
📄 ocspservlet.java

📁 JAVA做的J2EE下CA认证系统 基于EJB开发
            X509Certificate cacert = null; // CA-certificate used to sign response            try {                OCSPReq req = new OCSPReq(reqBytes);                //m_log.debug("OCSPReq: "+new String(Base64.encode(req.getEncoded())));                loadCertificates();                if (m_log.isDebugEnabled()) {                    StringBuffer certInfo = new StringBuffer();                    Iterator iter = m_cacerts.iterator();                    while (iter.hasNext()) {                        X509Certificate cert = (X509Certificate) iter.next();                        certInfo.append(cert.getSubjectDN().getName());                        certInfo.append(',');                        certInfo.append(cert.getSerialNumber().toString());                        certInfo.append('\n');                    }                    m_log.debug("Found the following CA certificates : \n"                            + certInfo.toString());                }                            /**                 * check the signature if contained in request.                 * if the request does not contain a signature                 * and the servlet is configured in the way                  * the a signature is required we send back                 * 'sigRequired' response.                 */                if (m_log.isDebugEnabled()) {                    m_log.debug("Incoming OCSP request is signed : " + req.isSigned());                }                if (m_reqMustBeSigned) {                    if (!req.isSigned()) {                        m_log.info("OCSP request unsigned. Servlet enforces signing.");                        throw new SignRequestException("OCSP request unsigned. Servlet enforces signing.");                    }                    //GeneralName requestor = req.getRequestorName();                    X509Certificate[] certs = req.getCerts("BC");                    // We must find a cert to verify the signature with...                    
boolean verifyOK = false;                    for (int i = 0; i < certs.length; i++) {                        if (req.verify(certs[i].getPublicKey(), "BC") == true) {                            verifyOK = true;                            break;                        }                    }                    if (!verifyOK) {                        m_log.info("Signature of incoming OCSPRequest is invalid.");                        throw new SignRequestSignatureException("Signature invalid.");                    }                }                Req[] requests = req.getRequestList();                if (requests.length <= 0) {                    String msg = "The OCSP request does not contain any simpleRequest entities.";                    m_log.error(msg);                    {                        // All this just so we can create an error response                        cacert = findCertificateBySubject(m_defaultResponderId, m_cacerts);                        // Create a basicRes, just to create an error response                         basicRes = createOCSPResponse(req, cacert);                    }                    throw new MalformedRequestException(msg);                }                m_log.debug("The OCSP request contains " + requests.length + " simpleRequests.");                for (int i = 0; i < requests.length; i++) {                    CertificateID certId = requests[i].getCertID();                    boolean unknownCA = false; // if the certId was issued by an unknown CA                    // The algorithm here:                    // We will sign the response with the CA that issued the first                     // certificate(certId) in the request. If the issuing CA is not available                    // on this server, we sign the response with the default responderId (from params in web.xml).                    
// We have to look up the ca-certificate for each certId in the request though, as we will check                    // for revocation on the ca-cert as well when checking for revocation on the certId.                     try {                        cacert = findCAByHash(certId, m_cacerts);                        if (cacert == null) {                            // We could not find certificate for this request so get certificate for default responder                            cacert = findCertificateBySubject(m_defaultResponderId, m_cacerts);                            unknownCA = true;                        }                    } catch (OCSPException e) {                        m_log.error("Unable to generate CA certificate hash.", e);                        cacert = null;                        continue;                    }                    // Create a basic response (if we haven't done it already) using the first issuer we find, or the default one                    if ((cacert != null) && (basicRes == null)) {                        basicRes = createOCSPResponse(req, cacert);                        if (m_log.isDebugEnabled()) {                            if (m_useCASigningCert) {                                m_log.debug("Signing OCSP response directly with CA: " + cacert.getSubjectDN().getName());                            } else {                                m_log.debug("Signing OCSP response with OCSP signer of CA: " + cacert.getSubjectDN().getName());                            }                        }                    } else if (cacert == null) {                        final String msg = "Unable to find CA certificate by issuer name hash: " + Hex.encode(certId.getIssuerNameHash()) + ", or even the default responder: " + m_defaultResponderId;                        m_log.error(msg);                        continue;                    }                    if (unknownCA == true) {                        final String msg = "Unable to find CA 
