iaik.x509.ocsp

Class BasicOCSPResponse

java.lang.Object

iaik.x509.ocsp.Response

iaik.x509.ocsp.BasicOCSPResponse

public class BasicOCSPResponse
extends Response

This class implements the OCSP type BasicOCSPResponse.

When sending an OCSPResponse in response to an OCSPRequest, a successful response may include ResponseBytes giving more detailed information about the status of the certificates asked for. ResponseBytes may include Response information of any type, identified by its object identifier (see RFC 2560, RFC 6960):

 OCSPResponse ::= SEQUENCE {
    responseStatus         OCSPResponseStatus,
    responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 
 OCSPResponseStatus ::= ENUMERATED {
     successful            (0),  --Response has valid confirmations
     malformedRequest      (1),  --Illegal confirmation request
     internalError         (2),  --Internal error in issuer
     tryLater              (3),  --Try again later
                                 --(4) is not used
     sigRequired           (5),  --Must sign the request
      unauthorized          (6)   --Request unauthorized
  }
 
 ResponseBytes ::=       SEQUENCE {
    responseType   OBJECT IDENTIFIER,
    response       OCTET STRING }
 

This class implements the only one response type predefined by RFC 2560, RFC 6960 BasicOCSResponse which shall be supported by all OCSP clients and servers:

 BasicOCSPResponse       ::= SEQUENCE {
   tbsResponseData      ResponseData,
   signatureAlgorithm   AlgorithmIdentifier,
   signature            BIT STRING,
   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 
  ResponseData ::= SEQUENCE {
    version              [0] EXPLICIT Version DEFAULT v1,
    responderID              ResponderID,
    producedAt               GeneralizedTime,
    responses                SEQUENCE OF SingleResponse,
     responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 

After creating a BasicOCSPResponse and setting ResponderID and producedAt date, add single responses for any single request included in the OCSPRequest received, e.g.:

 // the ocsp request received
 OCSPrequest ocspRequest = ...;
 Request[] requests = ocspRequest.getRequestList();
 SingleResponse[] singleResponses = new SingleResponse[requests.length];
 // create a single response for any request included:   
 for (int i = 0; i < requests.length; i++) {
   ...
   singleResponses[i] = ...;
   ...
 }
 // create the BasicOCSPResponse:
 BasicOCSPResponse basicOCSPResponse = new BasicOCSPResponse();
 // set the ResponderID:
 ResponderID responderID = ...;
 basicOCSPResponse.setResponderID(responderID);
 // set the producedAt date:
 basicOCSPResponse.setProducedAt(new Date());
 // add the single responses:
 basicOCSPResponse.setSingleResponses(singleResponses);
 

Before signing the BasicOCSPResponse extensions may be added and the certificates of the signer may be included to help the OCSP requestor to verify the signature, e.g.:

 // the certificates of the responder
 X509Certificate[] responderCerts = ...;
 // the private key of the responder, used for signing:
 PrivateKey responderKey = ...;
 // set the certificates:
 basicOCSPResponse.setCertificates(responderCerts);
 // sign the response:
 ocspResponse.sign(AlgorithmID.sha1WithRSAEncryption, responderKey);
 

Finally the BasicOCSPResponse has to be included into an OCSPResponse message for being sent back to the requester:

 OCSPResponse ocspResponse = new OCSPResponse(basicOCSPResponse);
 OutputStream os = ...;
 // encode the OCSP response
 ocspResponse.writeTo(os);
 

A requester receiving an ocsp response, checks the response status and -- if successful -- gets the BasicOCSPResponse included:

 // the stream supplying the encoded OCSP response:
 InputStream is = ...;
 OCSPResponse ocspResponse = new OCSPResponse(is);
 // get the response status:
 int responseStatus = ocspResponse.getResponseStatus();
 if (responseStatus != OCSPResponse.successful) {
   System.out.println("Not successful; got response status: " + 
                       ocspResponse.getResponseStatusName());   
   ...  
 } else {
   // get the basicOCSPResponse
   BasicOCSPResponse basicOCSPResponse = 
      (BasicOCSPResponse)ocspResponse.getResponse();
 

After verifying the signature of the responder the basicOCSPResponse may be searched for the single response given for a particular certificate request sent to the server:

