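return null;
    }

    /**
     * Looks up the CA certificate whose subject DN matches {@code subjectDN}.
     *
     * Both DNs are passed through {@link CertTools#stringToBCDNString} before the
     * case-insensitive comparison, so the two representations need not be spelled
     * identically to match.
     *
     * @param subjectDN the subject DN to search for
     * @param certs     candidate CA certificates ({@link X509Certificate} instances)
     * @return the first certificate with a matching subject DN, or {@code null} when
     *         {@code certs} is empty or nothing matches
     * @throws IllegalArgumentException if {@code subjectDN} or {@code certs} is {@code null}
     */
    protected X509Certificate findCertificateBySubject(String subjectDN, Collection certs) {
        if (certs == null || subjectDN == null) {
            throw new IllegalArgumentException();
        }
        // The previous version re-tested certs for null here; that branch was unreachable.
        if (certs.isEmpty()) {
            m_log.info("The passed certificate collection is empty.");
            return null;
        }
        String dn = CertTools.stringToBCDNString(subjectDN);
        Iterator iter = certs.iterator();
        while (iter.hasNext()) {
            X509Certificate cacert = (X509Certificate) iter.next();
            if (m_log.isDebugEnabled()) {
                m_log.debug("Comparing the following certificates:\n" + " CA certificate DN: " + cacert.getSubjectDN() + "\n Subject DN: " + dn);
            }
            String candidateDn = CertTools.stringToBCDNString(cacert.getSubjectDN().getName());
            if (dn.equalsIgnoreCase(candidateDn)) {
                return cacert;
            }
        }
        m_log.info("Did not find matching CA-cert for DN: " + subjectDN);
        return null;
    }

    /**
     * Creates the response generator for {@code req}, built from the public key of
     * {@code cacert}, and transfers the request extensions this responder honours.
     *
     * <ul>
     *   <li>id-pkix-ocsp-nonce (pkix_ocsp.2) is copied unchanged into the response
     *       extensions so the client can bind the response to its request.</li>
     *   <li>id-pkix-ocsp-response (pkix_ocsp.4, AcceptableResponses) is decoded as a
     *       SEQUENCE of OBJECT IDENTIFIERs; the request is rejected unless it lists
     *       id-pkix-ocsp-basic (pkix_ocsp.1). An undecodable extension is ignored.</li>
     * </ul>
     *
     * @param req    the decoded OCSP request
     * @param cacert the certificate whose public key the generator is created from
     * @return a generator carrying the selected response extensions; no single
     *         responses have been added yet
     * @throws IllegalArgumentException if {@code req} or {@code cacert} is {@code null}
     * @throws NotSupportedException if AcceptableResponses is present and decodable but
     *         does not include id-pkix-ocsp-basic
     * @throws OCSPException as declared by the BasicOCSPRespGenerator constructor
     */
    protected BasicOCSPRespGenerator createOCSPResponse(OCSPReq req, X509Certificate cacert)
            throws OCSPException, NotSupportedException {
        // cacert used to be dereferenced unchecked; a null now fails the same way as a null req.
        if (null == req || null == cacert) {
            throw new IllegalArgumentException();
        }
        BasicOCSPRespGenerator res = new BasicOCSPRespGenerator(cacert.getPublicKey());
        DERObjectIdentifier id_pkix_ocsp_nonce = new DERObjectIdentifier(OCSPObjectIdentifiers.pkix_ocsp + ".2");
        DERObjectIdentifier id_pkix_ocsp_response = new DERObjectIdentifier(OCSPObjectIdentifiers.pkix_ocsp + ".4");
        DERObjectIdentifier id_pkix_ocsp_basic = new DERObjectIdentifier(OCSPObjectIdentifiers.pkix_ocsp + ".1");
        X509Extensions reqexts = req.getRequestExtensions();
        if (reqexts == null) {
            return res;
        }
        X509Extension nonce = reqexts.getExtension(id_pkix_ocsp_nonce);
        if (null != nonce) {
            Hashtable table = new Hashtable();
            table.put(id_pkix_ocsp_nonce, nonce);
            res.setResponseExtensions(new X509Extensions(table));
        }
        X509Extension acceptable = reqexts.getExtension(id_pkix_ocsp_response);
        if (null != acceptable) {
            ASN1OctetString oct = acceptable.getValue();
            try {
                ASN1Sequence seq = ASN1Sequence.getInstance(new ASN1InputStream(new ByteArrayInputStream(oct.getOctets())).readObject());
                Enumeration en = seq.getObjects();
                boolean supportsResponseType = false;
                while (en.hasMoreElements()) {
                    DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
                    if (oid.equals(id_pkix_ocsp_basic)) {
                        // The only response type we produce; no need to look further.
                        supportsResponseType = true;
                        m_log.debug("Response type supported: " + oid.getId());
                        break;
                    }
                }
                // Deliberately inside the try: a decoding failure keeps the lenient path below.
                if (!supportsResponseType) {
                    throw new NotSupportedException("Required response type not supported, this responder only supports id-pkix-ocsp-basic.");
                }
            } catch (IOException e) {
                // Kept lenient as before (the extension is ignored), but no longer silent.
                m_log.info("Could not decode AcceptableResponses extension, ignoring it.", e);
            }
        }
        return res;
    }

    /**
     * Signs the collected response through the issuing CA's extended OCSP service.
     *
     * The CA is identified by the hash code of its BC-normalised subject DN, which is
     * presumably the CA id convention of the sign session (verify against the CA code).
     * {@code m_sigAlg}, {@code m_useCASigningCert} and {@code m_includeChain} are handed
     * to the service in the {@link OCSPCAServiceRequest}; the signed response comes back
     * in the service reply.
     *
     * @param basicRes the unsigned response generator
     * @param cacert   the CA certificate whose CA performs the signing
     * @return the signed basic OCSP response
     * @throws CADoesntExistsException as propagated from the sign session
     * @throws ExtendedCAServiceRequestException as propagated from the sign session
     * @throws ExtendedCAServiceNotActiveException as propagated from the sign session
     * @throws IllegalExtendedCAServiceRequestException as propagated from the sign session
     */
    protected BasicOCSPResp signOCSPResponse(BasicOCSPRespGenerator basicRes, X509Certificate cacert)
            throws CADoesntExistsException, ExtendedCAServiceRequestException,
            ExtendedCAServiceNotActiveException, IllegalExtendedCAServiceRequestException {
        String issuerdn = CertTools.stringToBCDNString(cacert.getSubjectDN().toString());
        int caid = issuerdn.hashCode();
        OCSPCAServiceRequest serviceReq = new OCSPCAServiceRequest(basicRes, m_sigAlg, m_useCASigningCert, m_includeChain);
        OCSPCAServiceResponse caserviceresp = (OCSPCAServiceResponse) m_signsession.extendedService(m_adm, caid, serviceReq);
        Collection coll = caserviceresp.getOCSPSigningCertificateChain();
        m_log.debug("Cert chain for OCSP signing is of size " + coll.size());
        return caserviceresp.getBasicOCSPResp();
    }

    /**
     * Reads a yes/no servlet init parameter.
     *
     * An unset or empty value yields {@code defaultValue}. When the default is
     * {@code true}, only "false"/"no" (case-insensitive) turn it off; when the default
     * is {@code false}, only "true"/"yes" turn it on. Any other text keeps the default.
     *
     * @param config       the servlet configuration
     * @param name         the init parameter name
     * @param logLabel     prefix for the debug line that echoes the raw value
     * @param defaultValue value to use when the parameter is not set
     * @return the parsed flag
     */
    private boolean getBooleanInitParameter(ServletConfig config, String name, String logLabel, boolean defaultValue) {
        String value = config.getInitParameter(name);
        if (m_log.isDebugEnabled()) {
            m_log.debug(logLabel + "'" + (StringUtils.isEmpty(value) ? "<not set>" : value) + "'");
        }
        if (StringUtils.isEmpty(value)) {
            return defaultValue;
        }
        if (defaultValue) {
            return !(value.equalsIgnoreCase("false") || value.equalsIgnoreCase("no"));
        }
        return value.equalsIgnoreCase("true") || value.equalsIgnoreCase("yes");
    }

    /**
     * Initialises the servlet: looks up the certificate-store and sign-session EJBs,
     * creates the internal admin, and reads the init parameters.
     *
     * Required parameters: {@code SignatureAlgorithm} and {@code defaultResponderID}.
     * Optional flags: {@code enforceRequestSigning} (default true),
     * {@code useCASigningCert} (default false), {@code includeCertChain} (default true).
     *
     * @param config the servlet configuration
     * @throws ServletException if a required parameter is missing or EJB lookup fails
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        try {
            ServiceLocator locator = ServiceLocator.getInstance();
            ICertificateStoreSessionLocalHome castorehome = (ICertificateStoreSessionLocalHome) locator.getLocalHome(ICertificateStoreSessionLocalHome.COMP_NAME);
            m_certStore = castorehome.create();
            m_adm = new Admin(Admin.TYPE_INTERNALUSER);
            ISignSessionLocalHome signhome = (ISignSessionLocalHome) locator.getLocalHome(ISignSessionLocalHome.COMP_NAME);
            m_signsession = signhome.create();
            // Parameters for OCSP signing (private) key
            m_sigAlg = config.getInitParameter("SignatureAlgorithm");
            if (StringUtils.isEmpty(m_sigAlg)) {
                m_log.error("Signature algorithm not defined in initialization parameters.");
                throw new ServletException("Missing signature algorithm in initialization parameters.");
            }
            m_defaultResponderId = config.getInitParameter("defaultResponderID");
            if (StringUtils.isEmpty(m_defaultResponderId)) {
                m_log.error("Default responder id not defined in initialization parameters.");
                throw new ServletException("Missing default responder id in initialization parameters.");
            }
            m_reqMustBeSigned = getBooleanInitParameter(config, "enforceRequestSigning", "Enforce request signing : ", true);
            m_useCASigningCert = getBooleanInitParameter(config, "useCASigningCert", "Use CA signing cert : ", false);
            m_includeChain = getBooleanInitParameter(config, "includeCertChain", "Include certificate chain: ", true);
        } catch (Exception e) {
            m_log.error("Unable to initialize OCSPServlet.", e);
            throw new ServletException(e);
        }
    }

    /**
     * Accepts a POST'ed OCSP request and hands its raw DER bytes to
     * {@link #service(HttpServletRequest, HttpServletResponse, byte[])}.
     *
     * Responds 400 when the Content-Type header is missing or is not
     * {@code application/ocsp-request}.
     *
     * @param request  the HTTP request carrying the DER-encoded OCSPRequest
     * @param response the HTTP response
     * @throws IOException      on read or write failure
     * @throws ServletException propagated from {@code service}
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        m_log.debug(">doPost()");
        String contentType = request.getHeader("Content-Type");
        // A missing header used to NPE here; it is now rejected like a wrong one.
        if (contentType == null || !contentType.equalsIgnoreCase("application/ocsp-request")) {
            m_log.debug("Content type is not application/ocsp-request");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Content type is not application/ocsp-request");
            return;
        }
        // The body is DER, so read raw bytes; getReader() would run them through the
        // request charset first. The read is unbounded: OCSP requests are small, and
        // any cap on body size is left to the container.
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        InputStream in = request.getInputStream();
        try {
            byte[] buf = new byte[1024];
            int n;
            while ((n = in.read(buf)) != -1) {
                baos.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
        byte[] reqBytes = baos.toByteArray();
        service(request, response, reqBytes);
        m_log.debug("<doPost()");
    } //doPost

    /**
     * Rejects GET with 405; only POST is supported.
     *
     * @param request  the HTTP request
     * @param response the HTTP response
     * @throws IOException      on write failure
     * @throws ServletException never thrown here, declared for the servlet contract
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        m_log.debug(">doGet()");
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "OCSP only supports POST");
        m_log.debug("<doGet()");
    } // doGet

    public void service(HttpServletRequest request, HttpServletResponse response, byte[] reqBytes) throws IOException, ServletException {
        m_log.debug(">service()");
        if ((reqBytes == null) || (reqBytes.length == 0)) {
            m_log.debug("No request bytes");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "No request bytes.");
            return;
        }
        try {
            OCSPResp ocspresp = null;
            BasicOCSPRespGenerator basicRes = null;
            OCSPRespGenerator res = new OCSPRespGenerator();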