📄 ocspservlet.java
} /** * check the signature if contained in request. * if the request does not contain a signature * and the servlet is configured in the way * the a signature is required we send back * 'sigRequired' response. */ if (m_log.isDebugEnabled()) { m_log.debug("Incoming OCSP request is signed : " + req.isSigned()); } if (m_reqMustBeSigned) { if (!req.isSigned()) { m_log.info("OCSP request unsigned. Servlet enforces signing."); throw new SignRequestException("OCSP request unsigned. Servlet enforces signing."); } GeneralName requestor = req.getRequestorName(); X509Certificate[] certs = req.getCerts("BC"); PublicKey pk = null; // We must find a cert to verify the signature with... boolean verifyOK = false; for (int i=0;i<certs.length;i++) { if (req.verify(certs[i].getPublicKey(), "BC") == true) { verifyOK = true; break; } } if (!verifyOK) { m_log.info("Signature of incoming OCSPRequest is invalid."); throw new SignRequestSignatureException("Signature invalid."); } } Req[] requests = req.getRequestList(); if (requests.length <= 0) { String msg = "The OCSP request does not contain any simpleRequest entities."; m_log.error(msg); { // All this just so we can create an error response cacert = findCertificateBySubject(m_defaultResponderId, m_cacerts); // Create a basicRes, just to create an error response basicRes = createOCSPResponse(req, cacert); } throw new MalformedRequestException(msg); } else { m_log.debug("The OCSP request contains "+requests.length+" simpleRequests."); for (int i=0;i<requests.length;i++) { CertificateID certId = requests[i].getCertID(); boolean unknownCA = false; // if the certId was issued by an unknown CA // The algorithm here: // We will sign the response with the CA that issued the first // certificate(certId) in the request. If the issuing CA is not available // on this server, we sign the response with the default responderId (from params in web.xml). 
// We have to look up the ca-certificate for each certId in the request though, as we will check // for revocation on the ca-cert as well when checking for revocation on the certId. try { cacert = findCAByHash(certId, m_cacerts); if (cacert == null) { // We could not find certificate for this request so get certificate for default responder cacert = findCertificateBySubject(m_defaultResponderId, m_cacerts); unknownCA = true; } } catch (OCSPException e) { m_log.error("Unable to generate CA certificate hash.", e); cacert = null; continue; } // Create a basic response (if we haven't done it already) using the first issuer we find, or the default one if ( (cacert != null) && (basicRes == null) ) { basicRes = createOCSPResponse(req, cacert); if (m_log.isDebugEnabled()) { if (m_useCASigningCert) { m_log.debug("Signing OCSP response directly with CA: "+cacert.getSubjectDN().getName()); } else { m_log.debug("Signing OCSP response with OCSP signer of CA: "+cacert.getSubjectDN().getName()); } } } else if (cacert == null) { final String msg = "Unable to find CA certificate by issuer name hash: "+Hex.encode(certId.getIssuerNameHash())+", or even the default responder: "+m_defaultResponderId; m_log.error(msg); continue; } if (unknownCA == true) { final String msg = "Unable to find CA certificate by issuer name hash: "+Hex.encode(certId.getIssuerNameHash())+", using the default reponder to send 'UnknownStatus'"; m_log.info(msg); // If we can not find the CA, answer UnknowStatus basicRes.addResponse(certId, new UnknownStatus()); continue; } /* * Implement logic according to * chapter 2.7 in RFC2560 * * 2.7 CA Key Compromise * If an OCSP responder knows that a particular CA's private key has * been compromised, it MAY return the revoked state for all * certificates issued by that CA. 
*/ RevokedCertInfo rci; rci = m_certStore.isRevoked(m_adm , cacert.getIssuerDN().getName() , cacert.getSerialNumber()); if (null != rci && rci.getReason() == RevokedCertInfo.NOT_REVOKED) { rci = null; } if (null == rci) { rci = m_certStore.isRevoked(m_adm , cacert.getSubjectDN().getName() , certId.getSerialNumber()); if (null == rci) { m_log.debug("Unable to find revocation information for certificate with serial '" + certId.getSerialNumber() + "'" + " from issuer '" + cacert.getSubjectDN().getName() + "'"); basicRes.addResponse(certId, new UnknownStatus()); } else { CertificateStatus certStatus = null; // null mean good if (rci.getReason() != RevokedCertInfo.NOT_REVOKED) { certStatus = new RevokedStatus(new RevokedInfo( new DERGeneralizedTime(rci.getRevocationDate()), new CRLReason(rci.getReason()))); } else { certStatus = null; } if (m_log.isDebugEnabled()) { m_log.debug("Adding status information for certificate with serial '" + certId.getSerialNumber() + "'" + " from issuer '" + cacert.getSubjectDN().getName() + "'"); } basicRes.addResponse(certId, certStatus); } } else { CertificateStatus certStatus = new RevokedStatus(new RevokedInfo( new DERGeneralizedTime(rci.getRevocationDate()), new CRLReason(rci.getReason()))); basicRes.addResponse(certId, certStatus); } } if ( (basicRes != null) && (cacert != null) ) { // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert); ocspresp = res.generate(OCSPRespGenerator.SUCCESSFUL, basicresp); } else { final String msg = "Unable to find CA certificate and key to generate OCSP response!"; m_log.error(msg); throw new ServletException(msg); } } } catch (MalformedRequestException e) { m_log.info("MalformedRequestException caught : ", e); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert); ocspresp = res.generate(OCSPRespGenerator.MALFORMED_REQUEST, basicRes); } catch (SignRequestException e) { m_log.info("SignRequestException caught : 
", e); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert); ocspresp = res.generate(OCSPRespGenerator.SIG_REQUIRED, basicRes); } catch (Exception e) { if (e instanceof ServletException) throw (ServletException)e; m_log.error("Unable to handle OCSP request.", e); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert); ocspresp = res.generate(OCSPRespGenerator.INTERNAL_ERROR, basicRes); } byte[] respBytes = ocspresp.getEncoded(); response.setContentType("application/ocsp-response"); //response.setHeader("Content-transfer-encoding", "binary"); response.setContentLength(respBytes.length); response.getOutputStream().write(respBytes); response.getOutputStream().flush(); } catch (OCSPException e) { m_log.error("OCSPException caught, fatal error : ", e); throw new ServletException(e); } catch (IllegalExtendedCAServiceRequestException e) { m_log.error("Can't generate any type of OCSP response: ", e); throw new ServletException(e); } catch (CADoesntExistsException e) { m_log.error("CA used to sign OCSP response does not exist: ", e); throw new ServletException(e); } catch (ExtendedCAServiceNotActiveException e) { m_log.error("Error in CAs extended service: ", e); throw new ServletException(e); } catch (ExtendedCAServiceRequestException e) { m_log.error("Error in CAs extended service: ", e); throw new ServletException(e); } m_log.debug("<service()"); }} // OCSPServlet