📄 ocspservlet.java
字号:
/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package se.anatom.ejbca.protocol;import java.io.*;import java.security.PublicKey;import java.security.cert.X509Certificate;import java.util.Collection;import java.util.Date;import java.util.Enumeration;import java.util.Hashtable;import java.util.Iterator;import javax.naming.InitialContext;import javax.servlet.ServletConfig;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.bouncycastle.asn1.ASN1OctetString;import org.bouncycastle.asn1.ASN1Sequence;import org.bouncycastle.asn1.DERGeneralizedTime;import org.bouncycastle.asn1.DERInputStream;import org.bouncycastle.asn1.DERObjectIdentifier;import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;import org.bouncycastle.asn1.ocsp.RevokedInfo;import org.bouncycastle.asn1.x509.CRLReason;import org.bouncycastle.asn1.x509.GeneralName;import org.bouncycastle.asn1.x509.X509Extension;import org.bouncycastle.asn1.x509.X509Extensions;import org.bouncycastle.ocsp.*;import org.apache.log4j.Logger;import org.apache.commons.lang.StringUtils;import se.anatom.ejbca.SecConst;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocalHome;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceNotActiveException;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceRequestException;import se.anatom.ejbca.ca.caadmin.extendedcaservices.IllegalExtendedCAServiceRequestException;import se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAServiceRequest;import se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAServiceResponse;import se.anatom.ejbca.ca.crl.RevokedCertInfo;import se.anatom.ejbca.ca.exception.CADoesntExistsException;import se.anatom.ejbca.ca.exception.SignRequestException;import se.anatom.ejbca.ca.exception.SignRequestSignatureException;import se.anatom.ejbca.ca.sign.ISignSessionLocal;import se.anatom.ejbca.ca.sign.ISignSessionLocalHome;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.log.Admin;import se.anatom.ejbca.protocol.exception.MalformedRequestException;import se.anatom.ejbca.protocol.exception.NotSupportedException;import se.anatom.ejbca.util.Hex;import se.anatom.ejbca.util.CertTools;/** * Servlet implementing server side of the Online Certificate Status Protocol (OCSP) * For a detailed description of OCSP refer to RFC2560. * * @author Thomas Meckel (Ophios GmbH) * @version $Id: OCSPServlet.java,v 1.31 2004/05/19 13:30:49 anatom Exp $ */public class OCSPServlet extends HttpServlet { private static Logger m_log = Logger.getLogger(OCSPServlet.class); private ICertificateStoreSessionLocal m_certStore; private ICAAdminSessionLocal m_caadminsession; private ISignSessionLocal m_signsession = null; private Admin m_adm; private String m_sigAlg; private boolean m_reqMustBeSigned; private Collection m_cacerts = null; /** Cache time counter */ private long m_certValidTo = 0; /** Cached list of cacerts is valid 5 minutes */ private static final long VALID_TIME = 5 * 60 * 1000; /** String used to identify default responder id, used to generatwe responses when a request * for a certificate not signed by a CA on this server is received. */ private String m_defaultResponderId; /** Marks if the CAs certificate or the CAs OCSP responder certificate should be used for * signing the OCSP response. Defined in web.xml */ private boolean m_useCASigningCert; /** Marks if the CAs certificate chain shoudl be included in the OCSP response or not * Defined in web.xml */ private boolean m_includeChain; /** Loads cacertificates but holds a cache so it's reloaded only every five minutes is needed. */ protected synchronized void loadCertificates() throws IOException { // Kolla om vi har en cachad collection och om den inte 鋜 f鰎 gammal if ( m_cacerts != null && m_certValidTo > new Date().getTime() ) { return; } try { m_cacerts = m_certStore.findCertificatesByType(m_adm, SecConst.CERTTYPE_SUBCA + SecConst.CERTTYPE_ROOTCA, null); m_certValidTo = new Date().getTime() + VALID_TIME; } catch (Exception e) { m_log.error("Unable to load CA certificates from CA store.", e); throw new IOException(e.toString()); } } protected X509Certificate findCAByHash(CertificateID certId, Collection certs) throws OCSPException { if (null == certId) { throw new IllegalArgumentException(); } if (null == certs || certs.isEmpty()) { m_log.info("The passed certificate collection is empty."); return null; } Iterator iter = certs.iterator(); while (iter.hasNext()) { X509Certificate cacert = (X509Certificate)iter.next(); CertificateID issuerId = new CertificateID(certId.getHashAlgOID(), cacert, cacert.getSerialNumber()); if (m_log.isDebugEnabled()) { m_log.debug("Comparing the following certificate hashes:\n" + " Hash algorithm : '" + certId.getHashAlgOID() + "'\n" + " CA certificate hashes\n" + " Name hash : '" + Hex.encode(issuerId.getIssuerNameHash()) + "'\n" + " Key hash : '" + Hex.encode(issuerId.getIssuerKeyHash()) + "'\n" + " OCSP certificate hashes\n" + " Name hash : '" + Hex.encode(certId.getIssuerNameHash()) + "'\n" + " Key hash : '" + Hex.encode(certId.getIssuerKeyHash()) + "'\n"); } if ( (issuerId.toASN1Object().getIssuerNameHash().equals(certId.toASN1Object().getIssuerNameHash())) && (issuerId.toASN1Object().getIssuerKeyHash().equals(certId.toASN1Object().getIssuerKeyHash())) ) { m_log.debug("Found matching CA-cert with:\n" + " Name hash : '" + Hex.encode(issuerId.getIssuerNameHash()) + "'\n" + " Key hash : '" + Hex.encode(issuerId.getIssuerKeyHash()) + "'\n"); return cacert; } } m_log.debug("Did not find matching CA-cert for:\n" + " Name hash : '" + Hex.encode(certId.getIssuerNameHash()) + "'\n" + " Key hash : '" + Hex.encode(certId.getIssuerKeyHash()) + "'\n"); return null; } protected X509Certificate findCertificateBySubject(String subjectDN, Collection certs) { if (certs == null || null == subjectDN) { throw new IllegalArgumentException(); } if (null == certs || certs.isEmpty()) { m_log.info("The passed certificate collection is empty."); return null; } String dn = CertTools.stringToBCDNString(subjectDN); Iterator iter = certs.iterator(); while (iter.hasNext()) { X509Certificate cacert = (X509Certificate)iter.next(); if (m_log.isDebugEnabled()) { m_log.debug("Comparing the following certificates:\n" + " CA certificate DN: " + cacert.getSubjectDN() + "\n Subject DN: " + dn); } if (dn.equalsIgnoreCase(CertTools.stringToBCDNString(cacert.getSubjectDN().getName()))) { return cacert; } } m_log.info("Did not find matching CA-cert for DN: "+subjectDN); return null; } protected BasicOCSPRespGenerator createOCSPResponse(OCSPReq req, X509Certificate cacert) throws OCSPException, NotSupportedException { if (null == req) { throw new IllegalArgumentException(); } BasicOCSPRespGenerator res = new BasicOCSPRespGenerator(cacert.getPublicKey()); DERObjectIdentifier id_pkix_ocsp_nonce = new DERObjectIdentifier(OCSPObjectIdentifiers.pkix_ocsp + ".2"); DERObjectIdentifier id_pkix_ocsp_response = new DERObjectIdentifier(OCSPObjectIdentifiers.pkix_ocsp + ".4"); DERObjectIdentifier id_pkix_ocsp_basic = new DERObjectIdentifier(OCSPObjectIdentifiers.pkix_ocsp + ".1"); X509Extensions reqexts = req.getRequestExtensions();⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -