iaik.security.ssl
Class OCSPCertStatusKeyAndCert

java.lang.Object
  extended by iaik.security.ssl.KeyAndCert
      extended by iaik.security.ssl.OCSPCertStatusKeyAndCert
All Implemented Interfaces:
java.lang.Cloneable

public class OCSPCertStatusKeyAndCert
extends KeyAndCert

This class represents server credentials that may be used for sending OCSP certificate status information about the server certificate when the client has sent a status_request extension.

Since OCSP cannot be handled in a crypto-provider independent way, using this class requires that you have IAIK-JCE (iaik_jce(_full).jar) in your classpath.

When creating an OCSPCertStatusKeyAndCert object, specify the server certificate chain (server certificate at index 0) and the server private key. Additionally you may specify the url (only "http" is supported) of the OCSP responder to be contacted for getting status information about the server certificate, e.g.:

  // the server certificate chain
  X509Certificate[] serverCerts = ...;
  // the private key of the server
  PrivateKey serverPrivateKey = ...;
  // the url of the OCSP responder
  String responderUrl = "http://...";
  // create server credentials
  OCSPCertStatusKeyAndCert kac = new OCSPCertStatusKeyAndCert(serverCerts,
                                                              serverPrivateKey,
                                                              responderUrl);
 
Additionally/alternatively to specifying the responder url by the constructor you may register responder url(s) by means of their responder ids, e.g.:

  // the public key of the responder
  PublicKey responderPublicKey = ...;
  // create responder id (by key)
  ResponderID byKeyID = new ResponderID(responderPublicKey);
  String responderUrl = "http://...";
  kac.addOCSPResponder(byKeyID, responderUrl);
  // the Name of the responder
  Name responderName = ...;
  // create responder id (by name)
  ResponderID byNameID = new ResponderID(responderName);
  responderUrl = "http://...";
  kac.addOCSPResponder(byNameID, responderUrl);
 
Registering OCSP responder urls in this way helps iSaSiLk to look up the responder url for a particular responder id that the client may send within the status_request extension. If no responder urls are registered and no (default) responder url has been set when creating the OCSPCertStatusKeyAndCert, iSaSiLk checks whether the server certificate contains an AuthorityInfoAccess extension from which the url of the OCSP responder can be obtained.

See Also:
CertificateStatusRequest

Constructor Summary
OCSPCertStatusKeyAndCert(java.security.cert.X509Certificate[] chain, java.security.PrivateKey privateKey, java.lang.String responderUrl)
          Creates a new OCSPCertStatusKeyAndCert object.
 
Method Summary
 void addOCSPResponder(ResponderID responderId, java.lang.String responderUrl)
          Registers the given (http) url for the given responder id.
 java.lang.Object clone()
          Gets a clone of this object.
 boolean equals(java.lang.Object obj)
          Tests if the given object is equal to this OCSPCertStatusKeyAndCert.
 byte[] getCertificateStatus(int statusType, byte[] statusRequest, SSLTransport transport)
          Gets information about the (revocation) status of the certificates of this KeyAndCertificate.
 int hashCode()
          Gets a hashcode for this object.
 java.lang.String toString()
          Gets a string representation of this object.
 
Methods inherited from class iaik.security.ssl.KeyAndCert
getCertificateChain, getCertificateType, getPrivateKey, getTLSServerNames, isTrustedBy, setTLSServerNames, setTrustedAuthorities
 
Methods inherited from class java.lang.Object
finalize, getClass, notify, notifyAll, wait, wait, wait
 

Constructor Detail

OCSPCertStatusKeyAndCert

public OCSPCertStatusKeyAndCert(java.security.cert.X509Certificate[] chain,
                                java.security.PrivateKey privateKey,
                                java.lang.String responderUrl)
Creates a new OCSPCertStatusKeyAndCert object. The given server certificate chain and the given server private key must be non-null and the chain has to consist of at least one element.

Parameters:
chain - the certificate chain with the end entity (server) certificate at index 0
privateKey - the private server key
responderUrl - the URL of the default OCSP responder (to be used if no responder ids are configured and/or the server certificate(s) do not contain an AuthorityInfoAccess extension pointing to an OCSP responder). This implementation supports http responders only.
Throws:
java.lang.NullPointerException - if both certificate chain and private key are null
java.lang.IllegalArgumentException - if the given url is not an http url (does not start with "http"), or no OCSP CertID can be created for the server cert (because, for instance, the chain only contains one certificate (the server certificate) which is not self-signed, or the chain is not ordered to have the server cert at index 0 and the CA cert that issued the server cert at index 1, ...)
Method Detail

addOCSPResponder

public void addOCSPResponder(ResponderID responderId,
                             java.lang.String responderUrl)
Registers the given (http) url for the given responder id.

This method can be used to tell iSaSiLk where to find an OCSP responder for a particular responder id. When sending the status_request extension the client may specify a list of accepted OCSP responders by including their responder ids. Since a responder id does not contain an url, iSaSiLk must be configured to know how to map a responder id to the responder url from where to get an OCSP response.

Parameters:
responderId - the id of the ocsp responder
responderUrl - the url of the ocsp responder (only "http" urls are supported by this implementation)
Throws:
java.lang.NullPointerException - if responderId or responderUrl is null
java.lang.IllegalArgumentException - if the given responder url is not an http url (does not start with "http")

getCertificateStatus

public byte[] getCertificateStatus(int statusType,
                                   byte[] statusRequest,
                                   SSLTransport transport)
                            throws SSLException
Gets information about the (revocation) status of the certificates of this KeyAndCertificate. This method is used on the server side for asking for certificate status information when the client has sent a status_request extension within an extended client_hello message.

If the client has sent a status_request extension and the server has agreed to provide a status response, the server sends a certificate_status handshake message immediately after the certificate message. This method is called by iSaSiLk to ask for status information of the certificates included in these server credentials. The given statusType indicates the type of status response expected by the client (currently only "ocsp" is defined and supported by this class). The given statusRequest represents the (TLS) encoded request field of the CertificateStatusRequest structure sent by the client (see RFC 4366):

    struct {
        CertificateStatusType status_type;
        select (status_type) {
            case ocsp: OCSPStatusRequest;
        } request;
    } CertificateStatusRequest;

    enum { ocsp(1), (255) } CertificateStatusType;

    struct {
        ResponderID responder_id_list<0..2^16-1>;
        Extensions  request_extensions;
    } OCSPStatusRequest;

    opaque ResponderID<1..2^16-1>;
    opaque Extensions<0..2^16-1>;
 
The status response returned by this method must represent the (TLS) encoded response field of the CertificateStatus handshake message to be sent to the client (see RFC 4366):

    struct {
        CertificateStatusType status_type;
        select (status_type) {
            case ocsp: OCSPResponse;
        } response;
    } CertificateStatus;

    opaque OCSPResponse<1..2^24-1>;
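As an added example (not part of iSaSiLk or this Javadoc), the following Java class decodes the OCSPStatusRequest that arrives in statusRequest, bounds-checking every length field, and wraps a DER-encoded OCSPResponse as the response field to be returned. It assumes statusRequest begins directly at responder_id_list, i.e. it is the request field described above; the class name and the sample bytes in main are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.List;

// Added example (not iSaSiLk code): codec for the RFC 4366 structures passed to / returned by getCertificateStatus.
public final class OcspStatusRequestCodec {
    /** Decoded OCSPStatusRequest: raw ResponderID values plus raw request_extensions. */
    public static final class OcspStatusRequest {
        public final List<byte[]> responderIds = new ArrayList<>();
        public byte[] requestExtensions = new byte[0];
    }
    private static int u16(byte[] b, int off) {
        return ((b[off] & 0xff) << 8) | (b[off + 1] & 0xff);
    }
    /** Parses an OCSPStatusRequest; every length is checked against the input before it is used. */
    public static OcspStatusRequest parse(byte[] in) {
        OcspStatusRequest req = new OcspStatusRequest();
        if (in.length < 4) throw new IllegalArgumentException("truncated OCSPStatusRequest");
        int pos = 0;
        int listLen = u16(in, pos); pos += 2;                   // responder_id_list<0..2^16-1>
        int listEnd = pos + listLen;
        if (listEnd + 2 > in.length) throw new IllegalArgumentException("responder_id_list too long");
        while (pos < listEnd) {                                 // each entry: opaque ResponderID<1..2^16-1>
            if (pos + 2 > listEnd) throw new IllegalArgumentException("truncated ResponderID length");
            int idLen = u16(in, pos); pos += 2;
            if (idLen < 1 || pos + idLen > listEnd) throw new IllegalArgumentException("bad ResponderID length");
            byte[] id = new byte[idLen];
            System.arraycopy(in, pos, id, 0, idLen); pos += idLen;
            req.responderIds.add(id);
        }
        int extLen = u16(in, pos); pos += 2;                    // opaque Extensions<0..2^16-1>
        if (pos + extLen != in.length) throw new IllegalArgumentException("Extensions length mismatch");
        req.requestExtensions = new byte[extLen];
        System.arraycopy(in, pos, req.requestExtensions, 0, extLen);
        return req;
    }
    /** Wraps a DER-encoded OCSPResponse as opaque OCSPResponse<1..2^24-1> (3-byte length prefix). */
    public static byte[] encodeResponseField(byte[] ocspResponseDer) {
        int n = ocspResponseDer.length;
        if (n < 1 || n > 0xFFFFFF) throw new IllegalArgumentException("OCSPResponse length out of range");
        ByteArrayOutputStream out = new ByteArrayOutputStream(3 + n);
        out.write((n >>> 16) & 0xff); out.write((n >>> 8) & 0xff); out.write(n & 0xff);
        out.write(ocspResponseDer, 0, n);
        return out.toByteArray();
    }
    public static void main(String[] args) {   // constructed sample: one 3-byte responder id, no extensions
        OcspStatusRequest r = parse(new byte[] {0, 5, 0, 3, 0x0a, 0x0b, 0x0c, 0, 0});
        System.out.println(r.responderIds.size() + " responder id(s), " + r.requestExtensions.length + " ext bytes");
    }
}
```

The decoded responder ids are the raw DER ResponderID values; matching them against the ids registered via addOCSPResponder is left to the caller.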
 

Overrides:
getCertificateStatus in class KeyAndCert
Parameters:
statusType - the type of the certificate status request received from the client
statusRequest - the (TLS) encoded status request received from the client
transport - the current SSLTransport object (may be used for printing debug information)
Returns:
the (TLS) encoded status response of the requested type containing (revocation) status information for the certificates contained in this server KeyAndCert
Throws:
SSLException - if an error occurs when processing the status request and/or creating the status response
See Also:
OCSPCertStatusKeyAndCert

clone

public java.lang.Object clone()
Gets a clone of this object.

Overrides:
clone in class KeyAndCert
Returns:
the cloned object

hashCode

public int hashCode()
Gets a hashcode for this object.

Overrides:
hashCode in class KeyAndCert
Returns:
the hashcode

equals

public boolean equals(java.lang.Object obj)
Tests if the given object is equal to this OCSPCertStatusKeyAndCert.

Overrides:
equals in class KeyAndCert
Parameters:
obj - the object to be compared with this OCSPCertStatusKeyAndCert
Returns:
true if the two objects are equal, false if they are not equal

toString

public java.lang.String toString()
Gets a string representation of this object.

Overrides:
toString in class KeyAndCert
Returns:
a string representation

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC