diff --git a/jams-ca/src/main/java/net/jami/jams/ca/JamsCA.java b/jams-ca/src/main/java/net/jami/jams/ca/JamsCA.java
index 787efaf5ea3da6e0f0eb59894ea418911d14edeb..cdcae2f231f07df61124d6817a65f91f8f1bfb00 100644
--- a/jams-ca/src/main/java/net/jami/jams/ca/JamsCA.java
+++ b/jams-ca/src/main/java/net/jami/jams/ca/JamsCA.java
@@ -35,6 +35,7 @@ import net.jami.jams.common.objects.system.SystemAccount;
 import net.jami.jams.common.objects.user.User;
 import net.jami.jams.common.serialization.JsoniterRegistry;
 import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.cert.ocsp.OCSPException;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 import org.bouncycastle.jcajce.provider.asymmetric.X509;
@@ -129,8 +130,8 @@ public class JamsCA implements CertificateAuthority {
 }
 }
- public static OCSPResp getOCSPResponse(OCSPReq ocspRequest, X509Certificate cert) {
- return ocspWorker.getOCSPResponse(ocspRequest, cert);
+ public static OCSPResp getOCSPResponse(OCSPReq ocspRequest) throws OCSPException {
+ return ocspWorker.getOCSPResponse(ocspRequest);
 }
 @Override
diff --git a/jams-ca/src/main/java/net/jami/jams/ca/workers/ocsp/OCSPWorker.java b/jams-ca/src/main/java/net/jami/jams/ca/workers/ocsp/OCSPWorker.java
index 416f24bd04f697f55370f8cc9a6858f542604cd2..0b407e0df6ca5dcac60887fa8061acf71d725cdb 100644
--- a/jams-ca/src/main/java/net/jami/jams/ca/workers/ocsp/OCSPWorker.java
+++ b/jams-ca/src/main/java/net/jami/jams/ca/workers/ocsp/OCSPWorker.java
@@ -23,6 +23,7 @@ package net.jami.jams.ca.workers.ocsp;
 import lombok.extern.slf4j.Slf4j;
+import net.jami.jams.ca.JamsCA;
 import net.jami.jams.ca.workers.X509Worker;
 import net.jami.jams.ca.workers.crl.CRLWorker;
 import net.jami.jams.common.cryptoengineapi.ocsp.CertificateStatus;
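Review bot: The new `getOCSPResponse(OCSPReq)` signature in JamsCA carries no Javadoc, and since it now declares `throws OCSPException` callers need to know when that is raised. Add above the method: `/** Answers an OCSP request against this CA. @throws OCSPException if the request fails validation (see OCSPWorker.getOCSPResponse) */`. The static `ocspWorker` it delegates to is declared outside this hunk.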
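Review bot: The added `import net.jami.jams.ca.JamsCA;` in OCSPWorker creates a dependency cycle, because JamsCA already delegates to `ocspWorker` in the hunk above, and no visible line of this commit uses `JamsCA` inside OCSPWorker. If it is unused, drop it; if the worker needs something from JamsCA (the CA certificate, for instance), prefer passing it in through the constructor rather than reaching back into JamsCA. The `import java.time.Instant;` added in the next hunk is likewise not used by any visible line and is presumably a leftover of the removed expiration check.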
@@ -54,6 +55,7 @@ import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
 import java.math.BigInteger;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.util.ArrayList;
@@ -83,19 +85,20 @@ public class OCSPWorker extends X509Worker<String> {
 log.info("Instantiated OCSP Worker...");
 }
- public OCSPResp getOCSPResponse(OCSPReq ocspRequest, X509Certificate cert) {
- try{
- OCSPResp resp = validateRequest(ocspRequest);
- if(resp != null) return resp; //this means the request is invalid and we should notify the client.
+ public OCSPResp getOCSPResponse(OCSPReq ocspRequest) throws OCSPException {
+ try {
+ if(validateRequest(ocspRequest) != null) throw new OCSPException("Request is not valid"); //this means the request is invalid and we should notify the client.
 //If the request was valid, we move on to other things.
 BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(responderID);
+ // Add appropriate extensions
 Collection<Extension> responseExtensions = new ArrayList<>();
+ // nonce
 Extension nonceExtension = ocspRequest.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
 if (nonceExtension != null) responseExtensions.add(nonceExtension);
 Extension[] extensions = responseExtensions.toArray(new Extension[responseExtensions.size()]);
 responseBuilder.setResponseExtensions(new Extensions(extensions));
 for (Req request : ocspRequest.getRequestList()) {
- addResponse(responseBuilder, request, cert);
+ addResponse(responseBuilder, request);
 }
 BasicOCSPResp basicResponse = responseBuilder.build(
 contentSigner,
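Review bot: The new guard `if(validateRequest(ocspRequest) != null) throw new OCSPException("Request is not valid");` discards the `OCSPResp` that `validateRequest` builds (presumably an error response, since the old code returned it to the client), and the retained comment `//this means the request is invalid and we should notify the client` now describes the old behaviour rather than the new one. Combined with the OCSPServlet hunk, where every exception becomes `resp.sendError(404, ...)`, a malformed request now yields an HTTP 404 instead of an OCSP response carrying a `malformedRequest` status, which OCSP clients may not interpret as a responder-side rejection. Either keep returning the validation response (`OCSPResp invalid = validateRequest(ocspRequest); if (invalid != null) return invalid;`) or have the servlet's catch build one with `new OCSPRespBuilder().build(OCSPRespBuilder.MALFORMED_REQUEST, null)`, and update the comment to match whichever is chosen. The method's try/catch continues beyond this hunk.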
@@ -119,31 +122,22 @@ public class OCSPWorker extends X509Worker<String> {
 }
- private CertificateSummary getCertificateSummary(BigInteger serial, X509Certificate cert) {
+ private CertificateSummary getCertificateSummary(BigInteger serial) {
 X509CRLEntryHolder x509CRLEntryHolder = crlWorker.getExistingCRL().get().getRevokedCertificate(serial);
- LocalDateTime expirationTime = LocalDateTime.ofInstant(cert.getNotAfter().toInstant(), ZoneId.systemDefault());
-
 if(x509CRLEntryHolder != null) return CertificateSummary.newBuilder()
 .withStatus(CertificateStatus.REVOKED)
 .withSerialNumber(serial)
 .withRevocationTime(LocalDateTime.ofInstant(x509CRLEntryHolder.getRevocationDate().toInstant(), ZoneId.systemDefault()))
 .build();
- else if (expirationTime.isBefore(LocalDateTime.now())) {
- return CertificateSummary.newBuilder()
- .withStatus(CertificateStatus.EXPIRED)
- .withSerialNumber(serial)
- .withExpirationTime(expirationTime)
- .build();
- }
- else return CertificateSummary.newBuilder()
+ return CertificateSummary.newBuilder()
 .withStatus(CertificateStatus.VALID)
 .withSerialNumber(serial)
 .build();
 }
- private void addResponse(BasicOCSPRespBuilder responseBuilder, Req request, X509Certificate cert) throws OCSPException{
+ private void addResponse(BasicOCSPRespBuilder responseBuilder, Req request) throws OCSPException{
 CertificateID certificateID = request.getCertID();
 // Build Extensions
 Extensions extensions = new Extensions(new Extension[]{});
@@ -153,7 +147,7 @@ public class OCSPWorker extends X509Worker<String> {
 if (nonceExtension != null) extensions = new Extensions(nonceExtension);
 }
 responseBuilder.addResponse(certificateID,
- OCSPCertificateStatusMapper.getStatus(getCertificateSummary(request.getCertID().getSerialNumber(), cert)),
+ OCSPCertificateStatusMapper.getStatus(getCertificateSummary(request.getCertID().getSerialNumber())),
 new Date(),
 new Date(new Date().getTime() + crlLifetime),
 extensions);
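Review bot: After this change `getCertificateSummary` answers `VALID` ("good") for every serial absent from the CRL, including serials this CA never issued or that belong to a different issuer, because the certificate itself is no longer available and, in the second hunk here, `addResponse` looks up only `request.getCertID().getSerialNumber()`. RFC 6960 advises a responder not to assert "good" for a certificate it has no record of; before the CRL lookup, confirm that the request's `certificateID` matches this CA's certificate (BouncyCastle's `CertificateID.matchesIssuer(...)`) and answer an unknown status (BouncyCastle `UnknownStatus`) for a non-matching issuer or, if the CA keeps an issuance record, for a serial it never issued. Dropping the `EXPIRED` branch is fine in itself, since OCSP has no such status. The unchanged `crlWorker.getExistingCRL().get()` will also throw when no CRL exists yet, which presumably surfaces through the caller's catch as a generic error.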
diff --git a/jams-server/src/main/java/net/jami/jams/server/servlets/x509/OCSPServlet.java b/jams-server/src/main/java/net/jami/jams/server/servlets/x509/OCSPServlet.java
index 0b17f4069b80b291957f16b61804b4d8760c60ed..2037afc6e7b857edbabe2eea1e559519ebf31595 100644
--- a/jams-server/src/main/java/net/jami/jams/server/servlets/x509/OCSPServlet.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/x509/OCSPServlet.java
@@ -32,6 +32,7 @@ import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
 import org.bouncycastle.cert.ocsp.CertificateID;
 import org.bouncycastle.cert.ocsp.OCSPReq;
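Review bot: The added `import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;` is not used by any visible line of the servlet hunk that follows, and that hunk removes the only visible uses of `DEROctetString`, `OCSPObjectIdentifiers`, `Extension`, `Extensions`, `JcaX509CertificateHolder` and `CertificateID`, which all stay imported here. Unless they are used elsewhere in OCSPServlet, drop the stale imports together with the new unused one so the import list reflects what the handler now does.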
@@ -52,35 +53,16 @@ public class OCSPServlet extends HttpServlet {
 resp.setContentType("application/ocsp-response");
 byte[] content = new byte[Integer.parseInt(req.getHeader("Content-Length"))];
 try {
- for(int i=0;i<content.length;i++){
+ for(int i=0;i<content.length;i++)
 req.getInputStream().read(content);
- }
- JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder();
- DigestCalculatorProvider digestCalculatorProvider = digestCalculatorProviderBuilder.build();
- DigestCalculator digestCalculator = digestCalculatorProvider.get(CertificateID.HASH_SHA1);
- // Generate the id for the certificate we are looking for
- X509Certificate targetCert = X509Utils.getCertificateFromPEMString(new String(content));
- if (targetCert != null) {
- CertificateID id = new CertificateID(digestCalculator,
- new JcaX509CertificateHolder(JamsCA.CA.getCertificate()), targetCert.getSerialNumber());
+ OCSPReq ocspReq = new OCSPReq(content);
+ OCSPResp response = JamsCA.getOCSPResponse(ocspReq);
+ if (response != null) {
+ byte[] respBytes = response.getEncoded();
+ resp.getOutputStream().write(respBytes);
+ } else resp.setStatus(404);
- // basic request generation with nonce
- OCSPReqBuilder gen = new OCSPReqBuilder();
- gen.addRequest(id);
-
- // create details for nonce extension
- String nonce = String.valueOf(System.nanoTime());
- Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(new DEROctetString(nonce.getBytes()).getEncoded()));
- gen.setRequestExtensions(new Extensions(new Extension[]{ext}));
- OCSPReq ocspReq = gen.build();
- OCSPResp response = JamsCA.getOCSPResponse(ocspReq, targetCert);
-
- if (response != null) {
- byte[] respBytes = response.getEncoded();
- resp.getOutputStream().write(respBytes);
- } else resp.setStatus(404);
- }
 } catch (Exception e) {
 resp.sendError(404, "Could not find the requested certificate!");