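return cacert;
        }
    }
    String iMsg = intres.getLocalizedMessage("ocsp.nomatchingcacert", subjectDN);
    m_log.info(iMsg);
    return null;
}

/**
 * Builds the table of response extensions that are echoed back to the client,
 * for use with the BasicOCSPRespGenerator:
 * <code>
 * X509Extensions exts = new X509Extensions(table);
 * basicRes.setResponseExtensions(responseExtensions);
 * </code>
 *
 * Only the nonce extension (id-pkix-ocsp-nonce) is copied from the request.
 * Echoing the client's nonce lets it bind this response to the request it sent,
 * so a replayed or stale response is detectable on the client side.
 *
 * @param req the parsed OCSP request; its extensions may be null
 * @return a Hashtable keyed by extension OID, possibly empty but never null
 */
private Hashtable getStandardResponseExtensions(OCSPReq req) {
    Hashtable responseExts = new Hashtable();
    X509Extensions requestExts = req.getRequestExtensions();
    if (requestExts == null) {
        return responseExts;
    }
    X509Extension nonce = requestExts.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (nonce != null) {
        responseExts.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, nonce);
    }
    return responseExts;
}

/**
 * Derives the CA id for a CA certificate: the hashCode of the BouncyCastle-normalized
 * subject DN string. NOTE(review): this is a 32-bit hash, so distinct DNs can in
 * principle collide; the lookup in extendedService must be expected to cope with that.
 *
 * @param cacert the CA certificate whose id is wanted
 * @return the CA id used by the extended CA service lookup
 */
protected int getCaid(X509Certificate cacert) {
    String normalizedDn = CertTools.stringToBCDNString(cacert.getSubjectDN().toString());
    int caid = normalizedDn.hashCode();
    if (m_log.isDebugEnabled()) {
        m_log.debug(cacert.getSubjectDN() + " has caid: " + caid);
    }
    return caid;
}

/**
 * Asks the extended CA service of the issuing CA to produce and sign the basic OCSP
 * response for the given request. The signing key never leaves the CA service; this
 * servlet only forwards the request, the single responses and the extensions, together
 * with the configured signature algorithm and chain/CA-cert flags.
 *
 * @param req          the OCSP request being answered
 * @param responseList the single responses (one per requested certificate)
 * @param exts         response extensions to include (see getStandardResponseExtensions)
 * @param cacert       the CA certificate identifying which CA service signs the response
 * @return the signed BasicOCSPResp returned by the CA service
 * @throws CADoesntExistsException                 if no CA matches getCaid(cacert)
 * @throws ExtendedCAServiceRequestException       if the CA service fails to process the request
 * @throws ExtendedCAServiceNotActiveException     if the OCSP service is not active for the CA
 * @throws IllegalExtendedCAServiceRequestException if the request is malformed for the service
 */
private BasicOCSPResp signOCSPResponse(OCSPReq req, ArrayList responseList, X509Extensions exts, X509Certificate cacert)
        throws CADoesntExistsException, ExtendedCAServiceRequestException,
               ExtendedCAServiceNotActiveException, IllegalExtendedCAServiceRequestException {
    OCSPCAServiceRequest serviceReq =
        new OCSPCAServiceRequest(req, responseList, exts, m_sigAlg, m_useCASigningCert, m_includeChain);
    OCSPCAServiceResponse serviceResp = extendedService(m_adm, getCaid(cacert), serviceReq);
    if (m_log.isDebugEnabled()) {
        Collection chain = serviceResp.getOCSPSigningCertificateChain();
        m_log.debug("Cert chain for OCSP signing is of size " + chain.size());
    }
    return serviceResp.getBasicOCSPResp();
}

/**
 * Reads servlet configuration: signature algorithm, default responder id, the three
 * boolean flags (request signing enforcement, CA-cert signing, chain inclusion) and the
 * optional extension OID/class lists. Extension classes are instantiated by name with
 * Class.forName; the init parameters come from the deployment descriptor and are
 * therefore treated as trusted.
 *
 * @param config the servlet configuration
 * @throws ServletException if a mandatory parameter is missing or the extension
 *         OID and class lists differ in length
 */
public void init(ServletConfig config) throws ServletException {
    super.init(config);
    CertTools.installBCProvider();
    m_adm = new Admin(Admin.TYPE_INTERNALUSER);

    // Parameters for OCSP signing (private) key
    m_sigAlg = config.getInitParameter("SignatureAlgorithm");
    if (StringUtils.isEmpty(m_sigAlg)) {
        m_log.error("Signature algorithm not defined in initialization parameters.");
        throw new ServletException("Missing signature algorithm in initialization parameters.");
    }
    m_defaultResponderId = config.getInitParameter("defaultResponderID");
    if (StringUtils.isEmpty(m_defaultResponderId)) {
        m_log.error("Default responder id not defined in initialization parameters.");
        throw new ServletException("Missing default responder id in initialization parameters.");
    }

    // Request signing is enforced unless explicitly switched off; the other two flags
    // keep their historical defaults (no CA signing cert, chain included).
    m_reqMustBeSigned = readFlag(config, "enforceRequestSigning", "Enforce request signing : '", true);
    m_useCASigningCert = readFlag(config, "useCASigningCert", "Use CA signing cert : '", false);
    m_includeChain = readFlag(config, "includeCertChain", "Include certificate chain: '", true);

    String extensionOid = config.getInitParameter("extensionOid");
    if (StringUtils.isEmpty(extensionOid)) {
        m_log.info("ExtensionOid not defined in initialization parameters.");
    } else {
        m_extensionOids = Arrays.asList(extensionOid.split(";"));
    }
    String extensionClass = config.getInitParameter("extensionClass");
    if (StringUtils.isEmpty(extensionClass)) {
        m_log.info("ExtensionClass not defined in initialization parameters.");
    } else {
        m_extensionClasses = Arrays.asList(extensionClass.split(";"));
    }
    // The two lists are paired by position, so they must be the same length.
    // NOTE(review): assumes both fields are initialised to empty lists when the
    // parameters are absent — verify against the field declarations.
    if (m_extensionClasses.size() != m_extensionOids.size()) {
        throw new ServletException("Number of extension classes does not match no of extension oids.");
    }

    m_extensionMap = new HashMap();
    Iterator classIter = m_extensionClasses.iterator();
    Iterator oidIter = m_extensionOids.iterator();
    while (classIter.hasNext()) {
        String clazz = (String) classIter.next();
        String oid = (String) oidIter.next();
        IOCSPExtension ext;
        try {
            ext = (IOCSPExtension) Class.forName(clazz).newInstance();
            ext.init(config);
        } catch (Exception e) {
            // A broken extension is logged and skipped rather than failing servlet start.
            m_log.error("Can not create extension with class " + clazz, e);
            continue;
        }
        m_extensionMap.put(oid, ext);
    }
}

/**
 * Reads a boolean init parameter with the same lenient semantics as the original code:
 * an unset/empty value yields the default; a default-on flag is only turned off by
 * "false"/"no"; a default-off flag is only turned on by "true"/"yes". Any other text
 * leaves the default in place.
 *
 * @param config       the servlet configuration
 * @param name         the init parameter name
 * @param logLabel     prefix for the debug line (kept verbatim from the original messages)
 * @param defaultValue value used when the parameter is unset or unrecognised
 * @return the effective flag value
 */
private boolean readFlag(ServletConfig config, String name, String logLabel, boolean defaultValue) {
    String raw = config.getInitParameter(name);
    if (m_log.isDebugEnabled()) {
        m_log.debug(logLabel + (StringUtils.isEmpty(raw) ? "<not set>" : raw) + "'");
    }
    if (StringUtils.isEmpty(raw)) {
        return defaultValue;
    }
    if (defaultValue) {
        return !(raw.equalsIgnoreCase("false") || raw.equalsIgnoreCase("no"));
    }
    return raw.equalsIgnoreCase("true") || raw.equalsIgnoreCase("yes");
}

/** Upper bound on an accepted OCSP request body; requests are small and the body is buffered in memory. */
private static final int MAX_REQUEST_BYTES = 64 * 1024;

/**
 * Accepts a DER-encoded OCSP request by POST and hands the raw bytes to service().
 *
 * Fixes relative to the original: a missing Content-Type header no longer throws NPE
 * (which surfaced as HTTP 500), media-type parameters such as "; charset=..." are
 * ignored when matching the type, the body is read as bytes via getInputStream()
 * rather than through a character Reader (DER is binary and a charset decode can
 * corrupt it), and the read is capped at MAX_REQUEST_BYTES so an untrusted client
 * cannot make the responder buffer an arbitrarily large body.
 *
 * @param request  the HTTP request
 * @param response the HTTP response
 * @throws IOException      on I/O failure reading the body or writing the response
 * @throws ServletException propagated from service()
 */
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    m_log.debug(">doPost()");
    String mediaType = request.getContentType();
    if (mediaType != null) {
        int paramStart = mediaType.indexOf(';');
        if (paramStart >= 0) {
            mediaType = mediaType.substring(0, paramStart);
        }
        mediaType = mediaType.trim();
    }
    if (!"application/ocsp-request".equalsIgnoreCase(mediaType)) {
        m_log.debug("Content type is not application/ocsp-request");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Content type is not application/ocsp-request");
        return;
    }
    byte[] reqBytes = readRequestBody(request, response);
    if (reqBytes == null) {
        // An error status has already been sent.
        return;
    }
    service(request, response, reqBytes);
    m_log.debug("<doPost()");
} //doPost

/**
 * Reads the full request body as raw bytes, bounded by MAX_REQUEST_BYTES.
 *
 * @param request  the HTTP request whose body is read
 * @param response used to send 413 when the body is too large
 * @return the body bytes, or null if a 413 error was sent
 * @throws IOException on read failure
 */
private byte[] readRequestBody(HttpServletRequest request, HttpServletResponse response) throws IOException {
    int declared = request.getContentLength();
    if (declared > MAX_REQUEST_BYTES) {
        m_log.debug("Declared request length exceeds limit: " + declared);
        response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "OCSP request too large");
        return null;
    }
    InputStream in = request.getInputStream();
    ByteArrayOutputStream baos = new ByteArrayOutputStream(declared > 0 ? declared : 1024);
    try {
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            // Content-Length may be absent or lie (chunked encoding), so enforce the cap while reading.
            if (baos.size() + n > MAX_REQUEST_BYTES) {
                m_log.debug("Request body exceeds limit of " + MAX_REQUEST_BYTES + " bytes");
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "OCSP request too large");
                return null;
            }
            baos.write(buf, 0, n);
        }
    } finally {
        in.close();
    }
    return baos.toByteArray();
}

/**
 * GET is not supported for OCSP by this servlet; every GET ends with 405.
 *
 * The one side effect is the administrative "reloadkeys=true" parameter, which forces
 * the cached CA certificates to be reloaded on the next request by zeroing
 * m_certValidTo. It is only honoured when the TCP peer is 127.0.0.1.
 * NOTE(review): getRemoteAddr() is the immediate peer, so if a reverse proxy on the
 * same host fronts this servlet, every proxied client would pass this check; an IPv6
 * loopback peer ("::1") is rejected, which is the fail-safe direction. The write to
 * m_certValidTo is a plain field write from a request thread; its visibility to other
 * threads depends on how the field is declared, which is outside this view.
 *
 * @param request  the HTTP request
 * @param response the HTTP response
 * @throws IOException      on failure writing the error response
 * @throws ServletException never thrown here; declared for the servlet contract
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    m_log.debug(">doGet()");
    String reloadCAKeys = request.getParameter("reloadkeys");
    if (StringUtils.equals(reloadCAKeys, "true")) {
        String remote = request.getRemoteAddr();
        if (StringUtils.equals(remote, "127.0.0.1")) {
            String iMsg = intres.getLocalizedMessage("ocsp.reloadkeys", remote);
            m_log.info(iMsg);
            m_certValidTo = 0;
        } else {
            m_log.info("Got reloadKeys command from unauthorized ip: " + remote);
        }
    }
    response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "OCSP only supports POST");
    m_log.debug("<doGet()");
} // doGet

public void service(HttpServletRequest request, HttpServletResponse response, byte[] reqBytes) throws IOException, ServletException {
    if (m_log.isDebugEnabled()) {
        m_log.debug(">service()");
    }
    if ((reqBytes == null) || (reqBytes.length == 0)) {
        m_log.debug("No request bytes");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "No request bytes.");
        return;
    }
    try {
        OCSPResp ocspresp = null;
        ArrayList responseList = new ArrayList();
        OCSPRespGenerator res = new OCSPRespGenerator();
        X509Certificate cacert = null; // CA-certificate used to sign response
        OCSPReq req = new OCSPReq(reqBytes);
        try {
            //m_log.debug("OCSPReq: "+new String(Base64.encode(req.getEncoded())));
            loadCertificates();
            if (m_log.isDebugEnabled()) {
                StringBuffer certInfo = new StringBuffer();
                Iterator iter = m_cacerts.iterator();
                while (iter.hasNext()) {
                    X509Certificate cert = (X509Certificate) iter.next();
                    certInfo.append(cert.getSubjectDN().getName());
                    certInfo.append(',');
                    certInfo.append(cert.getSerialNumber().toString(16));
                    certInfo.append('\n');
                }
                m_log.debug("Found the following CA certificates : \n" + certInfo.toString());
            }
            /**
             * check the signature if contained in request.
             * if the request does not contain a signature
             * and the servlet is configured in the way
             * the a signature is required we send back
             * 'sigRequired' response.
             */
            if (m_log.isDebugEnabled()) {
                m_log.debug("Incoming OCSP request is signed : " + req.isSigned());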