sun.security.x509.PKIXExtensions Java Examples

Example #1
Source file: StatusResponseManager.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Obtain the URI used by the {@code StatusResponseManager} during lookups.
 * Three sources are consulted, in order: an OCSP NoCheck extension on the
 * certificate (which suppresses OCSP entirely), the configured default
 * responder when override mode is on, and finally the responder named by
 * the certificate's AIA extension with the default responder as fallback.
 *
 * @param cert the subject to get the responder URI from
 *
 * @return a {@code URI} containing the address to the OCSP responder, or
 *      {@code null} if the certificate carries the OCSP NoCheck extension,
 *      or if no AIA extension exists in the certificate and no default
 *      responder has been configured.
 *
 * @throws NullPointerException if {@code cert} is {@code null}.
 */
URI getURI(X509Certificate cert) {
    Objects.requireNonNull(cert);

    // id-pkix-ocsp-nocheck (RFC 6960): the certificate declares that its
    // revocation status is not to be checked via OCSP.
    String noCheckOid = PKIXExtensions.OCSPNoCheck_Id.toString();
    if (cert.getExtensionValue(noCheckOid) != null) {
        debugLog("OCSP NoCheck extension found.  OCSP will be skipped");
        return null;
    }

    // Override mode: the configured responder wins over anything in the cert.
    if (respOverride && defaultResponder != null) {
        debugLog("Responder override: URI is " + defaultResponder);
        return defaultResponder;
    }

    // Otherwise prefer the responder from the certificate's AIA extension,
    // falling back to the default (which may itself be null).
    URI aiaResponder = OCSP.getResponderURI(cert);
    return aiaResponder == null ? defaultResponder : aiaResponder;
}
 
Example #2
Source file: StatusResponseManager.java, from openjsse (GNU General Public License v2.0)
/**
 * Obtain the URI used by the {@code StatusResponseManager} during
 * lookups.
 *
 * Three sources are consulted, in order: an OCSP NoCheck extension on
 * the certificate (which suppresses OCSP entirely), the configured
 * default responder when override mode is on, and finally the responder
 * named by the certificate's AIA extension with the default responder
 * as fallback.
 *
 * @param cert the subject to get the responder URI from
 *
 * @return a {@code URI} containing the address to the OCSP responder,
 *      or {@code null} if the certificate carries the OCSP NoCheck
 *      extension, or if no AIA extension exists in the certificate
 *      and no default responder has been configured.
 *
 * @throws NullPointerException if {@code cert} is {@code null}.
 */
URI getURI(X509Certificate cert) {
    Objects.requireNonNull(cert);
    boolean logging = SSLLogger.isOn && SSLLogger.isOn("respmgr");

    // id-pkix-ocsp-nocheck (RFC 6960): the certificate declares that its
    // revocation status is not to be checked via OCSP.
    String noCheckOid = PKIXExtensions.OCSPNoCheck_Id.toString();
    if (cert.getExtensionValue(noCheckOid) != null) {
        if (logging) {
            SSLLogger.fine(
                "OCSP NoCheck extension found.  OCSP will be skipped");
        }
        return null;
    }

    // Override mode: the configured responder wins over anything in the cert.
    if (respOverride && defaultResponder != null) {
        if (logging) {
            SSLLogger.fine(
                "Responder override: URI is " + defaultResponder);
        }
        return defaultResponder;
    }

    // Otherwise prefer the responder from the certificate's AIA extension,
    // falling back to the default (which may itself be null).
    URI aiaResponder = OCSP.getResponderURI(cert);
    return aiaResponder == null ? defaultResponder : aiaResponder;
}
 
