org.bouncycastle.cert.ocsp.OCSPResp Java Examples
The following examples show how to use
org.bouncycastle.cert.ocsp.OCSPResp.
Example #1
Source File: SFTrustManager.java From snowflake-jdbc with Apache License 2.0 | 6 votes |
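/**
 * OCSP Response Utils: encodes an OCSP response as a Base64 string.
 *
 * @param ocspResp the response to encode; may be {@code null}
 * @return the Base64 form of the DER encoding, or {@code null} when the
 *         argument is {@code null} or the response cannot be encoded
 */
private String ocspResponseToB64(OCSPResp ocspResp) {
  if (ocspResp == null) {
    return null;
  }
  try {
    return Base64.encodeBase64String(ocspResp.getEncoded());
  } catch (IOException | RuntimeException ex) {
    // Best-effort conversion: callers treat null as "nothing to cache".
    // Narrowed from Throwable so that Errors (OOM, linkage failures) are no
    // longer swallowed, and the cause is logged so the failure is diagnosable.
    LOGGER.debug("Could not convert OCSP Response to Base64", ex);
    return null;
  }
}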
Example #2
Source File: DSSDictionaryExtractionUtils.java From dss with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Reads every OCSP response referenced from the {@code arrayName} entry of a
 * PDF dictionary and returns them keyed by PDF object number. An object number
 * that appears more than once is parsed only the first time; entries that
 * cannot be parsed are logged at debug level and skipped.
 *
 * @param dict the PDF dictionary holding the array
 * @param dictionaryName the dictionary name, used for logging only
 * @param arrayName the name of the array entry inside {@code dict}
 * @return a mutable map from object number to basic OCSP response; empty when
 *         the array is absent
 */
public static Map<Long, BasicOCSPResp> getOCSPsFromArray(PdfDict dict, String dictionaryName, String arrayName) {
  final Map<Long, BasicOCSPResp> result = new HashMap<>();
  final PdfArray ocsps = dict.getAsArray(arrayName);
  if (ocsps == null) {
    LOG.debug("No OCSPs found in the '{}' dictionary", dictionaryName);
    return result;
  }
  LOG.debug("There are {} OCSPs in the '{}' dictionary", ocsps.size(), dictionaryName);
  for (int idx = 0; idx < ocsps.size(); idx++) {
    try {
      final long objectNumber = ocsps.getObjectNumber(idx);
      if (result.containsKey(objectNumber)) {
        continue;
      }
      final OCSPResp wrapped = new OCSPResp(ocsps.getBytes(idx));
      // getResponseObject() is untyped; the cast fails (and is logged below)
      // when the embedded response is not a BasicOCSPResp.
      result.put(objectNumber, (BasicOCSPResp) wrapped.getResponseObject());
    } catch (Exception e) {
      LOG.debug("Unable to read OCSP '{}' from the '{}' dictionary : {}", idx, dictionaryName, e.getMessage(), e);
    }
  }
  return result;
}
Example #3
Source File: PAdESOCSPSource.java From dss with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Collects the OCSP responses embedded in the Adobe revocation-info archival
 * attribute ({@code adbe_revocationInfoArchival}) of the given attribute table
 * and registers each one with origin {@code ADBE_REVOCATION_INFO_ARCHIVAL}.
 * A response that cannot be unwrapped is logged at warn level and skipped.
 *
 * @param attributes the attribute table to inspect
 */
private void collectOCSPArchivalValues(AttributeTable attributes) {
  final ASN1Encodable archivalValue = DSSASN1Utils.getAsn1Encodable(attributes, OID.adbe_revocationInfoArchival);
  if (archivalValue == null) {
    return;
  }
  final RevocationInfoArchival archival = PAdESUtils.getRevocationInfoArchivals(archivalValue);
  if (archival == null) {
    return;
  }
  for (final OCSPResponse response : archival.getOcspVals()) {
    final OCSPResp wrapped = new OCSPResp(response);
    try {
      final BasicOCSPResp basic = (BasicOCSPResp) wrapped.getResponseObject();
      addBinary(OCSPResponseBinary.build(basic), RevocationOrigin.ADBE_REVOCATION_INFO_ARCHIVAL);
    } catch (OCSPException e) {
      LOG.warn("Error while extracting OCSPResponse from Revocation Info Archivals (ADBE) : {}", e.getMessage());
    }
  }
}
Example #4
Source File: CMSOCSPSource.java From dss with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Registers every OCSP response carried in the CMS {@code id_ri_ocsp_response}
 * "other revocation info" entries of the signed data. Each entry is expected
 * to be an {@code ASN1Sequence}: a 4-element sequence is read directly as a
 * basic response, anything else is read as a full OCSPResponse and unwrapped.
 * Entries of any other type are logged at warn level and ignored.
 */
private void addBasicOcspRespFrom_id_ri_ocsp_response() {
  final Store revocationInfoStore = cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);
  final Collection candidates = revocationInfoStore.getMatches(null);
  for (final Object candidate : candidates) {
    if (!(candidate instanceof ASN1Sequence)) {
      LOG.warn("Unsupported object type for id_ri_ocsp_response (SHALL be an ASN1Sequence) : {}", candidate.getClass().getSimpleName());
      continue;
    }
    final ASN1Sequence sequence = (ASN1Sequence) candidate;
    final BasicOCSPResp basicResp = sequence.size() == 4
        ? DSSRevocationUtils.getBasicOcspResp(sequence)
        : DSSRevocationUtils.fromRespToBasic(DSSRevocationUtils.getOcspResp(sequence));
    final OCSPResponseBinary binary = OCSPResponseBinary.build(basicResp);
    binary.setAsn1ObjectIdentifier(CMSObjectIdentifiers.id_ri_ocsp_response);
    addBinary(binary, RevocationOrigin.CMS_SIGNED_DATA);
  }
}
Example #5
Source File: JdbcCacheOCSPSource.java From dss with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Rebuilds an {@code OCSPToken} from a cache row: the raw OCSP response bytes
 * (column {@code SQL_FIND_QUERY_DATA}) and the URL the response was fetched
 * from (column {@code SQL_FIND_QUERY_LOC}). The token is marked with origin
 * {@code CACHED}.
 *
 * @param rs the result-set positioned on the cached row
 * @param certificateToken the certificate the response is for
 * @param issuerCert the issuer of {@code certificateToken}
 * @return the reconstructed token
 * @throws RevocationException if the row cannot be read or the bytes are not a
 *         valid OCSP response
 */
@Override
protected OCSPToken buildRevocationTokenFromResult(ResultSet rs, CertificateToken certificateToken, CertificateToken issuerCert) {
  try {
    final byte[] encodedResponse = rs.getBytes(SQL_FIND_QUERY_DATA);
    final String sourceUrl = rs.getString(SQL_FIND_QUERY_LOC);
    final BasicOCSPResp basic = (BasicOCSPResp) new OCSPResp(encodedResponse).getResponseObject();
    final SingleResp single = DSSRevocationUtils.getLatestSingleResponse(basic, certificateToken, issuerCert);
    final OCSPToken token = new OCSPToken(basic, single, certificateToken, issuerCert);
    token.setSourceURL(sourceUrl);
    token.setExternalOrigin(RevocationOrigin.CACHED);
    return token;
  } catch (SQLException | IOException | OCSPException e) {
    // NOTE(review): the underlying exception is not attached as the cause, so
    // the reason a cached entry failed to load is lost to the caller.
    throw new RevocationException("An error occurred during an attempt to obtain a revocation token");
  }
}
Example #6
Source File: OnlineOCSPSource.java From dss with GNU Lesser General Public License v2.1 | 6 votes |
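/**
 * Extracts the {@code id_pkix_ocsp_nonce} extension value of an OCSP response
 * as a {@code BigInteger}.
 *
 * @param ocspResp the response to inspect
 * @return the nonce, decoded from the OCTET STRING carried in the extension
 * @throws DSSException if the response has no nonce extension, the extension
 *         value is not a valid encoding, or it is not an OCTET STRING; the
 *         underlying exception is attached as the cause
 */
private BigInteger getEmbeddedNonceValue(final OCSPResp ocspResp) {
  try {
    final BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
    final Extension nonceExtension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (nonceExtension == null) {
      // Previously surfaced as a NullPointerException reported as
      // "Reason : [null]"; a missing nonce is a distinct, expected failure
      // and deserves an explicit message.
      throw new OCSPException("No nonce extension found in OCSP response");
    }
    final ASN1OctetString extnValue = nonceExtension.getExtnValue();
    final ASN1Primitive value;
    try {
      value = ASN1Primitive.fromByteArray(extnValue.getOctets());
    } catch (IOException ex) {
      throw new OCSPException("Invalid encoding of nonce extension value in OCSP response", ex);
    }
    if (value instanceof DEROctetString) {
      return new BigInteger(((DEROctetString) value).getOctets());
    }
    throw new OCSPException("Nonce extension value in OCSP response is not an OCTET STRING");
  } catch (Exception e) {
    throw new DSSException(String.format("Unable to extract the nonce from the OCSPResponse! Reason : [%s]", e.getMessage()), e);
  }
}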
Example #7
Source File: AbstractOcspRequestor.java From xipki with Apache License 2.0 | 6 votes |
/**
 * Sends one OCSP request covering several certificates that share the same
 * issuer.
 *
 * @param issuerCert the issuer certificate; must have issued every entry of
 *        {@code certs}
 * @param certs the certificates to query; must not be empty
 * @param responderUrl the OCSP responder to contact
 * @param requestOptions request options, passed through
 * @param debug optional request/response debug sink, passed through
 * @return the responder's answer
 * @throws OcspResponseException propagated from the delegate
 * @throws OcspRequestorException if a certificate cannot be encoded
 * @throws IllegalArgumentException if a certificate was not issued by
 *         {@code issuerCert}
 */
@Override
public OCSPResp ask(X509Cert issuerCert, X509Cert[] certs, URL responderUrl, RequestOptions requestOptions, ReqRespDebug debug) throws OcspResponseException, OcspRequestorException {
  Args.notNull(issuerCert, "issuerCert");
  Args.notNull(certs, "certs");
  Args.positive(certs.length, "certs.length");
  final BigInteger[] serials = new BigInteger[certs.length];
  for (int idx = 0; idx < certs.length; idx++) {
    final X509Cert cert = certs[idx];
    final boolean issued;
    try {
      issued = X509Util.issues(issuerCert, cert);
    } catch (CertificateEncodingException ex) {
      throw new OcspRequestorException(ex.getMessage(), ex);
    }
    if (!issued) {
      throw new IllegalArgumentException("cert at index " + idx + " and issuerCert do not match");
    }
    serials[idx] = cert.getSerialNumber();
  }
  return ask(issuerCert, serials, responderUrl, requestOptions, debug);
}
Example #8
Source File: AbstractOcspRequestor.java From xipki with Apache License 2.0 | 6 votes |
/**
 * Sends an OCSP request for a single certificate.
 *
 * @param issuerCert the issuer certificate; must have issued {@code cert}
 * @param cert the certificate to query
 * @param responderUrl the OCSP responder to contact
 * @param requestOptions request options, passed through
 * @param debug optional request/response debug sink, passed through
 * @return the responder's answer
 * @throws OcspResponseException propagated from the delegate
 * @throws OcspRequestorException if the certificate cannot be encoded
 * @throws IllegalArgumentException if {@code cert} was not issued by
 *         {@code issuerCert}
 */
@Override
public OCSPResp ask(X509Cert issuerCert, X509Cert cert, URL responderUrl, RequestOptions requestOptions, ReqRespDebug debug) throws OcspResponseException, OcspRequestorException {
  Args.notNull(issuerCert, "issuerCert");
  Args.notNull(cert, "cert");
  final boolean issued;
  try {
    issued = X509Util.issues(issuerCert, cert);
  } catch (CertificateEncodingException ex) {
    throw new OcspRequestorException(ex.getMessage(), ex);
  }
  if (!issued) {
    throw new IllegalArgumentException("cert and issuerCert do not match");
  }
  final BigInteger[] serials = {cert.getSerialNumber()};
  return ask(issuerCert, serials, responderUrl, requestOptions, debug);
}
Example #9
Source File: OcspQa.java From xipki with Apache License 2.0 | 6 votes |
/**
 * Checks an OCSP response that is expected to be an error response: only the
 * top-level response status is compared against {@code expectedOcspError}.
 *
 * @param response the response under test
 * @param expectedOcspError the expected error status
 * @return a result holding a single {@code OCSP.STATUS} issue, which carries a
 *         failure message when the status differs from the expected one
 */
public ValidationResult checkOcsp(OCSPResp response, OcspError expectedOcspError) {
  Args.notNull(response, "response");
  Args.notNull(expectedOcspError, "expectedOcspError");
  final int actualStatus = response.getStatus();
  final int expectedStatus = expectedOcspError.getStatus();
  final ValidationIssue statusIssue = new ValidationIssue("OCSP.STATUS", "response.status");
  if (actualStatus != expectedStatus) {
    statusIssue.setFailureMessage("is '" + Unsuccessful.getStatusText(actualStatus)
        + "', but expected '" + Unsuccessful.getStatusText(expectedStatus) + "'");
  }
  final List<ValidationIssue> issues = new ArrayList<>(1);
  issues.add(statusIssue);
  return new ValidationResult(issues);
}
Example #10
Source File: OcspServerExample.java From netty-4.1.22 with Apache License 2.0 | 6 votes |
/**
 * Creates the server-side channel initializer: every accepted channel gets an
 * {@code SslHandler} built from {@code context}, and when a stapled OCSP
 * response is available it is handed to the OpenSSL engine before the
 * handler is added to the pipeline.
 *
 * @param context the OpenSSL server context
 * @param response the OCSP response to staple, or {@code null} for none
 * @return the initializer to install on the server bootstrap
 */
private static ChannelInitializer<Channel> newServerHandler(final ReferenceCountedOpenSslContext context, final OCSPResp response) {
  return new ChannelInitializer<Channel>() {
    @Override
    protected void initChannel(Channel ch) throws Exception {
      final SslHandler sslHandler = context.newHandler(ch.alloc());
      if (response != null) {
        final ReferenceCountedOpenSslEngine engine = (ReferenceCountedOpenSslEngine) sslHandler.engine();
        final byte[] staple = response.getEncoded();
        engine.setOcspResponse(staple);
      }
      ch.pipeline().addLast(sslHandler);
      // Application handlers would follow here.
    }
  };
}
Example #11
Source File: DSSRevocationUtils.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Wraps the DER encoding of a BasicOCSPResponse into a full OCSPResponse
 * whose status is {@code SUCCESSFUL}, i.e. builds the {@code responseBytes}
 * with type {@code id_pkix_ocsp_basic}.
 *
 * @param basicOCSPRespBinary the DER-encoded BasicOCSPResponse
 * @return the wrapping OCSPResp
 */
public static OCSPResp fromBasicToResp(final byte[] basicOCSPRespBinary) {
  final ResponseBytes responseBytes = new ResponseBytes(
      OCSPObjectIdentifiers.id_pkix_ocsp_basic,
      new DEROctetString(basicOCSPRespBinary));
  final OCSPResponse ocspResponse = new OCSPResponse(
      new OCSPResponseStatus(OCSPResponseStatus.SUCCESSFUL),
      responseBytes);
  return new OCSPResp(ocspResponse);
}
Example #12
Source File: OcspQa.java From xipki with Apache License 2.0 | 5 votes |
/**
 * Single-certificate convenience form of the multi-certificate
 * {@code checkOcsp}: wraps {@code serialNumber} and the optional
 * per-certificate expectations into one-entry collections and delegates.
 *
 * @param response the OCSP response to check
 * @param issuerHash issuer hash, passed through
 * @param serialNumber serial number of the certificate under test
 * @param encodedCert the encoded certificate, or {@code null} if not available
 * @param expectedOcspStatus the expected status, or {@code null} if not checked
 * @param responseOption response options, passed through
 * @param exptectedRevTime the expected revocation time, or {@code null}
 * @param noSigVerify flag passed through to the delegate
 * @return the validation result of the delegate
 */
public ValidationResult checkOcsp(OCSPResp response, IssuerHash issuerHash, BigInteger serialNumber, byte[] encodedCert, OcspCertStatus expectedOcspStatus, OcspResponseOption responseOption, Date exptectedRevTime, boolean noSigVerify) {
  final List<BigInteger> serials = new ArrayList<>(1);
  serials.add(serialNumber);
  return checkOcsp(response, issuerHash, serials,
      singleEntryOrNull(serialNumber, encodedCert),
      singleEntryOrNull(serialNumber, expectedOcspStatus),
      singleEntryOrNull(serialNumber, exptectedRevTime),
      responseOption, noSigVerify);
}

/** Returns a mutable one-entry map, or {@code null} when {@code value} is {@code null}. */
private static <V> Map<BigInteger, V> singleEntryOrNull(BigInteger key, V value) {
  if (value == null) {
    return null;
  }
  final Map<BigInteger, V> map = new HashMap<>();
  map.put(key, value);
  return map;
}
Example #13
Source File: DSSRevocationUtils.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Returns the DER encoding of {@code basicOCSPResp} wrapped into a full,
 * successful OCSPResponse.
 *
 * @param basicOCSPResp the basic response; must not be {@code null}
 * @return the DER-encoded OCSPResponse
 * @throws DSSException if {@code basicOCSPResp} is {@code null} or encoding
 *         fails
 */
public static byte[] getEncodedFromBasicResp(final BasicOCSPResp basicOCSPResp) {
  if (basicOCSPResp == null) {
    throw new DSSException("Empty OCSP response");
  }
  final OCSPResp wrapped = DSSRevocationUtils.fromBasicToResp(basicOCSPResp);
  try {
    return wrapped.getEncoded();
  } catch (IOException e) {
    throw new DSSException("OCSP encoding error: " + e.getMessage(), e);
  }
}
Example #14
Source File: DSSRevocationUtils.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * DER-encodes an OCSP response, converting the checked {@code IOException}
 * into a {@code DSSException}.
 *
 * @param ocspResp the response to encode
 * @return the DER bytes
 * @throws DSSException if encoding fails
 */
public static byte[] getEncoded(OCSPResp ocspResp) {
  final byte[] encoded;
  try {
    encoded = ocspResp.getEncoded();
  } catch (IOException e) {
    throw new DSSException(e);
  }
  return encoded;
}
Example #15
Source File: DSSRevocationUtils.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Wraps a {@code BasicOCSPResp} into a full OCSPResponse with status
 * {@code SUCCESSFUL}, by encoding it and delegating to the byte-array
 * overload.
 *
 * @param basicOCSPResp the basic response to wrap
 * @return the wrapping OCSPResp
 * @throws DSSException if the basic response cannot be encoded
 */
public static OCSPResp fromBasicToResp(final BasicOCSPResp basicOCSPResp) {
  final byte[] encodedBasic;
  try {
    encodedBasic = basicOCSPResp.getEncoded();
  } catch (IOException e) {
    throw new DSSException(e);
  }
  return fromBasicToResp(encodedBasic);
}
Example #16
Source File: DSSRevocationUtilsTest.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Round-trips a Base64-encoded BasicOCSPResp through an OCSPResp wrapper and
 * back, expecting an equal basic response.
 */
@Test
public void testRevocationOCSP() throws IOException {
  final String base64 = "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";
  final BasicOCSPResp original = DSSRevocationUtils.loadOCSPBase64Encoded(base64);
  assertNotNull(original);
  final OCSPResp wrapped = DSSRevocationUtils.fromBasicToResp(original);
  assertNotNull(wrapped);
  final BasicOCSPResp roundTripped = DSSRevocationUtils.fromRespToBasic(wrapped);
  assertNotNull(roundTripped);
  assertEquals(original, roundTripped);
}
Example #17
Source File: OCSPFuncTest.java From ph-commons with Apache License 2.0 | 5 votes |
/**
 * Maps an OCSP response to a tri-state: {@code TRUE} for a single
 * {@code good} entry, {@code FALSE} for a single revoked entry and
 * {@code UNDEFINED} otherwise (unknown status, not exactly one entry, or a
 * response object that is not a {@code BasicOCSPResp}).
 * <p>
 * Only the status fields are inspected: this method does not verify the
 * responder signature, the certificate ID or the thisUpdate/nextUpdate
 * window, so the caller must do that before relying on the result.
 *
 * @param aOCSPResponse the response to evaluate
 * @return the tri-state described above
 * @throws OCSPException if the response status is unknown or not a success
 */
@Nonnull
public static ETriState evalOCSPResponse (@Nonnull final OCSPResp aOCSPResponse) throws OCSPException
{
  final int nStatus = aOCSPResponse.getStatus ();
  final EOCSPResponseStatus eStatus = EOCSPResponseStatus.getFromValueOrNull (nStatus);
  if (eStatus == null)
    throw new OCSPException ("Unsupported status code " + nStatus + " received!");
  if (eStatus.isFailure ())
    throw new OCSPException ("Non-success status code " + nStatus + " received!");

  final Object aResponseObject = aOCSPResponse.getResponseObject ();
  if (!(aResponseObject instanceof BasicOCSPResp))
    return ETriState.UNDEFINED;

  // Assume we queried only one
  final SingleResp [] aResponses = ((BasicOCSPResp) aResponseObject).getResponses ();
  if (aResponses.length != 1)
    return ETriState.UNDEFINED;

  // CertificateStatus.GOOD is represented by null, hence the identity compare
  final CertificateStatus aStatus = aResponses[0].getCertStatus ();
  if (aStatus == CertificateStatus.GOOD)
    return ETriState.TRUE;
  if (aStatus instanceof RevokedStatus)
    return ETriState.FALSE;
  // else status is unknown
  return ETriState.UNDEFINED;
}
Example #18
Source File: OCSPCertificateVerifier.java From oxAuth with MIT License | 5 votes |
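/**
 * Posts a DER-encoded OCSP request to {@code url} and parses the reply.
 *
 * @param url the responder URL
 * @param ocspReq the request to send
 * @return the parsed response
 * @throws MalformedURLException if {@code url} is not a valid URL
 * @throws IOException on a transport error, a non-success HTTP status, or an
 *         unparseable response body
 */
public OCSPResp requestOCSPResponse(String url, OCSPReq ocspReq) throws IOException, MalformedURLException {
  final byte[] ocspReqData = ocspReq.getEncoded();
  final HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
  try {
    con.setRequestProperty("Content-Type", "application/ocsp-request");
    con.setRequestProperty("Accept", "application/ocsp-response");
    con.setDoInput(true);
    con.setDoOutput(true);
    con.setUseCaches(false);
    // NOTE(review): no connect/read timeout is configured, so an unresponsive
    // responder can block the validating thread indefinitely.
    try (OutputStream out = con.getOutputStream()) {
      IOUtils.write(ocspReqData, out);
      out.flush();
    }
    // The body stream is closed explicitly; the original relied on
    // disconnect() alone and never closed it.
    try (java.io.InputStream in = con.getInputStream()) {
      return new OCSPResp(IOUtils.toByteArray(in));
    }
  } finally {
    // openConnection() never returns null, so the former null guard was dead code.
    con.disconnect();
  }
}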
Example #19
Source File: ExternalResourcesOCSPSource.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Parses one DER-encoded OCSPResponse from the stream and registers its basic
 * response with origin {@code EXTERNAL}. The stream is closed on return.
 *
 * @param inputStream the stream holding a single OCSPResponse
 * @throws DSSException if the stream cannot be read, does not hold a
 *         {@code BasicOCSPResp}, or the binary cannot be registered
 */
private void load(final InputStream inputStream) {
  try (InputStream is = inputStream) {
    final BasicOCSPResp basic = (BasicOCSPResp) new OCSPResp(is).getResponseObject();
    final OCSPResponseBinary binary = OCSPResponseBinary.build(basic);
    addBinary(binary, RevocationOrigin.EXTERNAL);
  } catch (Exception e) {
    throw new DSSException(e);
  }
}
Example #20
Source File: OnlineOCSPSource.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Checks that the nonce echoed in the OCSP response equals the one that was
 * sent with the request. Skipped when no nonce was sent
 * ({@code expectedNonceValue} is {@code null}).
 *
 * @param ocspResp the response to check
 * @param expectedNonceValue the nonce that was sent, or {@code null}
 * @throws DSSException if the response carries no usable nonce or a
 *         different one
 */
private void verifyNonce(final OCSPResp ocspResp, final BigInteger expectedNonceValue) {
  if (expectedNonceValue == null) {
    return;
  }
  final BigInteger receivedNonce = getEmbeddedNonceValue(ocspResp);
  if (expectedNonceValue.equals(receivedNonce)) {
    return;
  }
  throw new DSSException(String.format("Nonce received from OCSP response '%s' does not match a dispatched nonce '%s'.", receivedNonce, expectedNonceValue));
}
Example #21
Source File: SFTrustManager.java From snowflake-jdbc with Apache License 2.0 | 5 votes |
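/**
 * Decodes a Base64 string (the inverse of {@code ocspResponseToB64}) back
 * into an {@code OCSPResp}.
 *
 * @param ocspRespB64 the Base64 text
 * @return the parsed response, or {@code null} when the text cannot be
 *         decoded or parsed
 */
private OCSPResp b64ToOCSPResp(String ocspRespB64) {
  try {
    return new OCSPResp(Base64.decodeBase64(ocspRespB64));
  } catch (IOException | RuntimeException ex) {
    // Best-effort: a corrupt cache entry yields null rather than a failure.
    // Narrowed from Throwable so Errors are no longer swallowed, and the
    // cause is logged so a malformed entry can be diagnosed.
    LOGGER.debug("Could not cover OCSP Response from Base64 to OCSPResp object", ex);
    return null;
  }
}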
Example #22
Source File: OcspRef.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Creates a reference from a DER-encoded OCSPResponse. The bytes are copied
 * before being stored and the embedded response object is unwrapped eagerly.
 *
 * @param inOcspEncoded the DER-encoded OCSPResponse
 * @throws IllegalArgumentException if the bytes do not decode to a
 *         {@code BasicOCSPResp}; the decoding exception is the cause
 */
OcspRef(byte[] inOcspEncoded) {
  this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);
  final BasicOCSPResp parsed;
  try {
    final OCSPResp wrapper = new OCSPResp(this.ocspEncoded);
    parsed = (BasicOCSPResp) wrapper.getResponseObject();
  } catch (Exception e) {
    throw new IllegalArgumentException(e);
  }
  this.ocsp = parsed;
}
Example #23
Source File: OcspRef.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Creates a reference from a DER-encoded OCSPResponse. The bytes are copied
 * before being stored and the embedded response object is unwrapped eagerly.
 *
 * @param inOcspEncoded the DER-encoded OCSPResponse
 * @throws IllegalArgumentException if the bytes do not decode to a
 *         {@code BasicOCSPResp}; the decoding exception is the cause
 */
OcspRef(byte[] inOcspEncoded) {
  this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);
  final BasicOCSPResp parsed;
  try {
    final OCSPResp wrapper = new OCSPResp(this.ocspEncoded);
    parsed = (BasicOCSPResp) wrapper.getResponseObject();
  } catch (Exception e) {
    throw new IllegalArgumentException(e);
  }
  this.ocsp = parsed;
}
Example #24
Source File: OcspRef.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Creates a reference from a DER-encoded OCSPResponse. The bytes are copied
 * before being stored and the embedded response object is unwrapped eagerly.
 *
 * @param inOcspEncoded the DER-encoded OCSPResponse
 * @throws IllegalArgumentException if the bytes do not decode to a
 *         {@code BasicOCSPResp}; the decoding exception is the cause
 */
OcspRef(byte[] inOcspEncoded) {
  this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);
  final BasicOCSPResp parsed;
  try {
    final OCSPResp wrapper = new OCSPResp(this.ocspEncoded);
    parsed = (BasicOCSPResp) wrapper.getResponseObject();
  } catch (Exception e) {
    throw new IllegalArgumentException(e);
  }
  this.ocsp = parsed;
}
Example #25
Source File: OcspRef.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Creates a reference from a DER-encoded OCSPResponse. The bytes are copied
 * before being stored and the embedded response object is unwrapped eagerly.
 *
 * @param inOcspEncoded the DER-encoded OCSPResponse
 * @throws IllegalArgumentException if the bytes do not decode to a
 *         {@code BasicOCSPResp}; the decoding exception is the cause
 */
OcspRef(byte[] inOcspEncoded) {
  this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);
  final BasicOCSPResp parsed;
  try {
    final OCSPResp wrapper = new OCSPResp(this.ocspEncoded);
    parsed = (BasicOCSPResp) wrapper.getResponseObject();
  } catch (Exception e) {
    throw new IllegalArgumentException(e);
  }
  this.ocsp = parsed;
}
Example #26
Source File: OcspRef.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Creates a reference from a DER-encoded OCSPResponse. The bytes are copied
 * before being stored and the embedded response object is unwrapped eagerly.
 *
 * @param inOcspEncoded the DER-encoded OCSPResponse
 * @throws IllegalArgumentException if the bytes do not decode to a
 *         {@code BasicOCSPResp}; the decoding exception is the cause
 */
OcspRef(byte[] inOcspEncoded) {
  this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);
  final BasicOCSPResp parsed;
  try {
    final OCSPResp wrapper = new OCSPResp(this.ocspEncoded);
    parsed = (BasicOCSPResp) wrapper.getResponseObject();
  } catch (Exception e) {
    throw new IllegalArgumentException(e);
  }
  this.ocsp = parsed;
}
Example #27
Source File: OcspClientExample.java From netty-4.1.22 with Apache License 2.0 | 5 votes |
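/**
 * Validates the OCSP staple the server sent during the TLS handshake.
 * <p>
 * Accepts the connection only when the staple is a successful response whose
 * first single response says {@code good} for the same serial number as the
 * server's leaf certificate. Note what is <em>not</em> checked here: the
 * responder signature, the issuer name/key hash in the CertID, and the
 * thisUpdate/nextUpdate window; a production verifier needs all three.
 *
 * @param ctx the channel context (used for the remote address in the log line)
 * @param engine the OpenSSL engine holding the staple
 * @return {@code true} if the staple says the peer certificate is good
 * @throws IllegalStateException if the server sent no staple
 */
@Override
protected boolean verify(ChannelHandlerContext ctx, ReferenceCountedOpenSslEngine engine) throws Exception {
  final byte[] staple = engine.getOcspResponse();
  if (staple == null) {
    throw new IllegalStateException("Server didn't provide an OCSP staple!");
  }
  final OCSPResp response = new OCSPResp(staple);
  if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
    return false;
  }
  final SSLSession session = engine.getSession();
  final X509Certificate[] chain = session.getPeerCertificateChain();
  final BigInteger certSerial = chain[0].getSerialNumber();
  final BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
  final SingleResp[] responses = basicResponse.getResponses();
  if (responses.length == 0) {
    // Previously an ArrayIndexOutOfBoundsException; an empty response list
    // proves nothing about the certificate, so treat it as a failed check.
    return false;
  }
  final SingleResp first = responses[0];
  // ATTENTION: CertificateStatus.GOOD is actually a null value! Do not use
  // equals() or you'll NPE!
  final CertificateStatus status = first.getCertStatus();
  final BigInteger ocspSerial = first.getCertID().getSerialNumber();
  final String message = new StringBuilder()
      .append("OCSP status of ").append(ctx.channel().remoteAddress())
      .append("\n Status: ").append(status == CertificateStatus.GOOD ? "Good" : status)
      .append("\n This Update: ").append(first.getThisUpdate())
      .append("\n Next Update: ").append(first.getNextUpdate())
      .append("\n Cert Serial: ").append(certSerial)
      .append("\n OCSP Serial: ").append(ocspSerial)
      .toString();
  System.out.println(message);
  // Both conditions are required: a "good" answer about some other
  // certificate must not be accepted for this one.
  return status == CertificateStatus.GOOD && certSerial.equals(ocspSerial);
}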
Example #28
Source File: AbstractOcspRequestor.java From xipki with Apache License 2.0 | 4 votes |
/**
 * Single-serial convenience form: delegates to the array overload with a
 * one-element serial number array.
 *
 * @param issuerCert the issuer certificate
 * @param serialNumber the serial number to query
 * @param responderUrl the OCSP responder to contact
 * @param requestOptions request options, passed through
 * @param debug optional request/response debug sink, passed through
 * @return the responder's answer
 * @throws OcspResponseException propagated from the delegate
 * @throws OcspRequestorException propagated from the delegate
 */
@Override
public OCSPResp ask(X509Cert issuerCert, BigInteger serialNumber, URL responderUrl, RequestOptions requestOptions, ReqRespDebug debug) throws OcspResponseException, OcspRequestorException {
  final BigInteger[] serials = {serialNumber};
  return ask(issuerCert, serials, responderUrl, requestOptions, debug);
}
Example #29
Source File: OcspHandler.java From keycloak with Apache License 2.0 | 4 votes |
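/**
 * Answers an OCSP request: echoes the request nonce (if any), looks up each
 * requested serial number in {@code REVOKED_CERTIFICATES_STATUS}, and returns
 * a SHA-256-with-RSA signed successful response.
 *
 * @param exchange the Undertow exchange; the request body is the DER OCSPRequest
 * @throws Exception on any I/O, parsing or signing failure (propagated)
 */
@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
  if (exchange.isInIoThread()) {
    exchange.dispatch(this);
    return;
  }
  // Read the request body until EOF or the buffer is full: a single read()
  // may return fewer bytes than are available, which previously left a
  // truncated buffer to be parsed.
  final byte[] buffy = new byte[16384];
  int total = 0;
  try (InputStream requestStream = exchange.getInputStream()) {
    int n;
    while (total < buffy.length && (n = requestStream.read(buffy, total, buffy.length - total)) != -1) {
      total += n;
    }
  }
  // NOTE(review): a request larger than the buffer is still truncated
  // (unchanged behaviour); the trailing unused bytes are zero as before.
  final OCSPReq request = new OCSPReq(buffy);
  final Req[] requested = request.getRequestList();
  final Extension nonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
  final DigestCalculator sha1Calculator = new JcaDigestCalculatorProviderBuilder().build()
      .get(AlgorithmIdentifier.getInstance(RespID.HASH_SHA1));
  final BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(subjectPublicKeyInfo, sha1Calculator);
  if (nonce != null) {
    // Echo the client's nonce so it can bind this response to its request.
    responseBuilder.setResponseExtensions(new Extensions(nonce));
  }
  for (final Req req : requested) {
    final CertificateID certId = req.getCertID();
    final BigInteger certificateSerialNumber = certId.getSerialNumber();
    // The map lookup yields null for any serial not listed, and null is
    // CertificateStatus.GOOD in BouncyCastle: every unlisted certificate is
    // answered "good". Acceptable for a fixture responder, never for a real one.
    responseBuilder.addResponse(certId, REVOKED_CERTIFICATES_STATUS.get(certificateSerialNumber));
  }
  final ContentSigner contentSigner = new BcRSAContentSignerBuilder(
      new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption),
      new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)).build(privateKey);
  final OCSPResp response = new OCSPRespBuilder().build(OCSPResp.SUCCESSFUL,
      responseBuilder.build(contentSigner, chain, new Date()));
  final byte[] responseBytes = response.getEncoded();
  final HeaderMap responseHeaders = exchange.getResponseHeaders();
  responseHeaders.put(Headers.CONTENT_TYPE, "application/ocsp-response");
  final Sender responseSender = exchange.getResponseSender();
  responseSender.send(ByteBuffer.wrap(responseBytes));
  exchange.endExchange();
}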
Example #30
Source File: OCSPCertificateVerifier.java From oxAuth with MIT License | 4 votes |
/**
 * Validates a certificate against the OCSP responder named in its OCSP URL.
 * <p>
 * The result starts as {@code UNKNOWN} and is only changed when the responder
 * answers successfully and a single response matching the certificate ID is
 * found. Any exception is logged and leaves the status {@code UNKNOWN}
 * (whether that is treated as fail-open or fail-closed is up to the caller).
 * <p>
 * What is checked: response status, CertificateID match, cert status, and the
 * revocation time against {@code validationDate}. What is not checked here:
 * the responder signature and responder certificate (no signature
 * verification call is made on {@code basicOCSPResp}), and the
 * thisUpdate/nextUpdate window, which is only logged.
 *
 * @param certificate the certificate to validate
 * @param issuers the issuer chain; only the first entry is used
 * @param validationDate the point in time the validity is evaluated at
 * @return the validation status (never {@code null})
 */
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
  // Throws if the issuer list is empty; callers must pass at least one issuer.
  X509Certificate issuer = issuers.get(0);
  ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);
  try {
    Principal subjectX500Principal = certificate.getSubjectX500Principal();
    String ocspUrl = getOCSPUrl(certificate);
    if (ocspUrl == null) {
      log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
      return status;
    }
    log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
    // SHA-1 here is the CertID hash algorithm of the OCSP protocol, not a
    // signature; it is used to match single responses below.
    DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
    CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
    // Generate OCSP request
    OCSPReq ocspReq = generateOCSPRequest(certificateId);
    // Get OCSP response from server
    OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
    // A non-successful responder status is treated as INVALID, not UNKNOWN.
    if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
      log.error("OCSP response is invalid!");
      status.setValidity(CertificateValidity.INVALID);
      return status;
    }
    boolean foundResponse = false;
    // The response object is used as-is: its signature is not verified here.
    BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
    SingleResp[] singleResps = basicOCSPResp.getResponses();
    for (SingleResp singleResp : singleResps) {
      // Only the entry for the queried certificate is considered; if several
      // match, the last one wins.
      CertificateID responseCertificateId = singleResp.getCertID();
      if (!certificateId.equals(responseCertificateId)) {
        continue;
      }
      foundResponse = true;
      // thisUpdate/nextUpdate are logged but not enforced against validationDate.
      log.debug("OCSP validationDate: " + validationDate);
      log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
      log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
      status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
      // CertificateStatus.GOOD is null in BouncyCastle, hence the identity compare.
      Object certStatus = singleResp.getCertStatus();
      if (certStatus == CertificateStatus.GOOD) {
        log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
        status.setValidity(CertificateValidity.VALID);
      } else {
        // An unknown status (neither good nor revoked) leaves the result UNKNOWN.
        if (singleResp.getCertStatus() instanceof RevokedStatus) {
          log.warn("OCSP status is revoked for: " + subjectX500Principal);
          // A revocation later than the validation date does not affect
          // validity at that date.
          if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
            log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
            status.setValidity(CertificateValidity.VALID);
          } else {
            Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
            log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
            status.setRevocationDate(revocationDate);
            status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
            status.setValidity(CertificateValidity.REVOKED);
          }
        }
      }
    }
    if (!foundResponse) {
      log.error("There is no matching OCSP response entries");
    }
  } catch (Exception ex) {
    // Any failure (transport, parsing, cast) is logged; status stays as set so far.
    log.error("OCSP exception: ", ex);
  }
  return status;
}