public class OCSPStatusRequest
extends java.lang.Object

OCSPStatusRequest structure that may be sent within a status_request extension of type ocsp.

An OCSPStatusRequest may contain a list of OCSP responder ids and a list of request extensions (see RFC 4366):
struct {
    ResponderID responder_id_list<0..2^16-1>;
    Extensions  request_extensions;
} OCSPStatusRequest;

opaque ResponderID<1..2^16-1>;
opaque Extensions<0..2^16-1>;
When creating an OCSPStatusRequest, specify the responder ids and extensions to be included (both may be null if you do not want to send responder ids or extensions):
// responder ids
ResponderID[] responderIDs = ...;
// request extensions
OCSPExtensions requestExtensions = ...;
// create OCSPStatusRequest
OCSPStatusRequest ocspStatusRequest = new OCSPStatusRequest(responderIDs, requestExtensions);
// create CertificateStatusRequest extension of type ocsp:
CertificateStatusRequest certStatusRequest =
    new CertificateStatusRequest(OCSPStatusRequest.STATUS_TYPE, ocspStatusRequest.getEncoded());
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(certStatusRequest);
...
// set extensions for the SSLClientContext configuration:
SSLClientContext clientContext = new SSLClientContext();
...
clientContext.setExtensions(extensions);
...
Attention: If your request extensions contain a Nonce extension, note that the same nonce shall only be used once! Thus, do not use the same SSLClientContext with the same CertificateStatusRequest extension repeatedly if the status request contains a Nonce extension!
Alternatively, you may omit the OCSP status request altogether when creating the CertificateStatusRequest extension. In this case iSaSiLk uses the SecurityProvider method createCertStatusRequest to create an OCSP status request with a fresh nonce every time a new status request is sent:
// create CertificateStatusRequest extension of type ocsp:
CertificateStatusRequest certStatusRequest =
    new CertificateStatusRequest(OCSPStatusRequest.STATUS_TYPE, null);
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(certStatusRequest);
...
// set extensions for the SSLClientContext configuration:
SSLClientContext clientContext = new SSLClientContext();
...
clientContext.setExtensions(extensions);
...
Field Summary

Modifier and Type | Field and Description
---|---
static int | STATUS_TYPE: Status type ocsp (1).
Constructor Summary

Constructor and Description
---
OCSPStatusRequest(): Creates an OCSPStatusRequest.
OCSPStatusRequest(byte[] encodedOCSPStatusRequest): Creates and decodes an OCSPStatusRequest from a TLS encoded byte array.
OCSPStatusRequest(iaik.x509.ocsp.ResponderID[] responderIds): Creates an OCSPStatusRequest for the given responder ids.
OCSPStatusRequest(iaik.x509.ocsp.ResponderID[] responderIds, byte[] nonce): Creates an OCSPStatusRequest for the given responder ids and nonce value.
OCSPStatusRequest(iaik.x509.ocsp.ResponderID[] responderIds, iaik.x509.ocsp.OCSPExtensions extensions): Creates an OCSPStatusRequest for the given responder id and extension lists.
Method Summary

Modifier and Type | Method and Description
---|---
byte[] | getEncoded(): TLS encodes this OCSPStatusRequest.
iaik.x509.ocsp.OCSPExtensions | getExtensions(): Gets the list of request extensions.
byte[] | getNonce(): Gets the nonce value, if request extensions are included in this OCSPStatusRequest and a Nonce extension is contained in the request extensions.
iaik.x509.ocsp.ResponderID[] | getResponderIDs(): Gets the list of OCSP responder ids.
byte[] | getWrappedNonce(): Gets the wrapped nonce value, if request extensions are included in this OCSPStatusRequest and a Nonce extension is contained in the request extensions.

Field Detail
public static final int STATUS_TYPE
public OCSPStatusRequest()
public OCSPStatusRequest(iaik.x509.ocsp.ResponderID[] responderIds)

Parameters:
responderIds - the list of OCSP responders (the responderIds array is not cloned or copied by this method)

public OCSPStatusRequest(iaik.x509.ocsp.ResponderID[] responderIds, iaik.x509.ocsp.OCSPExtensions extensions)

Parameters:
responderIds - the list of OCSP responders (the responderIds array is not cloned or copied by this method)
extensions - the list of request extensions (the extensions object is not cloned or copied by this method)

public OCSPStatusRequest(iaik.x509.ocsp.ResponderID[] responderIds, byte[] nonce) throws iaik.x509.ocsp.OCSPException
When using this constructor, the OCSP status request sent to the server will contain the given responder id list (which may be null) and the Nonce extension as the only extension. The Nonce extension is calculated from the given nonce value. Note that TLS (RFC 4366) encodes the Nonce extension as a separate ASN.1 OCTET_STRING that is then wrapped into the second OCTET_STRING of the OCSP extension value. OCSP (RFC 2560), however, encodes the nonce value immediately into the OCSP extension value (without wrapping it into a separate OCTET_STRING). The nonce value given to this constructor has to represent the raw nonce (not wrapped into an OCTET_STRING); the required OCTET_STRING wrapping is done inside this constructor.

Note that a nonce shall be used only once. Thus, do not use the same instance of this class repeatedly!

Parameters:
responderIds - the list of OCSP responders (the responderIds array is not cloned or copied by this method)
nonce - the nonce value (the nonce byte array is not cloned or copied by this method)
Throws:
iaik.x509.ocsp.OCSPException

public OCSPStatusRequest(byte[] encodedOCSPStatusRequest) throws java.io.IOException
The encoding represents the TLS encoding of the OCSPStatusRequest structure according to RFC 4366:

struct {
    ResponderID responder_id_list<0..2^16-1>;
    Extensions  request_extensions;
} OCSPStatusRequest;

opaque ResponderID<1..2^16-1>;
opaque Extensions<0..2^16-1>;

Parameters:
encodedOCSPStatusRequest - the TLS encoded OCSP status request as byte array
Throws:
java.io.IOException - if an error occurs while parsing the OCSP status request

Method Detail

public iaik.x509.ocsp.ResponderID[] getResponderIDs()

Returns:
the list of OCSP responder ids; null or empty if no OCSP responder ids are included (the returned ResponderID array is not cloned or copied by this method)

public iaik.x509.ocsp.OCSPExtensions getExtensions()
Returns:
the OCSPExtensions object; it may be null or empty if no extensions are included

public byte[] getNonce()

Note that TLS (RFC 4366) encodes the Nonce extension as a separate ASN.1 OCTET_STRING that is then wrapped into the second OCTET_STRING of the OCSP extension value. OCSP (RFC 2560), however, encodes the nonce value immediately into the OCSP extension value (without wrapping it into a separate OCTET_STRING). The nonce value returned by this method represents the raw nonce (not wrapped into an OCTET_STRING); the required OCTET_STRING unwrapping is done inside this method.

Returns:
the raw nonce value, or null if no Nonce extension is included in this OCSP status request

public byte[] getWrappedNonce()
Note that TLS (RFC 4366) encodes the Nonce extension as a separate ASN.1 OCTET_STRING that is then wrapped into the second OCTET_STRING of the OCSP extension value. OCSP (RFC 2560), however, encodes the nonce value immediately into the OCSP extension value (without wrapping it into a separate OCTET_STRING). The nonce value returned by this method represents the nonce wrapped into an OCTET_STRING.

Returns:
the wrapped nonce value, or null if no Nonce extension is included in this OCSP status request

public byte[] getEncoded() throws java.io.IOException

The encoding may contain responder ids and/or request extensions, if set. It represents the TLS encoding of the OCSPStatusRequest structure according to RFC 4366:

struct {
    ResponderID responder_id_list<0..2^16-1>;
    Extensions  request_extensions;
} OCSPStatusRequest;

opaque ResponderID<1..2^16-1>;
opaque Extensions<0..2^16-1>;

Throws:
java.io.IOException - if an error occurs when encoding the status request
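The two encoding details this page keeps returning to, the RFC 4366 OCSPStatusRequest wire struct (getEncoded and the byte[] constructor) and the extra OCTET_STRING layer a Nonce extension carries in TLS but not in plain OCSP (the nonce constructor, getNonce and getWrappedNonce), as a self-contained illustration; this is an added example in Python, not iSaSiLk code. The id-pkix-ocsp-nonce OID, the helper names, the hypothetical sample nonce and ResponderID bytes are constructed here, and the DER helpers handle only short-form lengths, which is all a single Nonce extension needs.

```python
import struct

OCSP_NONCE_OID = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2

def der(tag, body):
    """Short-form DER TLV (body under 128 bytes, which is all a single Nonce extension needs)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Read one short-form DER TLV at pos -> (tag, body, next pos); rejects elements that overrun buf."""
    tag, n = buf[pos], buf[pos + 1]
    if n & 0x80 or pos + 2 + n > len(buf):
        raise ValueError("long-form length or truncated DER element")
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def nonce_extensions(raw_nonce):
    """TLS style (RFC 4366): extnValue = OCTET STRING(OCTET STRING(raw nonce)); plain OCSP (RFC 2560) has one layer."""
    return der(0x30, der(0x30, der(0x06, OCSP_NONCE_OID) + der(0x04, der(0x04, raw_nonce))))

def raw_nonce(extensions):
    """Raw nonce with both OCTET STRING layers removed, or None if no Nonce extension is present."""
    exts, pos = read_tlv(extensions)[1], 0  # Extensions ::= SEQUENCE OF Extension
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        _, oid, p = read_tlv(ext)
        if oid == OCSP_NONCE_OID:
            extn_value = read_tlv(ext, p)[1]  # extnValue OCTET STRING (a Nonce extension is not critical here)
            return read_tlv(extn_value)[1]  # strip the TLS-only inner OCTET STRING, as getNonce() does
    return None

def encode_status_request(responder_ids, extensions):
    """struct { ResponderID responder_id_list<0..2^16-1>; Extensions request_extensions; }"""
    ids = b"".join(struct.pack(">H", len(r)) + r for r in responder_ids)  # opaque ResponderID<1..2^16-1>
    return struct.pack(">H", len(ids)) + ids + struct.pack(">H", len(extensions)) + extensions

def decode_status_request(data):
    """Inverse of encode_status_request -> (ResponderID list, Extensions); every length field is bounds-checked."""
    def vec16(buf, pos):
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        if pos + 2 + n > len(buf):
            raise ValueError("TLS length field overruns buffer")
        return buf[pos + 2:pos + 2 + n], pos + 2 + n
    ids_blob, pos = vec16(data, 0)
    extensions, _ = vec16(data, pos)
    responder_ids, p = [], 0
    while p < len(ids_blob):
        rid, p = vec16(ids_blob, p)
        responder_ids.append(rid)
    return responder_ids, extensions
```

Draw a fresh nonce (for example os.urandom(16)) for every request you encode; the page's rule that a nonce is used only once applies to these bytes exactly as it does to an OCSPStatusRequest instance.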