Example #3
Source file: OCSPNonceExtension.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Create an {@code OCSPNonceExtension} holding a freshly generated random
 * nonce of the given length and the given criticality setting.  The OID
 * for the extension is "id-pkix-ocsp-nonce" from RFC 6960.
 *
 * @param isCritical a boolean flag indicating whether the criticality bit
 *      is set for this extension
 * @param length the number of random bytes composing the nonce; must be
 *      greater than zero
 *
 * @throws IOException if any errors happen during encoding of the
 *      extension.
 * @throws IllegalArgumentException if length is not a positive integer.
 */
public OCSPNonceExtension(boolean isCritical, int length)
        throws IOException {
    // NOTE(review): RFC 8954 bounds an OCSP nonce to 1..32 octets; only
    // the lower bound is enforced here - confirm callers stay within it.
    if (length <= 0) {
        throw new IllegalArgumentException(
                "Length must be a positive integer");
    }

    this.extensionId = PKIXExtensions.OCSPNonce_Id;
    this.critical = isCritical;

    // The nonce is unpredictability-critical (it binds a response to this
    // request), so it is drawn from a cryptographically strong source.
    byte[] randomBytes = new byte[length];
    new SecureRandom().nextBytes(randomBytes);
    this.nonceData = randomBytes;
    this.extensionValue =
            new DerValue(DerValue.tag_OctetString, randomBytes).toByteArray();
}
 
Example #4
Source file: OCSPNonceExtension.java, from Bytecoder (Apache License 2.0)
/**
 * Create an {@code OCSPNonceExtension} holding a freshly generated random
 * nonce of the given length and the given criticality setting.  The OID
 * for the extension is "id-pkix-ocsp-nonce" from RFC 6960.
 *
 * @param isCritical a boolean flag indicating whether the criticality bit
 *      is set for this extension
 * @param length the number of random bytes composing the nonce; must be
 *      greater than zero
 *
 * @throws IOException if any errors happen during encoding of the
 *      extension.
 * @throws IllegalArgumentException if length is not a positive integer.
 */
public OCSPNonceExtension(boolean isCritical, int length)
        throws IOException {
    // NOTE(review): RFC 8954 bounds an OCSP nonce to 1..32 octets; only
    // the lower bound is enforced here - confirm callers stay within it.
    if (length <= 0) {
        throw new IllegalArgumentException(
                "Length must be a positive integer");
    }

    this.extensionId = PKIXExtensions.OCSPNonce_Id;
    this.critical = isCritical;

    // The nonce binds a response to this request, so it must be
    // unpredictable: use a cryptographically strong generator.
    SecureRandom strongRng = new SecureRandom();
    byte[] freshNonce = new byte[length];
    strongRng.nextBytes(freshNonce);
    this.nonceData = freshNonce;
    this.extensionValue =
            new DerValue(DerValue.tag_OctetString, freshNonce).toByteArray();
}
 
Example #5
Source file: StatusResponseManager.java, from Bytecoder (Apache License 2.0)
/**
 * Obtain the URI used by the {@code StatusResponseManager} during
 * lookups.
 *
 * Three sources are consulted, in order: an OCSP NoCheck extension on
 * the certificate (which suppresses OCSP entirely), the configured
 * default responder when override mode is on, and finally the responder
 * named by the certificate's AIA extension with the default responder
 * as fallback.
 *
 * @param cert the subject to get the responder URI from
 *
 * @return a {@code URI} containing the address to the OCSP responder,
 *      or {@code null} if the certificate carries the OCSP NoCheck
 *      extension, or if no AIA extension exists in the certificate
 *      and no default responder has been configured.
 *
 * @throws NullPointerException if {@code cert} is {@code null}.
 */
URI getURI(X509Certificate cert) {
    Objects.requireNonNull(cert);
    boolean logging = SSLLogger.isOn && SSLLogger.isOn("respmgr");

    // id-pkix-ocsp-nocheck (RFC 6960): the certificate declares that its
    // revocation status is not to be checked via OCSP.
    String noCheckOid = PKIXExtensions.OCSPNoCheck_Id.toString();
    if (cert.getExtensionValue(noCheckOid) != null) {
        if (logging) {
            SSLLogger.fine(
                "OCSP NoCheck extension found.  OCSP will be skipped");
        }
        return null;
    }

