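package org.ejbca.core.protocol.ocsp;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.JCEECPublicKey;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.BasicOCSPRespGenerator;
import org.bouncycastle.ocsp.OCSPException;
import org.bouncycastle.ocsp.OCSPReq;
import org.bouncycastle.ocsp.RespID;
import org.ejbca.core.model.ca.NotSupportedException;
import org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAServiceRequest;
import org.ejbca.core.model.ca.catoken.CATokenConstants;

/**
 * Helpers for building and signing basic OCSP responses.
 *
 * <p>All methods are static and stateless apart from logging, so the class is safe to use
 * from several threads at once.
 */
public class OCSPUtil {

    private static final Logger m_log = Logger.getLogger(OCSPUtil.class);

    private OCSPUtil() {
        // utility class, not meant to be instantiated
    }

    /**
     * Creates a response generator for the given request and checks the request's optional
     * AcceptableResponses (id-pkix-ocsp-response) extension.
     *
     * @param req the OCSP request, must not be null
     * @param respondercert certificate whose public key identifies the responder, must not be null
     * @return a generator bound to the public key of {@code respondercert}
     * @throws OCSPException if the generator can not be created
     * @throws NotSupportedException if the request carries a well-formed AcceptableResponses
     *         extension that does not list id-pkix-ocsp-basic
     * @throws IllegalArgumentException if {@code req} or {@code respondercert} is null
     */
    public static BasicOCSPRespGenerator createOCSPResponse(OCSPReq req, X509Certificate respondercert) throws OCSPException, NotSupportedException {
        if (null == req) {
            throw new IllegalArgumentException("OCSP request must not be null");
        }
        if (null == respondercert) {
            throw new IllegalArgumentException("Responder certificate must not be null");
        }
        BasicOCSPRespGenerator res = new BasicOCSPRespGenerator(respondercert.getPublicKey());
        X509Extensions reqexts = req.getRequestExtensions();
        if (reqexts != null) {
            X509Extension ext = reqexts.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_response);
            if (null != ext) {
                checkAcceptableResponseTypes(ext);
            }
        }
        return res;
    }

    /**
     * Verifies that id-pkix-ocsp-basic is among the response types listed in the request's
     * AcceptableResponses extension.
     *
     * <p>The extension value comes from an unauthenticated client. Content that does not decode
     * as a SEQUENCE, or elements that are not OIDs, is therefore logged and treated as "no
     * restriction stated" instead of being allowed to abort request handling with an unchecked
     * exception. Only a well-formed list that omits the basic response type is rejected.
     *
     * @param ext the id-pkix-ocsp-response extension, never null
     * @throws NotSupportedException if the list is well-formed and lacks id-pkix-ocsp-basic
     */
    private static void checkAcceptableResponseTypes(X509Extension ext) throws NotSupportedException {
        ASN1OctetString oct = ext.getValue();
        if (oct == null) {
            m_log.debug("AcceptableResponses extension present but has no value; ignoring it.");
            return;
        }
        ASN1Sequence seq;
        try {
            ASN1InputStream asn1In = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
            try {
                seq = ASN1Sequence.getInstance(asn1In.readObject());
            } finally {
                asn1In.close();
            }
        } catch (IOException e) {
            // Previously swallowed silently; a malformed extension is a client problem, not a
            // responder failure, so it is recorded and the request is processed as if absent.
            m_log.debug("Could not decode AcceptableResponses extension, ignoring it: " + e.getMessage());
            return;
        } catch (IllegalArgumentException e) {
            // BC throws this when the decoded object is not a SEQUENCE.
            m_log.debug("AcceptableResponses extension is not a SEQUENCE, ignoring it: " + e.getMessage());
            return;
        }
        if (seq == null) {
            m_log.debug("AcceptableResponses extension decoded to nothing; ignoring it.");
            return;
        }
        boolean supportsResponseType = false;
        Enumeration<?> en = seq.getObjects();
        while (en.hasMoreElements()) {
            Object element = en.nextElement();
            // Skip anything that is not an OID instead of casting blindly (client-controlled data).
            if (!(element instanceof DERObjectIdentifier)) {
                continue;
            }
            DERObjectIdentifier oid = (DERObjectIdentifier) element;
            if (oid.equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic)) {
                supportsResponseType = true;
                m_log.debug("Response type supported: " + oid.getId());
            }
        }
        if (!supportsResponseType) {
            throw new NotSupportedException("Required response type not supported, this responder only supports id-pkix-ocsp-basic.");
        }
    }

    /**
     * Builds and signs a BasicOCSPResponse for the given service request.
     *
     * <p>Every item in the request's response list is added as a single response, the request's
     * response extensions (if any) are set, and the result is signed with {@code signerKey}
     * under {@code sigAlg} using the named provider. When debug logging is enabled the signed
     * response is additionally checked against the signer certificate (responder ID match and
     * signature verification) and mismatches are logged at error level; no exception is raised
     * for them.
     *
     * @param serviceReq the service request holding the OCSP request, response items and extensions, must not be null
     * @param sigAlg signature algorithm name passed to the response generator
     * @param signerCert certificate of the responder, used as responder ID and for the debug-time self-check
     * @param signerKey private key matching {@code signerCert}
     * @param provider JCE provider used for signing
     * @param chain certificate chain embedded in the response, may be null
     * @return the signed basic response
     * @throws NotSupportedException if the request demands a response type other than id-pkix-ocsp-basic
     * @throws OCSPException if the response can not be generated
     * @throws NoSuchProviderException if {@code provider} is unknown
     * @throws IllegalArgumentException if {@code serviceReq}, the embedded OCSP request or {@code signerCert} is null
     */
    public static BasicOCSPResp generateBasicOCSPResp(OCSPCAServiceRequest serviceReq, String sigAlg, X509Certificate signerCert, PrivateKey signerKey, String provider, X509Certificate[] chain)
            throws NotSupportedException, OCSPException, NoSuchProviderException, IllegalArgumentException {
        if (serviceReq == null) {
            throw new IllegalArgumentException("OCSP service request must not be null");
        }
        BasicOCSPRespGenerator basicRes = OCSPUtil.createOCSPResponse(serviceReq.getOCSPrequest(), signerCert);
        ArrayList<?> responses = serviceReq.getResponseList();
        if (responses != null) {
            for (Iterator<?> iter = responses.iterator(); iter.hasNext();) {
                OCSPResponseItem item = (OCSPResponseItem) iter.next();
                basicRes.addResponse(item.getCertID(), item.getCertStatus());
            }
        }
        X509Extensions exts = serviceReq.getExtensions();
        if (exts != null && exts.oids().hasMoreElements()) {
            basicRes.setResponseExtensions(exts);
        }

        BasicOCSPResp returnval = basicRes.generate(sigAlg, signerKey, chain, new Date(), provider);
        if (m_log.isDebugEnabled()) {
            // Debug-only self-check: costs an extra signature verification per response, so it is
            // deliberately not performed in normal operation.
            m_log.debug("Signing OCSP response with OCSP signer cert: " + signerCert.getSubjectDN().getName());
            RespID respId = new RespID(signerCert.getPublicKey());
            if (!returnval.getResponderId().equals(respId)) {
                m_log.error("Response responderId does not match signer certificate responderId!");
            }
            boolean verify = returnval.verify(signerCert.getPublicKey(), "BC");
            if (verify) {
                m_log.debug("The OCSP response is verifying.");
            } else {
                m_log.error("The response is NOT verifying!");
            }
        }
        return returnval;
    }

    /**
     * Picks the signature algorithm matching the signer's key type from a semicolon-separated
     * list of candidates.
     *
     * <p>RSA keys select an entry containing {@link CATokenConstants#KEYALGORITHM_RSA}, EC keys an
     * entry containing {@link CATokenConstants#KEYALGORITHM_ECDSA}. All entries are considered,
     * so a list with a single entry or with more than two entries works; when several entries
     * match, the last one wins (this keeps the selection identical to the earlier two-entry
     * behaviour).
     *
     * @param sigalgs candidate algorithm names separated by ';', e.g. "SHA1WithRSA;SHA1WithECDSA"; may be null
     * @param pk the public key whose type decides the selection; may be null
     * @return the selected algorithm name, or null if {@code sigalgs} is empty, the key type is
     *         neither RSA nor EC, or no entry matches the key type
     */
    public static String getSigningAlgFromAlgSelection(String sigalgs, PublicKey pk) {
        String sigAlg = null;
        String[] algs = StringUtils.split(sigalgs, ';');
        if ((algs != null) && (algs.length > 0)) {
            String keyAlg = null;
            if (pk instanceof RSAPublicKey) {
                keyAlg = CATokenConstants.KEYALGORITHM_RSA;
            } else if (pk instanceof JCEECPublicKey || pk instanceof ECPublicKey) {
                // Accept EC keys from any provider (e.g. a PKCS#11 HSM), not only BC's own class.
                keyAlg = CATokenConstants.KEYALGORITHM_ECDSA;
            }
            if (keyAlg != null) {
                for (int i = 0; i < algs.length; i++) {
                    if (StringUtils.contains(algs[i], keyAlg)) {
                        sigAlg = algs[i];
                    }
                }
            }
            m_log.debug("Using signature algorithm for response: " + sigAlg);
        }
        return sigAlg;
    }

}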