


1 package org.ejbca.core.protocol.ocsp;
2
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.JCEECPublicKey;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.BasicOCSPRespGenerator;
import org.bouncycastle.ocsp.OCSPException;
import org.bouncycastle.ocsp.OCSPReq;
import org.bouncycastle.ocsp.RespID;
import org.ejbca.core.model.ca.NotSupportedException;
import org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAServiceRequest;
import org.ejbca.core.model.ca.catoken.CATokenConstants;
33
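public class OCSPUtil {

    private static final Logger m_log = Logger.getLogger(OCSPUtil.class);

    /**
     * Creates a response generator for an OCSP request, honouring the
     * AcceptableResponses (id-pkix-ocsp-response) request extension when present.
     *
     * <p>The generator is keyed on the responder certificate's public key, which
     * becomes the ResponderID of the final response.
     *
     * @param req the OCSP request being answered, must not be null
     * @param respondercert the certificate whose key will sign the response, must not be null
     * @return an empty BasicOCSPRespGenerator ready to receive single responses
     * @throws IllegalArgumentException if req or respondercert is null
     * @throws NotSupportedException if the request carries a well-formed AcceptableResponses
     *         extension that does not list id-pkix-ocsp-basic, the only response type this
     *         responder produces
     * @throws OCSPException if the generator cannot be set up
     */
    public static BasicOCSPRespGenerator createOCSPResponse(OCSPReq req, X509Certificate respondercert) throws OCSPException, NotSupportedException {
        if (null == req) {
            throw new IllegalArgumentException("OCSP request must not be null");
        }
        if (null == respondercert) {
            throw new IllegalArgumentException("OCSP responder certificate must not be null");
        }
        BasicOCSPRespGenerator res = new BasicOCSPRespGenerator(respondercert.getPublicKey());
        X509Extensions reqexts = req.getRequestExtensions();
        if (reqexts != null) {
            X509Extension ext = reqexts.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_response);
            if (ext != null) {
                checkAcceptableResponses(ext);
            }
        }
        return res;
    }

    /**
     * Enforces the AcceptableResponses extension: the client lists the response types it
     * understands as a SEQUENCE OF OBJECT IDENTIFIER, and this responder only ever produces
     * id-pkix-ocsp-basic.
     *
     * <p>OCSP requests are unauthenticated, so a malformed extension is logged and ignored
     * (the client then receives a basic response it is free to reject) instead of escaping
     * as an unchecked decoding exception from request handling.
     *
     * @param ext the raw id-pkix-ocsp-response extension taken from the request
     * @throws NotSupportedException if the extension decodes cleanly but does not contain
     *         id-pkix-ocsp-basic
     */
    private static void checkAcceptableResponses(X509Extension ext) throws NotSupportedException {
        ASN1OctetString oct = ext.getValue();
        ASN1Sequence seq;
        try {
            seq = ASN1Sequence.getInstance(new ASN1InputStream(new ByteArrayInputStream(oct.getOctets())).readObject());
        } catch (IOException e) {
            m_log.info("Ignoring undecodable AcceptableResponses extension in OCSP request: " + e.getMessage());
            return;
        } catch (IllegalArgumentException e) {
            // ASN1Sequence.getInstance rejects encodings that are not a SEQUENCE
            m_log.info("Ignoring malformed AcceptableResponses extension in OCSP request: " + e.getMessage());
            return;
        }
        if (seq == null) {
            // readObject() yields null for an extension with no content
            m_log.info("Ignoring empty AcceptableResponses extension in OCSP request");
            return;
        }
        boolean supportsResponseType = false;
        Enumeration en = seq.getObjects();
        while (en.hasMoreElements()) {
            Object element = en.nextElement();
            if (!(element instanceof DERObjectIdentifier)) {
                // A non-OID member is a protocol violation; skip it rather than throw ClassCastException
                m_log.info("Skipping non-OID element in AcceptableResponses extension: " + element);
                continue;
            }
            DERObjectIdentifier oid = (DERObjectIdentifier) element;
            if (oid.equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic)) {
                // This is the response type we support, no need to look further
                supportsResponseType = true;
                m_log.debug("Response type supported: " + oid.getId());
                break;
            }
        }
        if (!supportsResponseType) {
            throw new NotSupportedException("Required response type not supported, this responder only supports id-pkix-ocsp-basic.");
        }
    }

    /**
     * Builds and signs a BasicOCSPResponse for a service request.
     *
     * <p>The single responses and response extensions are taken from the service request;
     * producedAt is the time of signing. When debug logging is enabled the signed response
     * is additionally self-checked (ResponderID and signature) and any inconsistency is
     * logged at error level; this check is diagnostic only and does not withhold the response.
     *
     * @param serviceReq the request holding the OCSP request, the per-certificate statuses and
     *        any response extensions, must not be null
     * @param sigAlg signature algorithm name to sign with, e.g. SHA1WithRSA
     * @param signerCert the OCSP signer certificate, whose key becomes the ResponderID
     * @param signerKey private key matching signerCert
     * @param provider JCE provider name used for signing
     * @param chain certificates to embed in the response
     * @return the signed basic response
     * @throws IllegalArgumentException if serviceReq, its OCSP request or signerCert is null
     * @throws NotSupportedException if the client only accepts response types other than basic
     * @throws OCSPException if generation or the debug self-verification fails
     * @throws NoSuchProviderException if the signing provider is not installed
     */
    public static BasicOCSPResp generateBasicOCSPResp(OCSPCAServiceRequest serviceReq, String sigAlg, X509Certificate signerCert, PrivateKey signerKey, String provider, X509Certificate[] chain)
    throws NotSupportedException, OCSPException, NoSuchProviderException, IllegalArgumentException {
        if (serviceReq == null) {
            throw new IllegalArgumentException("OCSP service request must not be null");
        }
        // Validates the AcceptableResponses extension before any status is added
        BasicOCSPRespGenerator basicRes = OCSPUtil.createOCSPResponse(serviceReq.getOCSPrequest(), signerCert);
        ArrayList responses = serviceReq.getResponseList();
        if (responses != null) {
            for (Iterator iter = responses.iterator(); iter.hasNext();) {
                OCSPResponseItem item = (OCSPResponseItem) iter.next();
                basicRes.addResponse(item.getCertID(), item.getCertStatus());
            }
        }
        X509Extensions exts = serviceReq.getExtensions();
        if (exts != null && exts.oids().hasMoreElements()) {
            basicRes.setResponseExtensions(exts);
        }
        if (m_log.isDebugEnabled()) {
            m_log.debug("Signing OCSP response with OCSP signer cert: " + signerCert.getSubjectDN().getName());
        }
        BasicOCSPResp returnval = basicRes.generate(sigAlg, signerKey, chain, new Date(), provider);
        if (m_log.isDebugEnabled()) {
            // Diagnostic self-check only: report, but never suppress, an inconsistent response
            RespID respId = new RespID(signerCert.getPublicKey());
            if (!returnval.getResponderId().equals(respId)) {
                m_log.error("Response responderId does not match signer certificate responderId!");
            }
            if (returnval.verify(signerCert.getPublicKey(), "BC")) {
                m_log.debug("The OCSP response is verifying.");
            } else {
                m_log.error("The response is NOT verifying!");
            }
        }
        return returnval;
    }

    /**
     * Picks the signature algorithm to sign with from a ';'-separated preference list,
     * matching the key type of the signer's public key.
     *
     * <p>Entries are tried in list order and the first one compatible with the key wins:
     * an RSA key takes the first entry whose name contains "RSA", an EC key the first entry
     * whose name contains "ECDSA". A list with a single entry is honoured, and entries beyond
     * the second are no longer ignored.
     *
     * @param sigalgs the candidate algorithms in preference order, ';'-separated,
     *        e.g. "SHA1WithRSA;SHA1WithECDSA"; may be null or empty
     * @param pk public key of the signer, used to choose between RSA and ECDSA entries
     * @return the selected algorithm name, e.g. SHA1WithRSA or SHA1WithECDSA, or null when
     *         no entry is compatible with the key (including a null or empty list, or a key
     *         that is neither RSA nor EC)
     */
    public static String getSigningAlgFromAlgSelection(String sigalgs, PublicKey pk) {
        String keyalg = null;
        if (pk instanceof RSAPublicKey) {
            keyalg = CATokenConstants.KEYALGORITHM_RSA;
        } else if (pk instanceof ECPublicKey || pk instanceof JCEECPublicKey) {
            // Test the JCA interface as well as BouncyCastle's class so EC keys handed out by
            // another provider (e.g. a PKCS#11 token) are recognised too
            keyalg = CATokenConstants.KEYALGORITHM_ECDSA;
        }
        String sigAlg = null;
        String[] algs = StringUtils.split(sigalgs, ';');
        if (keyalg != null && algs != null) {
            for (int i = 0; i < algs.length; i++) {
                if (StringUtils.contains(algs[i], keyalg)) {
                    sigAlg = algs[i];
                    break;
                }
            }
        }
        m_log.debug("Using signature algorithm for response: " + sigAlg);
        return sigAlg;
    }

}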
145