    // Override mode: the configured responder wins over anything in the cert.
    if (respOverride && defaultResponder != null) {
        if (logging) {
            SSLLogger.fine(
                "Responder override: URI is " + defaultResponder);
        }
        return defaultResponder;
    }

    // Otherwise prefer the responder from the certificate's AIA extension,
    // falling back to the default (which may itself be null).
    URI aiaResponder = OCSP.getResponderURI(cert);
    return aiaResponder == null ? defaultResponder : aiaResponder;
}
 
Example #6
Source file: SimpleOCSPServer.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Set the response extensions based on the request extensions
 * that were received.  Right now the only request extension echoed
 * back is the OCSP nonce; every other request extension is ignored.
 *
 * @param reqExts a {@code Map} of zero or more request extensions, keyed
 *      by extension OID in {@code String} form; may be {@code null}
 *
 * @return a {@code Map} of zero or more response extensions, keyed
 * by the extension object identifier in {@code String} form.  Never
 * {@code null}; empty when no nonce was requested.
 */
private Map<String, Extension> setResponseExtensions(
        Map<String, Extension> reqExts) {
    Map<String, Extension> respExts = new HashMap<>();
    if (reqExts == null) {
        return respExts;
    }

    // The nonce is copied back unchanged so the client can bind this
    // response to its own request (RFC 6960, id-pkix-ocsp-nonce).
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (String extId : reqExts.keySet()) {
        if (!extId.equals(nonceOid)) {
            continue;
        }
        Extension nonceExt = reqExts.get(extId);
        if (nonceExt == null) {
            log("Error: Found nonce entry, but found null " +
                    "value.  Skipping");
            continue;
        }
        respExts.put(extId, nonceExt);
        log("Added OCSP Nonce to response");
    }

    return respExts;
}
 
Example #7
Source file: OCSP.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #8
Source file: StatusResponseManager.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Check the cache for a given {@code CertId}.
 *
 * A request that carries an OCSP nonce can never be served from the
 * cache: a cached response was produced for a different (or no) nonce,
 * so the lookup is skipped and the caller must fetch a fresh response.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, if its nextUpdate time has
 *      already passed, or if a nonce extension has been requested by
 *      the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension reqExt : ocspRequest.getExtensions()) {
        if (reqExt.getId().equals(nonceOid)) {
            debugLog("Nonce extension found, skipping cache check");
            return null;
        }
    }

    ResponseCacheEntry cached = responseCache.get(cid);

    // A response whose nextUpdate has passed is stale even if the cache
    // has not yet expired it.  It is reported as a miss; note that this
    // method does not remove the entry from responseCache itself.
    boolean stale = cached != null
            && cached.nextUpdate != null
            && cached.nextUpdate.before(new Date());
    if (stale) {
        debugLog("nextUpdate threshold exceeded, purging from cache");
        cached = null;
    }

    String outcome = cached != null ? "HIT" : "MISS";
    debugLog("Check cache for SN" + cid.getSerialNumber() + ": " + outcome);
    return cached;
}
 
Example #9
Source file: OCSP.java, from Bytecoder (Apache License 2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #10
Source file: StatusResponseManager.java, from Bytecoder (Apache License 2.0)
/**
 * Check the cache for a given {@code CertId}.
 *
 * A request that carries an OCSP nonce can never be served from the
 * cache: a cached response was produced for a different (or no) nonce,
 * so the lookup is skipped and the caller must fetch a fresh response.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, if its nextUpdate time has
 *      already passed, or if a nonce extension has been requested by
 *      the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    boolean logging = SSLLogger.isOn && SSLLogger.isOn("respmgr");

