} if (m_reqMustBeSigned) { if (!req.isSigned()) { String errMsg = intres.getLocalizedMessage("ocsp.errorunsignedreq"); m_log.error(errMsg); throw new SignRequestException(errMsg); } //GeneralName requestor = req.getRequestorName(); X509Certificate[] certs = req.getCerts("BC"); // We must find a cert to verify the signature with... boolean verifyOK = false; for (int i = 0; i < certs.length; i++) { if (req.verify(certs[i].getPublicKey(), "BC") == true) { verifyOK = true; break; } } if (!verifyOK) { String errMsg = intres.getLocalizedMessage("ocsp.errorinvalidsignature"); m_log.error(errMsg); throw new SignRequestSignatureException(errMsg); } } Req[] requests = req.getRequestList(); if (requests.length <= 0) { String errMsg = intres.getLocalizedMessage("ocsp.errornoreqentities"); m_log.error(errMsg); { // All this just so we can create an error response cacert = findCertificateBySubject(m_defaultResponderId, m_cacerts); } throw new MalformedRequestException(errMsg); } if (m_log.isDebugEnabled()) { m_log.debug("The OCSP request contains " + requests.length + " simpleRequests."); } // Add standard response extensions Hashtable responseExtensions = getStandardResponseExtensions(req); for (int i = 0; i < requests.length; i++) { CertificateID certId = requests[i].getCertID(); byte[] hashbytes = certId.getIssuerNameHash(); String hash = null; if (hashbytes != null) { hash = new String(Hex.encode(hashbytes)); } String infoMsg = intres.getLocalizedMessage("ocsp.inforeceivedrequest", certId.getSerialNumber().toString(16), hash); m_log.info(infoMsg); boolean unknownCA = false; // if the certId was issued by an unknown CA // The algorithm here: // We will sign the response with the CA that issued the first // certificate(certId) in the request. If the issuing CA is not available // on this server, we sign the response with the default responderId (from params in web.xml). 
// We have to look up the ca-certificate for each certId in the request though, as we will check // for revocation on the ca-cert as well when checking for revocation on the certId. try { cacert = findCAByHash(certId, m_cacerts); if (cacert == null) { // We could not find certificate for this request so get certificate for default responder cacert = findCertificateBySubject(m_defaultResponderId, m_cacerts); unknownCA = true; } } catch (OCSPException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorgencerthash"); m_log.error(errMsg, e); cacert = null; continue; } if (cacert == null) { String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacert", new String(Hex.encode(certId.getIssuerNameHash())), m_defaultResponderId); m_log.error(errMsg); continue; } if (unknownCA == true) { String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacertusedefault", new String(Hex.encode(certId.getIssuerNameHash()))); m_log.info(errMsg); // If we can not find the CA, answer UnknowStatus responseList.add(new OCSPResponseItem(certId, new UnknownStatus())); continue; } /* * Implement logic according to * chapter 2.7 in RFC2560 * * 2.7 CA Key Compromise * If an OCSP responder knows that a particular CA's private key has * been compromised, it MAY return the revoked state for all * certificates issued by that CA. 