 // verify the response
 try {
  if (basicOCSPResponse.containsCertificates()) {
    X509Certificate signerCert = basicOCSPResponse.verify(); 
    System.out.println("Signature ok from response signer " + signerCert.getSubjectDN());
  } else {
    basicOCSPResponse.verify(responderCerts[0].getPublicKey()); 
    System.out.println("Signature ok!");
  }
 } catch (SignatureException ex) {
   System.out.println("Signature verification error!!!"); 
 } 
 // is there a single response for our request?
 SingleResponse singleResponse = null;
 try {
   singleResponse = basicOCSPResponse.getSingleResponse(reqCert);
 } catch (OCSPException ex) {
   singleResponse = basicOCSPResponse.getSingleResponse(targetCerts[0], 
     targetCerts[1], null);  
 }    
 if (singleResponse != null) {
   System.out.println("Status information got for cert: ");
   System.out.println(singleResponse.getCertStatus());
   ...
 } else {
   System.out.println("No response got!");
 

Version:

File Revision 31

See Also:

OCSPRequest, Request, OCSPResponse, ResponseBytes, SingleResponse, ReqCert, CertStatus

Field Summary

Fields

Modifier and Type	Field and Description
static ObjectID	responseType The response type of the BasicOCSPResponse.

Constructor Summary

Constructors

Constructor and Description
BasicOCSPResponse() Default constructor for creating a new empty BasicOCSPResponse.
BasicOCSPResponse(byte[] array) Creates a BasicOCSPResponse form a PEM or DER byte array.
BasicOCSPResponse(java.io.InputStream is) Creates a BasicOCSPResponse from an input stream.

Method Summary

Methods

Modifier and Type	Method and Description
void	addExtension(V3Extension e) Adds the given extension.
boolean	containsCertificates() Checks if certificates are included.
int	countExtensions() Returns the number of extensions included in this basic ocsp response.
int	countSingleResponses() Returns the number of single responses included.
void	decode(ASN1Object obj) Decodes a BasicOCSPResponse from an ASN1Object.
void	decode(byte[] enc) Decodes a BasicOCSPResponse from an byte array.
void	decode(java.io.InputStream is) Decodes a BasicOCSPResponse from an InputStream.
CertificateResponse	getCertificateResponse(ReqCert reqCert) Searches for the certificate response corresponding to the certificate identified by the given reqCert.
CertificateResponse	getCertificateResponse(X509Certificate targetCert, X509Certificate issuerCert, GeneralName generalName) Searches this BasicOCSPResponse for status information about the certificate identified by the given certificate information.
X509Certificate[]	getCertificates() Returns the signer certificates that may be included in this response.
byte[]	getEncoded() Returns this BasicOCSPResponse as DER encoded ASN.1 data structure
V3Extension	getExtension(ObjectID oid) Returns a specific extension, identified by its object identifier.
byte[]	getNonce() A convenience method for getting the value of the Nonce extension, if included in this response.
java.util.Date	getProducedAt() Returns the producedAt date of this BasicOCSPResponse.
ResponderID	getResponderID() Returns the responderID.
ObjectID	getResponseType() Returns the response type identifying this BasicOCSPResponse The corresponding OID string is "1.3.6.1.5.5.7.1.11.1".
byte[]	getSignature() Returns the signature of this BasicOCSPResponse.
AlgorithmID	getSignatureAlgorithm() Returns the signature algorithm of this BasicOCSPResponse.
X509Certificate	getSignerCertificate() Returns the response signer certificate or null if no certificates are included.
SingleResponse	getSingleResponse(ReqCert reqCert) Searches for the single response corresponding to the certificate identified by the given reqCert.
SingleResponse	getSingleResponse(X509Certificate targetCert, X509Certificate issuerCert, GeneralName generalName) Searches this BasicOCSPResponse for status information about the certificate identified by the given certificate information.
SingleResponse[]	getSingleResponses() Returns all single responses included in this BasicOCSPResponse.
byte[]	getTBSResponseData() Returns the DER encoded TBSResponseData ASN.1 data structure specifying response data to be signed.
int	getVersion() Returns the version number of this BasicOCSPResponse as int.
boolean	hasExtensions() Checks, if there are any extensions included in this basic ocsp response.
boolean	hasUnsupportedCriticalExtension() Returns true if there are unsupported critical extensions.
java.util.Enumeration	listExtensions() Returns an enumeration of all extensions included in this basic ocsp response.
void	removeAllExtensions() Removes all extensions from this basic ocsp response.
boolean	removeExtension(ObjectID oid) Removes the extension specified by its object identifier.
void	setCertificates(X509Certificate[] signerCerts) Sets the certificates to be included into this BasicOCSPResponse.
void	setNonce(byte[] nonce) A convenience method for setting the value of the Nonce extension.
void	setProducedAt(java.util.Date producedAtDate) Sets the producedAt date of this certificate.
void	setResponderID(ResponderID responderID) Sets the responderID.
void	setSignature(AlgorithmID signatureAlg, byte[] signature) Sets the signature value of this BasicOCSPResponse.
void	setSingleResponses(SingleResponse[] singleResponses) Sets the single responses of this BasicOCSPResponse.
void	sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK) Signs the BasicOCSPResponse with the private key of the issuer.
void	sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.spec.AlgorithmParameterSpec signatureParams, java.security.Provider provider) Signs the BasicOCSPResponse with the private key of the issuer.
void	sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.spec.AlgorithmParameterSpec signatureParams, java.lang.String providerName) Signs the BasicOCSPResponse with the private key of the issuer.
void	sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.security.Provider provider) Signs the BasicOCSPResponse with the private key of the issuer.
void	sign(AlgorithmID signatureAlg, java.security.PrivateKey issuerPK, java.lang.String providerName) Signs the BasicOCSPResponse with the private key of the issuer.
ASN1Object	toASN1Object() Returns the BasicOCSPResponse as an ASN1Object.
java.lang.String	toString() Returns a string that represents the contents of this BasicOCSPResponse.
java.lang.String	toString(boolean detailed) Returns a string that represents the contents of this BasicOCSPResponse.
X509Certificate	verify() Verifies this BasicOCSPResponse using the included signer certificates.
void	verify(java.security.PublicKey key) Uses the given public key to verify this BasicOCSPResponse.
void	verify(java.security.PublicKey key, java.security.Provider provider) Uses the given public key to verify this BasicOCSPResponse.
void	verify(java.security.PublicKey key, java.lang.String providerName) Uses the given public key to verify this BasicOCSPResponse.
void	writeTo(java.io.OutputStream os) Writes this BasicOCSPResponse DER encoded to the given output stream.