    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension reqExt : ocspRequest.extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            if (logging) {
                SSLLogger.fine(
                        "Nonce extension found, skipping cache check");
            }
            return null;
        }
    }

    ResponseCacheEntry cached = responseCache.get(cid);

    // A response whose nextUpdate has passed is stale even if the cache
    // has not yet expired it.  It is reported as a miss; note that this
    // method does not remove the entry from responseCache itself.
    boolean stale = cached != null
            && cached.nextUpdate != null
            && cached.nextUpdate.before(new Date());
    if (stale) {
        if (logging) {
            SSLLogger.fine(
                "nextUpdate threshold exceeded, purging from cache");
        }
        cached = null;
    }

    if (logging) {
        String outcome = cached != null ? "HIT" : "MISS";
        SSLLogger.fine(
                "Check cache for SN" + cid.getSerialNumber() + ": " + outcome);
    }
    return cached;
}
 
Example #11
Source file: OCSP.java, from openjdk-jdk8u-backup (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #12
Source file: OCSPNonceExtensionTests.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Sanity-check the DER encoding of an OCSP nonce {@code Extension}: a
 * SEQUENCE of an OID (which must be id-pkix-ocsp-nonce), an optional
 * BOOLEAN criticality flag, and an OCTET STRING extnValue whose content
 * is itself an OCTET STRING holding the nonce bytes.
 *
 * @param derData the DER-encoded extension to inspect
 *
 * @throws IOException if the data cannot be decoded as the structure above
 * @throws RuntimeException if the SEQUENCE has the wrong number of items
 *      or the OID is not the OCSP nonce OID
 */
public static void verifyExtStructure(byte[] derData) throws IOException {
    debuglog("verifyASN1Extension() received " + derData.length + " bytes");
    DerValue[] items = new DerInputStream(derData).getSequence(3);
    debuglog("Found sequence containing " + items.length + " elements");

    // Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE,
    // extnValue }; in DER the default is omitted, so the encoding holds
    // either two items (no flag) or three (flag present).
    boolean hasCriticalFlag;
    switch (items.length) {
        case 2:
            hasCriticalFlag = false;
            break;
        case 3:
            hasCriticalFlag = true;
            break;
        default:
            throw new RuntimeException("Incorrect number of items found in " +
                    "the SEQUENCE (Got " + items.length +
                    ", expected 2 or 3 items)");
    }

    ObjectIdentifier extOid = items[0].getOID();
    debuglog("Found OID: " + extOid.toString());
    if (!extOid.equals((Object)PKIXExtensions.OCSPNonce_Id)) {
        throw new RuntimeException("Incorrect OID (Got " +
                extOid.toString() + ", expected " +
                PKIXExtensions.OCSPNonce_Id.toString() + ")");
    }

    if (hasCriticalFlag) {
        // A present flag carries the non-default setting; read it to
        // confirm it decodes as a BOOLEAN at index 1.
        boolean isCrit = items[1].getBoolean();
        debuglog("Found BOOLEAN (critical): " + isCrit);
    }

    // extnValue is always the last item: an OCTET STRING wrapping the
    // nonce's own OCTET STRING of random bytes.
    DerValue extnValue = new DerValue(items[items.length - 1].getOctetString());
    byte[] nonceData = extnValue.getOctetString();
    debuglog("Found " + nonceData.length + " bytes of nonce data");
}
 
Example #13
Source file: OCSP.java, from openjdk-jdk8u (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #14
Source file: OCSP.java, from jdk8u_jdk (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #15
Source file: OCSP.java, from TencentKona-8 (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #16
Source file: OCSP.java, from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the response is parsed
 * and then verified against the issuer, the responder certificate, the
 * validity date and (if one was sent) the request nonce.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through unchanged to
 *    {@code OCSPResponse.verify}
 * @return the verified OCSPResponse
 * @throws IOException declared for API compatibility; every I/O failure
 *    raised inside this method is caught and re-thrown as a
 *    {@code CertPathValidatorException}
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response, or if
 *    the responder could not be reached or its reply could not be parsed
 *    (reason {@code UNDETERMINED_REVOCATION_STATUS})
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce we are about to send so verify() can insist the
    // response echoes it (replay protection).  If several nonce
    // extensions are present, the last one wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] sentNonce = null;
    for (Extension reqExt : extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            sentNonce = reqExt.getValue();
        }
    }

