BOOK: Beginning Cryptography with Java | This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339

May 22nd, 2006, 09:03 AM | Registered User (Join Date: May 2006, Posts: 5)
OCSP request
Hi,
After reading parts of chapter 7 of the book (and buying it first :)), I think I know by now how to build an OCSPRequest and (probably) also how to implement a PKIXCertPathChecker (which has to fire off and handle the OCSPResponse in its check() method). But what I still don't get is 'when' and 'how' the actual OCSP call gets done.
(The example uses a request and a prepared response, which is logical because they don't want to set up an actual OCSP responder for the sake of an example.)
Can someone help me?

May 23rd, 2006, 06:17 AM | Registered User (Join Date: May 2006, Posts: 5)
Hello again,
What I meant was: do I have to set up the HTTP communication (HttpURLConnection etc.) myself, or are there some helper classes (within Bouncy Castle or elsewhere)?
Thanks for any help!

May 23rd, 2006, 09:47 AM | Registered User (Join Date: May 2006, Posts: 5)
Via OpenSSL it works fine, but I really would like to use a Java/JCE approach.

May 23rd, 2006, 05:53 PM | Wrox Author (Join Date: Aug 2005, Posts: 206)
Yes, you just need to create an HTTP connection to the OCSP server, send a request and process the response.
There aren't currently any helper classes in BC for creating the HTTP messages. It should just be a matter of Base64 encoding the results of calling getEncoded() on the various OCSP objects and sending it off; you'll need to use the MIME library as well.
Regards,
David
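One way to do the transport David describes, as an added example that is not code from the book or from Bouncy Castle: it sends the DER bytes returned by getEncoded() on an OCSPReq over HttpURLConnection, using both the POST form and the GET form of RFC 2560 Appendix A.1.1 (the GET form is where the Base64 encoding comes in: the DER request is Base64 encoded, URL-encoded and appended to the responder URL). The class and method names (OcspTransport, post, get) are my own, and the timeouts, body size cap and Content-Type check are defensive choices, not anything the thread prescribes. Whatever comes back is still just bytes; verifying the response is a separate step.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Base64;

/** Hypothetical helper: carries a DER OCSPRequest to a responder and returns the raw DER OCSPResponse. */
public final class OcspTransport {

    private static final int CONNECT_TIMEOUT_MS = 5_000;
    private static final int READ_TIMEOUT_MS = 10_000;
    // A real OCSP response is a few kilobytes; refuse to buffer anything much larger.
    private static final int MAX_RESPONSE_BYTES = 64 * 1024;

    /** POST form (RFC 2560 Appendix A.1.1): the DER request is the request body. */
    public static byte[] post(String responderUrl, byte[] derRequest) throws IOException {
        HttpURLConnection con = open(new URL(responderUrl));
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setFixedLengthStreamingMode(derRequest.length);
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        con.setRequestProperty("Accept", "application/ocsp-response");
        try (OutputStream out = con.getOutputStream()) {
            out.write(derRequest);
        }
        return readResponse(con);
    }

    /** GET form (RFC 2560 Appendix A.1.1): URL-encoded Base64 of the DER request appended to the URL. */
    public static byte[] get(String responderUrl, byte[] derRequest) throws IOException {
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        String base = responderUrl.endsWith("/") ? responderUrl : responderUrl + "/";
        HttpURLConnection con = open(new URL(base + URLEncoder.encode(b64, "UTF-8")));
        con.setRequestMethod("GET");
        con.setRequestProperty("Accept", "application/ocsp-response");
        return readResponse(con);
    }

    private static HttpURLConnection open(URL url) throws IOException {
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setConnectTimeout(CONNECT_TIMEOUT_MS);
        con.setReadTimeout(READ_TIMEOUT_MS);
        con.setUseCaches(false);
        con.setInstanceFollowRedirects(false); // a redirect must not silently move the query elsewhere
        return con;
    }

    private static byte[] readResponse(HttpURLConnection con) throws IOException {
        int status = con.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder returned HTTP " + status);
        }
        String type = con.getContentType();
        if (type == null || !type.toLowerCase().startsWith("application/ocsp-response")) {
            throw new IOException("unexpected Content-Type from OCSP responder: " + type);
        }
        try (InputStream in = con.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
                if (buf.size() > MAX_RESPONSE_BYTES) {
                    throw new IOException("OCSP response exceeds " + MAX_RESPONSE_BYTES + " bytes");
                }
            }
            return buf.toByteArray();
        }
    }
}
```

The returned byte array can be handed straight to the OCSPResp constructor. The GET form only makes sense for small requests (no nonce, a single certificate) because the whole request has to fit in the URL; the POST form works for any request.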

May 24th, 2006, 01:31 AM | Registered User (Join Date: May 2006, Posts: 5)
Hey,
thanks!
Any sample/example code somewhere to get me jumpstarted?
If not, thanks anyway.
cu

May 28th, 2006, 08:09 PM | Wrox Author (Join Date: Aug 2005, Posts: 206)
Sorry, nothing available at the moment.
Apologies,
David

May 29th, 2006, 01:17 AM | Registered User (Join Date: May 2006, Posts: 5)
Hi David,
No worries. Thanks anyway!

October 24th, 2006, 03:34 AM | Registered User (Join Date: Oct 2006, Posts: 4)
Hi Wil,
Perhaps this code is useful for you:
Code:
    /**
     * ... CONSTRUCT REQUEST STRUCTURE [1] ...
     */
    // Encoding the request:
    byte[] array = ocspRequest.getEncoded();
    // Sending the request:
    // serviceAddr is the HTTP location (URL) of the OCSP service
    if (serviceAddr != null) {
        hostAddr = serviceAddr;
        try {
            if (serviceAddr.startsWith("https")) {
                HttpsURLConnection con = null;   // javax.net.ssl.HttpsURLConnection
                URL url = new URL((String) serviceAddr);
                con = (HttpsURLConnection) url.openConnection();
                // MIME types for OCSP over HTTP (RFC 2560 Appendix A)
                con.setRequestProperty("Content-Type", "application/ocsp-request");
                con.setRequestProperty("Accept", "application/ocsp-response");
                con.setDoOutput(true);   // turns the connection into a POST of the DER request
                OutputStream out = con.getOutputStream();
                DataOutputStream dataOut = new DataOutputStream(new BufferedOutputStream(out));
                dataOut.write(array);
                dataOut.flush();
                dataOut.close();
                // Looking for errors in the response:
                if (con.getResponseCode() / 100 != 2) {
                    throw new Exception(...);
                }
                InputStream in = (InputStream) con.getContent();
                ocspResponse = new OCSPResp(in);
                /**
                 * ... DECODING THE RESPONSE [2] ...
                 */
            }
            else {
                ...
            }
        }
        catch (Exception e) {
            ...
        }
    }
[1] To construct the OCSP request you can use the class "OCSPClientExample" from chapter 7 of the book (or a similar request generator).
[2] When decoding the OCSP response you must verify the signature of the response; you can get the status; you must handle the single response(s) (class SingleResp of the BouncyCastle OCSP package), etc.
Regards.
---------------------
David Cervera-Pérez
DiSiD Technologies
Valencia - Spain
www.disid.com
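As an added example of the checks note [2] lists (this is not code from the book, from DiSiD or from Bouncy Castle), assuming the current Bouncy Castle PKIX API (package org.bouncycastle.cert.ocsp in bcpkix) rather than the org.bouncycastle.ocsp package used in this thread; the class name OcspResponseChecker, the Result enum and the clock-skew allowance are my own. It checks the response status against the RFC 2560 section 2.3 codes (including the unauthorized status 6 that comes up later in this thread), verifies the signature against the issuing CA or a delegated responder certificate the CA issued with the OCSP signing extended key usage, compares the nonce with the one sent in the request (the thread's request code stores the nonce bytes as the extension's extnValue, which is what expectedNonce is compared against), and then reads the SingleResp for the requested certificate together with its validity window.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

/** Hypothetical helper: the checks a client must make before trusting an OCSPResponse. */
public final class OcspResponseChecker {
    public enum Result { GOOD, REVOKED, UNKNOWN }
    /** Clock skew tolerated between client and responder (an assumption, not a standard value). */
    private static final long SKEW_MS = 5 * 60 * 1000L;
    static { Security.addProvider(new BouncyCastleProvider()); }

    // derResponse: raw bytes from the responder; issuerCert: CA of the certificate being checked;
    // expectedId: the CertificateID put in the request; expectedNonce: extnValue bytes of the request
    // nonce, or null if none was sent; now: the client's current time.
    public static Result check(byte[] derResponse, X509CertificateHolder issuerCert, CertificateID expectedId,
                               byte[] expectedNonce, Date now)
            throws IOException, OCSPException, OperatorCreationException, GeneralSecurityException, CertException {
        OCSPResp resp = new OCSPResp(derResponse);
        // 1. Envelope status (RFC 2560 section 2.3): only 'successful' (0) carries a BasicOCSPResponse.
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new OCSPException("responder status " + resp.getStatus() + " (" + statusName(resp.getStatus()) + ")");
        }
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
        // 2. Signature: by the CA itself, or by a responder certificate the CA issued for OCSP signing.
        X509CertificateHolder signer = findSigner(basic, issuerCert, now);
        if (!basic.isSignatureValid(verifierFor(signer))) {
            throw new OCSPException("OCSP response signature does not verify against " + signer.getSubject());
        }
        // 3. Nonce: a response that does not echo our nonce could be a replayed old response.
        if (expectedNonce != null) {
            Extension nonce = basic.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            if (nonce == null || !Arrays.equals(nonce.getExtnValue().getOctets(), expectedNonce)) {
                throw new OCSPException("response nonce missing or different from the request nonce");
            }
        }
        // 4. The SingleResponse for our certificate, and its validity window.
        for (SingleResp single : basic.getResponses()) {
            if (!single.getCertID().equals(expectedId)) {
                continue;
            }
            if (single.getThisUpdate().after(new Date(now.getTime() + SKEW_MS))) {
                throw new OCSPException("thisUpdate lies in the future");
            }
            Date nextUpdate = single.getNextUpdate(); // null when the responder states no lifetime
            if (nextUpdate != null && nextUpdate.before(new Date(now.getTime() - SKEW_MS))) {
                throw new OCSPException("response is stale: nextUpdate has passed");
            }
            CertificateStatus status = single.getCertStatus(); // GOOD is represented as null in BC
            if (status == CertificateStatus.GOOD) return Result.GOOD;
            if (status instanceof RevokedStatus) return Result.REVOKED;
            if (status instanceof UnknownStatus) return Result.UNKNOWN;
            throw new OCSPException("unrecognised CertStatus " + status);
        }
        throw new OCSPException("response does not cover the requested certificate");
    }

    /** Picks the certificate to verify with: a delegated responder (RFC 2560 4.2.2.2) or the CA itself. */
    private static X509CertificateHolder findSigner(BasicOCSPResp basic, X509CertificateHolder issuerCert, Date now)
            throws OperatorCreationException, GeneralSecurityException, CertException {
        for (X509CertificateHolder cand : basic.getCerts()) {
            Extension eku = cand.getExtension(Extension.extendedKeyUsage);
            boolean ocspSigning = eku != null
                    && ExtendedKeyUsage.getInstance(eku.getParsedValue()).hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning);
            if (ocspSigning && cand.isValidOn(now) && cand.getIssuer().equals(issuerCert.getSubject())
                    && cand.isSignatureValid(verifierFor(issuerCert))) {
                return cand;
            }
        }
        return issuerCert; // no acceptable delegated responder: the CA must have signed it directly
    }

    private static ContentVerifierProvider verifierFor(X509CertificateHolder cert)
            throws OperatorCreationException, GeneralSecurityException {
        return new JcaContentVerifierProviderBuilder().setProvider("BC").build(cert);
    }

    /** Names for the OCSPResponseStatus values of RFC 2560 section 2.3. */
    static String statusName(int status) {
        switch (status) {
            case OCSPResp.SUCCESSFUL:        return "successful";
            case OCSPResp.MALFORMED_REQUEST: return "malformedRequest";
            case OCSPResp.INTERNAL_ERROR:    return "internalError";
            case OCSPResp.TRY_LATER:         return "tryLater";
            case OCSPResp.SIG_REQUIRED:      return "sigRequired";
            case OCSPResp.UNAUTHORIZED:      return "unauthorized";
            default:                         return "unknown";
        }
    }
}
```

The order matters: the status check comes first because a non-successful response carries no BasicOCSPResponse at all, the signature is checked before anything inside the response is believed, and the nonce and validity window are checked before the certificate status is read, so that a replayed or stale response is never turned into a "good" answer. A PKIXCertPathChecker's check() method would call check() with the CertificateID it built for the certificate under examination and treat anything other than Result.GOOD as a path validation failure.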

February 6th, 2007, 05:49 PM | Registered User (Join Date: Feb 2007, Posts: 1)
I have an OCSPClient based on BouncyCastle; the CertUser is OK and the CertCA is OK, but why is the Response Status 6 (No authorization)?
Code:
    import java.math.BigInteger;
    import java.security.*;
    import java.security.cert.*;
    import java.util.*;
    import java.io.*;
    import java.net.*;
    import org.bouncycastle.asn1.DEROctetString;
    import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
    import org.bouncycastle.asn1.x509.X509Extension;
    import org.bouncycastle.asn1.x509.X509Extensions;
    import org.bouncycastle.ocsp.CertificateID;
    import org.bouncycastle.ocsp.OCSPException;
    import org.bouncycastle.ocsp.OCSPReq;
    import org.bouncycastle.ocsp.OCSPReqGenerator;
    import org.bouncycastle.ocsp.OCSPResp;

    public class OCSPClient
    {
        public static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
            throws OCSPException
        {
            // Add provider BC
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
            // Generate the id for the certificate we are looking for
            CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber);
            // basic request generation with nonce
            OCSPReqGenerator gen = new OCSPReqGenerator();
            gen.addRequest(id);
            // create details for nonce extension
            BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
            Vector oids = new Vector();
            Vector values = new Vector();
            oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            values.add(new X509Extension(false, new DEROctetString(nonce.toByteArray())));
            gen.setRequestExtensions(new X509Extensions(oids, values));
            return gen.generate();
        }

        public static void main(String[] args)
            throws Exception
        {
            // Read user certificate
            InputStream inStream = new FileInputStream("C:/oscar/Proyectos/OCSP/veri_viabcp.cer");
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate interCert = (X509Certificate) cf.generateCertificate(inStream);
            inStream.close();
            // Read CA certificate
            InputStream inStreamRoot = new FileInputStream("C:/oscar/Proyectos/OCSP/veri_root.cer");
            X509Certificate rootCert = (X509Certificate) cf.generateCertificate(inStreamRoot);
            inStreamRoot.close();
            OCSPReq request = generateOCSPRequest(rootCert, interCert.getSerialNumber());
            // Encode the request:
            byte[] array = request.getEncoded();
            // Send the request:
            // serviceAddr is the URL of the OCSP service
            //String serviceAddr="http://ocsp.digsigtrust.com:80/";
            //String serviceAddr="http://ocsp.verisign.com";
            String serviceAddr = "http://onsite-ocsp.verisign.com";
            String hostAddr = "";
            if (serviceAddr != null) {
                hostAddr = serviceAddr;
                try {
                    if (serviceAddr.startsWith("http")) {
                        HttpURLConnection con = null;
                        URL url = new URL((String) serviceAddr);
                        con = (HttpURLConnection) url.openConnection();
                        con.setRequestProperty("Content-Type", "application/ocsp-request");
                        con.setRequestProperty("Accept", "application/ocsp-response");
                        con.setDoOutput(true);
                        OutputStream out = con.getOutputStream();
                        DataOutputStream dataOut = new DataOutputStream(new BufferedOutputStream(out));
                        // Write the request
                        dataOut.write(array);
                        dataOut.flush();
                        dataOut.close();
                        // Check errors in response:
                        if (con.getResponseCode() / 100 != 2) {
                            throw new Exception("***Error***");
                        }
                        // Get response
                        InputStream in = (InputStream) con.getContent();
                        OCSPResp ocspResponse = new OCSPResp(in);
                        /**
                         * ... DECODING THE RESPONSE [2] ...
                         */
                        System.out.println(ocspResponse.getStatus());
                        System.out.println("...");
                    }
                    else {
                        // HTTPS
                        // HttpsURLConnection
                        // ...
                    }
                }
                catch (Exception e) {
                    System.out.println(e);
                }
            }
        }
    }

February 6th, 2007, 07:39 PM | Wrox Author (Join Date: Aug 2005, Posts: 206)
A response code of 6 indicates that the client is not authorized to make the query to the server. Exception cases are detailed in RFC 2560 section 2.3.
Regards,
David