org.bouncycastle.cert.ocsp.BasicOCSPResp Java Examples

The following examples show how to use org.bouncycastle.cert.ocsp.BasicOCSPResp.
Example #1
Source File: OnlineOCSPSource.java    From dss with GNU Lesser General Public License v2.1
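/**
 * Extracts the nonce carried in the {@code id-pkix-ocsp-nonce} extension of an
 * OCSP response.
 *
 * @param ocspResp the OCSP response to read
 * @return the nonce octets converted with {@link BigInteger#BigInteger(byte[])}
 * @throws DSSException if the response has no basic response body, carries no
 *                      nonce extension, or the extension value cannot be decoded
 */
private BigInteger getEmbeddedNonceValue(final OCSPResp ocspResp) {
	try {
		// getResponseObject() returns null when there are no response bytes and a
		// non-BasicOCSPResp object for other response types; reject both explicitly
		// instead of failing later with a NullPointerException or ClassCastException.
		final Object responseObject = ocspResp.getResponseObject();
		if (!(responseObject instanceof BasicOCSPResp)) {
			throw new OCSPException("OCSP response does not contain a basic response");
		}
		final BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;

		final Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
		if (extension == null) {
			// A response without a nonce must be reported as such: the nonce is what
			// binds the response to the request, so its absence should not surface
			// as an anonymous "Reason : [null]".
			throw new OCSPException("No nonce extension is present in the OCSP response");
		}

		final ASN1OctetString extnValue = extension.getExtnValue();
		final ASN1Primitive value;
		try {
			value = ASN1Primitive.fromByteArray(extnValue.getOctets());
		} catch (IOException ex) {
			throw new OCSPException("Invalid encoding of nonce extension value in OCSP response", ex);
		}
		if (value instanceof DEROctetString) {
			// NOTE(review): the signed BigInteger conversion ignores redundant leading
			// sign bytes, so it is a faithful comparison key only if the request nonce
			// is converted the same way - confirm against the caller.
			return new BigInteger(((DEROctetString) value).getOctets());
		}
		throw new OCSPException("Nonce extension value in OCSP response is not an OCTET STRING");
	} catch (Exception e) {
		throw new DSSException(String.format("Unable to extract the nonce from the OCSPResponse! Reason : [%s]", e.getMessage()), e);
	}
}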
 
Example #2
Source File: PAdESNoDuplicateValidationDataTest.java    From dss with GNU Lesser General Public License v2.1
/**
 * Asserts, for every signature of the document, that the CRL and OCSP sources
 * each hold exactly one entry and that all expected keys are present in the
 * CRL, OCSP and certificate maps.
 *
 * @param document the signed document to inspect
 * @param crls     keys expected in the CRL map
 * @param ocsps    keys expected in the OCSP map
 * @param certs    keys expected in the certificate map
 */
private void checkValidationData(DSSDocument document, Collection<Long> crls, Collection<Long> ocsps, Collection<Long> certs) {
	SignedDocumentValidator documentValidator = SignedDocumentValidator.fromDocument(document);
	documentValidator.setCertificateVerifier(new CommonCertificateVerifier());
	for (AdvancedSignature advancedSignature : documentValidator.getSignatures()) {
		// Revocation data must not be duplicated: one CRL entry only.
		Map<Long, CRLBinary> crlEntries = ((PAdESCRLSource) advancedSignature.getCRLSource()).getCrlMap();
		assertEquals(1, crlEntries.size());
		for (Long expectedCrl : crls) {
			assertNotNull(crlEntries.get(expectedCrl));
		}

		// Same expectation for the OCSP responses.
		Map<Long, BasicOCSPResp> ocspEntries = ((PAdESOCSPSource) advancedSignature.getOCSPSource()).getOcspMap();
		assertEquals(1, ocspEntries.size());
		for (Long expectedOcsp : ocsps) {
			assertNotNull(ocspEntries.get(expectedOcsp));
		}

		// Certificates are only checked for presence, not for count.
		Map<Long, CertificateToken> certificateEntries = ((PAdESCertificateSource) advancedSignature.getCertificateSource()).getCertificateMap();
		for (Long expectedCert : certs) {
			assertNotNull(certificateEntries.get(expectedCert));
		}
	}
}
 
Example #3
Source File: OCSPToken.java    From dss with GNU Lesser General Public License v2.1
/**
 * Creates an OCSPToken from a {@link BasicOCSPResp} and the single response
 * selected for the certificate.
 * 
 * @param basicOCSPResp    {@link BasicOCSPResp} containing the response
 *                         binaries; must not be null
 * @param latestSingleResp {@link SingleResp} to be used with the current
 *                         certificate; may be null, in which case no update
 *                         times, status or extensions are extracted
 * @param certificate      {@link CertificateToken} for which the revocation
 *                         data is provided; must not be null
 * @param issuer           {@link CertificateToken} that issued the
 *                         {@code certificate}; not null-checked here
 */
public OCSPToken(final BasicOCSPResp basicOCSPResp, final SingleResp latestSingleResp, final CertificateToken certificate, CertificateToken issuer) {
	Objects.requireNonNull(basicOCSPResp, "The OCSP Response must be defined!");
	Objects.requireNonNull(certificate, "The related certificate token cannot be null!");
	this.basicOCSPResp = basicOCSPResp;
	// producedAt is taken from the response as a whole, not from the single response
	this.productionDate = basicOCSPResp.getProducedAt();
	this.relatedCertificate = certificate;
	this.latestSingleResp = latestSingleResp;

	// Without a matching single response the token carries no thisUpdate/nextUpdate
	// and none of the extract* helpers below run.
	if (latestSingleResp != null) {
		this.thisUpdate = latestSingleResp.getThisUpdate();
		this.nextUpdate = latestSingleResp.getNextUpdate();
		extractStatusInfo(latestSingleResp);
		extractArchiveCutOff(latestSingleResp);
		extractCertHashExtension(latestSingleResp);
	}
	
	// Runs for every token, including when latestSingleResp is null.
	// NOTE(review): the outcome is not visible from this constructor; presumably it
	// is recorded on the token - confirm, and make sure callers consult it before
	// relying on the extracted status.
	checkSignatureValidity(issuer);
}
 
Example #4
Source File: OfflineOCSPSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Builds an {@link OCSPToken} for each collected OCSP binary that contains a
 * single response for the given certificate/issuer pair.
 *
 * @param certificate the certificate to be verified; must not be null
 * @param issuer      the issuer of that certificate; must not be null
 * @return the tokens built from matching responses, possibly empty
 */
@Override
public List<RevocationToken<OCSP>> getRevocationTokens(CertificateToken certificate, CertificateToken issuer) {
	Objects.requireNonNull(certificate, "The certificate to be verified cannot be null");
	Objects.requireNonNull(issuer, "The issuer of the certificate to be verified cannot be null");

	final List<RevocationToken<OCSP>> tokens = new ArrayList<>();
	final Set<EncapsulatedRevocationTokenIdentifier> binaries = getAllRevocationBinaries();
	LOG.trace("--> OfflineOCSPSource queried for {} contains: {} element(s).", certificate.getDSSIdAsString(), binaries.size());
	for (EncapsulatedRevocationTokenIdentifier identifier : binaries) {
		final OCSPResponseBinary ocspBinary = (OCSPResponseBinary) identifier;
		final BasicOCSPResp basicOCSPResp = ocspBinary.getBasicOCSPResp();
		final SingleResp matchingResponse = DSSRevocationUtils.getLatestSingleResponse(basicOCSPResp, certificate, issuer);
		if (matchingResponse == null) {
			// This response says nothing about the requested certificate.
			continue;
		}
		final OCSPToken token = new OCSPToken(basicOCSPResp, matchingResponse, certificate, issuer);
		addRevocation(token, ocspBinary);
		tokens.add(token);
	}
	LOG.trace("--> OfflineOCSPSource found result(s) : {}", tokens.size());
	return tokens;
}
 
Example #5
Source File: DSSDictionaryExtractionUtils.java    From dss with GNU Lesser General Public License v2.1
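/**
 * Reads the OCSP responses stored in an array of a PDF dictionary.
 *
 * @param dict           the dictionary holding the array
 * @param dictionaryName name of the dictionary, used for logging only
 * @param arrayName      name of the array entry to read
 * @return the parsed basic OCSP responses keyed by PDF object number; entries
 *         that cannot be parsed, or that do not contain a basic response, are
 *         logged and left out
 */
public static Map<Long, BasicOCSPResp> getOCSPsFromArray(PdfDict dict, String dictionaryName, String arrayName) {
	Map<Long, BasicOCSPResp> ocspMap = new HashMap<>();
	PdfArray ocspArray = dict.getAsArray(arrayName);
	if (ocspArray == null) {
		LOG.debug("No OCSPs found in the '{}' dictionary", dictionaryName);
		return ocspMap;
	}

	LOG.debug("There are {} OCSPs in the '{}' dictionary", ocspArray.size(), dictionaryName);
	for (int ii = 0; ii < ocspArray.size(); ii++) {
		try {
			final long objectNumber = ocspArray.getObjectNumber(ii);
			if (ocspMap.containsKey(objectNumber)) {
				continue;
			}
			final OCSPResp ocspResp = new OCSPResp(ocspArray.getBytes(ii));
			// The bytes come from the document under validation. getResponseObject()
			// returns null for a response without response bytes; storing that null
			// would hand callers a map entry they cannot use.
			final Object responseObject = ocspResp.getResponseObject();
			if (responseObject instanceof BasicOCSPResp) {
				ocspMap.put(objectNumber, (BasicOCSPResp) responseObject);
			} else {
				LOG.debug("OCSP '{}' from the '{}' dictionary does not contain a basic response and is skipped", ii, dictionaryName);
			}
		} catch (Exception e) {
			// Best effort: one unreadable entry must not prevent reading the others.
			LOG.debug("Unable to read OCSP '{}' from the '{}' dictionary : {}", ii, dictionaryName, e.getMessage(), e);
		}
	}
	return ocspMap;
}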
 
Example #6
Source File: PAdESOCSPSource.java    From dss with GNU Lesser General Public License v2.1
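/**
 * Collects the OCSP responses found in the adbe-revocationInfoArchival
 * attribute and registers them with the ADBE_REVOCATION_INFO_ARCHIVAL origin.
 *
 * @param attributes the attribute table to search
 */
private void collectOCSPArchivalValues(AttributeTable attributes) {
	final ASN1Encodable attValue = DSSASN1Utils.getAsn1Encodable(attributes, OID.adbe_revocationInfoArchival);
	if (attValue == null) {
		return;
	}
	RevocationInfoArchival revocationArchival = PAdESUtils.getRevocationInfoArchivals(attValue);
	if (revocationArchival == null) {
		return;
	}
	for (final OCSPResponse ocspResponse : revocationArchival.getOcspVals()) {
		final OCSPResp ocspResp = new OCSPResp(ocspResponse);
		try {
			// The attribute content comes from the signature being validated.
			// getResponseObject() returns null when there are no response bytes and
			// a different object for non-basic response types, so the type is
			// checked rather than cast blindly (the catch below handles only
			// OCSPException).
			final Object responseObject = ocspResp.getResponseObject();
			if (responseObject instanceof BasicOCSPResp) {
				addBinary(OCSPResponseBinary.build((BasicOCSPResp) responseObject), RevocationOrigin.ADBE_REVOCATION_INFO_ARCHIVAL);
			} else {
				LOG.warn("Skipping an OCSPResponse from Revocation Info Archivals (ADBE) that does not contain a basic response");
			}
		} catch (OCSPException e) {
			LOG.warn("Error while extracting OCSPResponse from Revocation Info Archivals (ADBE) : {}", e.getMessage());
		}
	}
}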
 
Example #7
Source File: CMSOCSPSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Registers every basic OCSP response found in the revocation-values
 * attribute identified by the given OID.
 *
 * @param attributes                the attribute table to search
 * @param revocationValueAttributes OID of the attribute holding the revocation values
 * @param origin                    origin recorded for each collected response
 */
private void collectRevocationValues(AttributeTable attributes, ASN1ObjectIdentifier revocationValueAttributes,
		RevocationOrigin origin) {

	final ASN1Encodable attributeValue = DSSASN1Utils.getAsn1Encodable(attributes, revocationValueAttributes);
	if (attributeValue == null) {
		return;
	}

	final RevocationValues parsedValues = DSSASN1Utils.getRevocationValues(attributeValue);
	if (parsedValues == null) {
		return;
	}

	for (final BasicOCSPResponse asn1Response : parsedValues.getOcspVals()) {
		addBinary(OCSPResponseBinary.build(new BasicOCSPResp(asn1Response)), origin);
	}
	/*
	 * TODO: should add also OtherRevVals, but: "The syntax and semantics of the
	 * other revocation values (OtherRevVals) are outside the scope of the present
	 * document. The definition of the syntax of the other form of revocation
	 * information is as identified by OtherRevRefType."
	 */
}
 
Example #8
Source File: CMSOCSPSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Registers the basic OCSP responses stored under id-pkix-ocsp-basic in the
 * "other revocation info" of the CMS SignedData. Entries that are not an
 * ASN1Sequence, or that cannot be turned into a response, are logged and skipped.
 */
private void addBasicOcspRespFrom_id_pkix_ocsp_basic() {
	final Store revocationInfoStore = cmsSignedData.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
	final Collection storedEntries = revocationInfoStore.getMatches(null);
	for (final Object entry : storedEntries) {
		if (!(entry instanceof ASN1Sequence)) {
			LOG.warn("Unsupported object type for id_pkix_ocsp_basic (SHALL be an ASN1Sequence) : {}", entry.getClass().getSimpleName());
			continue;
		}

		final BasicOCSPResp basicOCSPResp = DSSRevocationUtils.getBasicOcspResp((ASN1Sequence) entry);
		if (basicOCSPResp == null) {
			LOG.warn("Unable to create an OCSP response from an objects. The entry is skipped.");
			continue;
		}

		// Remember which OID the response was stored under.
		final OCSPResponseBinary responseBinary = OCSPResponseBinary.build(basicOCSPResp);
		responseBinary.setAsn1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
		addBinary(responseBinary, RevocationOrigin.CMS_SIGNED_DATA);
	}
}
 
Example #9
Source File: CMSOCSPSource.java    From dss with GNU Lesser General Public License v2.1
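/**
 * Registers the OCSP responses stored under id-ri-ocsp-response in the "other
 * revocation info" of the CMS SignedData. A sequence of size 4 is read as a
 * basic response, any other sequence as a full OCSP response. Entries that are
 * not an ASN1Sequence, or that yield no basic response, are logged and skipped.
 */
private void addBasicOcspRespFrom_id_ri_ocsp_response() {
	final Store otherRevocationInfo = cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);
	final Collection otherRevocationInfoMatches = otherRevocationInfo.getMatches(null);
	for (final Object object : otherRevocationInfoMatches) {
		if (!(object instanceof ASN1Sequence)) {
			LOG.warn("Unsupported object type for id_ri_ocsp_response (SHALL be an ASN1Sequence) : {}", object.getClass().getSimpleName());
			continue;
		}

		final ASN1Sequence otherRevocationInfoMatch = (ASN1Sequence) object;
		final BasicOCSPResp basicOCSPResp;
		if (otherRevocationInfoMatch.size() == 4) {
			basicOCSPResp = DSSRevocationUtils.getBasicOcspResp(otherRevocationInfoMatch);
		} else {
			final OCSPResp ocspResp = DSSRevocationUtils.getOcspResp(otherRevocationInfoMatch);
			basicOCSPResp = DSSRevocationUtils.fromRespToBasic(ocspResp);
		}

		// The same file's id_pkix_ocsp_basic handler treats a null result from
		// getBasicOcspResp as "skip this entry"; the content here comes from the
		// signature under validation, so do the same instead of passing null on.
		if (basicOCSPResp == null) {
			LOG.warn("Unable to create an OCSP response from an object. The entry is skipped.");
			continue;
		}

		OCSPResponseBinary ocspResponseIdentifier = OCSPResponseBinary.build(basicOCSPResp);
		ocspResponseIdentifier.setAsn1ObjectIdentifier(CMSObjectIdentifiers.id_ri_ocsp_response);
		addBinary(ocspResponseIdentifier, RevocationOrigin.CMS_SIGNED_DATA);
	}
}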
 
Example #10
Source File: CAdESTimestampSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Returns identifiers for the OCSP responses contained in the revocation
 * values of an unsigned attribute. Responses that cannot be parsed are logged
 * at WARN level and skipped.
 *
 * @param unsignedAttribute the attribute to inspect
 * @return identifiers of the parsed responses, possibly empty
 */
@Override
protected List<Identifier> getEncapsulatedOCSPIdentifiers(CAdESAttribute unsignedAttribute) {
	final List<Identifier> identifiers = new ArrayList<>();
	final RevocationValues parsedValues = DSSASN1Utils.getRevocationValues(unsignedAttribute.getASN1Object());
	if (parsedValues == null) {
		return identifiers;
	}
	for (final BasicOCSPResponse asn1Response : parsedValues.getOcspVals()) {
		try {
			identifiers.add(OCSPResponseBinary.build(new BasicOCSPResp(asn1Response)));
		} catch (Exception e) {
			String errorMessage = "Unable to parse OCSP response binaries : {}";
			// The stack trace is attached only when debug logging is on.
			if (!LOG.isDebugEnabled()) {
				LOG.warn(errorMessage, e.getMessage());
			} else {
				LOG.warn(errorMessage, e.getMessage(), e);
			}
		}
	}
	return identifiers;
}
 
Example #11
Source File: JdbcCacheOCSPSource.java    From dss with GNU Lesser General Public License v2.1
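/**
 * Rebuilds an {@link OCSPToken} from a cached database row.
 *
 * @param rs               result set positioned on the row to read
 * @param certificateToken the certificate the revocation data is for
 * @param issuerCert       the issuer of that certificate
 * @return the token, marked with the CACHED origin and the stored source URL
 * @throws RevocationException if the row cannot be read, the stored bytes
 *                             cannot be parsed, or they do not contain a basic
 *                             OCSP response
 */
@Override
protected OCSPToken buildRevocationTokenFromResult(ResultSet rs, CertificateToken certificateToken, CertificateToken issuerCert) {
	try {
		final byte[] data = rs.getBytes(SQL_FIND_QUERY_DATA);
		final String url = rs.getString(SQL_FIND_QUERY_LOC);
		
		final OCSPResp ocspResp = new OCSPResp(data);
		// getResponseObject() returns null when the stored response has no response
		// bytes and a different object for non-basic types. Report a damaged cache
		// row as a RevocationException rather than letting a NullPointerException
		// or ClassCastException escape.
		final Object responseObject = ocspResp.getResponseObject();
		if (!(responseObject instanceof BasicOCSPResp)) {
			throw new RevocationException("The cached OCSP response does not contain a basic response");
		}
		BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;
		SingleResp latestSingleResponse = DSSRevocationUtils.getLatestSingleResponse(basicResponse, certificateToken, issuerCert);
		OCSPToken ocspToken = new OCSPToken(basicResponse, latestSingleResponse, certificateToken, issuerCert);
		ocspToken.setSourceURL(url);
		ocspToken.setExternalOrigin(RevocationOrigin.CACHED);
		return ocspToken;
	} catch (SQLException | IOException | OCSPException e) {
		// NOTE(review): the caught exception is dropped here, which hides why a cached
		// response was rejected. If RevocationException offers a (String, Throwable)
		// constructor, pass e as the cause.
		throw new RevocationException("An error occurred during an attempt to obtain a revocation token");
	}
}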
 
Example #12
Source File: XAdESTimestampSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Returns identifiers for the encapsulated OCSP values found under an unsigned
 * attribute. Values that cannot be parsed are logged and skipped.
 *
 * @param unsignedAttribute the attribute to inspect
 * @return identifiers of the parsed responses, possibly empty
 */
@Override
protected List<Identifier> getEncapsulatedOCSPIdentifiers(XAdESAttribute unsignedAttribute) {
	// TimeStampValidationData keeps its OCSP values under a different path.
	final String ocspValuePath;
	if (isTimeStampValidationData(unsignedAttribute)) {
		ocspValuePath = xadesPaths.getCurrentRevocationValuesEncapsulatedOCSPValue();
	} else {
		ocspValuePath = xadesPaths.getCurrentEncapsulatedOCSPValue();
	}

	final List<Identifier> identifiers = new ArrayList<>();
	final NodeList ocspNodes = unsignedAttribute.getNodeList(ocspValuePath);
	for (int index = 0; index < ocspNodes.getLength(); index++) {
		final byte[] encoded = getEncapsulatedTokenBinaries((Element) ocspNodes.item(index));
		try {
			identifiers.add(OCSPResponseBinary.build(DSSRevocationUtils.loadOCSPFromBinaries(encoded)));
		} catch (IOException e) {
			String errorMessage = "Unable to parse OCSP response binaries : {}";
			// With debug logging on, the failure is logged at ERROR with the stack
			// trace; otherwise at WARN with the message only.
			if (!LOG.isDebugEnabled()) {
				LOG.warn(errorMessage, e.getMessage());
			} else {
				LOG.error(errorMessage, e.getMessage(), e);
			}
		}
	}
	return identifiers;
}
 
Example #13
Source File: PdfPKCS7.java    From itext2 with GNU Lesser General Public License v3.0
/**
 * Checks whether the signature of an OCSP response verifies under the public
 * key of any certificate entry in a KeyStore.
 * <p>
 * Only the signature is checked. Nothing here looks at the certificate's
 * validity period or at whether it is authorised to sign OCSP responses, so a
 * <CODE>true</CODE> result is as trustworthy as the least trustworthy
 * certificate entry in the KeyStore. All exceptions are suppressed and
 * reported as <CODE>false</CODE>.
 * @param ocsp the OCSP response
 * @param keystore the <CODE>KeyStore</CODE>
 * @param provider the provider or <CODE>null</CODE> to use the BouncyCastle provider
 * @return <CODE>true</CODE> if a certificate was found whose key verifies the signature
 * @since	2.1.6
 */
public static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keystore, String provider) {
    final String providerName = (provider == null) ? "BC" : provider;
    try {
        Enumeration aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            try {
                String alias = (String) aliases.nextElement();
                if (keystore.isCertificateEntry(alias)) {
                    X509Certificate candidate = (X509Certificate) keystore.getCertificate(alias);
                    boolean signedByCandidate = ocsp.isSignatureValid(
                            new JcaContentVerifierProviderBuilder().setProvider(providerName).build(candidate.getPublicKey()));
                    if (signedByCandidate) {
                        return true;
                    }
                }
            }
            catch (Exception ignored) {
                // best effort: a failure on one entry moves on to the next alias
            }
        }
    }
    catch (Exception ignored) {
        // a KeyStore that cannot be enumerated is reported as "no match"
    }
    return false;
}
 
Example #14
Source File: DSSRevocationUtilsTest.java    From dss with GNU Lesser General Public License v2.1
/**
 * Builds the OCSP certificate id for a certificate/issuer pair and expects the
 * first single response of the loaded OCSP response NOT to match it.
 */
@Test
public void testGetOCSPCertificateIDAndMatch() throws IOException {
	final CertificateToken subject = DSSUtils.loadCertificate(new File("src/test/resources/citizen_ca.cer"));
	final CertificateToken issuingCa = DSSUtils.loadCertificate(new File("src/test/resources/belgiumrs2.crt"));
	assertTrue(subject.isSignedBy(issuingCa));

	final CertificateID expectedId = DSSRevocationUtils.getOCSPCertificateID(subject, issuingCa, DigestAlgorithm.SHA256);
	assertNotNull(expectedId);

	final BasicOCSPResp parsedResponse = DSSRevocationUtils.loadOCSPBase64Encoded(
			"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");

	final SingleResp firstEntry = parsedResponse.getResponses()[0];

	assertFalse(DSSRevocationUtils.matches(expectedId, firstEntry));
}
 
Example #15
Source File: DSSRevocationUtils.java    From dss with GNU Lesser General Public License v2.1
/**
 * Selects the single response to use for a certificate from a basic OCSP response.
 *
 * @param basicResponse the basic OCSP response to search
 * @param certificate   the certificate the status is wanted for
 * @param issuer        the issuer of that certificate
 * @return {@code null} when no single response matches, the only match when
 *         there is exactly one, otherwise the result of
 *         {@code getLatestSingleRespInList}
 */
public static SingleResp getLatestSingleResponse(BasicOCSPResp basicResponse, CertificateToken certificate, CertificateToken issuer) {
	final List<SingleResp> matches = getSingleResponses(basicResponse, certificate, issuer);
	if (Utils.isCollectionEmpty(matches)) {
		return null;
	}
	return (matches.size() == 1) ? matches.get(0) : getLatestSingleRespInList(matches);
}
 
Example #16
Source File: DSS1523Test.java    From dss with GNU Lesser General Public License v2.1
/**
 * Validates a PAdES-LTA sample and checks that its single DSS dictionary
 * exposes one certificate, one OCSP response and one CRL under the expected
 * PDF object numbers.
 */
@Test
public void validation() {
	// <</Type /DSS/Certs [20 0 R]/CRLs [21 0 R]/OCSPs [22 0 R]>>
	DSSDocument signedPdf = new InMemoryDocument(DSS1523Test.class.getResourceAsStream("/validation/PAdES-LTA.pdf"), "PAdES-LTA.pdf", MimeType.PDF);

	verify(signedPdf);

	PDFDocumentValidator pdfValidator = new PDFDocumentValidator(signedPdf);
	pdfValidator.setCertificateVerifier(new CommonCertificateVerifier());
	List<AdvancedSignature> foundSignatures = pdfValidator.getSignatures();
	assertEquals(1, foundSignatures.size());

	List<PdfDssDict> foundDictionaries = pdfValidator.getDssDictionaries();
	assertEquals(1, foundDictionaries.size());
	PdfDssDict dssDict = foundDictionaries.get(0);

	// Object 20: the certificate
	Map<Long, CertificateToken> certsByObject = dssDict.getCERTs();
	assertEquals(1, certsByObject.size());
	assertNotNull(certsByObject.get(20L));

	// Object 22: the OCSP response
	Map<Long, BasicOCSPResp> ocspsByObject = dssDict.getOCSPs();
	assertEquals(1, ocspsByObject.size());
	assertNotNull(ocspsByObject.get(22L));

	// Object 21: the CRL
	Map<Long, CRLBinary> crlsByObject = dssDict.getCRLs();
	assertEquals(1, crlsByObject.size());
	assertNotNull(crlsByObject.get(21L));
}
 
Example #17
Source File: OCSPFuncTest.java    From ph-commons with Apache License 2.0
/**
 * Maps an OCSP response to a tri-state revocation result.
 * <p>
 * Only the response status and the certificate status of a lone single
 * response are looked at. The response signature, the certificate ID of the
 * single response and its thisUpdate/nextUpdate times are not examined here,
 * so the result is meaningful only for a response that has been verified
 * separately.
 *
 * @param aOCSPResponse
 *        the response to evaluate
 * @return TRUE for status "good", FALSE for a revoked status, UNDEFINED in
 *         every other case
 * @throws OCSPException
 *         if the response status is unsupported or signals a failure
 */
@Nonnull
public static ETriState evalOCSPResponse (@Nonnull final OCSPResp aOCSPResponse) throws OCSPException
{
  final EOCSPResponseStatus eStatus = EOCSPResponseStatus.getFromValueOrNull (aOCSPResponse.getStatus ());
  if (eStatus == null)
    throw new OCSPException ("Unsupported status code " + aOCSPResponse.getStatus () + " received!");
  if (eStatus.isFailure ())
    throw new OCSPException ("Non-success status code " + aOCSPResponse.getStatus () + " received!");

  final Object aResponseObject = aOCSPResponse.getResponseObject ();
  if (!(aResponseObject instanceof BasicOCSPResp))
    return ETriState.UNDEFINED;

  // Assume we queried only one
  final SingleResp [] aEntries = ((BasicOCSPResp) aResponseObject).getResponses ();
  if (aEntries.length != 1)
    return ETriState.UNDEFINED;

  final CertificateStatus aCertStatus = aEntries[0].getCertStatus ();
  if (aCertStatus == CertificateStatus.GOOD)
    return ETriState.TRUE;
  // anything that is neither good nor revoked is unknown
  return aCertStatus instanceof RevokedStatus ? ETriState.FALSE : ETriState.UNDEFINED;
}
 
Example #18
Source File: DSSASN1Utils.java    From dss with GNU Lesser General Public License v2.1
/**
 * Re-encodes a basic OCSP response through {@code getDEREncoded}.
 *
 * @param basicOCSPResp the response to encode
 * @return the bytes produced by {@code getDEREncoded}
 * @throws DSSException if the response cannot be encoded
 */
public static byte[] getEncoded(BasicOCSPResp basicOCSPResp) {
	try {
		// Round-trip through the ASN.1 structure so the output comes from
		// getDEREncoded rather than from the response's own encoding.
		final byte[] originalEncoding = basicOCSPResp.getEncoded();
		return getDEREncoded(BasicOCSPResponse.getInstance(originalEncoding));
	} catch (IOException e) {
		throw new DSSException(e);
	}
}
 
Example #19
Source File: OcspRef.java    From freehealth-connector with GNU Affero General Public License v3.0
/**
 * Parses an encoded OCSP response and keeps both the bytes and the basic response.
 *
 * @param inOcspEncoded the encoded OCSP response; a clone of the array is stored
 * @throws IllegalArgumentException if the bytes cannot be parsed or do not
 *                                  yield a BasicOCSPResp
 */
OcspRef(byte[] inOcspEncoded) {
   // Clone so that later changes to the caller's array do not affect this object.
   this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);

   try {
      OCSPResp parsedResponse = new OCSPResp(this.ocspEncoded);
      // NOTE(review): getResponseObject() returns null when the response has no
      // response bytes, which leaves ocsp null without an error - confirm that
      // users of this field handle that.
      this.ocsp = (BasicOCSPResp) parsedResponse.getResponseObject();
   } catch (Exception parseFailure) {
      throw new IllegalArgumentException(parseFailure);
   }
}
 
Example #20
Source File: PAdESOCSPSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Adds the OCSP responses of the VRI dictionary to {@code ocspMap} (existing
 * keys are kept) and registers each of them with the VRI_DICTIONARY origin.
 */
private void extractVRIOCSPs() {
	final PdfVRIDict vriDict = findVriDict();
	if (vriDict == null) {
		return;
	}
	for (Entry<Long, BasicOCSPResp> vriEntry : vriDict.getOCSPs().entrySet()) {
		final Long objectKey = vriEntry.getKey();
		final BasicOCSPResp vriResponse = vriEntry.getValue();
		if (!ocspMap.containsKey(objectKey)) {
			ocspMap.put(objectKey, vriResponse);
		}
		// Registered even when the key was already present in ocspMap.
		addBinary(OCSPResponseBinary.build(vriResponse), RevocationOrigin.VRI_DICTIONARY);
	}
}
 
Example #21
Source File: OcspClientExample.java    From netty-4.1.22 with Apache License 2.0
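/**
 * Inspects the OCSP staple sent by the server and accepts it when the first
 * single response is "good" and names the serial number of the peer's leaf
 * certificate.
 * <p>
 * This check does not verify the signature on the OCSP response, the issuer
 * part of the certificate ID, or the thisUpdate/nextUpdate window. On its own
 * it therefore does not establish that the certificate's issuer vouches for
 * the status; those checks have to be added before relying on the result.
 *
 * @param ctx    the channel context, used for the log message
 * @param engine the SSL engine holding the staple and the session
 * @return {@code true} if the staple reports "good" for the peer certificate's
 *         serial number; {@code false} if the response is unsuccessful, is not
 *         a basic response, is empty, or does not match
 * @throws IllegalStateException if the server sent no staple
 * @throws Exception             if the staple cannot be parsed or the session
 *                               cannot be read
 */
@Override
protected boolean verify(ChannelHandlerContext ctx, ReferenceCountedOpenSslEngine engine) throws Exception {
    byte[] staple = engine.getOcspResponse();
    if (staple == null) {
        throw new IllegalStateException("Server didn't provide an OCSP staple!");
    }

    OCSPResp response = new OCSPResp(staple);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        return false;
    }

    SSLSession session = engine.getSession();
    X509Certificate[] chain = session.getPeerCertificateChain();
    BigInteger certSerial = chain[0].getSerialNumber();

    // The staple is supplied by the peer: do not assume it holds a basic response
    // with at least one entry. Reject it instead of failing on a cast or an index.
    Object responseObject = response.getResponseObject();
    if (!(responseObject instanceof BasicOCSPResp)) {
        return false;
    }
    SingleResp[] responses = ((BasicOCSPResp) responseObject).getResponses();
    if (responses.length == 0) {
        return false;
    }
    SingleResp first = responses[0];

    // ATTENTION: CertificateStatus.GOOD is actually a null value! Do not use
    // equals() or you'll NPE!
    CertificateStatus status = first.getCertStatus();
    BigInteger ocspSerial = first.getCertID().getSerialNumber();
    String message = new StringBuilder()
        .append("OCSP status of ").append(ctx.channel().remoteAddress())
        .append("\n  Status: ").append(status == CertificateStatus.GOOD ? "Good" : status)
        .append("\n  This Update: ").append(first.getThisUpdate())
        .append("\n  Next Update: ").append(first.getNextUpdate())
        .append("\n  Cert Serial: ").append(certSerial)
        .append("\n  OCSP Serial: ").append(ocspSerial)
        .toString();
    System.out.println(message);

    return status == CertificateStatus.GOOD && certSerial.equals(ocspSerial);
}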
 
Example #22
Source File: PAdESOCSPSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Returns the OCSP responses of the DSS dictionary keyed by object number.
 * When a DSS dictionary is present, its map also replaces the {@code ocspMap}
 * field.
 * 
 * @return the dictionary's map, or an empty map when there is no DSS dictionary
 */
private Map<Long, BasicOCSPResp> getDssOcspMap() {
	if (dssDictionary == null) {
		return Collections.emptyMap();
	}
	// Side effect: the field now refers to the dictionary's own map.
	ocspMap = dssDictionary.getOCSPs();
	return ocspMap;
}
 
Example #23
Source File: PAdESOCSPSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Returns the OCSP entries collected so far, keyed by object id. The field
 * itself is returned, not a copy.
 * 
 * @return the collected map, or an empty map when nothing has been collected
 */
public Map<Long, BasicOCSPResp> getOcspMap() {
	return (ocspMap == null) ? Collections.<Long, BasicOCSPResp>emptyMap() : ocspMap;
}
 
Example #24
Source File: OcspRef.java    From freehealth-connector with GNU Affero General Public License v3.0
/**
 * Parses an encoded OCSP response and keeps both the bytes and the basic response.
 *
 * @param inOcspEncoded the encoded OCSP response; a clone of the array is stored
 * @throws IllegalArgumentException if the bytes cannot be parsed or do not
 *                                  yield a BasicOCSPResp
 */
OcspRef(byte[] inOcspEncoded) {
   // Clone so that later changes to the caller's array do not affect this object.
   this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);

   try {
      OCSPResp parsedResponse = new OCSPResp(this.ocspEncoded);
      // NOTE(review): getResponseObject() returns null when the response has no
      // response bytes, which leaves ocsp null without an error - confirm that
      // users of this field handle that.
      this.ocsp = (BasicOCSPResp) parsedResponse.getResponseObject();
   } catch (Exception parseFailure) {
      throw new IllegalArgumentException(parseFailure);
   }
}
 
Example #25
Source File: DSSRevocationUtilsTest.java    From dss with GNU Lesser General Public License v2.1
/**
 * Checks that converting a basic OCSP response to a full response and back
 * yields an object equal to the original.
 */
@Test
public void testRevocationOCSP() throws IOException {
	final BasicOCSPResp original = DSSRevocationUtils.loadOCSPBase64Encoded(
			"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");
	assertNotNull(original);

	// basic -> full response
	final OCSPResp wrapped = DSSRevocationUtils.fromBasicToResp(original);
	assertNotNull(wrapped);

	// full response -> basic
	final BasicOCSPResp roundTripped = DSSRevocationUtils.fromRespToBasic(wrapped);
	assertNotNull(roundTripped);

	assertEquals(original, roundTripped);
}
 
Example #26
Source File: OcspRef.java    From freehealth-connector with GNU Affero General Public License v3.0
/**
 * Parses an encoded OCSP response and keeps both the bytes and the basic response.
 *
 * @param inOcspEncoded the encoded OCSP response; a clone of the array is stored
 * @throws IllegalArgumentException if the bytes cannot be parsed or do not
 *                                  yield a BasicOCSPResp
 */
OcspRef(byte[] inOcspEncoded) {
   // Clone so that later changes to the caller's array do not affect this object.
   this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);

   try {
      OCSPResp parsedResponse = new OCSPResp(this.ocspEncoded);
      // NOTE(review): getResponseObject() returns null when the response has no
      // response bytes, which leaves ocsp null without an error - confirm that
      // users of this field handle that.
      this.ocsp = (BasicOCSPResp) parsedResponse.getResponseObject();
   } catch (Exception parseFailure) {
      throw new IllegalArgumentException(parseFailure);
   }
}
 
Example #27
Source File: DSSRevocationUtils.java    From dss with GNU Lesser General Public License v2.1
/**
 * Returns the single responses of a basic OCSP response, best effort.
 *
 * @param basicResponse the basic OCSP response to read
 * @return the single responses, or an empty array if reading them fails (the
 *         failure is logged at WARN level)
 */
private static SingleResp[] getSingleResps(BasicOCSPResp basicResponse) {
	SingleResp[] extracted;
	try {
		extracted = basicResponse.getResponses();
	} catch (Exception e) {
		// A response whose entries cannot be read is treated as having none.
		LOG.warn("Unable to extract SingleResp(s) : {}", e.getMessage());
		extracted = new SingleResp[0];
	}
	return extracted;
}
 
Example #28
Source File: OCSPCertificateSource.java    From dss with GNU Lesser General Public License v2.1
/**
 * Creates a certificate source backed by a basic OCSP response and immediately
 * extracts its certificate tokens and certificate references.
 *
 * @param basicOCSPResp the basic OCSP response; must not be null
 */
public OCSPCertificateSource(final BasicOCSPResp basicOCSPResp) {
	this.basicOCSPResp = Objects.requireNonNull(basicOCSPResp, "BasicOCSPResp must be provided!");

	extractCertificateTokens();
	extractCertificatRefs();
}
 
Example #29
Source File: OcspRef.java    From freehealth-connector with GNU Affero General Public License v3.0
/**
 * Parses an encoded OCSP response and keeps both the bytes and the basic response.
 *
 * @param inOcspEncoded the encoded OCSP response; a clone of the array is stored
 * @throws IllegalArgumentException if the bytes cannot be parsed or do not
 *                                  yield a BasicOCSPResp
 */
OcspRef(byte[] inOcspEncoded) {
   // Clone so that later changes to the caller's array do not affect this object.
   this.ocspEncoded = ArrayUtils.clone(inOcspEncoded);

   try {
      OCSPResp parsedResponse = new OCSPResp(this.ocspEncoded);
      // NOTE(review): getResponseObject() returns null when the response has no
      // response bytes, which leaves ocsp null without an error - confirm that
      // users of this field handle that.
      this.ocsp = (BasicOCSPResp) parsedResponse.getResponseObject();
   } catch (Exception parseFailure) {
      throw new IllegalArgumentException(parseFailure);
   }
}
 
Example #30
Source File: DSSRevocationUtils.java    From dss with GNU Lesser General Public License v2.1
/**
 * Returns the single responses of a basic OCSP response that match the given
 * certificate/issuer pair.
 *
 * @param basicResponse the basic OCSP response to search
 * @param certificate   the certificate the status is wanted for
 * @param issuer        the issuer of that certificate
 * @return the matching single responses, possibly empty
 */
public static List<SingleResp> getSingleResponses(BasicOCSPResp basicResponse, CertificateToken certificate, CertificateToken issuer) {
	final List<SingleResp> matching = new ArrayList<>();
	for (final SingleResp candidate : getSingleResps(basicResponse)) {
		// The certificate id is recomputed with the digest algorithm of each
		// single response before it is compared.
		final DigestAlgorithm candidateDigest = getUsedDigestAlgorithm(candidate);
		final CertificateID expectedId = getOCSPCertificateID(certificate, issuer, candidateDigest);
		if (!DSSRevocationUtils.matches(expectedId, candidate)) {
			continue;
		}
		matching.add(candidate);
	}
	return matching;
}