Methods inherited from class iaik.x509.ocsp.Response

getName

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

responseType

public static final ObjectID responseType

The response type of the BasicOCSPResponse. The corresponding OID string is "1.3.6.1.5.5.7.48.1.1".

Constructor Detail

BasicOCSPResponse

public BasicOCSPResponse()

Default constructor for creating a new empty BasicOCSPResponse.

Any value may be set using the corresponding set<Value> method. The version number per default is set to 0 indicating a v1 response.

BasicOCSPResponse

public BasicOCSPResponse(java.io.InputStream is)
                  throws java.io.IOException,
                         CodingException

Creates a BasicOCSPResponse from an input stream.

The supplied BasicOCSPResponse can be in PEM or DER format. This constructor reads a BasicOCSPResponse previously written with method writeTo(OutputStream).

For instance:

 InputStream is = ...;
 BasicOCSPResponse response = new BasicOCSPResponse(is);
 is.close();
 

Parameters:

is - InputStream from which to create the BasicOCSPResponse

Throws:

java.io.IOException - if the response could not be read

CodingException - if there is a problem with the response

BasicOCSPResponse

public BasicOCSPResponse(byte[] array)
                  throws CodingException

Creates a BasicOCSPResponse form a PEM or DER byte array.

This constructor may be used for parsing an already existing BasicOCSPResponse ASN.1 object, supplied as DER encoded byte array, which may have been created by calling method getEncoded.

Parameters:

array - the byte array containing the DER encoded response

Throws:

CodingException - if the response cannot be decoded

Method Detail

decode

public void decode(ASN1Object obj)
            throws CodingException

Decodes a BasicOCSPResponse from an ASN1Object.

The given ASN1Object represents an already existing BasicOCSPResponse which may have been created by calling the toASN1Object method.

Parameters:

obj - the ASN1Object which representing the response

Throws:

CodingException - if there is a problem when parsing the response

decode

public void decode(byte[] enc)
            throws CodingException

Decodes a BasicOCSPResponse from an byte array. The given byte array supplies the OCSP response in DER encoded format. This method internally is called when creating a BasicOCSPResponse from an byte array.

Specified by:

decode in class Response

Parameters:

enc - is the byte array from where the response should be read

Throws:

CodingException - if an decoding/parsing error occurs

decode

public void decode(java.io.InputStream is)
            throws java.io.IOException

Decodes a BasicOCSPResponse from an InputStream. The given InputStream supplies the OCSP response in DER encoded format. This method internally is called when creating a BasicOCSPResponse from an InputStream.

