/*
 * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * This class is used to process an OCSP response.
 * The OCSP Response is defined
 * in RFC 2560 and the ASN.1 encoding is as follows:
 *
 *  OCSPResponse ::= SEQUENCE {
 *      responseStatus         OCSPResponseStatus,
 *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 *
 *  OCSPResponseStatus ::= ENUMERATED {
 *      successful            (0),  --Response has valid confirmations
 *      malformedRequest      (1),  --Illegal confirmation request
 *      internalError         (2),  --Internal error in issuer
 *      tryLater              (3),  --Try again later
 *      sigRequired           (5),  --Must sign the request
 *      unauthorized          (6)   --Request unauthorized
 *
 *  ResponseBytes ::= SEQUENCE {
 *      responseType   OBJECT IDENTIFIER,
 *
 *  BasicOCSPResponse ::= SEQUENCE {
 *      tbsResponseData      ResponseData,
 *      signatureAlgorithm   AlgorithmIdentifier,
 *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 *
 *  The value for signature SHALL be computed on the hash of the DER
 *
 *  ResponseData ::= SEQUENCE {
 *      version              [0] EXPLICIT Version DEFAULT v1,
 *      producedAt           GeneralizedTime,
 *      responses            SEQUENCE OF SingleResponse,
 *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 *
 *  ResponderID ::= CHOICE {
 *      byKey                [2] KeyHash }
 *
 *  KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
 *                              (excluding the tag and length fields)
 *
 *  SingleResponse ::= SEQUENCE {
 *      certStatus           CertStatus,
 *      thisUpdate           GeneralizedTime,
 *      nextUpdate           [0] EXPLICIT GeneralizedTime OPTIONAL,
 *      singleExtensions     [1] EXPLICIT Extensions OPTIONAL }
 *
 *  CertStatus ::= CHOICE {
 *      good                 [0] IMPLICIT NULL,
 *      revoked              [1] IMPLICIT RevokedInfo,
 *      unknown              [2] IMPLICIT UnknownInfo }
 *
 *  RevokedInfo ::= SEQUENCE {
 *      revocationTime       GeneralizedTime,
 *      revocationReason     [0] EXPLICIT CRLReason OPTIONAL }
 *
 *  UnknownInfo ::= NULL -- this can be replaced with an enumeration
 */

    // ResponderID CHOICE tags

    // Object identifier for the OCSPSigning key purpose

    // Default maximum clock skew in milliseconds (15 minutes)
    // allowed when checking validity of OCSP responses

    /**
     * Integer value indicating the maximum allowable clock skew, in seconds,
     * to be used for the OCSP check.
     */

    /**
     * Initialize the maximum allowable clock skew by getting the OCSP
     * clock skew system property. If the property has not been set, or if its
     * value is negative, set the skew to the default.
     */
        // Convert to milliseconds, as the system property will be

    // an array of all of the CRLReasons (used in SingleResponse)

    /*
     * Create an OCSP response from its ASN.1 DER encoding.
     */
                "expected ASN.1 SEQUENCE tag.");
            // unspecified responseStatus

            // no need to continue, responseBytes are not set.
                "of OCSP response: expected ASN.1 context specific tag 0.");
                "of OCSP response: expected ASN.1 SEQUENCE tag.");

        // BasicOCSPResponse

        // Need the DER encoded ResponseData to verify the signature later
                "element of OCSP response: expected ASN.1 SEQUENCE tag.");

        // seq[0] is version
            //System.out.println ("version is available");
                " element of OCSP response: bad format");
                "OCSP response: expected ASN.1 context specific tag 1 or 2");
                    responseExtension[i].getExtensionValue();
                    "Unsupported OCSP critical extension: " +

        // signatureAlgorithmId

        // if seq[3] is available , then it is a sequence of certificates
            // certs are available
                "OCSP response: expected ASN.1 context specific tag 0.");
        // By default, the OCSP responder's cert is the same as the issuer of
        // the cert being validated. The issuer cert is the first in the list.

        // Check whether the signer cert returned by the responder is trusted

            // First check if signer cert matches a trusted responder cert
                // signer cert is trusted, now verify the signed response

            // Next check if signer cert was issued by a trusted responder

                // Retrieve the issuer's key identifier
                        + "in the signer certificate");

                // Check that the key identifiers match, if both are present
                    continue; // try next cert

                // Check for the OCSPSigning key purpose
                    continue; // try next cert
                    continue; // try next cert

                // Check algorithm constraints specified in security
                // property "jdk.certpath.disabledAlgorithms".

                // Check the date validity
                        " the validity period " + e);
                    continue; // try next cert

                // Check for revocation
                // A CA may specify that an OCSP client can trust a
                // responder for the lifetime of the responder's
                // certificate. The CA does so by including the
                // extension id-pkix-ocsp-nocheck.
                        "the extension id-pkix-ocsp-nocheck.");
                // we should do the revocation checking of the
                // authorized responder in a future update.

                // Verify the signature
                    // cert is trusted, now verify the signed response
                        "a trusted responder");

        // Confirm that the signed response was generated using the public
        // key from the trusted responder cert
            // Check algorithm constraints specified in security property
            // "jdk.certpath.disabledAlgorithms".
                    "Error verifying OCSP Responder's signature");

            // Need responder's cert in order to verify the signature
                "Responder's certificate is not trusted for signing " +
    /**
     * Returns the OCSP ResponseStatus.
     */

    /*
     * Verify the signature of the OCSP response.
     * The responder's cert is implicitly trusted.
     */
                "Error verifying signature of OCSP Responder");

    /**
     * Returns the SingleResponse of the specified CertId, or null if
     * there is no response for that CertId.
     */

    /*
     * A class representing a single OCSP response.
     */
                    // if reason out-of-range just leave as UNSPECIFIED

                    // We don't support any extensions yet. Therefore, if it
                    // is critical we must throw an exception because we
                    // don't know how to process it.
                            "Unsupported OCSP critical extension: " +

            // Check that the test date is within the validity interval
                        "interval is out-of-date");
                        "interval is out-of-date");

        /*
         * Return the certificate's revocation status code
         */

        /**
         * Construct a string representation of a single OCSP response.
         */
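
The responder-trust checks and the validity-interval check that the comments above describe, written against the public `java.security.cert` API. This is an added example, not the JDK's own code: the class and method names are hypothetical, it covers the issuer match, OCSPSigning key purpose, date validity, signature and id-pkix-ocsp-nocheck steps, and it assumes the 15-minute default skew mentioned above.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

public class OcspResponderCheck {                                  // hypothetical name
    static final String OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9";    // id-kp-OCSPSigning
    static final String OCSP_NOCHECK_EXT = "1.3.6.1.5.5.7.48.1.5"; // id-pkix-ocsp-nocheck
    static final long MAX_SKEW_MS = 15 * 60 * 1000L;               // assumed default skew

    /** True if signer may sign OCSP responses for certs issued by issuer. */
    static boolean isAuthorizedResponder(X509Certificate signer,
                                         X509Certificate issuer, Date now) {
        if (signer.equals(issuer)) {
            return true;                          // the CA signed the response itself
        }
        try {
            // Delegated responder: must name the CA as its issuer ...
            if (!signer.getIssuerX500Principal()
                       .equals(issuer.getSubjectX500Principal())) {
                return false;
            }
            // ... carry the OCSPSigning key purpose ...
            List<String> eku = signer.getExtendedKeyUsage();
            if (eku == null || !eku.contains(OCSP_SIGNING_EKU)) {
                return false;
            }
            signer.checkValidity(now);            // ... be inside its validity period
            signer.verify(issuer.getPublicKey()); // ... and be signed by the CA key
            return true;
        } catch (GeneralSecurityException e) {
            return false;                         // fail closed on parse/verify errors
        }
    }
    /** Without id-pkix-ocsp-nocheck the responder cert needs its own revocation check. */
    static boolean needsRevocationCheck(X509Certificate signer) {
        return signer.getExtensionValue(OCSP_NOCHECK_EXT) == null;
    }
    /** Freshness of one SingleResponse; nextUpdate is OPTIONAL and may be null. */
    static boolean isFresh(Date thisUpdate, Date nextUpdate, Date now) {
        Date end = (nextUpdate != null) ? nextUpdate : thisUpdate;
        return thisUpdate.getTime() <= now.getTime() + MAX_SKEW_MS
            && end.getTime() >= now.getTime() - MAX_SKEW_MS;
    }
    public static void main(String[] args) {      // constructed timestamps, no network
        Date now = new Date(1_000_000_000_000L);
        Date hourAgo = new Date(now.getTime() - 3_600_000L);
        System.out.println(isFresh(hourAgo, new Date(now.getTime() + 3_600_000L), now));
        System.out.println(isFresh(hourAgo, null, now));
    }
}
```

A response with no `nextUpdate` is treated as valid only around `thisUpdate`, so an hour-old response without one is rejected while the same response with a future `nextUpdate` is accepted.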