// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.ocsp; import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.cert.CertificateException; import java.security.cert.CertificateParsingException; import java.util.Enumeration; import java.util.Hashtable; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.asn1.InvalidBERException; import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.pkix.primitive.Name; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authority.IAuthority; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.ocsp.IDefStore; import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.ocsp.IOCSPService; import com.netscape.certsrv.ocsp.IOCSPStore; import com.netscape.certsrv.request.IRequestListener; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.security.ISigningUnit; import com.netscape.cmscore.util.Debug; import com.netscape.cmsutil.ocsp.BasicOCSPResponse; import com.netscape.cmsutil.ocsp.KeyHashID; import com.netscape.cmsutil.ocsp.NameID; import com.netscape.cmsutil.ocsp.OCSPRequest; import com.netscape.cmsutil.ocsp.OCSPResponse; import com.netscape.cmsutil.ocsp.ResponderID; import com.netscape.cmsutil.ocsp.ResponseData; import netscape.security.util.DerOutputStream; import netscape.security.util.DerValue; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CertificateChain; import netscape.security.x509.X500Name; import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509Key; /** * A class represents a Certificate Authority that is * responsible for certificate specific operations. *
*
* @author lhsiao
* @version $Revision$, $Date$
*/
public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, IAuthority {
private long mServedTime = 0;
public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2");
private Hashtable
*
* @param owner owner of this subsystem
* @param config configuration store
* @exception EBaseException failed to initialize
*/
public void init(ISubsystem owner, IConfigStore config)
throws EBaseException {
try {
mConfig = config;
initSigUnit();
// create default OCSP Store
try {
String defStoreId = mConfig.getString(PROP_DEF_STORE_ID, null);
if (defStoreId == null) {
throw new EBaseException("default id not found");
}
IConfigStore storeConfig = mConfig.getSubStore(PROP_STORE);
Enumeration
*/
public void shutdown() {
}
/**
* Returns the root configuration storage of this system.
*
*
* @return configuration store of this subsystem
*/
public IConfigStore getConfigStore() {
return mConfig;
}
public String getDefaultAlgorithm() {
return mSigningUnit.getDefaultAlgorithm();
}
/**
* logs a message in the CA area.
*
* @param level the debug level.
* @param msg the message to debug.
*/
public void log(int event, int level, String msg) {
mLogger.log(event, ILogger.S_OCSP,
level, msg);
}
public void log(int level, String msg) {
mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OCSP,
level, msg);
}
public void setDefaultAlgorithm(String algorithm)
throws EBaseException {
mSigningUnit.setDefaultAlgorithm(algorithm);
}
/**
* Signs the Response Data.
*/
public BasicOCSPResponse sign(ResponseData rd)
throws EBaseException {
try (DerOutputStream out = new DerOutputStream()) {
DerOutputStream tmp = new DerOutputStream();
String algname = mSigningUnit.getDefaultAlgorithm();
byte rd_data[] = ASN1Util.encode(rd);
if (rd_data != null) {
mTotalData += rd_data.length;
}
rd.encode(tmp);
AlgorithmId.get(algname).encode(tmp);
CMS.debug("OCSPAuthority: adding signature");
byte[] signature = mSigningUnit.sign(rd_data, algname);
tmp.putBitString(signature);
// XXX - optional, put the certificate chains in also
DerOutputStream tmpChain = new DerOutputStream();
DerOutputStream tmp1 = new DerOutputStream();
java.security.cert.X509Certificate chains[] =
mCertChain.getChain();
for (int i = 0; i < chains.length; i++) {
tmpChain.putDerValue(new DerValue(chains[i].getEncoded()));
}
tmp1.write(DerValue.tag_Sequence, tmpChain);
tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0),
tmp1);
out.write(DerValue.tag_Sequence, tmp);
BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray());
return response;
} catch (Exception e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString()));
throw new EBaseException(e);
}
}
/**
* Returns default signing unit used by this CA
*
*
* @return request identifier
*/
public ISigningUnit getSigningUnit() {
return mSigningUnit;
}
/**
* Retrieves the request queue for the Authority.
*
*
* @return the request queue.
*/
public IRequestQueue getRequestQueue() {
return null;
}
/**
* Registers request completed class.
*/
public void registerRequestListener(IRequestListener listener) {
}
/**
* Registers pending request class.
*/
public void registerPendingListener(IRequestListener listener) {
}
/**
* nickname of signing (id) cert
*/
public String getNickname() {
return mNickname;
}
public String getNewNickName() throws EBaseException {
return mConfig.getString(PROP_NEW_NICKNAME, "");
}
public void setNewNickName(String name) {
mConfig.putString(PROP_NEW_NICKNAME, name);
}
public void setNickname(String str) {
mConfig.putString(PROP_NICKNAME, str);
}
/**
* return official product name.
*/
public String getOfficialName() {
return "ocsp";
}
/**
* Utility functions for processing OCSP request.
*/
/**
* public OCSPResponse processOCSPRequest(OCSPRequest req, OCSPReqProcessor p)
* throws EBaseException
* {
* try {
* log(ILogger.LL_INFO, "start OCSP request");
* TBSRequest tbsReq = request.getTBSRequest();
*
* Vector singleResponses = new Vector();
* for (int i = 0; i < tbsReq.getRequestCount(); i++)
* {
* com.netscape.certsrv.ocsp.asn1.Request req =
* tbsReq.getRequestAt(i);
* CertID cid = req.getCertID();
* SingleResponse sr = p.process(cid);
* singleResponses.addElement(sr);
* }
*
*
* SingleResponse res[] = new SingleResponse[singleResponses.size()];
* singleResponses.copyInto(res);
*
* X500Name name = getName();
* Name.Template nameTemplate = new Name.Template();
* NameID rid = new NameID((Name)nameTemplate.decode(
* new ByteArrayInputStream(name.getEncoded())));
* ResponseData rd = new ResponseData(rid, new GeneralizedTime(
* CMS.getCurrentDate()), res);
*
* BasicOCSPResponse basicRes = sign(rd);
*
* OCSPResponse response = new OCSPResponse(
* OCSPResponseStatus.SUCCESSFUL,
* new ResponseBytes(ResponseBytes.OCSP_BASIC,
* new OCTET_STRING(ASN1Util.encode(basicRes))));
*
* log(ILogger.LL_INFO, "done OCSP request");
* return response;
* } catch (Exception e) {
* log(ILogger.LL_FAILURE, "request processing failure " + e);
* return null;
* }
* }
**/
/**
* Returns the in-memory count of the processed OCSP requests.
*
* @return number of processed OCSP requests in memory
*/
public long getNumOCSPRequest() {
return mNumOCSPRequest;
}
/**
* Returns the in-memory time (in mini-second) of
* the processed time for OCSP requests.
*
* @return processed times for OCSP requests
*/
public long getOCSPRequestTotalTime() {
return mTotalTime;
}
/**
* Returns the in-memory time (in mini-second) of
* the signing time for OCSP requests.
*
* @return processed times for OCSP requests
*/
public long getOCSPTotalSignTime() {
return mSignTime;
}
public long getOCSPTotalLookupTime() {
return mLookupTime;
}
/**
* Returns the total data signed
* for OCSP requests.
*
* @return processed times for OCSP requests
*/
public long getOCSPTotalData() {
return mTotalData;
}
public void incTotalTime(long inc) {
mTotalTime += inc;
}
public void incSignTime(long inc) {
mSignTime += inc;
}
public void incLookupTime(long inc) {
mLookupTime += inc;
}
public void incNumOCSPRequest(long inc) {
mNumOCSPRequest += inc;
}
}