    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        OCSPResponse parsed = new OCSPResponse(rawResponse);
        // Signature, responder authorization, dates and nonce are all
        // checked here; an unverified response is never returned.
        parsed.verify(certIds, issuerInfo, responderCert, date,
                sentNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Network failures and unparseable replies both end up here; the
        // status is reported as undetermined rather than good or revoked.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
 
Example #17
Source file: StatusResponseManager.java, from openjsse (GNU General Public License v2.0)
/**
 * Check the cache for a given {@code CertId}.
 *
 * A request that carries an OCSP nonce can never be served from the
 * cache: a cached response was produced for a different (or no) nonce,
 * so the lookup is skipped and the caller must fetch a fresh response.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, if its nextUpdate time has
 *      already passed, or if a nonce extension has been requested by
 *      the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    boolean logging = SSLLogger.isOn && SSLLogger.isOn("respmgr");

    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension reqExt : ocspRequest.extensions) {
        if (reqExt.getId().equals(nonceOid)) {
            if (logging) {
                SSLLogger.fine(
                        "Nonce extension found, skipping cache check");
            }
            return null;
        }
    }

    ResponseCacheEntry cached = responseCache.get(cid);

    // A response whose nextUpdate has passed is stale even if the cache
    // has not yet expired it.  It is reported as a miss; note that this
    // method does not remove the entry from responseCache itself.
    boolean stale = cached != null
            && cached.nextUpdate != null
            && cached.nextUpdate.before(new Date());
    if (stale) {
        if (logging) {
            SSLLogger.fine(
                "nextUpdate threshold exceeded, purging from cache");
        }
        cached = null;
    }

    if (logging) {
        String outcome = cached != null ? "HIT" : "MISS";
        SSLLogger.fine(
                "Check cache for SN" + cid.getSerialNumber() + ": " + outcome);
    }
    return cached;
}
 
Example #18
Source file: OCSPNonceExtension.java, from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Create an {@code OCSPNonceExtension} from caller-supplied nonce bytes
 * and a criticality setting.  The OID for the extension is
 * "id-pkix-ocsp-nonce" from RFC 6960.  The supplied array is copied, so
 * later changes made by the caller do not affect the extension.
 *
 * @param isCritical a boolean flag indicating whether the criticality bit
 *      is set for this extension
 * @param incomingNonce The nonce data to be set for the extension.  This
 *      must be a non-null array of at least one byte long.
 *
 * @throws IOException if any errors happen during encoding of the
 *      extension.
 * @throws IllegalArgumentException if the incomingNonce length is not a
 *      positive integer.
 * @throws NullPointerException if the incomingNonce is null.
 */
public OCSPNonceExtension(boolean isCritical, byte[] incomingNonce)
        throws IOException {
    Objects.requireNonNull(incomingNonce, "Nonce data must be non-null");
    // NOTE(review): RFC 8954 bounds an OCSP nonce to 1..32 octets; only
    // the lower bound is enforced here - confirm callers stay within it.
    if (incomingNonce.length == 0) {
        throw new IllegalArgumentException(
                "Nonce data must be at least 1 byte in length");
    }

    this.extensionId = PKIXExtensions.OCSPNonce_Id;
    this.critical = isCritical;

    // Defensive copy: the caller keeps its own reference and must not be
    // able to alter the nonce after the extension has been built.
    byte[] ownedNonce = incomingNonce.clone();
    this.nonceData = ownedNonce;
    this.extensionValue =
            new DerValue(DerValue.tag_OctetString, ownedNonce).toByteArray();
}
 
