Diffstat (limited to 'pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java')
-rw-r--r--pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java296
1 files changed, 157 insertions, 139 deletions
diff --git a/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
index f6dbc4853..c8b531429 100644
--- a/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
+++ b/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.ocsp;
+
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
@@ -66,22 +67,21 @@ import com.netscape.cmsutil.ocsp.OCSPResponse;
import com.netscape.cmsutil.ocsp.ResponderID;
import com.netscape.cmsutil.ocsp.ResponseData;
+
/**
- * A class represents a Certificate Authority that is responsible for
- * certificate specific operations.
+ * A class represents a Certificate Authority that is
+ * responsible for certificate specific operations.
* <P>
- *
+ *
* @author lhsiao
* @version $Revision$, $Date$
*/
-public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
- IAuthority {
+public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, IAuthority {
private long mServedRequests = 0;
private long mServedTime = 0;
- public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER(
- "1.3.6.1.5.5.7.48.1.2");
+ public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2");
private Hashtable mStores = new Hashtable();
private String mId = "ocsp";
@@ -91,7 +91,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
private X509CertImpl mCert = null;
private String[] mSigningAlgorithms = null;
private X500Name mName = null;
- private String mNickname = null;
+ private String mNickname = null;
private String[] mOCSPSigningAlgorithms = null;
private IOCSPStore mDefStore = null;
@@ -106,7 +106,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
/**
* Retrieves the name of this subsystem.
*/
- public String getId() {
+ public String getId() {
return mId;
}
@@ -118,15 +118,16 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
}
/**
- * Initializes this subsystem with the given configuration store.
+ * Initializes this subsystem with the given configuration
+ * store.
* <P>
- *
+ *
* @param owner owner of this subsystem
* @param config configuration store
* @exception EBaseException failed to initialize
*/
- public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
try {
mConfig = config;
@@ -145,10 +146,8 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
while (ids.hasMoreElements()) {
String id = (String) ids.nextElement();
- String className = mConfig.getString(PROP_STORE + "." + id
- + ".class", null);
- IOCSPStore store = (IOCSPStore) Class.forName(className)
- .newInstance();
+ String className = mConfig.getString(PROP_STORE + "." + id + ".class", null);
+ IOCSPStore store = (IOCSPStore) Class.forName(className).newInstance();
store.init(this, mConfig.getSubStore(PROP_STORE + "." + id));
mStores.put(id, store);
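Review bot: `className` on the rewritten line `String className = mConfig.getString(PROP_STORE + "." + id + ".class", null);` defaults to null, so a store id listed in the configuration without a `.class` key reaches `Class.forName(null)` and throws a NullPointerException that the ClassNotFoundException/InstantiationException/IllegalAccessException handlers following this hunk do not catch, which aborts init for every store after it. Since those handlers only log and fall through, store loading is already best-effort, and a null guard before the reflective call keeps that behaviour consistent: `if (className == null) { log(ILogger.LL_FAILURE, "no class configured for OCSP store " + id); continue; }` (or an existing CMSCORE_OCSP_* message key). The class name comes from the operator-controlled config store, so a comment saying so next to the `Class.forName(...).newInstance()` line would also help readers judge the trust boundary. The body of init() starts and ends outside this hunk.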
@@ -157,17 +156,11 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
}
}
} catch (ClassNotFoundException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT",
- e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", e.toString()));
} catch (InstantiationException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT",
- e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", e.toString()));
} catch (IllegalAccessException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT",
- e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", e.toString()));
}
} catch (EBaseException ee) {
if (CMS.isPreOpMode())
@@ -192,9 +185,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
try {
return mConfig.getString(PROP_STORE + "." + id + ".class", null);
} catch (EBaseException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_CLASSPATH", id,
- e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_CLASSPATH", id, e.toString()));
return null;
}
}
@@ -204,9 +195,8 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
X500Name name = getName();
Name.Template nameTemplate = new Name.Template();
- return new NameID(
- (Name) nameTemplate.decode(new ByteArrayInputStream(name
- .getEncoded())));
+ return new NameID((Name) nameTemplate.decode(
+ new ByteArrayInputStream(name.getEncoded())));
} catch (IOException e) {
return null;
} catch (InvalidBERException e) {
@@ -217,18 +207,18 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
public ResponderID getResponderIDByHash() {
/*
- * KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- * --(excluding the tag and length fields)
+ KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ --(excluding the tag and length fields)
*/
- PublicKey publicKey = getSigningUnit().getPublicKey();
+ PublicKey publicKey = getSigningUnit().getPublicKey();
MessageDigest md = null;
try {
- md = MessageDigest.getInstance("SHA1");
+ md = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
return null;
}
- md.update(publicKey.getEncoded());
+ md.update(publicKey.getEncoded());
byte digested[] = md.digest();
return new KeyHashID(new OCTET_STRING(digested));
@@ -249,47 +239,47 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
X509Key caPubKey = null;
try {
- caPubKey = (X509Key) mCert.get(X509CertImpl.PUBLIC_KEY);
+ caPubKey = (X509Key) mCert.get(X509CertImpl.PUBLIC_KEY);
} catch (CertificateParsingException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "CMSCORE_OCSP_RETRIEVE_KEY", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_RETRIEVE_KEY", e.toString()));
}
if (caPubKey == null) {
- return null; // something seriously wrong.
+ return null; // something seriously wrong.
}
AlgorithmId alg = caPubKey.getAlgorithmId();
if (alg == null) {
- return null; // something seriously wrong.
+ return null; // something seriously wrong.
}
mOCSPSigningAlgorithms = AlgorithmId.getSigningAlgorithms(alg);
if (mOCSPSigningAlgorithms == null) {
- CMS.debug("OCSP - no signing algorithms for " + alg.getName());
+ CMS.debug(
+ "OCSP - no signing algorithms for " + alg.getName());
} else {
CMS.debug("OCSP First signing algorithm ");
}
return mOCSPSigningAlgorithms;
}
- public static final OBJECT_IDENTIFIER MD2 = new OBJECT_IDENTIFIER(
- "1.2.840.113549.2.2");
- public static final OBJECT_IDENTIFIER MD5 = new OBJECT_IDENTIFIER(
- "1.2.840.113549.2.5");
- public static final OBJECT_IDENTIFIER SHA1 = new OBJECT_IDENTIFIER(
- "1.3.14.3.2.26");
+ public static final OBJECT_IDENTIFIER MD2 =
+ new OBJECT_IDENTIFIER("1.2.840.113549.2.2");
+ public static final OBJECT_IDENTIFIER MD5 =
+ new OBJECT_IDENTIFIER("1.2.840.113549.2.5");
+ public static final OBJECT_IDENTIFIER SHA1 =
+ new OBJECT_IDENTIFIER("1.3.14.3.2.26");
- public String getDigestName(AlgorithmIdentifier alg) {
- if (alg == null) {
- return null;
- } else if (alg.getOID().equals(MD2)) {
- return "MD2";
- } else if (alg.getOID().equals(MD5)) {
- return "MD5";
- } else if (alg.getOID().equals(SHA1)) {
- return "SHA1"; // 1.3.14.3.2.26
- } else {
- return null;
- }
+ public String getDigestName(AlgorithmIdentifier alg) {
+ if (alg == null) {
+ return null;
+ } else if (alg.getOID().equals(MD2)) {
+ return "MD2";
+ } else if (alg.getOID().equals(MD5)) {
+ return "MD5";
+ } else if (alg.getOID().equals(SHA1)) {
+ return "SHA1"; // 1.3.14.3.2.26
+ } else {
+ return null;
+ }
}
/**
@@ -312,11 +302,12 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
// init cert chain
CryptoManager manager = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate[] chain = manager
- .buildCertificateChain(mSigningUnit.getCert());
+ org.mozilla.jss.crypto.X509Certificate[] chain =
+ manager.buildCertificateChain(mSigningUnit.getCert());
// XXX do this in case other subsyss expect a X509CertImpl
// until JSS implements all methods of X509Certificate
- java.security.cert.X509Certificate[] implchain = new java.security.cert.X509Certificate[chain.length];
+ java.security.cert.X509Certificate[] implchain =
+ new java.security.cert.X509Certificate[chain.length];
for (int i = 0; i < chain.length; i++) {
implchain[i] = new X509CertImpl(chain[i].getEncoded());
@@ -334,17 +325,17 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
} catch (CryptoManager.NotInitializedException e) {
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_SIGNING", e.toString()));
+ CMS.getLogMessage("CMSCORE_OCSP_SIGNING", e.toString()));
} catch (CertificateException e) {
if (Debug.ON)
e.printStackTrace();
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString()));
+ CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString()));
} catch (TokenException e) {
if (Debug.ON)
e.printStackTrace();
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString()));
+ CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString()));
}
}
@@ -367,7 +358,8 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
/**
* Process OCSPRequest.
*/
- public OCSPResponse validate(OCSPRequest request) throws EBaseException {
+ public OCSPResponse validate(OCSPRequest request)
+ throws EBaseException {
long startTime = (CMS.getCurrentDate()).getTime();
OCSPResponse response = mDefStore.validate(request);
long endTime = (CMS.getCurrentDate()).getTime();
@@ -395,8 +387,8 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
}
/**
- * Stops this system. The owner may call shutdown anytime after
- * initialization.
+ * Stops this system. The owner may call shutdown
+ * anytime after initialization.
* <P>
*/
public void shutdown() {
@@ -405,7 +397,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
/**
* Returns the root configuration storage of this system.
* <P>
- *
+ *
* @return configuration store of this subsystem
*/
public IConfigStore getConfigStore() {
@@ -418,35 +410,38 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
/**
* logs a message in the CA area.
- *
* @param level the debug level.
* @param msg the message to debug.
*/
public void log(int event, int level, String msg) {
- mLogger.log(event, ILogger.S_OCSP, level, msg);
+ mLogger.log(event, ILogger.S_OCSP,
+ level, msg);
}
public void log(int level, String msg) {
- mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OCSP, level, msg);
+ mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OCSP,
+ level, msg);
}
- public void setDefaultAlgorithm(String algorithm) throws EBaseException {
+ public void setDefaultAlgorithm(String algorithm)
+ throws EBaseException {
mSigningUnit.setDefaultAlgorithm(algorithm);
}
/**
* Signs the Response Data.
*/
- public BasicOCSPResponse sign(ResponseData rd) throws EBaseException {
+ public BasicOCSPResponse sign(ResponseData rd)
+ throws EBaseException {
try {
DerOutputStream out = new DerOutputStream();
DerOutputStream tmp = new DerOutputStream();
- String algname = mSigningUnit.getDefaultAlgorithm();
+ String algname = mSigningUnit.getDefaultAlgorithm();
byte rd_data[] = ASN1Util.encode(rd);
if (rd_data != null) {
- mTotalData += rd_data.length;
+ mTotalData += rd_data.length;
}
rd.encode(tmp);
AlgorithmId.get(algname).encode(tmp);
@@ -456,30 +451,29 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
tmp.putBitString(signature);
// XXX - optional, put the certificate chains in also
+
DerOutputStream tmpChain = new DerOutputStream();
DerOutputStream tmp1 = new DerOutputStream();
DerOutputStream outChain = new DerOutputStream();
- java.security.cert.X509Certificate chains[] = mCertChain.getChain();
+ java.security.cert.X509Certificate chains[] =
+ mCertChain.getChain();
for (int i = 0; i < chains.length; i++) {
tmpChain.putDerValue(new DerValue(chains[i].getEncoded()));
}
tmp1.write(DerValue.tag_Sequence, tmpChain);
tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0),
- tmp1);
+ tmp1);
out.write(DerValue.tag_Sequence, tmp);
-
- BasicOCSPResponse response = new BasicOCSPResponse(
- out.toByteArray());
+
+ BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray());
return response;
} catch (Exception e) {
e.printStackTrace();
// error e
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE",
- e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString()));
return null;
}
@@ -488,7 +482,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
/**
* Returns default signing unit used by this CA
* <P>
- *
+ *
* @return request identifier
*/
public ISigningUnit getSigningUnit() {
@@ -498,7 +492,6 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
/**
* Retrieves the request queue for the Authority.
* <P>
- *
* @return the request queue.
*/
public IRequestQueue getRequestQueue() {
@@ -548,90 +541,115 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
*/
/**
- * public OCSPResponse processOCSPRequest(OCSPRequest req, OCSPReqProcessor
- * p) throws EBaseException { try { log(ILogger.LL_INFO,
- * "start OCSP request"); TBSRequest tbsReq = request.getTBSRequest();
- *
- * Vector singleResponses = new Vector(); for (int i = 0; i <
- * tbsReq.getRequestCount(); i++) { com.netscape.certsrv.ocsp.asn1.Request
- * req = tbsReq.getRequestAt(i); CertID cid = req.getCertID();
- * SingleResponse sr = p.process(cid); singleResponses.addElement(sr); }
- *
- *
- * SingleResponse res[] = new SingleResponse[singleResponses.size()];
- * singleResponses.copyInto(res);
- *
- * X500Name name = getName(); Name.Template nameTemplate = new
- * Name.Template(); NameID rid = new NameID((Name)nameTemplate.decode( new
- * ByteArrayInputStream(name.getEncoded()))); ResponseData rd = new
- * ResponseData(rid, new GeneralizedTime( CMS.getCurrentDate()), res);
- *
- * BasicOCSPResponse basicRes = sign(rd);
- *
- * OCSPResponse response = new OCSPResponse( OCSPResponseStatus.SUCCESSFUL,
- * new ResponseBytes(ResponseBytes.OCSP_BASIC, new
- * OCTET_STRING(ASN1Util.encode(basicRes))));
- *
- * log(ILogger.LL_INFO, "done OCSP request"); return response; } catch
- * (Exception e) { log(ILogger.LL_FAILURE, "request processing failure " +
- * e); return null; } }
+ public OCSPResponse processOCSPRequest(OCSPRequest req, OCSPReqProcessor p)
+ throws EBaseException
+ {
+ try {
+ log(ILogger.LL_INFO, "start OCSP request");
+ TBSRequest tbsReq = request.getTBSRequest();
+
+ Vector singleResponses = new Vector();
+ for (int i = 0; i < tbsReq.getRequestCount(); i++)
+ {
+ com.netscape.certsrv.ocsp.asn1.Request req =
+ tbsReq.getRequestAt(i);
+ CertID cid = req.getCertID();
+ SingleResponse sr = p.process(cid);
+ singleResponses.addElement(sr);
+ }
+
+
+ SingleResponse res[] = new SingleResponse[singleResponses.size()];
+ singleResponses.copyInto(res);
+
+ X500Name name = getName();
+ Name.Template nameTemplate = new Name.Template();
+ NameID rid = new NameID((Name)nameTemplate.decode(
+ new ByteArrayInputStream(name.getEncoded())));
+ ResponseData rd = new ResponseData(rid, new GeneralizedTime(
+ CMS.getCurrentDate()), res);
+
+ BasicOCSPResponse basicRes = sign(rd);
+
+ OCSPResponse response = new OCSPResponse(
+ OCSPResponseStatus.SUCCESSFUL,
+ new ResponseBytes(ResponseBytes.OCSP_BASIC,
+ new OCTET_STRING(ASN1Util.encode(basicRes))));
+
+ log(ILogger.LL_INFO, "done OCSP request");
+ return response;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, "request processing failure " + e);
+ return null;
+ }
+ }
**/
/**
* Returns the in-memory count of the processed OCSP requests.
- *
+ *
* @return number of processed OCSP requests in memory
*/
- public long getNumOCSPRequest() {
+ public long getNumOCSPRequest()
+ {
return mNumOCSPRequest;
}
/**
- * Returns the in-memory time (in mini-second) of the processed time for
- * OCSP requests.
- *
+ * Returns the in-memory time (in mini-second) of
+ * the processed time for OCSP requests.
+ *
* @return processed times for OCSP requests
*/
- public long getOCSPRequestTotalTime() {
- return mTotalTime;
+ public long getOCSPRequestTotalTime()
+ {
+ return mTotalTime;
}
/**
- * Returns the in-memory time (in mini-second) of the signing time for OCSP
- * requests.
- *
+ * Returns the in-memory time (in mini-second) of
+ * the signing time for OCSP requests.
+ *
* @return processed times for OCSP requests
*/
- public long getOCSPTotalSignTime() {
- return mSignTime;
+ public long getOCSPTotalSignTime()
+ {
+ return mSignTime;
}
- public long getOCSPTotalLookupTime() {
- return mLookupTime;
+ public long getOCSPTotalLookupTime()
+ {
+ return mLookupTime;
}
/**
- * Returns the total data signed for OCSP requests.
- *
+ * Returns the total data signed
+ * for OCSP requests.
+ *
* @return processed times for OCSP requests
*/
- public long getOCSPTotalData() {
- return mTotalData;
+ public long getOCSPTotalData()
+ {
+ return mTotalData;
}
- public void incTotalTime(long inc) {
+ public void incTotalTime(long inc)
+ {
mTotalTime += inc;
}
- public void incSignTime(long inc) {
+ public void incSignTime(long inc)
+ {
mSignTime += inc;
- }
+ }
- public void incLookupTime(long inc) {
+ public void incLookupTime(long inc)
+ {
mLookupTime += inc;
- }
+ }
- public void incNumOCSPRequest(long inc) {
+ public void incNumOCSPRequest(long inc)
+ {
mNumOCSPRequest += inc;
}
}
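Review bot: The accessors from `getNumOCSPRequest` through `incNumOCSPRequest` now put the opening brace on its own line, while the rest of the file (`getId`, `init`, `validate`, `sign` in the earlier hunks) keeps it on the signature line; keep the file's K&R form here, e.g. `public long getNumOCSPRequest() {`. The commented-out `processOCSPRequest` has only been re-indented: it is dead code that would not compile if revived (the parameter is `req`, but the body calls `request.getTBSRequest()` and then redeclares `req` inside the loop), so deleting the block is better than reformatting it. The counters behind `incTotalTime`, `incSignTime`, `incLookupTime` and `incNumOCSPRequest` are updated with plain `+=` and no synchronization; if, as seems likely, this authority is shared across request threads, concurrent updates can lose increments, and an `AtomicLong` or a short Javadoc note that these are approximate statistics would settle the contract.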