Package eu.europa.esig.dss.service.ocsp

Class OnlineOCSPSource

java.lang.Object

eu.europa.esig.dss.service.ocsp.OnlineOCSPSource

All Implemented Interfaces:

OCSPSource, RevocationSource<OCSP>, RevocationSourceAlternateUrlsSupport<OCSP>, Serializable

public class OnlineOCSPSource
extends Object
implements OCSPSource, RevocationSourceAlternateUrlsSupport<OCSP>

Online OCSP repository. This implementation will contact the OCSP Responder to retrieve the OCSP response.

See Also:

• Serialized Form

Constructor Summary

Constructors

Constructor	Description
OnlineOCSPSource()	Create an OCSP source The default constructor for OnlineOCSPSource.
OnlineOCSPSource(DataLoader dataLoader)	Creates an Online OCSP Source with the provided DataLoader instance.

Method Summary

Modifier and Type	Method	Description
protected void	assertOCSPResponseValid(org.bouncycastle.cert.ocsp.BasicOCSPResp basicOCSPResp, org.bouncycastle.cert.ocsp.SingleResp latestSingleResponse, byte[] expectedNonce)	Verifies whether an OCSP response is valid
protected byte[]	buildOCSPRequest(CertificateToken certificateToken, CertificateToken issuerToken, byte[] nonce)	Builds an OCSP request for certificateToken
protected org.bouncycastle.cert.ocsp.BasicOCSPResp	executeOCSPRequest(String ocspAccessLocation, byte[] request)	Executes a request to the given ocspAccessLocation and returns an OCSP basic response, when applicable
protected List<String>	getOCSPAccessURLs(CertificateToken certificateToken, List<String> alternativeUrls)	Extracts a list of OCSP access URLs to be used in the provided order to retrieve an OCSP response
OCSPToken	getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)	This method retrieves a RevocationToken for the certificateToken
OCSPToken	getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken, List<String> alternativeUrls)	Gets an RevocationToken for the given certificate / issuer's certificate couple.
void	setAlertOnInvalidNonce(StatusAlert alertOnInvalidNonce)	Sets a behavior when the nonce of the OCSP Response does not match the nonce sent within the request Default : ExceptionOnStatusAlert (throws an exception if nonce does not match)
void	setAlertOnInvalidUpdateTime(StatusAlert alertOnInvalidUpdateTime)	Sets a behavior when the current time is out of the range of thisUpdate and nextUpdate fields extracted from the OCSP Response.
void	setAlertOnNonexistentNonce(StatusAlert alertOnNonexistentNonce)	Sets a behavior when the obtained OCSP Response does not contain the nonce even that the nonce has been enforced (i.e.
void	setCertIDDigestAlgorithm(DigestAlgorithm certIDDigestAlgorithm)	This method allows setting of DigestAlgorithm to be used in hash calculation for CertID element in an OCSP request building
void	setDataLoader(DataLoader dataLoader)	Set the DataLoader to use for querying a revocation server.
void	setNextUpdateTolerancePeriod(long nextUpdateTolerancePeriod)	Clients MAY allow configuration of a small tolerance period for acceptance of responses after nextUpdate to handle minor clock differences relative to responders and caches.
void	setNonceSource(NonceSource nonceSource)	Set the NonceSource to use for querying the OCSP server.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

OnlineOCSPSource

public OnlineOCSPSource()

Create an OCSP source The default constructor for OnlineOCSPSource. The default OCSPDataLoader is set. It is possible to change it with #setDataLoader(dataLoader).

OnlineOCSPSource

public OnlineOCSPSource(DataLoader dataLoader)

Creates an Online OCSP Source with the provided DataLoader instance. It is still possible to change the defined instance with #setDataLoader(dataLoader).

Parameters:

dataLoader - DataLoader to use

Method Details

setDataLoader

public void setDataLoader(DataLoader dataLoader)

Set the DataLoader to use for querying a revocation server.

Parameters:

dataLoader - the component that allows to retrieve an OCSP response using HTTP.

setNonceSource

public void setNonceSource(NonceSource nonceSource)

Set the NonceSource to use for querying the OCSP server.

