Diffstat (limited to 'pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java')
-rw-r--r-- | pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 296 |
1 files changed, 139 insertions, 157 deletions
diff --git a/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java index c8b53142..f6dbc485 100644 --- a/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java +++ b/pki/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.ocsp; - import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.MessageDigest; @@ -67,21 +66,22 @@ import com.netscape.cmsutil.ocsp.OCSPResponse; import com.netscape.cmsutil.ocsp.ResponderID; import com.netscape.cmsutil.ocsp.ResponseData; - /** - * A class represents a Certificate Authority that is - * responsible for certificate specific operations. + * A class represents a Certificate Authority that is responsible for + * certificate specific operations. * <P> - * + * * @author lhsiao * @version $Revision$, $Date$ */ -public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, IAuthority { +public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, + IAuthority { private long mServedRequests = 0; private long mServedTime = 0; - public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2"); + public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER( + "1.3.6.1.5.5.7.48.1.2"); private Hashtable mStores = new Hashtable(); private String mId = "ocsp"; @@ -91,7 +91,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, private X509CertImpl mCert = null; private String[] mSigningAlgorithms = null; private X500Name mName = null; - private String mNickname = null; + private String mNickname = null; private String[] mOCSPSigningAlgorithms = null; private IOCSPStore mDefStore = null; 
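Review bot: The class Javadoc reflowed in the @@ -67 hunk still reads "A class represents a Certificate Authority that is responsible for certificate specific operations", which does not describe this class — the fields and methods visible in the diff register IOCSPStore instances, pick a default store, and sign OCSP responses. I would reword the summary to `Subsystem that owns the OCSP signing unit and the configured {@link IOCSPStore} instances, and signs OCSP responses.` so a reader is not sent looking for CA logic here. In the same hunk `private Hashtable mStores = new Hashtable();` is a raw type; if the project's compiler level allows generics, `Hashtable<String, IOCSPStore>` would remove the cast-free `(IOCSPStore)` assumptions at the call sites. The reformatting itself is fine.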
@@ -106,7 +106,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, /** * Retrieves the name of this subsystem. */ - public String getId() { + public String getId() { return mId; } @@ -118,16 +118,15 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, } /** - * Initializes this subsystem with the given configuration - * store. + * Initializes this subsystem with the given configuration store. * <P> - * + * * @param owner owner of this subsystem * @param config configuration store * @exception EBaseException failed to initialize */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { try { mConfig = config; @@ -146,8 +145,10 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, while (ids.hasMoreElements()) { String id = (String) ids.nextElement(); - String className = mConfig.getString(PROP_STORE + "." + id + ".class", null); - IOCSPStore store = (IOCSPStore) Class.forName(className).newInstance(); + String className = mConfig.getString(PROP_STORE + "." + id + + ".class", null); + IOCSPStore store = (IOCSPStore) Class.forName(className) + .newInstance(); store.init(this, mConfig.getSubStore(PROP_STORE + "." + id)); mStores.put(id, store); 
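Review bot: In the @@ -146 hunk `className` is read with `mConfig.getString(PROP_STORE + "." + id + ".class", null)` and then passed straight to `Class.forName(className)`; for a store id with no `.class` key the default null produces a NullPointerException, which none of the surrounding catches (ClassNotFoundException, InstantiationException, IllegalAccessException) handle, so a single misconfigured store entry aborts the whole init(). A guard such as `if (className == null) { log(ILogger.LL_FAILURE, "no class configured for OCSP store " + id); continue; }` before the reflective call would turn that into the same log-and-skip behaviour the other failures get. The `init` body begins and ends outside this hunk.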
@@ -156,11 +157,17 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, } } } catch (ClassNotFoundException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", + e.toString())); } catch (InstantiationException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", + e.toString())); } catch (IllegalAccessException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_OCSP_SIGNING_UNIT", + e.toString())); } } catch (EBaseException ee) { if (CMS.isPreOpMode()) @@ -185,7 +192,9 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, try { return mConfig.getString(PROP_STORE + "." + id + ".class", null); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_CLASSPATH", id, e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_OCSP_CLASSPATH", id, + e.toString())); return null; } } @@ -195,8 +204,9 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, X500Name name = getName(); Name.Template nameTemplate = new Name.Template(); - return new NameID((Name) nameTemplate.decode( - new ByteArrayInputStream(name.getEncoded()))); + return new NameID( + (Name) nameTemplate.decode(new ByteArrayInputStream(name + .getEncoded()))); } catch (IOException e) { return null; } catch (InvalidBERException e) { 
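Review bot: The three catch blocks at the top of the @@ -156 hunk all log the store-instantiation failure under the key `CMSCORE_OCSP_SIGNING_UNIT`, which names the signing unit rather than the OCSP store that failed to load, and then let init() continue with that store missing from mStores. If the log key is shared with the signing-unit path, a reader of the log cannot tell which component failed; a dedicated message naming the store id, or at least appending `id` to the logged text, would make the failure diagnosable. Since the three blocks are identical apart from the exception type, collapsing them (multi-catch if the project's Java level permits, otherwise one `catch (Exception e)` narrowed by an instanceof check is not worth it — keep three but share a helper) would also shrink the hunk. The enclosing try/catch begins in the previous hunk.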
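Review bot: In the @@ -195 hunk `getResponderIDByName` returns null on both IOException and InvalidBERException without logging, unlike every other catch in this file, which records the failure through `log(ILogger.LL_FAILURE, ...)`. A null responder ID presumably surfaces later as a failed or malformed response with no trace of the cause; I would add the same `log(ILogger.LL_FAILURE, ...)` call in both catches before `return null;`, or document on the method that null means "name could not be DER-decoded". The method's signature and the end of its second catch lie outside the hunk.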
@@ -207,18 +217,18 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, public ResponderID getResponderIDByHash() { /* - KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key - --(excluding the tag and length fields) + * KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key + * --(excluding the tag and length fields) */ - PublicKey publicKey = getSigningUnit().getPublicKey(); + PublicKey publicKey = getSigningUnit().getPublicKey(); MessageDigest md = null; try { - md = MessageDigest.getInstance("SHA1"); + md = MessageDigest.getInstance("SHA1"); } catch (NoSuchAlgorithmException e) { return null; } - md.update(publicKey.getEncoded()); + md.update(publicKey.getEncoded()); byte digested[] = md.digest(); return new KeyHashID(new OCTET_STRING(digested)); 
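Review bot: `getResponderIDByHash` returns null when `MessageDigest.getInstance("SHA1")` throws NoSuchAlgorithmException, silently, and the caller has no way to distinguish that from other failures; since SHA-1 is always present in a JCE provider, a missing algorithm here indicates a broken provider setup and deserves a `log(ILogger.LL_FAILURE, ...)` call before `return null;`. The use of SHA-1 itself is correct and should not be "upgraded": the KeyHash definition quoted in the comment above fixes the digest as SHA-1 of the public key, so I would extend that comment with `// SHA-1 is fixed by the KeyHash definition (RFC 6960 4.2.1), not a selectable signature digest` to stop future scanners from flagging it. `getSigningUnit().getPublicKey()` is dereferenced without a null check; if the signing unit can be unset before init completes, that is a second silent failure path — confirm against the signing-unit initialisation.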
@@ -239,47 +249,47 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, X509Key caPubKey = null; try { - caPubKey = (X509Key) mCert.get(X509CertImpl.PUBLIC_KEY); + caPubKey = (X509Key) mCert.get(X509CertImpl.PUBLIC_KEY); } catch (CertificateParsingException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_RETRIEVE_KEY", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_OCSP_RETRIEVE_KEY", e.toString())); } if (caPubKey == null) { - return null; // something seriously wrong. + return null; // something seriously wrong. } AlgorithmId alg = caPubKey.getAlgorithmId(); if (alg == null) { - return null; // something seriously wrong. + return null; // something seriously wrong. } mOCSPSigningAlgorithms = AlgorithmId.getSigningAlgorithms(alg); if (mOCSPSigningAlgorithms == null) { - CMS.debug( - "OCSP - no signing algorithms for " + alg.getName()); + CMS.debug("OCSP - no signing algorithms for " + alg.getName()); } else { CMS.debug("OCSP First signing algorithm "); } return mOCSPSigningAlgorithms; } - public static final OBJECT_IDENTIFIER MD2 = - new OBJECT_IDENTIFIER("1.2.840.113549.2.2"); - public static final OBJECT_IDENTIFIER MD5 = - new OBJECT_IDENTIFIER("1.2.840.113549.2.5"); - public static final OBJECT_IDENTIFIER SHA1 = - new OBJECT_IDENTIFIER("1.3.14.3.2.26"); + public static final OBJECT_IDENTIFIER MD2 = new OBJECT_IDENTIFIER( + "1.2.840.113549.2.2"); + public static final OBJECT_IDENTIFIER MD5 = new OBJECT_IDENTIFIER( + "1.2.840.113549.2.5"); + public static final OBJECT_IDENTIFIER SHA1 = new OBJECT_IDENTIFIER( + "1.3.14.3.2.26"); - public String getDigestName(AlgorithmIdentifier alg) { - if (alg == null) { - return null; - } else if (alg.getOID().equals(MD2)) { - return "MD2"; - } else if (alg.getOID().equals(MD5)) { - return "MD5"; - } else if (alg.getOID().equals(SHA1)) { - return "SHA1"; // 1.3.14.3.2.26 - } else { - return null; - } + public String getDigestName(AlgorithmIdentifier alg) { + 
if (alg == null) { + return null; + } else if (alg.getOID().equals(MD2)) { + return "MD2"; + } else if (alg.getOID().equals(MD5)) { + return "MD5"; + } else if (alg.getOID().equals(SHA1)) { + return "SHA1"; // 1.3.14.3.2.26 + } else { + return null; + } } /** @@ -302,12 +312,11 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, // init cert chain CryptoManager manager = CryptoManager.getInstance(); - org.mozilla.jss.crypto.X509Certificate[] chain = - manager.buildCertificateChain(mSigningUnit.getCert()); + org.mozilla.jss.crypto.X509Certificate[] chain = manager + .buildCertificateChain(mSigningUnit.getCert()); // XXX do this in case other subsyss expect a X509CertImpl // until JSS implements all methods of X509Certificate - java.security.cert.X509Certificate[] implchain = - new java.security.cert.X509Certificate[chain.length]; + java.security.cert.X509Certificate[] implchain = new java.security.cert.X509Certificate[chain.length]; for (int i = 0; i < chain.length; i++) { implchain[i] = new X509CertImpl(chain[i].getEncoded()); @@ -325,17 +334,17 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, } catch (CryptoManager.NotInitializedException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_OCSP_SIGNING", e.toString())); + CMS.getLogMessage("CMSCORE_OCSP_SIGNING", e.toString())); } catch (CertificateException e) { if (Debug.ON) e.printStackTrace(); log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString())); + CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString())); } catch (TokenException e) { if (Debug.ON) e.printStackTrace(); log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString())); + CMS.getLogMessage("CMSCORE_OCSP_CHAIN", e.toString())); } } 
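Review bot: In the @@ -239 hunk the else branch logs `CMS.debug("OCSP First signing algorithm ");` with nothing after it — the algorithm name the message promises is never appended, so the debug line is useless. I would write `} else if (mOCSPSigningAlgorithms.length > 0) {` followed by `CMS.debug("OCSP First signing algorithm " + mOCSPSigningAlgorithms[0]);` so an empty array does not throw. `getDigestName` and the MD2/MD5/SHA1 constants introduced just above it carry no Javadoc; a one-line `/** Maps a digest AlgorithmIdentifier OID to its JCA name, or null if unrecognised. */` would help, and the Javadoc should state that MD2 and MD5 are listed for decoding legacy CertIDs only, because whether any caller relies on this method to accept signature digests is not visible from this diff and those two digests are not acceptable for signatures.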
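Review bot: The catch blocks in the @@ -325 hunk log the CryptoManager.NotInitializedException, CertificateException and TokenException cases and then fall through, so the method (which begins in the @@ -302 hunk and ends outside it) returns normally after failing to build the signing certificate chain. Later in this diff `sign()` calls `mCertChain.getChain()` with no null check, so if the chain field assigned in this method is what `mCertChain` refers to, a logged-and-ignored failure here becomes a NullPointerException at response-signing time; consider rethrowing as EBaseException after logging, or at least documenting that the authority is unusable when this method logs `CMSCORE_OCSP_CHAIN`. The two `if (Debug.ON) e.printStackTrace();` statements are unbraced single-line ifs, which the rest of this reformatting commit otherwise avoids.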
@@ -358,8 +367,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, /** * Process OCSPRequest. */ - public OCSPResponse validate(OCSPRequest request) - throws EBaseException { + public OCSPResponse validate(OCSPRequest request) throws EBaseException { long startTime = (CMS.getCurrentDate()).getTime(); OCSPResponse response = mDefStore.validate(request); long endTime = (CMS.getCurrentDate()).getTime(); @@ -387,8 +395,8 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, } /** - * Stops this system. The owner may call shutdown - * anytime after initialization. + * Stops this system. The owner may call shutdown anytime after + * initialization. * <P> */ public void shutdown() { @@ -397,7 +405,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, /** * Returns the root configuration storage of this system. * <P> - * + * * @return configuration store of this subsystem */ public IConfigStore getConfigStore() { 
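Review bot: `validate(OCSPRequest request)` in the @@ -358 hunk calls `mDefStore.validate(request)` directly; if no default store was configured or its class failed to load (the init() hunks earlier in this diff log and continue in that case), every request hits a NullPointerException instead of the declared EBaseException. A guard at the top of the method that throws an EBaseException carrying a message such as "no default OCSP store configured" would give operators an actionable error and keep the method's contract. The elapsed-time measurement uses `CMS.getCurrentDate()` at both ends, so wall-clock adjustments between the two calls would be recorded as served time — acceptable for statistics, but worth a comment if that is intentional. The body continues past the hunk.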
@@ -410,38 +418,35 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, /** * logs a message in the CA area. + * * @param level the debug level. * @param msg the message to debug. */ public void log(int event, int level, String msg) { - mLogger.log(event, ILogger.S_OCSP, - level, msg); + mLogger.log(event, ILogger.S_OCSP, level, msg); } public void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OCSP, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OCSP, level, msg); } - public void setDefaultAlgorithm(String algorithm) - throws EBaseException { + public void setDefaultAlgorithm(String algorithm) throws EBaseException { mSigningUnit.setDefaultAlgorithm(algorithm); } /** * Signs the Response Data. */ - public BasicOCSPResponse sign(ResponseData rd) - throws EBaseException { + public BasicOCSPResponse sign(ResponseData rd) throws EBaseException { try { DerOutputStream out = new DerOutputStream(); DerOutputStream tmp = new DerOutputStream(); - String algname = mSigningUnit.getDefaultAlgorithm(); + String algname = mSigningUnit.getDefaultAlgorithm(); byte rd_data[] = ASN1Util.encode(rd); if (rd_data != null) { - mTotalData += rd_data.length; + mTotalData += rd_data.length; } rd.encode(tmp); AlgorithmId.get(algname).encode(tmp); 
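Review bot: The Javadoc for `log(int event, int level, String msg)` at the top of the @@ -410 hunk documents `@param level` and `@param msg` but not `event`, and its summary says "logs a message in the CA area" although the call passes `ILogger.S_OCSP`; I would change the summary to `Logs a message in the OCSP area.` and add `@param event the log event type, e.g. {@link ILogger#EV_SYSTEM}.` In `sign()` the statement `mTotalData += rd_data.length;` is an unsynchronised read-modify-write on a shared field; if sign() runs on concurrent request threads (likely for an OCSP responder, but not visible here) those increments can be lost — an AtomicLong or a synchronized increment would fix it. `sign()` continues into the next hunk.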
@@ -451,29 +456,30 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, tmp.putBitString(signature); // XXX - optional, put the certificate chains in also - DerOutputStream tmpChain = new DerOutputStream(); DerOutputStream tmp1 = new DerOutputStream(); DerOutputStream outChain = new DerOutputStream(); - java.security.cert.X509Certificate chains[] = - mCertChain.getChain(); + java.security.cert.X509Certificate chains[] = mCertChain.getChain(); for (int i = 0; i < chains.length; i++) { tmpChain.putDerValue(new DerValue(chains[i].getEncoded())); } tmp1.write(DerValue.tag_Sequence, tmpChain); tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), - tmp1); + tmp1); out.write(DerValue.tag_Sequence, tmp); - - BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray()); + + BasicOCSPResponse response = new BasicOCSPResponse( + out.toByteArray()); return response; } catch (Exception e) { e.printStackTrace(); // error e - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", + e.toString())); return null; } @@ -482,7 +488,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, /** * Returns default signing unit used by this CA * <P> - * + * * @return request identifier */ public ISigningUnit getSigningUnit() { @@ -492,6 +498,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, /** * Retrieves the request queue for the Authority. * <P> + * * @return the request queue. */ public IRequestQueue getRequestQueue() { 
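Review bot: The tail of `sign()` in the @@ -451 hunk catches `Exception`, calls `e.printStackTrace()`, logs, and returns null, so a signing failure is reported on stderr twice over and the caller receives null from a method that already declares `throws EBaseException`. I would drop the `printStackTrace()` (the `log(ILogger.LL_FAILURE, ...)` call already records it, and stack traces on stderr bypass the audit log) and rethrow as EBaseException instead of `return null;`, narrowing the catch to the exception types actually thrown by the DER encoding and `getEncoded()` calls. The `// XXX - optional, put the certificate chains in also` comment marks the chain inclusion as optional, yet `mCertChain.getChain()` is dereferenced unconditionally; a null check or a comment stating the chain is always present would resolve that. The method begins in the previous hunk.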
@@ -541,115 +548,90 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, */ /** - public OCSPResponse processOCSPRequest(OCSPRequest req, OCSPReqProcessor p) - throws EBaseException - { - try { - log(ILogger.LL_INFO, "start OCSP request"); - TBSRequest tbsReq = request.getTBSRequest(); - - Vector singleResponses = new Vector(); - for (int i = 0; i < tbsReq.getRequestCount(); i++) - { - com.netscape.certsrv.ocsp.asn1.Request req = - tbsReq.getRequestAt(i); - CertID cid = req.getCertID(); - SingleResponse sr = p.process(cid); - singleResponses.addElement(sr); - } - - - SingleResponse res[] = new SingleResponse[singleResponses.size()]; - singleResponses.copyInto(res); - - X500Name name = getName(); - Name.Template nameTemplate = new Name.Template(); - NameID rid = new NameID((Name)nameTemplate.decode( - new ByteArrayInputStream(name.getEncoded()))); - ResponseData rd = new ResponseData(rid, new GeneralizedTime( - CMS.getCurrentDate()), res); - - BasicOCSPResponse basicRes = sign(rd); - - OCSPResponse response = new OCSPResponse( - OCSPResponseStatus.SUCCESSFUL, - new ResponseBytes(ResponseBytes.OCSP_BASIC, - new OCTET_STRING(ASN1Util.encode(basicRes)))); - - log(ILogger.LL_INFO, "done OCSP request"); - return response; - } catch (Exception e) { - log(ILogger.LL_FAILURE, "request processing failure " + e); - return null; - } - } + * public OCSPResponse processOCSPRequest(OCSPRequest req, OCSPReqProcessor + * p) throws EBaseException { try { log(ILogger.LL_INFO, + * "start OCSP request"); TBSRequest tbsReq = request.getTBSRequest(); + * + * Vector singleResponses = new Vector(); for (int i = 0; i < + * tbsReq.getRequestCount(); i++) { com.netscape.certsrv.ocsp.asn1.Request + * req = tbsReq.getRequestAt(i); CertID cid = req.getCertID(); + * SingleResponse sr = p.process(cid); singleResponses.addElement(sr); } + * + * + * SingleResponse res[] = new SingleResponse[singleResponses.size()]; + * singleResponses.copyInto(res); + * + * X500Name 
name = getName(); Name.Template nameTemplate = new + * Name.Template(); NameID rid = new NameID((Name)nameTemplate.decode( new + * ByteArrayInputStream(name.getEncoded()))); ResponseData rd = new + * ResponseData(rid, new GeneralizedTime( CMS.getCurrentDate()), res); + * + * BasicOCSPResponse basicRes = sign(rd); + * + * OCSPResponse response = new OCSPResponse( OCSPResponseStatus.SUCCESSFUL, + * new ResponseBytes(ResponseBytes.OCSP_BASIC, new + * OCTET_STRING(ASN1Util.encode(basicRes)))); + * + * log(ILogger.LL_INFO, "done OCSP request"); return response; } catch + * (Exception e) { log(ILogger.LL_FAILURE, "request processing failure " + + * e); return null; } } **/ /** * Returns the in-memory count of the processed OCSP requests. - * + * * @return number of processed OCSP requests in memory */ - public long getNumOCSPRequest() - { + public long getNumOCSPRequest() { return mNumOCSPRequest; } /** - * Returns the in-memory time (in mini-second) of - * the processed time for OCSP requests. - * + * Returns the in-memory time (in mini-second) of the processed time for + * OCSP requests. + * * @return processed times for OCSP requests */ - public long getOCSPRequestTotalTime() - { - return mTotalTime; + public long getOCSPRequestTotalTime() { + return mTotalTime; } /** - * Returns the in-memory time (in mini-second) of - * the signing time for OCSP requests. - * + * Returns the in-memory time (in mini-second) of the signing time for OCSP + * requests. + * * @return processed times for OCSP requests */ - public long getOCSPTotalSignTime() - { - return mSignTime; + public long getOCSPTotalSignTime() { + return mSignTime; } - public long getOCSPTotalLookupTime() - { - return mLookupTime; + public long getOCSPTotalLookupTime() { + return mLookupTime; } /** - * Returns the total data signed - * for OCSP requests. - * + * Returns the total data signed for OCSP requests. 
+ * * @return processed times for OCSP requests */ - public long getOCSPTotalData() - { - return mTotalData; + public long getOCSPTotalData() { + return mTotalData; } - public void incTotalTime(long inc) - { + public void incTotalTime(long inc) { mTotalTime += inc; } - public void incSignTime(long inc) - { + public void incSignTime(long inc) { mSignTime += inc; - } + } - public void incLookupTime(long inc) - { + public void incLookupTime(long inc) { mLookupTime += inc; - } + } - public void incNumOCSPRequest(long inc) - { + public void incNumOCSPRequest(long inc) { mNumOCSPRequest += inc; } } |
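Review bot: The @@ -541 hunk keeps the whole commented-out `processOCSPRequest` implementation and reflows it into a `/** ... **/` block, which now reads as run-together Javadoc text; dead code of that size should be deleted (it lives in version control) rather than reformatted. Among the counters below it, the `@return` of `getOCSPTotalData` says "processed times for OCSP requests" although the method returns the total signed bytes, and two Javadocs say "mini-second" where "millisecond" is meant; `@return total number of bytes of ResponseData signed` would be correct for the former. The `incTotalTime`, `incSignTime`, `incLookupTime` and `incNumOCSPRequest` methods perform unsynchronised `+=` on shared fields, so if they are called from concurrent request threads the statistics will undercount — AtomicLong fields would make them exact. The reformatting itself is fine.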