Example #19
Source File: OCSPRequest.java    From jdk8u_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}
 
Example #20
Source File: OCSPRequest.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}
 
Example #21
Source File: OCSPNonceExtension.java    From Bytecoder with Apache License 2.0 4 votes vote down vote up
/**
 * Creates an {@code OCSPNonceExtension} carrying the supplied nonce bytes.
 * The extension OID is {@code PKIXExtensions.OCSPNonce_Id}
 * (id-pkix-ocsp-nonce, RFC 6960) and the extension value is the nonce
 * wrapped as a DER OCTET STRING.
 *
 * @param isCritical whether the criticality bit of this extension is set
 * @param incomingNonce the nonce bytes; copied defensively, must be
 *      non-null and at least one byte long
 *
 * @throws IOException if DER encoding of the extension value fails
 * @throws IllegalArgumentException if {@code incomingNonce} is empty
 * @throws NullPointerException if {@code incomingNonce} is {@code null}
 */
public OCSPNonceExtension(boolean isCritical, byte[] incomingNonce)
        throws IOException {
    // Validate the input before touching any state.
    Objects.requireNonNull(incomingNonce, "Nonce data must be non-null");
    if (incomingNonce.length == 0) {
        throw new IllegalArgumentException(
                "Nonce data must be at least 1 byte in length");
    }

    this.extensionId = PKIXExtensions.OCSPNonce_Id;
    this.critical = isCritical;
    // Copy so a later change to the caller's array cannot alter the nonce
    // this extension was encoded with.
    this.nonceData = incomingNonce.clone();
    this.extensionValue = new DerValue(DerValue.tag_OctetString,
            nonceData).toByteArray();
}
 
Example #22
Source File: OCSPRequest.java    From Bytecoder with Apache License 2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}
 
Example #23
Source File: OCSPRequest.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}
 
Example #24
Source File: OCSPRequest.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}
 
Example #25
Source File: OCSPRequest.java    From TencentKona-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}
 
Example #26
Source File: OCSPRequest.java    From dragonwell8_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}: a
 * {@code tbsRequest} holding the SEQUENCE of per-certificate requests and,
 * when any are present, the request extensions under context tag [2].
 *
 * <p>Side effect: while writing the extensions, the value of the
 * {@code id-pkix-ocsp-nonce} extension (if present) is stored in the
 * {@code nonce} field; how the caller uses it is not visible here.  When
 * {@code dump} is enabled a hex dump of the result is written to
 * {@code debug}.
 *
 * @return the DER bytes of the request; no signature is included
 * @throws IOException if any part of the DER encoding fails
 */
byte[] encodeBytes() throws IOException {
    // requestList: one SEQUENCE per CertId
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream single = new DerOutputStream();
        id.encode(single);
        requestList.write(DerValue.tag_Sequence, single);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream encodedExts = new DerOutputStream();
        for (Extension e : extensions) {
            e.encode(encodedExts);
            // Remember the nonce that went out with this request.
            if (e.getId().equals(nonceOid)) {
                nonce = e.getValue();
            }
        }
        DerOutputStream extSeq = new DerOutputStream();
        extSeq.write(DerValue.tag_Sequence, encodedExts);
        // requestExtensions is [2] EXPLICIT in the TBSRequest structure.
        byte extTag = DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2);
        tbsBody.write(extTag, extSeq);
    }

    DerOutputStream tbs = new DerOutputStream();
    tbs.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is omitted.
    DerOutputStream outer = new DerOutputStream();
    outer.write(DerValue.tag_Sequence, tbs);
    byte[] encoded = outer.toByteArray();

    if (dump) {
        String hex = new HexDumpEncoder().encode(encoded);
        debug.println("OCSPRequest bytes...\n\n" + hex + "\n");
    }

    return encoded;
}