/**
 * Picks, among the entries of {@code basicOCSPResp}, the one that matches
 * {@code certificateId} and carries the most recent {@code thisUpdate}.
 * On equal {@code thisUpdate} values the entry seen first is kept.
 *
 * @param certificateId the identifier of the certificate whose status is wanted
 * @param basicOCSPResp the OCSP response whose {@code SingleResp} entries are searched
 * @return the matching entry with the latest {@code thisUpdate}, or {@code null} when no entry matches
 */
protected SingleResp getBestSingleResp(final CertificateID certificateId, final BasicOCSPResp basicOCSPResp) {
    SingleResp newest = null;
    Date newestUpdate = null;
    for (final SingleResp candidate : basicOCSPResp.getResponses()) {
        if (!DSSRevocationUtils.matches(certificateId, candidate)) {
            continue;
        }
        final Date candidateUpdate = candidate.getThisUpdate();
        // first match always wins; afterwards only a strictly newer thisUpdate replaces it
        final boolean newer = (newestUpdate == null) || candidateUpdate.after(newestUpdate);
        if (newer) {
            newest = candidate;
            newestUpdate = candidateUpdate;
        }
    }
    return newest;
}
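/**
 * Returns the DER encoding of this token as a full {@code OCSPResp}: the wrapped
 * {@code basicOCSPResp} is first converted with {@code DSSRevocationUtils.fromBasicToResp}.
 *
 * @return the encoded OCSP response
 * @throws DSSException if the OCSP response cannot be encoded
 */
@Override
public byte[] getEncoded() {
    final OCSPResp ocspResp = DSSRevocationUtils.fromBasicToResp(basicOCSPResp);
    try {
        return ocspResp.getEncoded();
    } catch (IOException e) {
        // this token wraps an OCSP response; the former "CRL encoding error" text was misleading
        throw new DSSException("OCSP encoding error: " + e.getMessage(), e);
    }
}
}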
BasicOCSPResp bestBasicOCSPResp = null; SingleResp bestSingleResp = null; final CertificateID certId = DSSRevocationUtils.getCertificateID(certificateToken); for (final BasicOCSPResp basicOCSPResp : containedOCSPResponses) { if (DSSRevocationUtils.matches(certId, singleResp)) {
/**
 * Obtains the OCSP status of {@code certificateToken} from the responder found at the
 * certificate's OCSP access location, records the resulting token on the certificate
 * and refreshes the cache when {@code shouldCacheBeRefreshed} asked for it.
 *
 * @param certificateToken the certificate to check
 * @param certificatePool  the pool handed to the created {@code OCSPToken}
 * @return the {@code OCSPToken}, or {@code null} when the token or its issuer is missing,
 *         no OCSP access location is known, or the response has no entry for the certificate
 */
@Override
public OCSPToken getOCSPToken(final CertificateToken certificateToken, final CertificatePool certificatePool) {
    if (certificateToken == null || certificateToken.getIssuerToken() == null) {
        return null;
    }
    final String responderUrl = getAccessLocation(certificateToken);
    if (DSSUtils.isEmpty(responderUrl)) {
        return null;
    }
    final CertificateID certId = DSSRevocationUtils.getCertificateID(certificateToken);
    // The nonce extension binds this request to its response, to prevent replay attacks;
    // checkNonce below is presumably where the returned nonce is verified.
    final NonceContainer nonce = getNonceContainer();
    final byte[] request = buildOCSPRequest(certId, nonce);
    final boolean refreshCache = shouldCacheBeRefreshed(certId);
    final BasicOCSPResp response = buildBasicOCSPResp(responderUrl, request, refreshCache);
    checkNonce(certificateToken.getDSSIdAsString(), response, nonce);
    final SingleResp entry = getBestSingleResp(certId, response);
    if (entry == null) {
        return null;
    }
    final OCSPToken token = new OCSPToken(response, entry, certificatePool);
    token.setSourceURI(responderUrl);
    certificateToken.setRevocationToken(token);
    updateCacheIfRefreshed(certId, refreshCache, token);
    return token;
}
final boolean tokenIn = DSSRevocationUtils.isTokenIn(revocationToken, containedBasicOCSPResponses); if (!tokenIn) {
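/**
 * Looks the certificate up in the CRL held by {@code crlValidity} and records the outcome
 * in {@code status}, {@code revocationDate} and {@code reason}. {@code status} is
 * {@code true} when the CRL contains no entry for the certificate's serial number.
 *
 * @param certificateToken the {@code CertificateToken} which is managed by this CRL.
 * @throws DSSException if the CRL signature is not intact, or if the CRL issuer differs from
 *                      the certificate's issuer (a certificate without issuer token is treated
 *                      as not covered by this CRL)
 */
private void setRevocationStatus(final CertificateToken certificateToken) {
    final CertificateToken issuerToken = certificateToken.getIssuerToken();
    // A missing issuer token cannot match the CRL issuer; report it through the same
    // explicit error path instead of failing with a NullPointerException on equals().
    if (issuerToken == null || !issuerToken.equals(crlValidity.issuerToken)) {
        if (!crlValidity.signatureIntact) {
            throw new DSSException(crlValidity.signatureInvalidityReason);
        }
        throw new DSSException("The CRLToken is not signed by the same issuer as the CertificateToken to be verified!");
    }
    final BigInteger serialNumber = certificateToken.getSerialNumber();
    final X509CRL x509crl = crlValidity.x509CRL;
    final X509CRLEntry crlEntry = x509crl.getRevokedCertificate(serialNumber);
    // no CRL entry for this serial number means "not revoked" as far as this CRL is concerned
    status = (crlEntry == null);
    if (!status) {
        revocationDate = crlEntry.getRevocationDate();
        reason = DSSRevocationUtils.getRevocationReason(crlEntry);
    }
}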
/**
 * Convert a BasicOCSPResp in OCSPResp (connection status is set to SUCCESSFUL).
 *
 * @param basicOCSPResp the basic response to wrap
 * @return the {@code OCSPResp} built from the DER encoding of {@code basicOCSPResp}
 * @throws DSSException if {@code basicOCSPResp} cannot be encoded
 */
public static final OCSPResp fromBasicToResp(final BasicOCSPResp basicOCSPResp) {
    try {
        // the byte[] overload performs the actual wrapping
        return fromBasicToResp(basicOCSPResp.getEncoded());
    } catch (IOException e) {
        throw new DSSException(e);
    }
}
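/**
 * Tells whether {@code ocspResp} is the response this reference designates, by recomputing
 * the digest over its encoding and comparing it with {@code digestValue}. Depending on
 * {@code matchOnlyBasicOCSPResponse} the digest covers either the bare {@code BasicOCSPResp}
 * or the full {@code OCSPResp} wrapper produced by {@code DSSRevocationUtils.fromBasicToResp}.
 *
 * @param ocspResp the response to test
 * @return {@code true} if the recomputed digest equals {@code digestValue}; {@code false} if
 *         they differ, if {@code digestValue} is unset or if no digest algorithm is known
 * @throws DSSException if the digest algorithm is unavailable or the response cannot be encoded
 */
public boolean match(final BasicOCSPResp ocspResp) {
    if (digestAlgorithm == null) {
        // -444: without an algorithm there is nothing to recompute, so no match is possible
        return false;
    }
    try {
        final MessageDigest digest = DSSUtils.getMessageDigest(digestAlgorithm);
        final byte[] encoded = matchOnlyBasicOCSPResponse
            ? ocspResp.getEncoded()
            : DSSRevocationUtils.fromBasicToResp(ocspResp).getEncoded();
        digest.update(encoded);
        final byte[] computedValue = digest.digest();
        if (LOG.isInfoEnabled()) {
            LOG.info("Compare " + DSSUtils.encodeHexString(digestValue) + " to computed value " + DSSUtils.encodeHexString(computedValue) + " of " + "BasicOCSPResp produced at " + ocspResp.getProducedAt());
        }
        // MessageDigest.isEqual is the standard way to compare digests (it does not stop at the
        // first differing byte as Arrays.equals does); the null guard keeps the former
        // Arrays.equals(null, x) == false behaviour on every JDK.
        return digestValue != null && MessageDigest.isEqual(digestValue, computedValue);
    } catch (NoSuchAlgorithmException e) {
        throw new DSSException(e);
    } catch (IOException e) {
        throw new DSSException(e);
    }
}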