org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.ocsp

Class OCSPVerifier

java.lang.Object

org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier

All Implemented Interfaces:

RevocationVerifier

public class OCSPVerifier
extends Object
implements RevocationVerifier

Used to check if a Certificate is revoked or not by its CA using Online Certificate Status Protocol (OCSP).

Constructor Summary

Constructors

Constructor and Description
OCSPVerifier(OCSPCache cache)

Method Summary

Modifier and Type	Method and Description
RevocationStatus	checkRevocationStatus(X509Certificate peerCert, X509Certificate issuerCert) Gets the revocation status (Good, Revoked or Unknown) of the given peer certificate.
static org.bouncycastle.cert.ocsp.OCSPReq	generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) This method generates an OCSP Request to be sent to an OCSP authority access endpoint.
static List<String>	getAIALocations(X509Certificate cert) Authority Information Access (AIA) is a non-critical extension in an X509 Certificate.
static org.bouncycastle.cert.ocsp.OCSPResp	getOCSPResponce(String serviceUrl, org.bouncycastle.cert.ocsp.OCSPReq request) Gets an ASN.1 encoded OCSP response (as defined in RFC 2560) from the given service URL.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OCSPVerifier

public OCSPVerifier(OCSPCache cache)

Method Detail

checkRevocationStatus

public RevocationStatus checkRevocationStatus(X509Certificate peerCert,
                                              X509Certificate issuerCert)
                                       throws CertificateVerificationException

Gets the revocation status (Good, Revoked or Unknown) of the given peer certificate.

Specified by:

checkRevocationStatus in interface RevocationVerifier

Parameters:

peerCert - The certificate that needs to be validated.

issuerCert - Needs to create OCSP request.

Returns:

Revocation status of the peer certificate.

Throws:

CertificateVerificationException - Occurs when it fails to verify the ocsp status of certificate.

getOCSPResponce

public static org.bouncycastle.cert.ocsp.OCSPResp getOCSPResponce(String serviceUrl,
                                                                  org.bouncycastle.cert.ocsp.OCSPReq request)
                                                           throws CertificateVerificationException

Gets an ASN.1 encoded OCSP response (as defined in RFC 2560) from the given service URL. Currently supports only HTTP.

Parameters:

serviceUrl - URL of the OCSP endpoint.

request - An OCSP request object.

Returns:

OCSP response encoded in ASN.1 structure.

Throws:

CertificateVerificationException - if any error occurs while trying to get a response from the CA.

generateOCSPRequest

public static org.bouncycastle.cert.ocsp.OCSPReq generateOCSPRequest(X509Certificate issuerCert,
                                                                     BigInteger serialNumber)
                                                              throws CertificateVerificationException

This method generates an OCSP Request to be sent to an OCSP authority access endpoint.

Parameters:

issuerCert - the Issuer's certificate of the peer certificate we are interested in.

serialNumber - of the peer certificate.

Returns:

generated OCSP request.

Throws:

CertificateVerificationException - if any error occurs while generating ocsp request.

getAIALocations

public static List<String> getAIALocations(X509Certificate cert)
                                    throws CertificateVerificationException

Authority Information Access (AIA) is a non-critical extension in an X509 Certificate. This contains the URL of the OCSP endpoint if one is available.

Parameters:

cert - is the certificate

Returns:

a lit of URLs in AIA extension of the certificate which will hopefully contain an OCSP endpoint.

Throws:

CertificateVerificationException - if any error occurs while retrieving authority access points from the certificate.