*/ RevokedCertInfo rci; rci = isRevoked(m_adm, cacert.getIssuerDN().getName(), cacert.getSerialNumber()); if (null != rci && rci.getReason() == RevokedCertInfo.NOT_REVOKED) { rci = null; } CertificateStatus certStatus = null; // null mean good if (null == rci) { rci = isRevoked(m_adm, cacert.getSubjectDN().getName(), certId.getSerialNumber()); if (null == rci) { if (m_log.isDebugEnabled()) { m_log.debug("Unable to find revocation information for certificate with serial '" + certId.getSerialNumber().toString(16) + "'" + " from issuer '" + cacert.getSubjectDN().getName() + "'"); } infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", "unknown", certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName()); m_log.info(infoMsg); responseList.add(new OCSPResponseItem(certId, new UnknownStatus())); } else { BigInteger rciSerno = rci.getUserCertificate(); if (rciSerno.compareTo(certId.getSerialNumber()) == 0) { if (rci.getReason() != RevokedCertInfo.NOT_REVOKED) { certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(rci.getRevocationDate()), new CRLReason(rci.getReason()))); } else { certStatus = null; } String status = "good"; if (certStatus != null) { status ="revoked"; } infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", status, certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName()); m_log.info(infoMsg); responseList.add(new OCSPResponseItem(certId, certStatus)); } else { m_log.error("ERROR: Certificate serialNumber ("+rciSerno.toString(16)+") in response from database does not match request (" +certId.getSerialNumber().toString(16)+")."); infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", "unknown", certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName()); m_log.info(infoMsg); responseList.add(new OCSPResponseItem(certId, new UnknownStatus())); } } } else { certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(rci.getRevocationDate()), new 
CRLReason(rci.getReason()))); infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", "revoked", certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName()); m_log.info(infoMsg); responseList.add(new OCSPResponseItem(certId, certStatus)); } // Look for extension OIDs Iterator iter = m_extensionOids.iterator(); while (iter.hasNext()) { String oidstr = (String)iter.next(); DERObjectIdentifier oid = new DERObjectIdentifier(oidstr); X509Extensions reqexts = req.getRequestExtensions(); if (reqexts != null) { X509Extension ext = reqexts.getExtension(oid); if (null != ext) { // We found an extension, call the extenstion class if (m_log.isDebugEnabled()) { m_log.debug("Found OCSP extension oid: "+oidstr); } IOCSPExtension extObj = (IOCSPExtension)m_extensionMap.get(oidstr); if (extObj != null) { // Find the certificate from the certId X509Certificate cert = null; cert = (X509Certificate)findCertificateByIssuerAndSerno(m_adm, cacert.getSubjectDN().getName(), certId.getSerialNumber()); if (cert != null) { // Call the OCSP extension Hashtable retext = extObj.process(request, cert, certStatus); if (retext != null) { // Add the returned X509Extensions to the responseExtension we will add to the basic OCSP response responseExtensions.putAll(retext); } else { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessextension", extObj.getClass().getName(), new Integer(extObj.getLastErrorCode())); m_log.error(errMsg); } } } } } } } if ((req != null) && (cacert != null)) { // Add responseExtensions X509Extensions exts = new X509Extensions(responseExtensions); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(req, responseList, exts, cacert); ocspresp = res.generate(OCSPRespGenerator.SUCCESSFUL, basicresp); } else { String errMsg = intres.getLocalizedMessage("ocsp.errornocacreateresp"); m_log.error(errMsg); throw new ServletException(errMsg); } } catch (MalformedRequestException e) { String errMsg = 
intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.info(errMsg, e); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(req, null, null, cacert); ocspresp = res.generate(OCSPRespGenerator.MALFORMED_REQUEST, basicresp); } catch (SignRequestException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.info(errMsg, e); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(req, null, null, cacert); ocspresp = res.generate(OCSPRespGenerator.SIG_REQUIRED, basicresp); } catch (Exception e) { if (e instanceof ServletException) throw (ServletException) e; String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.error(errMsg, e); // generate the signed response object BasicOCSPResp basicresp = signOCSPResponse(req, null, null, cacert); ocspresp = res.generate(OCSPRespGenerator.INTERNAL_ERROR, basicresp); } byte[] respBytes = ocspresp.getEncoded(); response.setContentType("application/ocsp-response"); //response.setHeader("Content-transfer-encoding", "binary"); response.setContentLength(respBytes.length); response.getOutputStream().write(respBytes); response.getOutputStream().flush(); } catch (OCSPException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.error(errMsg, e); throw new ServletException(e); } catch (IllegalExtendedCAServiceRequestException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.error(errMsg, e); throw new ServletException(e); } catch (CADoesntExistsException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.error(errMsg, e); throw new ServletException(e); } catch (ExtendedCAServiceNotActiveException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.error(errMsg, e); throw new ServletException(e); } catch (ExtendedCAServiceRequestException e) { String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq"); m_log.error(errMsg, 
e); throw new ServletException(e); } if (m_log.isDebugEnabled()) { m_log.debug("<service()"); } }} // OCSPServlet