Parameters:

nonceSource - the component that prevents the replay attack.

setCertIDDigestAlgorithm

public void setCertIDDigestAlgorithm(DigestAlgorithm certIDDigestAlgorithm)

This method allows setting of DigestAlgorithm to be used in hash calculation for CertID element in an OCSP request building

Parameters:

certIDDigestAlgorithm - DigestAlgorithm

setAlertOnInvalidNonce

public void setAlertOnInvalidNonce(StatusAlert alertOnInvalidNonce)

Sets a behavior when the nonce of the OCSP Response does not match the nonce sent within the request Default : ExceptionOnStatusAlert (throws an exception if nonce does not match)

Parameters:

alertOnInvalidNonce - StatusAlert

setAlertOnNonexistentNonce

public void setAlertOnNonexistentNonce(StatusAlert alertOnNonexistentNonce)

Sets a behavior when the obtained OCSP Response does not contain the nonce even that the nonce has been enforced (i.e. nonceSource is specified). Default : LogOnStatusAlert (logs a warning in case the OCSP Response does not contain the nonce)

Parameters:

alertOnNonexistentNonce - StatusAlert

setAlertOnInvalidUpdateTime

public void setAlertOnInvalidUpdateTime(StatusAlert alertOnInvalidUpdateTime)

Sets a behavior when the current time is out of the range of thisUpdate and nextUpdate fields extracted from the OCSP Response. The check is executed only when nonce is not checked. Default : SilentOnStatusAlert (skips the check validation)

Parameters:

alertOnInvalidUpdateTime - StatusAlert

setNextUpdateTolerancePeriod

public void setNextUpdateTolerancePeriod(long nextUpdateTolerancePeriod)

Clients MAY allow configuration of a small tolerance period for acceptance of responses after nextUpdate to handle minor clock differences relative to responders and caches. I.e. currentTime shall not be after nextUpdate + nextUpdateTolerancePeriod. The setting is applicable only when checkOCSPResponseUpdateTime is enabled and no nonce is checked. Default : 0

Parameters:

nextUpdateTolerancePeriod - the tolerance period in milliseconds

getRevocationToken

public OCSPToken getRevocationToken(CertificateToken certificateToken,
 CertificateToken issuerCertificateToken)

Description copied from interface: RevocationSource

This method retrieves a RevocationToken for the certificateToken

Specified by:

getRevocationToken in interface OCSPSource

Specified by:

getRevocationToken in interface RevocationSource<OCSP>

Parameters:

certificateToken - The CertificateToken for which the request is made

issuerCertificateToken - The CertificateToken which is the issuer of the certificateToken

Returns:

an instance of RevocationToken

getRevocationToken

public OCSPToken getRevocationToken(CertificateToken certificateToken,
 CertificateToken issuerCertificateToken,
 List<String> alternativeUrls)

Description copied from interface: RevocationSourceAlternateUrlsSupport

Gets an RevocationToken for the given certificate / issuer's certificate couple. The coherence between the response and the request is checked.

Specified by:

getRevocationToken in interface RevocationSourceAlternateUrlsSupport<OCSP>

Parameters:

certificateToken - The CertificateToken for which the request is made

issuerCertificateToken - The CertificateToken which is the issuer of the certificateToken

alternativeUrls - The list of alternative urls to call

Returns:

RevocationToken containing information about the validity of the cert

getOCSPAccessURLs

protected List<String> getOCSPAccessURLs(CertificateToken certificateToken,
 List<String> alternativeUrls)

Extracts a list of OCSP access URLs to be used in the provided order to retrieve an OCSP response

Parameters:

certificateToken - CertificateToken to retrieve OCSP response for

alternativeUrls - a list of String representing alternative URL sources

Returns:

a list of String urls

buildOCSPRequest

protected byte[] buildOCSPRequest(CertificateToken certificateToken,
 CertificateToken issuerToken,
 byte[] nonce)

Builds an OCSP request for certificateToken

Parameters:

certificateToken - CertificateToken to retrieve an OCSP token for

issuerToken - CertificateToken representing an issuer certificate of certificateToken

nonce - byte array containing a unique nonce

Returns:

byte array representing an OCSP request

executeOCSPRequest

protected org.bouncycastle.cert.ocsp.BasicOCSPResp executeOCSPRequest(String ocspAccessLocation,
 byte[] request)
                                                               throws IOException,
org.bouncycastle.cert.ocsp.OCSPException

Executes a request to the given ocspAccessLocation and returns an OCSP basic response, when applicable

Parameters:

ocspAccessLocation - String representing a URL to execute request

request - byte array containing OCSP request

Returns:

BasicOCSPResp

Throws:

IOException - if an error occurs on OCSP request execution

org.bouncycastle.cert.ocsp.OCSPException - if an error occurs on OCSP response reading

assertOCSPResponseValid

protected void assertOCSPResponseValid(org.bouncycastle.cert.ocsp.BasicOCSPResp basicOCSPResp,
 org.bouncycastle.cert.ocsp.SingleResp latestSingleResponse,
 byte[] expectedNonce)

Verifies whether an OCSP response is valid

Parameters:

basicOCSPResp - BasicOCSPResp

latestSingleResponse - SingleResp

expectedNonce - byte array