From d0f2e4efbd3eb0f1d7f5a28e7f97c1fb4ec027bb Mon Sep 17 00:00:00 2001 From: PKI Team Date: Tue, 18 Mar 2008 22:36:57 +0000 Subject: Initial open source version based upon proprietary Red Hat Certificate System (RHCS) 7.3. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../src/com/netscape/certsrv/ocsp/IDefStore.java | 170 ++++++++++++++++++ .../com/netscape/certsrv/ocsp/IOCSPAuthority.java | 197 +++++++++++++++++++++ .../com/netscape/certsrv/ocsp/IOCSPService.java | 100 +++++++++++ .../src/com/netscape/certsrv/ocsp/IOCSPStore.java | 76 ++++++++ 4 files changed, 543 insertions(+) create mode 100644 pki/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java create mode 100644 pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java create mode 100644 pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java create mode 100644 pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java (limited to 'pki/base/common/src/com/netscape/certsrv/ocsp') diff --git a/pki/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java b/pki/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java new file mode 100644 index 000000000..9fd556fb2 --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/ocsp/IDefStore.java 
@@ -0,0 +1,170 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + + +import java.util.*; +import java.math.*; +import java.security.cert.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.dbs.repository.*; +import com.netscape.cmsutil.ocsp.*; + + +/** + * This class defines an Online Certificate Status Protocol (OCSP) store which + * has been extended to provide information from the internal database. + *

+ * + * @version $Revision: 14561 $, $Date: 2007-05-01 10:28:56 -0700 (Tue, 01 May 2007) $ + */ +public interface IDefStore extends IOCSPStore +{ + /** + * This method retrieves the number of CRL updates since startup. + *

+ * + * @return count the number of OCSP default stores + */ + public int getStateCount(); + + /** + * This method retrieves the number of OCSP requests since startup. + *

+ * + * @param id a string associated with an OCSP request + * @return count the number of this type of OCSP requests + */ + public long getReqCount(String id); + + /** + * This method creates a an OCSP default store repository record. + *

+ * + * @return IRepositoryRecord an instance of the repository record object + */ + public IRepositoryRecord createRepositoryRecord(); + + /** + * This method adds a request to the default OCSP store repository. + *

+ * + * @param name a string representing the name of this request + * @param thisUpdate the current request + * @param rec an instance of the repository record object + * @exception EBaseException occurs when there is an error attempting to + * add this request to the repository + */ + public void addRepository(String name, String thisUpdate, + IRepositoryRecord rec) + throws EBaseException; + + /** + * This method specifies whether or not to wait for the Certificate + * Revocation List (CRL) to be updated. + *

+ * + * @return boolean true or false + */ + public boolean waitOnCRLUpdate(); + + /** + * This method updates the specified CRL. + *

+ * + * @param crl the CRL to be updated + * @exception EBaseException occurs when the CRL cannot be updated + */ + public void updateCRL(X509CRL crl) throws EBaseException; + + /** + * This method attempts to read the CRL issuing point. + *

+ * + * @param name the name of the CRL to be read + * @return ICRLIssuingPointRecord the CRL issuing point + * @exception EBaseException occurs when the specified CRL cannot be located + */ + public ICRLIssuingPointRecord readCRLIssuingPoint(String name) + throws EBaseException; + + /** + * This method searches all CRL issuing points. + *

+ * + * @param maxSize specifies the largest number of hits from the search + * @return Enumeration a list of the CRL issuing points + * @exception EBaseException occurs when no CRL issuing point exists + */ + public Enumeration searchAllCRLIssuingPointRecord( + int maxSize) + throws EBaseException; + + /** + * This method searches all CRL issuing points constrained by the specified + * filtering mechanism. + *

+ * + * @param filter a string which constrains the search + * @param maxSize specifies the largest number of hits from the search + * @return Enumeration a list of the CRL issuing points + * @exception EBaseException occurs when no CRL issuing point exists + */ + public Enumeration searchCRLIssuingPointRecord(String filter, + int maxSize) + throws EBaseException; + + /** + * This method creates a CRL issuing point record. + *

+ * + * @param name a string representation of this CRL issuing point record + * @param crlNumber the number of this CRL issuing point record + * @param crlSize the size of this CRL issuing point record + * @param thisUpdate the time for this CRL issuing point record + * @param nextUpdate the time for the next CRL issuing point record + * @return ICRLIssuingPointRecord this CRL issuing point record + */ + public ICRLIssuingPointRecord createCRLIssuingPointRecord( + String name, BigInteger crlNumber, + Long crlSize, Date thisUpdate, Date nextUpdate); + + /** + * This method adds a CRL issuing point + *

+ * + * @param name a string representation of this CRL issuing point record + * @param rec this CRL issuing point record + * @exception EBaseException occurs when the specified CRL issuing point + * record cannot be added + */ + public void addCRLIssuingPoint(String name, ICRLIssuingPointRecord rec) + throws EBaseException; + + /** + * This method checks to see if the OCSP response should return good + * when the certificate is not found. + *

+ * + * @return boolean true or false + */ + public boolean isNotFoundGood(); +} + diff --git a/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java b/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java new file mode 100644 index 000000000..e9f7b2367 --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPAuthority.java 
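Review bot: `isNotFoundGood()` is documented only as `@return boolean true or false`, which hides that this switch decides whether the responder asserts `good` for a serial it has no record of; RFC 2560/6960 §2.2 reserves `good` for certificates known not to be revoked, and answering `good` for never-issued or unknown serials lets a forged or mis-issued certificate pass revocation checking. I would make the contract explicit in the Javadoc: `@return true if a request for a certificate not found in the store is answered with status good (see RFC 2560/6960 §2.2); false to answer unknown. Enabling this weakens revocation checking and is only safe where the store is guaranteed complete.` Separately, `searchCRLIssuingPointRecord(String filter, int maxSize)` takes a raw `filter` string with no statement of its syntax or of who escapes it; if, as the `dbs` imports suggest, it becomes an LDAP search filter, the Javadoc should say that callers must escape any request-derived input (or that the implementation does). Also `getStateCount()` is described as "the number of CRL updates since startup" while its `@return` says "the number of OCSP default stores" — one of the two is wrong.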
@@ -0,0 +1,197 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + + +import java.util.*; +import java.security.*; +import java.util.Vector; +import java.io.*; +import java.io.InputStream; +import java.io.IOException; + +import org.mozilla.jss.pkix.primitive.*; +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.pkix.cert.Certificate; +import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; +import org.mozilla.jss.asn1.BIT_STRING; + +import netscape.security.x509.*; + +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.security.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.logging.*; + +import com.netscape.cmsutil.ocsp.*; + + +/** + * This class represents the primary interface for the Online Certificate + * Status Protocol (OCSP) server. + *

+ * + * @version $Revision: 14561 $, $Date: 2007-05-01 10:28:56 -0700 (Tue, 01 May 2007) $ + */ +public interface IOCSPAuthority extends ISubsystem +{ + public static final String ID = "ocsp"; + + public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2"); + + public final static String PROP_DEF_STORE_ID = "storeId"; + public final static String PROP_STORE = "store"; + public final static String PROP_SIGNING_SUBSTORE = "signing"; + public static final String PROP_NICKNAME = "certNickname"; + public final static String PROP_NEW_NICKNAME = "newNickname"; + + /** + * This method retrieves the OCSP store given its name. + *

+ * + * @param id the string representation of an OCSP store + * @return IOCSPStore an instance of an OCSP store object + */ + public IOCSPStore getOCSPStore(String id); + + /** + * This method retrieves the signing unit. + *

+ * + * @return ISigningUnit an instance of a signing unit object + */ + public ISigningUnit getSigningUnit(); + + /** + * This method retrieves the responder ID by its name. + *

+ * + * @return ResponderID an instance of a responder ID + */ + public ResponderID getResponderIDByName(); + + /** + * This method retrieves the responder ID by its hash. + *

+ * + * @return ResponderID an instance of a responder ID + */ + public ResponderID getResponderIDByHash(); + + /** + * This method retrieves the default OCSP store + * (i. e. - information from the internal database). + *

+ * + * @return IDefStore an instance of the default OCSP store + */ + public IDefStore getDefaultStore(); + + /** + * This method sets the supplied algorithm as the default signing algorithm. + *

+ * + * @param algorithm a string representing the requested algorithm + * @exception EBaseException if the algorithm is unknown or disallowed + */ + public void setDefaultAlgorithm(String algorithm) + throws EBaseException; + + /** + * This method retrieves the default signing algorithm. + *

+ * + * @return String the name of the default signing algorithm + */ + public String getDefaultAlgorithm(); + + /** + * This method retrieves all potential OCSP signing algorithms. + *

+ * + * @return String[] the names of all potential OCSP signing algorithms + */ + public String[] getOCSPSigningAlgorithms(); + + /** + * This method logs the specified message at the specified level. + *

+ * + * @param level the log level + * @param msg the log message + */ + public void log(int level, String msg); + + /** + * This method logs the specified message at the specified level given + * the specified event. + *

+ * + * @param event the log event + * @param level the log message + * @param msg the log message + */ + public void log(int event, int level, String msg); + + /** + * This method retrieves the X500Name of an OCSP server instance. + *

+ * + * @return X500Name an instance of the X500 name object + */ + public X500Name getName(); + + /** + * This method retrieves an OCSP server instance digest name as a string. + *

+ * + * @param alg the signing algorithm + * @return String the digest name of the related OCSP server + */ + public String getDigestName(AlgorithmIdentifier alg); + + /** + * This method signs the basic OCSP response data provided as a parameter. + *

+ * + * @param rd response data + * @return BasicOCSPResponse signed response data + * @exception EBaseException error associated with an inability to sign + * the specified response data + */ + public BasicOCSPResponse sign(ResponseData rd) + throws EBaseException; + + /** + * This method compares two byte arrays to see if they are equivalent. + *

+ * + * @param bytes the first byte array + * @param ints the second byte array + * @return boolean true or false + */ + public boolean arraysEqual(byte[] bytes, byte[] ints); + + public void incTotalTime(long inc); + public void incSignTime(long inc); + public void incLookupTime(long inc); + public void incNumOCSPRequest(long inc); +} + diff --git a/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java b/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java new file mode 100644 index 000000000..475c527e3 --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPService.java 
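Review bot: The Javadoc on `log(int event, int level, String msg)` documents `@param level the log message`, a copy-paste of the `msg` line; it should read `@param level the log level`. `arraysEqual(byte[] bytes, byte[] ints)` names a `byte[]` parameter `ints` and duplicates `java.util.Arrays.equals(byte[], byte[])`; if it is kept, the Javadoc should state the null behaviour and the equality rule, e.g. `@return true if both arrays are non-null, of equal length and have identical contents`. `setDefaultAlgorithm(String)` and `getOCSPSigningAlgorithms()` are documented independently; since the string set here ends up driving `sign(ResponseData)`, I would promise on `setDefaultAlgorithm` that any value not in `getOCSPSigningAlgorithms()` is rejected with `EBaseException` — presumably the implementation does this, but the interface should say so. The import list also repeats `java.util.Vector`, `java.io.InputStream`, `java.io.IOException`, `INTEGER`, `AlgorithmIdentifier` and `BIT_STRING` beside wildcard imports that already cover them.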
@@ -0,0 +1,100 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + + +import java.util.*; +import java.security.*; +import java.util.Vector; +import java.io.*; +import java.io.InputStream; +import java.io.IOException; + +import org.mozilla.jss.pkix.primitive.*; +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.pkix.cert.Certificate; +import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; +import org.mozilla.jss.asn1.BIT_STRING; + +import netscape.security.x509.*; + +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.logging.*; + +import com.netscape.cmsutil.ocsp.*; + + +/** + * This class represents the servlet that serves the Online Certificate + * Status Protocol (OCSP) requests. + * + * @version $Revision: 14561 $ $Date: 2007-05-01 10:28:56 -0700 (Tue, 01 May 2007) $ + */ +public interface IOCSPService +{ + /** + * This method validates the information associated with the specified + * OCSP request and returns an OCSP response. + *

+ * + * @param r an OCSP request + * @return OCSPResponse the OCSP response associated with the specified + * OCSP request + * @exception EBaseException an error associated with the inability to + * process the supplied OCSP request + */ + public OCSPResponse validate(OCSPRequest r) + throws EBaseException; + + /** + * Returns the in-memory count of the processed OCSP requests. + * + * @return number of processed OCSP requests in memory + */ + public long getNumOCSPRequest(); + + /** + * Returns the in-memory time (in mini-second) of + * the processed time for OCSP requests. + * + * @return processed times for OCSP requests + */ + public long getOCSPRequestTotalTime(); + + /** + * Returns the in-memory time (in mini-second) of + * the signing time for OCSP requests. + * + * @return processed times for OCSP requests + */ + public long getOCSPTotalSignTime(); + + public long getOCSPTotalLookupTime(); + + /** + * Returns the total data signed + * for OCSP requests. + * + * @return processed times for OCSP requests + */ + public long getOCSPTotalData(); +} + diff --git a/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java b/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java new file mode 100644 index 000000000..8480ed6a5 --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/ocsp/IOCSPStore.java 
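Review bot: `validate(OCSPRequest r)` is where attacker-controlled request bytes enter the responder, yet its contract does not say whether a malformed, unsupported or oversized request surfaces as an `EBaseException` or as an `OCSPResponse` carrying `malformedRequest`/`internalError`; the servlet mapping HTTP onto this method needs to know which, so the Javadoc should state it, e.g. `@return the response; requests the responder cannot parse or does not support are answered with the matching OCSP error status rather than thrown` — or the converse, whichever the implementation does. The class comment says "This class represents the servlet", but this is an interface that the servlet implements. The `getOCSPRequestTotalTime` and `getOCSPTotalSignTime` docs say "mini-second" (milliseconds), `getOCSPTotalLookupTime()` has no Javadoc at all, and `getOCSPTotalData()` is described as "processed times for OCSP requests" although its summary says it is the total data signed.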
@@ -0,0 +1,76 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.ocsp; + + +import java.util.*; +import java.math.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.cmsutil.ocsp.*; + + +/** + * This class represents the generic interface for an Online Certificate + * Status Protocol (OCSP) store. Users can plugin different OCSP stores + * by extending this class. For example, imagine that if a user wants to + * use the corporate LDAP server for revocation checking, then the user + * would merely create a new class that extends this class (e. g. - + * "public interface ICorporateLDAPStore extends IOCSPStore"). + *

+ * + * @version $Revision: 14561 $, $Date: 2007-05-01 10:28:56 -0700 (Tue, 01 May 2007) $ + */ +public interface IOCSPStore extends ISubsystem +{ + /** + * This method validates the information associated with the specified + * OCSP request and returns an OCSP response. + *

+ * + * @param req an OCSP request + * @return OCSPResponse the OCSP response associated with the specified + * OCSP request + * @exception EBaseException an error associated with the inability to + * process the supplied OCSP request + */ + public OCSPResponse validate(OCSPRequest req) + throws EBaseException; + + /** + * This method retrieves the configuration parameters associated with this + * OCSP store. + *

+ * + * @return NameValuePairs all configuration items + */ + public NameValuePairs getConfigParameters(); + + /** + * This method stores the configuration parameters specified by the + * passed-in Name Value pairs object. + *

+ * + * @param pairs a name-value pair object + * @exception EBaseException an illegal name-value pair + */ + public void setConfigParameters(NameValuePairs pairs) + throws EBaseException; +} + -- cgit
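Review bot: `IOCSPStore` is the plug-in boundary for revocation data, so `validate(OCSPRequest req)` should spell out the two security-relevant obligations a third-party store must meet, which the current Javadoc leaves implicit: a serial with no record is to be reported as `unknown` (not `good`, per RFC 2560/6960 §2.2), and a request the store cannot interpret is answered with an OCSP error status rather than an unsigned or partial response. The class comment tells implementers to write `public interface ICorporateLDAPStore extends IOCSPStore`, but a store plug-in is a class that implements this interface, so the example should read `public class CorporateLDAPStore implements IOCSPStore`; "plugin" as a verb is "plug in". On `setConfigParameters`, `@exception EBaseException an illegal name-value pair` should say whether unknown keys are rejected or silently ignored, since dropping a misspelled key (for instance one governing the not-found behaviour) leaves the store in a default state the administrator did not intend — confirm against the implementation.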