLI;
+import com.netscape.cmstools.cli.CLIException;
+import com.netscape.cmsutil.ocsp.BasicOCSPResponse;
+import com.netscape.cmsutil.ocsp.CertStatus;
+import com.netscape.cmsutil.ocsp.GoodInfo;
+import com.netscape.cmsutil.ocsp.OCSPProcessor;
+import com.netscape.cmsutil.ocsp.OCSPRequest;
+import com.netscape.cmsutil.ocsp.OCSPResponse;
+import com.netscape.cmsutil.ocsp.ResponseData;
+import com.netscape.cmsutil.ocsp.RevokedInfo;
+import com.netscape.cmsutil.ocsp.SingleResponse;
+import com.netscape.cmsutil.ocsp.UnknownInfo;
+import com.netscape.cmsutil.util.Cert;
+import com.netscape.cmsutil.util.Utils;
+
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class CertStatusCLI extends CLI {
+
+ public CertCLI certCLI;
+
+ public CertStatusCLI(CertCLI certCLI) {
+ super("status", "Check certificate status", certCLI);
+ this.certCLI = certCLI;
+
+ createOptions();
+ }
+
+ public void printHelp() {
+ formatter.printHelp(getFullName() + " <serial number> [OPTIONS...]", options);
+ }
+
+ public void createOptions() {
+ Option option = new Option(null, "ocsp", true, "OCSP URL");
+ option.setArgName("URL");
+ options.addOption(option);
+
+ options.addOption("v", "verbose", false, "Run in verbose mode.");
+ options.addOption(null, "help", false, "Show help message.");
+ }
+
+ public void execute(String[] args) throws Exception {
+
+ CommandLine cmd = parser.parse(options, args);
+
+ String[] cmdArgs = cmd.getArgs();
+
+ if (cmd.hasOption("help")) {
+ printHelp();
+ return;
+ }
+
+ if (cmdArgs.length < 1) {
+ throw new Exception("Missing certificate serial number.");
+ }
+
+ CertId certID = new CertId(cmdArgs[0]);
+
+ PKIClient client = getClient();
+ CertClient certClient = new CertClient(client, "ca");
+ AuthorityClient authorityClient = new AuthorityClient(client, "ca");
+
+ ClientConfig config = getConfig();
+ String ocspURL = cmd.getOptionValue("ocsp", config.getServerURL() + "/ca/ocsp");
+
+ OCSPProcessor processor = new OCSPProcessor();
+ processor.setVerbose(verbose);
+ processor.setURL(ocspURL);
+
+ // get certificate data
+ CertData certData = certClient.getCert(certID);
+ String subjectDN = certData.getSubjectDN();
+ String issuerDN = certData.getIssuerDN();
+
+ // find CA that issued the cert
+ List<AuthorityData> authorities = authorityClient.findCAs(null, null, issuerDN, null);
+
+ if (authorities.size() == 0) {
+ throw new CLIException("Unknown certificate issuer: " + issuerDN, 1);
+ }
+
+ // retrieve CA certificate
+ AuthorityData authorityData = authorities.iterator().next();
+ BigInteger issuerSerialNumber = authorityData.getSerial();
+ CertData caCertData = certClient.getCert(new CertId(issuerSerialNumber));
+
+ // parse CA certificate
+ String pemCert = caCertData.getEncoded();
+ String oneLineCert = Cert.normalizeCertStrAndReq(pemCert);
+ String b64Cert = Cert.stripBrackets(oneLineCert);
+ byte[] binCert = Utils.base64decode(b64Cert);
+
+ X509CertImpl caCert = new X509CertImpl(binCert);
+ X500Name caDN = (X500Name)caCert.getSubjectDN();
+ X509Key caKey = (X509Key)caCert.getPublicKey();
+
+ // submit OCSP request
+ OCSPRequest request = processor.createRequest(caDN, caKey, certID.toBigInteger());
+ OCSPResponse response = processor.submitRequest(request);
+
+ // parse OCSP response
+ byte[] binResponse = response.getResponseBytes().getResponse().toByteArray();
+ BasicOCSPResponse basic = (BasicOCSPResponse)BasicOCSPResponse.getTemplate().decode(
+ new ByteArrayInputStream(binResponse));
+
+ ResponseData rd = basic.getResponseData();
+ SingleResponse sr = rd.getResponseAt(0);
+ CertStatus status = sr.getCertStatus();
+
+ System.out.println(" Serial Number: " + certID.toHexString());
+ System.out.println(" Subject DN: " + subjectDN);
+ System.out.println(" Issuer DN: " + issuerDN);
+
+ if (status instanceof GoodInfo) {
+ System.out.println(" Status: Good");
+
+ } else if (status instanceof UnknownInfo) {
+ System.out.println(" Status: Unknown");
+
+ } else if (status instanceof RevokedInfo) {
+ System.out.println(" Status: Revoked");
+ RevokedInfo info = (RevokedInfo) status;
+ System.out.println(" Revoked On: " + info.getRevocationTime().toDate());
+ }
+ }
+}
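Review bot: The OCSP response is unpacked straight from `response.getResponseBytes()` under the `// parse OCSP response` comment without first checking the response status, so a responder error (tryLater, unauthorized, malformedRequest), which carries no response bytes, would presumably surface as a NullPointerException instead of a message; check `response.getResponseStatus()` and throw a `CLIException("OCSP responder returned an error status", 1)`-style error before the decode. The decoded BasicOCSPResponse is then reported as authoritative without verifying its signature or confirming that the SingleResponse's certID matches the serial number that was requested, so the printed status is only as trustworthy as the transport to the responder; since `caDN` and `caKey` are already parsed for building the request, the response signature can be verified against the CA key (or against a responder certificate carried in the response and chained to the CA) before anything is printed. `rd.getResponseAt(0)` likewise assumes the response contains at least one SingleResponse, which should be checked with the same error path. A smaller consistency point: the missing-serial case throws a bare `Exception` while the unknown-issuer case throws `CLIException` with an exit code, so the two failures exit differently for the same kind of usage error.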