Parameters:

is - the InputStream from where the response should be read

Throws:

java.io.IOException - if something is wrong with the InputStream

sign

public void sign(AlgorithmID signatureAlg,
        java.security.PrivateKey issuerPK)
          throws OCSPException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException

Signs the BasicOCSPResponse with the private key of the issuer.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

issuerPK - the private key of the issuer

Throws:

OCSPException - if the response could not be signed

java.security.InvalidKeyException - if the format of the key is wrong

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

sign

public void sign(AlgorithmID signatureAlg,
        java.security.PrivateKey issuerPK,
        java.lang.String providerName)
          throws OCSPException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException

Signs the BasicOCSPResponse with the private key of the issuer.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

issuerPK - the private key of the issuer

providerName - the name of the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm

Throws:

OCSPException - if the response could not be signed

java.security.InvalidKeyException - if the format of the key is wrong

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

sign

public void sign(AlgorithmID signatureAlg,
        java.security.PrivateKey issuerPK,
        java.security.spec.AlgorithmParameterSpec signatureParams,
        java.lang.String providerName)
          throws OCSPException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidAlgorithmParameterException

Signs the BasicOCSPResponse with the private key of the issuer.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

issuerPK - the private key of the issuer

signatureParams - any signature parameters to -- if not null -- be used for initializing the Signature engine; if applicable the parameters are also set for the signatureAlg AlgorithmID (if it does not contain any parameters yet)

providerName - the name of the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm

Throws:

OCSPException - if the response could not be signed

java.security.InvalidKeyException - if the format of the key is wrong

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

java.security.InvalidAlgorithmParameterException - if an error occurs when trying to set the signature parameters

sign

public void sign(AlgorithmID signatureAlg,
        java.security.PrivateKey issuerPK,
        java.security.Provider provider)
          throws OCSPException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException

Signs the BasicOCSPResponse with the private key of the issuer.
This method uses a Signature engine from the given provider for signing the response.
If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

issuerPK - the private key of the issuer

provider - the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm

Throws:

OCSPException - if the response could not be signed

java.security.InvalidKeyException - if the format of the key is wrong

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

sign

public void sign(AlgorithmID signatureAlg,
        java.security.PrivateKey issuerPK,
        java.security.spec.AlgorithmParameterSpec signatureParams,
        java.security.Provider provider)
          throws OCSPException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidAlgorithmParameterException

Signs the BasicOCSPResponse with the private key of the issuer.
This method uses a Signature engine from the given provider for signing the response.
If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

issuerPK - the private key of the issuer

signatureParams - any signature parameters to -- if not null -- be used for initializing the Signature engine; if applicable the parameters are also set for the signatureAlg AlgorithmID (if it does not contain any parameters yet)

provider - the provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm

Throws:

OCSPException - if the response could not be signed

java.security.InvalidKeyException - if the format of the key is wrong

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

java.security.InvalidAlgorithmParameterException - if an error occurs when trying to set the signature parameters

setSignature

public void setSignature(AlgorithmID signatureAlg,
                byte[] signature)
                  throws OCSPException

Sets the signature value of this BasicOCSPResponse.

This method provides an alternative way to method sign for "signing" this basic OCSP response with a precalculated signature value. If using this method please make sure that the signature value provided actually has beeb calculated over the TBS responseData.

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm

signature - the (precalculated) signature value

Throws:

OCSPException - if the response could not be signed

getEncoded

public byte[] getEncoded()

Returns this BasicOCSPResponse as DER encoded ASN.1 data structure

Specified by:

getEncoded in class Response

Returns:

a byte array holding the DER encoded BasicOCSPResponse as ASN.1 data structure

getVersion

public int getVersion()

Returns the version number of this BasicOCSPResponse as int. Default version: v1.

ASN.1 definition:

 Version  ::=  INTEGER  {  v1(0), v2(1) }
 

Returns:

version number of the response as int, 1 for v1, 2 for v2.

getResponseType

public ObjectID getResponseType()

Returns the response type identifying this BasicOCSPResponse The corresponding OID string is "1.3.6.1.5.5.7.1.11.1".

Specified by:

getResponseType in class Response

Returns:

the response type identifying this BasicOCSPResponse

getResponderID

public ResponderID getResponderID()

Returns the responderID.

Returns:

the responderID identifying the responder by name or key

getSingleResponses

public SingleResponse[] getSingleResponses()

Returns all single responses included in this BasicOCSPResponse.

Returns:

an Enumeration holding all the single responses included in this BasicOCSPResponse; the list may be null

countSingleResponses

public int countSingleResponses()

Returns the number of single responses included.

Returns:

the number of single responses included

getSingleResponse

public SingleResponse getSingleResponse(X509Certificate targetCert,
                               X509Certificate issuerCert,
                               GeneralName generalName)
                                 throws OCSPException

Searches this BasicOCSPResponse for status information about the certificate identified by the given certificate information.

This method only calls method getCertificateResponse and casts the result to SingleResponse.