certificate by issuer name hash: " + Hex.encode(certId.getIssuerNameHash()) + ", using the default reponder to send 'UnknownStatus'";                        m_log.info(msg);                        // If we can not find the CA, answer UnknowStatus                        basicRes.addResponse(certId, new UnknownStatus());                        continue;                    }                    /*                     * Implement logic according to                     * chapter 2.7 in RFC2560                     *                      * 2.7  CA Key Compromise                     *    If an OCSP responder knows that a particular CA's private key has                     *    been compromised, it MAY return the revoked state for all                     *    certificates issued by that CA.                     */                    RevokedCertInfo rci;                    rci = m_certStore.isRevoked(m_adm                            , cacert.getIssuerDN().getName()                            , cacert.getSerialNumber());                    if (null != rci && rci.getReason() == RevokedCertInfo.NOT_REVOKED) {                        rci = null;                    }                    if (null == rci) {                        rci = m_certStore.isRevoked(m_adm                                , cacert.getSubjectDN().getName()                                , certId.getSerialNumber());                        if (null == rci) {                            m_log.debug("Unable to find revocation information for certificate with serial '"                                    + certId.getSerialNumber() + "'"                                    + " from issuer '" + cacert.getSubjectDN().getName() + "'");                            basicRes.addResponse(certId, new UnknownStatus());                        } else {                            CertificateStatus certStatus = null; // null mean good                            if (rci.getReason() != RevokedCertInfo.NOT_REVOKED) {                         
       certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(rci.getRevocationDate()),                                        new CRLReason(rci.getReason())));                            } else {                                certStatus = null;                            }                            if (m_log.isDebugEnabled()) {                                m_log.debug("Adding status information for certificate with serial '"                                        + certId.getSerialNumber() + "'"                                        + " from issuer '" + cacert.getSubjectDN().getName() + "'");                            }                            basicRes.addResponse(certId, certStatus);                        }                    } else {                        CertificateStatus certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(rci.getRevocationDate()),                                new CRLReason(rci.getReason())));                        basicRes.addResponse(certId, certStatus);                    }                }                if ((basicRes != null) && (cacert != null)) {                    // generate the signed response object                    BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert);                    ocspresp = res.generate(OCSPRespGenerator.SUCCESSFUL, basicresp);                } else {                    final String msg = "Unable to find CA certificate and key to generate OCSP response!";                    m_log.error(msg);                    throw new ServletException(msg);                }            } catch (MalformedRequestException e) {                m_log.info("MalformedRequestException caught : ", e);                // generate the signed response object                BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert);                ocspresp = res.generate(OCSPRespGenerator.MALFORMED_REQUEST, basicresp);            } catch (SignRequestException e) {                
m_log.info("SignRequestException caught : ", e);                // generate the signed response object                BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert);                ocspresp = res.generate(OCSPRespGenerator.SIG_REQUIRED, basicresp);            } catch (Exception e) {                m_log.error("Unable to handle OCSP request.", e);                if (e instanceof ServletException)                    throw (ServletException) e;                // generate the signed response object                BasicOCSPResp basicresp = signOCSPResponse(basicRes, cacert);                ocspresp = res.generate(OCSPRespGenerator.INTERNAL_ERROR, basicresp);            }            byte[] respBytes = ocspresp.getEncoded();            response.setContentType("application/ocsp-response");            //response.setHeader("Content-transfer-encoding", "binary");            response.setContentLength(respBytes.length);            response.getOutputStream().write(respBytes);            response.getOutputStream().flush();        } catch (OCSPException e) {            m_log.error("OCSPException caught, fatal error : ", e);            throw new ServletException(e);        } catch (IllegalExtendedCAServiceRequestException e) {            m_log.error("Can't generate any type of OCSP response: ", e);            throw new ServletException(e);        } catch (CADoesntExistsException e) {            m_log.error("CA used to sign OCSP response does not exist: ", e);            throw new ServletException(e);        } catch (ExtendedCAServiceNotActiveException e) {            m_log.error("Error in CAs extended service: ", e);            throw new ServletException(e);        } catch (ExtendedCAServiceRequestException e) {            m_log.error("Error in CAs extended service: ", e);            throw new ServletException(e);        }        m_log.debug("<service()");    }} // OCSPServlet
