Class PKIOCSPSource
java.lang.Object
eu.europa.esig.dss.pki.x509.revocation.ocsp.PKIOCSPSource
- All Implemented Interfaces:
OCSPSource, RevocationSource<OCSP>, Serializable
- Direct Known Subclasses:
PKIDelegatedOCSPSource
The PKIOCSPSource class implements the OCSPSource interface for obtaining revocation tokens.
It retrieves OCSP responses for a given certificate by sending OCSP requests to a specified OCSP responder.
Field Summary
- protected final CertEntityRepository certEntityRepository
  The repository managing the PKI issuing the OCSP responses
Constructor Summary
- PKIOCSPSource(CertEntityRepository<? extends CertEntity> certEntityRepository)
  Creates a PKIOCSPSource instance whose OCSP issuer is resolved on request from the issuer of the certificate token.
- PKIOCSPSource(CertEntityRepository<? extends CertEntity> certEntityRepository, CertEntity ocspResponder)
  Creates a PKIOCSPSource instance with a defined CertEntity OCSP issuer.
Method Summary
- protected void addRevocationStatusToOCSPResponse(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder builder, org.bouncycastle.cert.ocsp.OCSPReq ocspReq, CertEntityRevocation certEntityRevocation)
  Adds certificate revocation information to the BasicOCSPRespBuilder.
- protected org.bouncycastle.cert.ocsp.OCSPReq buildOCSPRequest(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Builds an OCSP request for the given CertificateToken.
- protected org.bouncycastle.cert.ocsp.OCSPResp buildOCSPResponse(CertificateToken certificateToken, CertificateToken issuerCertificateToken, org.bouncycastle.cert.ocsp.OCSPReq ocspReq)
  Builds an OCSP response.
- protected boolean canGenerate(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Returns whether the current implementation is able to produce an OCSP response for the given certificateToken.
- protected CertEntityRevocation getCertificateTokenRevocation(CertificateToken certificateToken, org.bouncycastle.cert.ocsp.OCSPReq ocspReq)
  Returns a revocation status for the given CertificateToken or for a certificate within the OCSPReq.
- protected Date getNextUpdate()
  Gets nextUpdate of the revocation status information.
- protected CertEntity getOcspResponder(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Returns a CertEntity to be used as the OCSP response issuer.
- protected Date getProducedAtTime()
  Returns the producedAt time of the generated OCSP response.
- protected org.bouncycastle.cert.ocsp.RespID getRespID(CertificateToken ocspResponderCertificate)
  Builds an org.bouncycastle.cert.ocsp.RespID.
- OCSPToken getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Retrieves the OCSP token for the revocation status of the given certificate.
- protected SignatureAlgorithm getSignatureAlgorithm(CertEntity ocspResponder)
  Returns the signature algorithm to be used on OCSP response creation.
- protected Date getThisUpdate()
  Gets thisUpdate of the revocation status information.
- protected org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder initBuilder(CertificateToken ocspResponderCertificate)
  Initializes a BasicOCSPRespBuilder.
- void setDigestAlgorithm(DigestAlgorithm digestAlgorithm)
  Sets the digest algorithm to be used on the OCSP response signature. Default: SHA512 (DigestAlgorithm.SHA512).
- void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm)
  Sets the encryption algorithm to be used on OCSP response signing.
- void setMaskGenerationFunction(MaskGenerationFunction maskGenerationFunction)
  Deprecated. Since DSS 6.1.
- void setNextUpdate(Date nextUpdate)
  Sets nextUpdate of the revocation status information.
- void setOcspResponder(CertEntity ocspResponder)
  Sets the OCSP responder CertEntity used to sign the generated OCSP responses.
- void setProducedAtTime(Date producedAt)
  Sets the production date for generating OCSP responses.
- void setResponderIdByKey(boolean responderIdByKey)
  Sets whether the ResponderID property should be generated from the certificate's key (SHA-1 of the OCSP responder's public key).
- void setThisUpdate(Date thisUpdate)
  Sets thisUpdate of the revocation status information.
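Added usage example, not part of the DSS Javadoc or of the DSS project code: it configures a PKIOCSPSource with the setters listed above, retrieves an OCSPToken, and applies the freshness checks a relying party should make on thisUpdate and nextUpdate before trusting a generated response. The import packages for CertEntity and CertEntityRepository are assumed from the DSS 6.x dss-pki-factory layout, the 24-hour window is an assumed local policy, and the repository and certificate tokens are assumed to be supplied by the caller.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.pki.model.CertEntity;           // package assumed (DSS 6.x dss-pki-factory)
import eu.europa.esig.dss.pki.model.CertEntityRepository; // package assumed (DSS 6.x dss-pki-factory)
import eu.europa.esig.dss.pki.x509.revocation.ocsp.PKIOCSPSource;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;

public final class PkiOcspSourceExample {
    // Widest thisUpdate..nextUpdate window this example accepts (assumed local policy, not a DSS default)
    private static final long MAX_WINDOW_MS = TimeUnit.HOURS.toMillis(24);

    /**
     * Builds a PKIOCSPSource that signs every response with a dedicated responder entity.
     * Passing null as ocspResponder would make the certificate's issuer sign instead (see setOcspResponder).
     */
    public static PKIOCSPSource configure(CertEntityRepository<? extends CertEntity> repository,
                                          CertEntity ocspResponder, Date now) {
        PKIOCSPSource source = new PKIOCSPSource(repository, ocspResponder);
        source.setDigestAlgorithm(DigestAlgorithm.SHA256); // default would be SHA512
        source.setResponderIdByKey(false);                  // ResponderID by subject name instead of key hash
        source.setProducedAtTime(now);                      // also sets thisUpdate because it is still unset
        source.setNextUpdate(new Date(now.getTime() + MAX_WINDOW_MS));
        return source;
    }

    /**
     * Retrieves the token and rejects a response whose validity window is missing, not yet valid,
     * already expired, inverted (nextUpdate <= thisUpdate) or wider than the accepted policy.
     */
    public static OCSPToken fetchAndCheck(PKIOCSPSource source, CertificateToken certificate,
                                          CertificateToken issuer, Date now) {
        OCSPToken token = source.getRevocationToken(certificate, issuer);
        if (token == null) {
            throw new IllegalStateException("No OCSP response produced for " + certificate.getDSSIdAsString());
        }
        Date thisUpdate = token.getThisUpdate();
        Date nextUpdate = token.getNextUpdate();
        if (thisUpdate == null || thisUpdate.after(now)) {
            throw new IllegalStateException("thisUpdate missing or in the future: " + thisUpdate);
        }
        if (nextUpdate != null && (!nextUpdate.after(thisUpdate) || nextUpdate.before(now)
                || nextUpdate.getTime() - thisUpdate.getTime() > MAX_WINDOW_MS)) {
            throw new IllegalStateException("Rejected validity window " + thisUpdate + " .. " + nextUpdate);
        }
        return token; // token.getStatus() then yields GOOD, REVOKED or UNKNOWN for the certificate
    }
}
```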
Field Details
- certEntityRepository
  protected final CertEntityRepository certEntityRepository
  The repository managing the PKI issuing the OCSP responses
Constructor Details
- PKIOCSPSource
  public PKIOCSPSource(CertEntityRepository<? extends CertEntity> certEntityRepository)
  Creates a PKIOCSPSource instance whose OCSP issuer is resolved on request from the issuer of the certificate token.
  Parameters:
    certEntityRepository - CertEntityRepository
- PKIOCSPSource
  public PKIOCSPSource(CertEntityRepository<? extends CertEntity> certEntityRepository, CertEntity ocspResponder)
  Creates a PKIOCSPSource instance with a defined CertEntity OCSP issuer.
  Parameters:
    certEntityRepository - CertEntityRepository
    ocspResponder - CertEntity issuing OCSP responses.
Method Details
- getProducedAtTime
  protected Date getProducedAtTime()
  Returns the producedAt time of the generated OCSP response.
- setProducedAtTime
  public void setProducedAtTime(Date producedAt)
  Sets the production date for generating OCSP responses. NOTE: also updates the thisUpdate parameter if the latter is not set.
  Parameters:
    producedAt - The production date for OCSP responses.
- getThisUpdate
  protected Date getThisUpdate()
  Gets thisUpdate of the revocation status information.
- setThisUpdate
  public void setThisUpdate(Date thisUpdate)
  Sets thisUpdate of the revocation status information.
- getNextUpdate
  protected Date getNextUpdate()
  Gets nextUpdate of the revocation status information.
- setNextUpdate
  public void setNextUpdate(Date nextUpdate)
  Sets nextUpdate of the revocation status information.
- setDigestAlgorithm
  public void setDigestAlgorithm(DigestAlgorithm digestAlgorithm)
  Sets the digest algorithm to be used on the OCSP response signature. Default: SHA512 (DigestAlgorithm.SHA512).
  Parameters:
    digestAlgorithm - DigestAlgorithm
- setEncryptionAlgorithm
  public void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm)
  Sets the encryption algorithm to be used on OCSP response signing. If not defined, the encryption algorithm of the given CertEntity OCSP responder is used. NOTE: make sure that the defined encryption algorithm is supported by the OCSP responder.
  Parameters:
    encryptionAlgorithm - EncryptionAlgorithm
- setMaskGenerationFunction
  public void setMaskGenerationFunction(MaskGenerationFunction maskGenerationFunction)
  Deprecated. Since DSS 6.1. Please use the setEncryptionAlgorithm method to specify the RSA (no MGF) or RSASSA-PSS (MGF1) algorithm.
  The mask generation function to be used on OCSP response signing. If not defined, no mask generation function is used.
  Parameters:
    maskGenerationFunction - MaskGenerationFunction
- setResponderIdByKey
  public void setResponderIdByKey(boolean responderIdByKey)
  Sets whether the ResponderID property should be generated from the certificate's key (SHA-1 of the OCSP responder's public key). When set to FALSE, the ResponderID property is generated from the OCSP responder's subject name. Default: TRUE (the ResponderID is generated from the key).
  Parameters:
    responderIdByKey - whether the ResponderID property should be generated from the certificate's key
- getOcspResponder
  protected CertEntity getOcspResponder(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Returns a CertEntity to be used as the OCSP response issuer.
  Parameters:
    certificateToken - CertificateToken to request an OCSP response for
    issuerCertificateToken - CertificateToken that issued the certificateToken
  Returns:
    CertEntity representing the entry to be used as the issuer of the OCSP response
- setOcspResponder
  public void setOcspResponder(CertEntity ocspResponder)
  Sets the OCSP responder CertEntity used to sign the generated OCSP responses. If not defined (or set to NULL), the certificate's issuer certificate is used as the OCSP responder.
  Parameters:
    ocspResponder - CertEntity to issue OCSP responses
- getRevocationToken
  public OCSPToken getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Retrieves the OCSP token for the revocation status of the given certificate.
  Specified by:
    getRevocationToken in interface OCSPSource
    getRevocationToken in interface RevocationSource<OCSP>
  Parameters:
    certificateToken - The CertificateToken representing the certificate whose revocation status is to be checked.
    issuerCertificateToken - The CertificateToken representing the issuer certificate of the certificate to be verified.
  Returns:
    An OCSPToken representing the OCSP response containing the revocation status of the certificate.
- canGenerate
  protected boolean canGenerate(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Returns whether the current implementation is able to produce an OCSP response for the given certificateToken.
  Parameters:
    certificateToken - CertificateToken to produce an OCSP response for
    issuerCertificateToken - CertificateToken representing the issuer of the certificateToken
  Returns:
    TRUE if the current implementation is able to produce an OCSP response for the given pair, FALSE otherwise
- buildOCSPResponse
  protected org.bouncycastle.cert.ocsp.OCSPResp buildOCSPResponse(CertificateToken certificateToken, CertificateToken issuerCertificateToken, org.bouncycastle.cert.ocsp.OCSPReq ocspReq)
  Builds an OCSP response.
  Parameters:
    certificateToken - CertificateToken to get an OCSP response for
    issuerCertificateToken - CertificateToken issuer of the certificateToken
    ocspReq - OCSPReq generated earlier
  Returns:
    OCSPResp
- getCertificateTokenRevocation
  protected CertEntityRevocation getCertificateTokenRevocation(CertificateToken certificateToken, org.bouncycastle.cert.ocsp.OCSPReq ocspReq)
  Returns a revocation status for the given CertificateToken or for a certificate within the OCSPReq.
  Parameters:
    certificateToken - CertificateToken to get the revocation status for
    ocspReq - OCSPReq
  Returns:
    CertEntityRevocation
- addRevocationStatusToOCSPResponse
  protected void addRevocationStatusToOCSPResponse(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder builder, org.bouncycastle.cert.ocsp.OCSPReq ocspReq, CertEntityRevocation certEntityRevocation)
  Adds certificate revocation information to the BasicOCSPRespBuilder.
  Parameters:
    builder - BasicOCSPRespBuilder to enrich with revocation status information
    ocspReq - OCSPReq containing the generated OCSP request
    certEntityRevocation - CertEntityRevocation containing revocation status information about the certificate
- getSignatureAlgorithm
  protected SignatureAlgorithm getSignatureAlgorithm(CertEntity ocspResponder)
  Returns the signature algorithm to be used on OCSP response creation.
  Parameters:
    ocspResponder - CertEntity to sign the OCSP response
  Returns:
    SignatureAlgorithm
- initBuilder
  protected org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder initBuilder(CertificateToken ocspResponderCertificate) throws org.bouncycastle.operator.OperatorCreationException, org.bouncycastle.cert.ocsp.OCSPException
  Initializes a BasicOCSPRespBuilder.
  Parameters:
    ocspResponderCertificate - CertificateToken OCSP issuer certificate
  Returns:
    BasicOCSPRespBuilder
  Throws:
    org.bouncycastle.operator.OperatorCreationException - if an error occurs on SKI computation
    org.bouncycastle.cert.ocsp.OCSPException - if an error occurs on RespID building
- getRespID
  protected org.bouncycastle.cert.ocsp.RespID getRespID(CertificateToken ocspResponderCertificate) throws org.bouncycastle.operator.OperatorCreationException, org.bouncycastle.cert.ocsp.OCSPException
  Builds an org.bouncycastle.cert.ocsp.RespID.
  Parameters:
    ocspResponderCertificate - CertificateToken OCSP issuer certificate
  Returns:
    RespID
  Throws:
    org.bouncycastle.operator.OperatorCreationException - if an error occurs on SKI computation
    org.bouncycastle.cert.ocsp.OCSPException - if an error occurs on RespID building
- buildOCSPRequest
  protected org.bouncycastle.cert.ocsp.OCSPReq buildOCSPRequest(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
  Builds an OCSP request for the given CertificateToken.
  Parameters:
    certificateToken - CertificateToken to get an OCSP request for
    issuerCertificateToken - CertificateToken that issued the certificateToken
  Returns:
    OCSPReq