Each particular single response included is expected to be identified by its reqCert identifying the corresponding certificate by one of the following id types:

 ReqCert  ::= CHOICE {
   certID            CertID,
   issuerSerial      [0] IssuerandSerialNumber,
   pKCert            [1] Certificate,
   name              [2] GeneralName,
   certHash          [3] OCTET STRING}
 

When searching an OCSP response for a SingleResponse the search has to be done by checking the ReqCert identifiers of the single responses included.

Since OCSP v2-01 (see draft-ietf-pkix-ocspv2-01) uses not less than five alternatives (certID, issuerSerial, pKCert, name, certHash) to identify the target cert for which status information shall be obtained, it might be the -- hopefully not very probable -- case that an OCSP server responds by using a different reqCert type (namely when maintaining precomputed responses) as the one sent with the client request.
If method getSingleResponse does not find a single response for a given ReqCert thereby throwing an OCSPException there maybe single responses included having a different ReqCert type (or -- in the case of certIDs -- using different hash algorithms} as the one queried for. In this case this method can be used for stepping through the single responses included and using their ReqCert types for searching for a single response for the cert identified by the given certificate data. For each certificate response included the given certificate information is tried to be "translated" in a ReqCert of appropriate type according to the following rules:

• If a single response uses a reqCert of type certID, both targetCert and issuerCert are required; generalName is ignored. From the given certs, a certID is created and checked for equality with the certID of the reqCert of the particular single response.
• If a single response uses a reqCert of type issuerSerial, the targetCert is required; issuerCert and generalName are ignored. From the given target cert, an IssuerAndSerialNumber object is created and checked for equality with the issuerSerial of the reqCert of the particular single response.
• If a single response uses a reqCert of type pKCert, the targetCert is required; issuerCert and generalName are ignored. The given target cert is checked for equality with the pKCert of the reqCert of the particular single response.
• If a single response uses a reqCert of type name, targetCert or generalName are required; issuerCert is ignored. If generalName is present, it is compared with the GeneralName of the reqCert of the particular response. If generalName is null, but targetCert is present, a GeneralName of type directoryName is created from the target cert's SubjectDN and checked for equality with the generalName of the reqCert of the particular single response.
• If a single response uses a reqCert of type certHash, the targetCert is required; issuerCert and generalName are ignored. From the given target cert a SHA-1 hash is computed and compared with the certHash of the reqCert of the particular single response.

Note that any reqCert type can be created if target cert and issuer cert a set.

Assuming, for instance, that you have used method getSingleResponse for asking if a response for your request is included. The search has stopped by throwing an OCSPException indicating that no single response for your ReqCert is included, but there are single responses present having a different ReqCert type. Now you may start a second search using the ReqCert types of the single responses included, e.g.:

 // the target cert chain
 X509Certificate[] targetCerts = ...;
 // the ReqCert used in the request:
 ReqCert reqCert ...;
 ...
 // search the response by ReqCert ID:
 SingleResponse singleResponse = null;
 try {
   singleResponse = basicOCSPResponse.getSingleResponse(reqCert);
 } catch (OCSPException ex) {
   // not found, but cert responses with different types are present
   System.out.println("Not found: " + ex.getMessage());
   System.out.println("Searching again...");
   singleResponse = basicOCSPResponse.getSingleResponse(targetCerts[0],
                                                        targetCerts[1],
                                                        null);
 }
 if (singleResponse != null) {
  ...
 } else {
   System.out.println("Got no response!");
 }
 

Parameters:

targetCert - the target cert, if required

issuerCert - the cert of the target cert issuer, if required

generalName - a general name (if required for reqCert type "name")

Returns:

a single response giving status information about the certificate identified by the given certificate information; or null if no single response for the certificate in mind is included

Throws:

OCSPException - if some processing error occurs, e.g. if the ReqCert of some response represents a CertID but the certID's hash algorithm is not supported by the installed providers

getSingleResponse

public SingleResponse getSingleResponse(ReqCert reqCert)
                                 throws OCSPException

Searches for the single response corresponding to the certificate identified by the given reqCert.

This method only calls method getCertificateResponse and casts the result to SingleResponse.

Each single response included in this BasicOCSPResponse is identified by its reqCert ID. This method steps through all the single responses included in this BasicOCSPResponse and compares their reqCert IDs with the given reqCert.

Parameters:

reqCert - the reqCert of the certificate for which status information shall be obtained

Returns:

a single response giving status information about the certificate identified by the given reqCert; or null if no single response for the certificate in mind is included

Throws:

OCSPException - if a single response for the given reqCert cannot be found, but single responses included having a different reqCert type or -- in the case of certIDs -- using a hash algorithms different to the given certID's one; in this case you may try method getSingleResponse to use the reqCert types of the single responses included

getCertificateResponse

public CertificateResponse getCertificateResponse(X509Certificate targetCert,
                                         X509Certificate issuerCert,
                                         GeneralName generalName)
                                           throws OCSPException

Searches this BasicOCSPResponse for status information about the certificate identified by the given certificate information.

