Class OCSPClientImpl
java.lang.Object
eu.emi.security.authn.x509.helpers.ocsp.OCSPClientImpl
OCSP client is responsible for the network related activity of the OCSP invocation pipeline.
This class is state less and thread safe.
It is implementing the RFC 2560 also taking care to support the lightweight profile recommendations defined in the RFC 5019.
-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprivate boolean
checkCertIDMatching
(X509Certificate toFind, X509Certificate issuerCert, org.bouncycastle.cert.ocsp.CertificateID checkedCertId) private void
configureHttpConnection
(HttpURLConnection con, int timeout) org.bouncycastle.cert.ocsp.OCSPReq
createRequest
(X509Certificate toCheckCert, X509Certificate issuerCert, X509Credential requester, boolean addNonce) private HttpURLConnection
private PublicKey
establishResponsePubKey
(org.bouncycastle.cert.ocsp.BasicOCSPResp bresp, X509Certificate issuerCert) static byte[]
extractNonce
(org.bouncycastle.cert.ocsp.OCSPReq request) private String
getHttpGetUrl
(URL responder, byte[] request) static Date
private static String
getResponderErrorDesc
(int errorNo) queryForCertificate
(URL responder, X509Certificate toCheckCert, X509Certificate issuerCert, X509Credential requester, boolean addNonce, int timeout) Returns a verified single response, related to the checked certificate.org.bouncycastle.cert.ocsp.SingleResp
verifyResponse
(org.bouncycastle.cert.ocsp.OCSPResp response, X509Certificate toCheckCert, X509Certificate issuerCert, byte[] checkNonce) Verifies the provided responseprivate void
verifyTimeRange
(Date thisUpdate, Date nextUpdate)
-
Field Details
-
ASCII
-
MAX_RESPONSE_SIZE
private static final int MAX_RESPONSE_SIZE- See Also:
-
-
Constructor Details
-
OCSPClientImpl
public OCSPClientImpl()
-
-
Method Details
-
queryForCertificate
public OCSPResult queryForCertificate(URL responder, X509Certificate toCheckCert, X509Certificate issuerCert, X509Credential requester, boolean addNonce, int timeout) throws IOException, org.bouncycastle.cert.ocsp.OCSPException Returns a verified single response, related to the checked certificate. This is single-shot version, which can be used instead of manual invocation of low-level methods.- Parameters:
responder
- mandatory - URL of the responder. HTTP or HTTPs, however in https mode thetoCheckCert
- mandatory certificate to be checkedissuerCert
- mandatory certificate of the toCheckCert issuerrequester
- if not null, then it is assumed that request must be signed by the requester.addNonce
- if true nonce will be added to the request and required in responsetimeout
- timeout- Returns:
- Final OCSP checking result
- Throws:
IOException
- IO exceptionorg.bouncycastle.cert.ocsp.OCSPException
- OCSP exception
-
createRequest
public org.bouncycastle.cert.ocsp.OCSPReq createRequest(X509Certificate toCheckCert, X509Certificate issuerCert, X509Credential requester, boolean addNonce) throws org.bouncycastle.cert.ocsp.OCSPException - Throws:
org.bouncycastle.cert.ocsp.OCSPException
-
send
public OCSPResponseStructure send(URL responder, org.bouncycastle.cert.ocsp.OCSPReq requestO, int timeout) throws IOException - Throws:
IOException
-
configureHttpConnection
-
getHttpGetUrl
- Returns:
- null if the encoded request is > 255, or the string which can be used as GET request URL with request encoded.
-
doPost
- Throws:
IOException
-
getNextUpdateFromCacheHeader
-
getResponderErrorDesc
-
verifyResponse
public org.bouncycastle.cert.ocsp.SingleResp verifyResponse(org.bouncycastle.cert.ocsp.OCSPResp response, X509Certificate toCheckCert, X509Certificate issuerCert, byte[] checkNonce) throws org.bouncycastle.cert.ocsp.OCSPException Verifies the provided response- Parameters:
response
- OCSP responsetoCheckCert
- mandatory certificate to be checkedissuerCert
- mandatory certificate of the toCheckCert issuercheckNonce
- expected OCSP nonce- Returns:
- verified response corresponding to the certificate being checked
- Throws:
org.bouncycastle.cert.ocsp.OCSPException
- OCSP exception
-
verifyTimeRange
private void verifyTimeRange(Date thisUpdate, Date nextUpdate) throws org.bouncycastle.cert.ocsp.OCSPException - Throws:
org.bouncycastle.cert.ocsp.OCSPException
-
checkCertIDMatching
private boolean checkCertIDMatching(X509Certificate toFind, X509Certificate issuerCert, org.bouncycastle.cert.ocsp.CertificateID checkedCertId) throws org.bouncycastle.cert.ocsp.OCSPException - Throws:
org.bouncycastle.cert.ocsp.OCSPException
-
establishResponsePubKey
private PublicKey establishResponsePubKey(org.bouncycastle.cert.ocsp.BasicOCSPResp bresp, X509Certificate issuerCert) throws org.bouncycastle.cert.ocsp.OCSPException - Throws:
org.bouncycastle.cert.ocsp.OCSPException
-
extractNonce
- Throws:
IOException
-