1. 技术文章
  2. OCSP response does not give Certificate Status

OCSP response does not give Certificate Status

孤街浪徒 提交于 2019-12-21 09:25:25

问题


I created an OCSP client using Bouncy castle API. I am having a trouble in finding the Certificate Status (Saying whether its revoked or not) from the OCSP response I get. The value returned from resp.getCertStatus() is always null. This is how I create the OCSP request.

    private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
        throws CertificateVerificationException {

    //Add provider BC
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    try {
        //  CertID structure is used to uniquely identify certificates that are the subject of
        // an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560
        CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber);

        // basic request generation with nonce
        OCSPReqGenerator generator = new OCSPReqGenerator();
        generator.addRequest(id);

        // create details for nonce extension. The nonce extension is used to bind
        // a request to a response to prevent replay attacks. As the name implies,
        // the nonce value is something that the client should only use once within a reasonably small period.
        BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
        Vector objectIdentifiers = new Vector();
        Vector values = new Vector();

        //to create the request Extension
        objectIdentifiers.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        values.add(new X509Extension(false, new DEROctetString(nonce.toByteArray())));
        generator.setRequestExtensions(new X509Extensions(objectIdentifiers, values));

        return generator.generate();
    }
    catch (OCSPException e) {
        e.printStackTrace();
        throw new CertificateVerificationException("Cannot generate OSCP Request with the given certificate",e);
    }
}

I get the OCSP response from the service URL as follows.

    private OCSPResp getOCSPResponce(String serviceUrl, OCSPReq request) throws CertificateVerificationException {

    try {
        byte[] array = request.getEncoded();
        if (serviceUrl.startsWith("http")) {
            HttpURLConnection con;
            URL url = new URL(serviceUrl);
            con = (HttpURLConnection) url.openConnection();
            con.setRequestProperty("Content-Type", "application/ocsp-request");
            con.setRequestProperty("Accept", "application/ocsp-response");
            con.setDoOutput(true);
            OutputStream out = con.getOutputStream();
            DataOutputStream dataOut = new DataOutputStream(new BufferedOutputStream(out));
            dataOut.write(array);

            dataOut.flush();
            dataOut.close();

            //Get Response
            InputStream in = (InputStream) con.getContent();
            OCSPResp ocspResponse = new OCSPResp(in);
            return ocspResponse;
        }
        else {
            throw new CertificateVerificationException("Only http is supported for ocsp calls");
        }
    } catch (IOException e) {
        e.printStackTrace();
        throw new CertificateVerificationException("Cannot get ocspResponse from url: "+ serviceUrl, e);
    }
}

Revocation status is checked as follows. Here the SingleResp object (resp) taken from the BasicOCSPResp object (basicResponse) should have the status of the Certificate (good,revoked or unknown). But here status is always null. 

public void checkRevocationStatus(X509Certificate peerCert, X509Certificate issuerCert) 
throws CertificateVerificationException {

    try {

        OCSPReq request = generateOCSPRequest(issuerCert, peerCert.getSerialNumber());
        List<String> locations = getAIALocations(peerCert);
        Iterator it = locations.iterator();

        if (it.hasNext()) {

            String serviceUrl = (String) it.next();   
            OCSPResp ocspResponse = getOCSPResponce(serviceUrl, request);
            if(OCSPRespStatus.SUCCESSFUL==ocspResponse.getStatus())
                System.out.println("server gave response fine");

            BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
            SingleResp[] responses = (basicResponse==null) ? null : basicResponse.getResponses();

            if (responses!=null && responses.length == 1) {
                SingleResp resp = responses[0];
                Object status = resp.getCertStatus();
                if(status!=null) {
                    if (status == CertificateStatus.GOOD) {
                        System.out.println("OCSP Status is good!");
                    } else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) {
                        System.out.println("OCSP Status is revoked!");
                    }  else if (status instanceof org.bouncycastle.ocsp.UnknownStatus) {
                        System.out.println("OCSP Status is unknown!");
                    }
                }
            }
        }
    }
    catch (Exception e) {
        System.out.println(e);
    }
}

I really appreciate your help. Thanks a lot.


回答1:


Actually, if you take a look at the actual value of CertificateStatus.GOOD, you will see that it is, in fact, null. In other words, resp.getCertStatus() returns null meaning GOOD.

So you probably just need to take out that (status != null) check.



来源:https://stackoverflow.com/questions/15083181/ocsp-response-does-not-give-certificate-status

标签
bouncycastle
ocsp
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!