This method overrides the corresponding method of the parent Response class.

Each particular certificate response included is expected to be identified by its reqCert identifying the corresponding certificate by one of the following id types:

 ReqCert  ::= CHOICE {
   certID            CertID,
   issuerSerial      [0] IssuerandSerialNumber,
   pKCert            [1] Certificate,
   name              [2] GeneralName,
   certHash          [3] OCTET STRING}
 

When searching an OCSP response for a CertificateResponse the search has to be done by checking the ReqCert identifiers of the certificate responses included.

Since OCSP v2-01 (see draft-ietf-pkix-ocspv2-01) uses not less than five alternatives (certID, issuerSerial, pKCert, name, certHash) to identify the target cert for which status information shall be obtained, it might be the -- hopefully not very probable -- case that an OCSP server responds by using a different reqCert type (namely when maintaining precomputed responses) as the one sent with the client request.
If method getCertificateResponse does not find a certificate response for a given ReqCert thereby throwing an OCSPException there maybe certificate responses included having a different ReqCert type (or -- in the case of certIDs -- using different hash algorithms} as the one queried for. In this case this method can be used for stepping through the certificate responses included and using their ReqCert types for searching for a certificate response for the cert identified by the given certificate data. For each certificate response included the given certificate information is tried to be "translated" in a ReqCert of appropriate type according to the following rules:

• If a certificate response uses a reqCert of type certID, both targetCert and issuerCert are required; generalName is ignored. From the given certs, a certID is created and checked for equality with the certID of the reqCert of the particular certificate response.
• If a certificate response uses a reqCert of type issuerSerial, the targetCert is required; issuerCert and generalName are ignored. From the given target cert, an IssuerAndSerialNumber object is created and checked for equality with the issuerSerial of the reqCert of the particular certificate response.
• If a certificate response uses a reqCert of type pKCert, the targetCert is required; issuerCert and generalName are ignored. The given target cert is checked for equality with the pKCert of the reqCert of the particular certificate response.
• If a certificate response uses a reqCert of type name, targetCert or generalName are required; issuerCert is ignored. If generalName is present, it is compared with the GeneralName of the reqCert of the particular response. If generalName is null, but targetCert is present, a GeneralName of type directoryName is created from the target cert's SubjectDN and checked for equality with the generalName of the reqCert of the particular certificate response.
• If a certificate response uses a reqCert of type certHash, the targetCert is required; issuerCert and generalName are ignored. From the given target cert a SHA-1 hash is computed and compared with the certHash of the reqCert of the particular certificate response.

Note that any reqCert type can be created if target cert and issuer cert a set.

Assuming, for instance, that you have used method getCertificateResponse for asking if a response for your request is included. The search has stopped by throwing an OCSPException indicating that no certificate response for your ReqCert is included, but there are certificate responses present having a different ReqCert type. Now you may start a second search using the ReqCert types of the certificate responses included, e.g.:

 // the target cert chain
 X509Certificate[] targetCerts = ...;
 // the ReqCert used in the request:
 ReqCert reqCert ...;
 ...
 // search the response by ReqCert ID:
 CertificateResponse certificateResponse = null;
 try {
   certificateResponse = basicOCSPResponse.getCertificateResponse(reqCert);
 } catch (OCSPException ex) {
   // not found, but cert responses with different types are present
   System.out.println("Not found: " + ex.getMessage());
   System.out.println("Seraching again...");
   certificateResponse = basicOCSPResponse.getCertificateResponse(targetCerts[0],
                                                         targetCerts[1],
                                                         null);
 }
 if (certificateResponse != null) {
  ...
 } else {
   System.out.println("Got no response!");
 }
 

Specified by:

getCertificateResponse in class Response

Parameters:

targetCert - the target cert, if required

issuerCert - the cert of the target cert issuer, if required

generalName - a general name (if required for reqCert type "name")

Returns:

a certificate response giving status information about the certificate identified by the given certificate information; or null if no certificate response for the certificate in mind is included

Throws:

OCSPException - if some processing error occurs, e.g. if the ReqCert of some response represents a CertID but the certID's hash algorithm is not supported by the installed providers

getCertificateResponse

public CertificateResponse getCertificateResponse(ReqCert reqCert)
                                           throws OCSPException

Searches for the certificate response corresponding to the certificate identified by the given reqCert.

This method overrides the corresponding method of the parent Response class.

Each single response included in this BasicOCSPResponse is identified by its reqCert ID. This method steps through all the single responses included in this BasicOCSPResponse and compares their reqCert IDs with the given reqCert.

Specified by:

getCertificateResponse in class Response

Parameters:

reqCert - the reqCert of the certificate for which status information shall be obtained

Returns:

a certificate response giving status information about the certificate identified by the given reqCert; or null if no certificate response for the certificate in mind is included

Throws:

OCSPException - if a certificate response for the given reqCert cannot be found, but certificate responses included having a different reqCert type or -- in the case of certIDs -- using a hash algorithms different to the given certID's one; in this case you may try method getCertificateResponse to use the reqCert types of the certificate responses included

getProducedAt

public java.util.Date getProducedAt()

Returns the producedAt date of this BasicOCSPResponse.

The producedAt value denotes the time at which the response was produced and can be set using the setProducedAt method.

Returns:

the date at which the response was produced, or null if the producedAt date has yet not been set

getTBSResponseData

public byte[] getTBSResponseData()
                          throws CodingException

Returns the DER encoded TBSResponseData ASN.1 data structure specifying response data to be signed.

 ResponseData ::= SEQUENCE {
   version            [0] EXPLICIT Version DEFAULT v1,
   responderID            ResponderID,
   producedAt             GeneralizedTime,
   responses              SEQUENCE OF SingleResponse,
   responseExtensions [1] EXPLICIT Extensions OPTIONAL }
 

Returns:

the inherent TBSResponseData as DER encoded ASN.1 structure

Throws:

CodingException - if an encoding error occurs

getSignature

public byte[] getSignature()

Returns the signature of this BasicOCSPResponse. The signature is defined as an ASN.1 BIT STRING structure. This method returns the inherent signature value as byte array.

Returns:

the signature value as byte array

getSignatureAlgorithm

public AlgorithmID getSignatureAlgorithm()

Returns the signature algorithm of this BasicOCSPResponse.

Returns:

the AlgorithmID of the algorithm used for signing this response

See Also:

AlgorithmID

verify

public void verify(java.security.PublicKey key)
            throws java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException

Uses the given public key to verify this BasicOCSPResponse.

Parameters:

key - the public key (of the issuer) to verify the response

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm that has been used to sign this response

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.SignatureException - if the signature does not verify

verify

public void verify(java.security.PublicKey key,
          java.lang.String providerName)
            throws java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException

Uses the given public key to verify this BasicOCSPResponse.

Parameters:

key - the public key (of the issuer) to verify the response

providerName - the name of the crypto provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm that has been used to sign this response

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.SignatureException - if the signature does not verify

verify

public void verify(java.security.PublicKey key,
          java.security.Provider provider)
            throws java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException

Uses the given public key to verify this BasicOCSPResponse.

This method uses a Signature engine from the given provider for verifying the response.
If Provider object based JCA/JCE Signature engine instantiation is not available the Java VM in use (<1.4), this method tries to get an implementation based on the provider name (if the Provider is installed within the Security Provider framework). I.e. if method Signature.getInstance(algorithm,provider) is not available method Signature.getInstance(algorithm,provider.getName()) is tried.

Parameters:

key - the public key (of the issuer) to verify the response

providerName - the name of the crypto provider supplying the Signature engine to be used; if null the first available provider will be used the supports the signature algorithm

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm that has been used to sign this response

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.SignatureException - if the signature does not verify

verify

public X509Certificate verify()
                       throws java.security.NoSuchAlgorithmException,
                              java.security.InvalidKeyException,
                              java.security.SignatureException,
                              OCSPException

Verifies this BasicOCSPResponse using the included signer certificates.

This method only can be used for verifying this response if signer certificates are included. If so, this method assumes that all certificates included belong to same chain. It tries to sort the chain to get the signer certificate public key for verifying the response. If no certificates are included or the chain cannot be sorted, an OCSPException is thrown. In this case you may use method verify for verifying the response with the right public key supplied by other means.

Returns:

the certificate of the signer; if included and verification is successful

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm that has been used to sign this response

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.SignatureException - if the signature does not verify

OCSPException - if no certs are included or the signer cert cannot be found in the certificate list included

containsCertificates

public boolean containsCertificates()

Checks if certificates are included.

Returns:

true if certificates are included, false otherwise

toASN1Object

public ASN1Object toASN1Object()

Returns the BasicOCSPResponse as an ASN1Object.

Returns:

this response as ASN1Object

writeTo

public void writeTo(java.io.OutputStream os)
             throws java.io.IOException

Writes this BasicOCSPResponse DER encoded to the given output stream.

Parameters:

os - the output stream where the response shall be written to

Throws:

java.io.IOException - if an I/O error occurs

setResponderID

public void setResponderID(ResponderID responderID)

Sets the responderID.

Parameters:

responderID - the responderID identifying the responder by name or key

setProducedAt

public void setProducedAt(java.util.Date producedAtDate)

Sets the producedAt date of this certificate.

For instance:

 GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
 response.setProducedAt(date.getTime());
 

Parameters:

producedAtDate - the Date at which this response is produced

setSingleResponses

public void setSingleResponses(SingleResponse[] singleResponses)

Sets the single responses of this BasicOCSPResponse. Any response already included is cleared. If any of the given single responses has a ReqCert type other than CertID, version is set to 2.

Parameters:

singleResponses - the single responses to be set

setCertificates

public void setCertificates(X509Certificate[] signerCerts)

Sets the certificates to be included into this BasicOCSPResponse.

Parameters:

signerCerts - the certificates of the signer to be included

getCertificates

public X509Certificate[] getCertificates()

Returns the signer certificates that may be included in this response.

Returns:

the certificates of the signer, if included; null otherwise

getSignerCertificate

public X509Certificate getSignerCertificate()

Returns the response signer certificate or null if no certificates are included.
If certificates are included, this method searches for the response signer certificate based on the responder id of this BasicOCSPResponse. This method returns null if no appropriate certificate is found.

Returns:

the response signer certificate, if included; null otherwise

addExtension

public void addExtension(V3Extension e)
                  throws X509ExtensionException

Adds the given extension.

The extension to be added shall be an implemented V3Extension. If an extension with the same object ID already exists, it is replaced.

For reading back some extension use the getExtension(ObjectID) method.

Parameters:

e - the extension to be added

Throws:

X509ExtensionException - if the extension cannot be added

removeExtension

public boolean removeExtension(ObjectID oid)

Removes the extension specified by its object identifier.

Parameters:

oid - the object ID of the extension to remove

Returns:

true if the extension has been successfully removed, false otherwise

removeAllExtensions

public void removeAllExtensions()

Removes all extensions from this basic ocsp response.

listExtensions

public java.util.Enumeration listExtensions()

Returns an enumeration of all extensions included in this basic ocsp response.

The returned enumeration may contain unknown extensions (instances of UnknownExtension if there are any extensions included in basic response, for which there exists no registered implementation, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.

Returns:

an enumeration of the extensions, or null if there are no extensions present at all

hasExtensions

public boolean hasExtensions()

Checks, if there are any extensions included in this basic ocsp response.

Returns:

true if there are extensions, false if not

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()

Returns true if there are unsupported critical extensions.

Returns:

true, if there are unsupported critical extensions

countExtensions

public int countExtensions()

Returns the number of extensions included in this basic ocsp response.

Returns:

the number of extensions

getExtension

public V3Extension getExtension(ObjectID oid)
                         throws X509ExtensionInitException

Returns a specific extension, identified by its object identifier.

If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, which is not supported by a registered implementation, this method creates and returns an UnknownExtension which may be queried for obtaining as much information as possible about the unknown extension.

Parameters:

oid - the object ID of the extension

Returns:

the desired extension or null if the requested extension is not present

Throws:

X509ExtensionInitException - if the extension can not be initialized

setNonce

public void setNonce(byte[] nonce)
              throws X509ExtensionException

A convenience method for setting the value of the Nonce extension.

This method provides an convenient alternative to method addExtension for including the Nonce extension in this response. From the given nonce value a Nonce extension object is created an added to the list of response extensions as not critical extension.

The Nonce extension can be used for cryptographically binding a request and a response to prevent replay attacks.

Parameters:

nonce - the nonce value

Throws:

X509ExtensionException - if the Nonce extension cannot be created

getNonce

public byte[] getNonce()
                throws X509ExtensionInitException

A convenience method for getting the value of the Nonce extension, if included in this response.

This method provides an convenient alternative to method getExtension for getting the value of the Nonce extension, if included in this response.

The Nonce extension can be used for cryptographically binding a request and a response to prevent replay attacks.

Returns:

the value of the Nonce extension, if included in this response; otherwise null

Throws:

X509ExtensionInitException - if the Nonce extension cannot be initialized from its encoding

toString

public java.lang.String toString()

Returns a string that represents the contents of this BasicOCSPResponse.

Specified by:

toString in class Response

Returns:

the string representation

toString

public java.lang.String toString(boolean detailed)

Returns a string that represents the contents of this BasicOCSPResponse.

Parameters:

detailed - whether or not to give detailed information about the included single responses and extensions

Returns:

the string representation