/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.synapse.transport.certificatevalidation.ocsp;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.*;
import org.apache.synapse.transport.certificatevalidation.*;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import java.io.*;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
/**
* Used to check if a Certificate is revoked or not by its CA using Online Certificate Status Protocol (OCSP).
*/
public class OCSPVerifier implements RevocationVerifier {
private OCSPCache cache;
private static final Log log = LogFactory.getLog(OCSPVerifier.class);
private static final String BC = "BC";
public OCSPVerifier(OCSPCache cache) {
this.cache = cache;
}
/**
* Gets the revocation status (Good, Revoked or Unknown) of the given peer certificate.
*
* @param peerCert The certificate we want to check if revoked.
* @param issuerCert Needed to create OCSP request.
* @return revocation status of the peer certificate.
* @throws CertificateVerificationException
*
*/
public RevocationStatus checkRevocationStatus(X509Certificate peerCert, X509Certificate issuerCert)
throws CertificateVerificationException {
//check cache
if (cache != null) {
SingleResp resp = cache.getCacheValue(peerCert.getSerialNumber());
if (resp != null) {
//If cant be casted, we have used the wrong cache.
RevocationStatus status = getRevocationStatus(resp);
log.info("OCSP response taken from cache....");
return status;
}
}
OCSPReq request = generateOCSPRequest(issuerCert, peerCert.getSerialNumber());
//This list will sometimes have non ocsp urls as well.
List<String> locations = getAIALocations(peerCert);
for (String serviceUrl : locations) {
SingleResp[] responses;
try {
OCSPResp ocspResponse = getOCSPResponce(serviceUrl, request);
if (OCSPResponseStatus.SUCCESSFUL != ocspResponse.getStatus()) {
continue; // Server didn't give the response right.
}
BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
responses = (basicResponse == null) ? null : basicResponse.getResponses();
//todo use the super exception
} catch (Exception e) {
continue;
}
if (responses != null && responses.length == 1) {
SingleResp resp = responses[0];
RevocationStatus status = getRevocationStatus(resp);
if (cache != null)
cache.setCacheValue(peerCert.getSerialNumber(), resp, request, serviceUrl);
return status;
}
}
throw new CertificateVerificationException("Cant get Revocation Status from OCSP.");
}
private RevocationStatus getRevocationStatus(SingleResp resp) throws CertificateVerificationException {
Object status = resp.getCertStatus();
if (status == CertificateStatus.GOOD) {
return RevocationStatus.GOOD;
} else if (status instanceof org.bouncycastle.cert.ocsp.RevokedStatus) {
return RevocationStatus.REVOKED;
} else if (status instanceof org.bouncycastle.cert.ocsp.UnknownStatus) {
return RevocationStatus.UNKNOWN;
}
throw new CertificateVerificationException("Cant recognize Certificate Status");
}
/**
* Gets an ASN.1 encoded OCSP response (as defined in RFC 2560) from the given service URL. Currently supports
* only HTTP.
*
* @param serviceUrl URL of the OCSP endpoint.
* @param request an OCSP request object.
* @return OCSP response encoded in ASN.1 structure.
* @throws CertificateVerificationException
*
*/
protected OCSPResp getOCSPResponce(String serviceUrl, OCSPReq request) throws CertificateVerificationException {
try {
//Todo: Use http client.
byte[] array = request.getEncoded();
if (serviceUrl.startsWith("http")) {
HttpURLConnection con;
URL url = new URL(serviceUrl);
con = (HttpURLConnection) url.openConnection();
con.setRequestProperty("Content-Type", "application/ocsp-request");
con.setRequestProperty("Accept", "application/ocsp-response");
con.setDoOutput(true);
OutputStream out = con.getOutputStream();
DataOutputStream dataOut = new DataOutputStream(new BufferedOutputStream(out));
dataOut.write(array);
dataOut.flush();
dataOut.close();
//Check errors in response:
if (con.getResponseCode() / 100 != 2) {
throw new CertificateVerificationException("Error getting ocsp response." +
"Response code is " + con.getResponseCode());
}
//Get Response
InputStream in = (InputStream) con.getContent();
return new OCSPResp(in);
} else {
throw new CertificateVerificationException("Only http is supported for ocsp calls");
}
} catch (IOException e) {
throw new CertificateVerificationException("Cannot get ocspResponse from url: " + serviceUrl, e);
}
}
/**
* This method generates an OCSP Request to be sent to an OCSP endpoint.
*
* @param issuerCert is the Certificate of the Issuer of the peer certificate we are interested in.
* @param serialNumber of the peer certificate.
* @return generated OCSP request.
* @throws CertificateVerificationException
*
*/
private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
throws CertificateVerificationException {
//TODO: Have to check if this is OK with synapse implementation.
//Add provider BC
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
try {
byte[] issuerCertEnc = issuerCert.getEncoded();
X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
// CertID structure is used to uniquely identify certificates that are the subject of
// an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560
CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, serialNumber);
// basic request generation with nonce
OCSPReqBuilder builder = new OCSPReqBuilder();
builder.addRequest(id);
// create details for nonce extension. The nonce extension is used to bind
// a request to a response to prevent replay attacks. As the name implies,
// the nonce value is something that the client should only use once within a reasonably small period.
BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
//to create the request Extension
builder.setRequestExtensions(new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce,false, new DEROctetString(nonce.toByteArray()))));
return builder.build();
} catch (Exception e) {
throw new CertificateVerificationException("Cannot generate OSCP Request with the given certificate", e);
}
}
/**
* Authority Information Access (AIA) is a non-critical extension in an X509 Certificate. This contains the
* URL of the OCSP endpoint if one is available.
* TODO: This might contain non OCSP urls as well. Handle this.
*
* @param cert is the certificate
* @return a lit of URLs in AIA extension of the certificate which will hopefully contain an OCSP endpoint.
* @throws CertificateVerificationException
*
*/
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {
//Gets the DER-encoded OCTET string for the extension value for Authority information access Points
byte[] aiaExtensionValue = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
if (aiaExtensionValue == null)
throw new CertificateVerificationException("Certificate Doesn't have Authority Information Access points");
AuthorityInformationAccess authorityInformationAccess;
try {
DEROctetString oct = (DEROctetString) (new ASN1InputStream(new ByteArrayInputStream(aiaExtensionValue)).readObject());
authorityInformationAccess = AuthorityInformationAccess.getInstance(new ASN1InputStream(oct.getOctets()).readObject());
} catch (IOException e) {
throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
}
List<String> ocspUrlList = new ArrayList<String>();
AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
for (AccessDescription accessDescription : accessDescriptions) {
GeneralName gn = accessDescription.getAccessLocation();
if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
DERIA5String str = DERIA5String.getInstance(gn.getName());
String accessLocation = str.getString();
ocspUrlList.add(accessLocation);
}
}
if(ocspUrlList.isEmpty())
throw new CertificateVerificationException("Cant get OCSP urls from certificate");
return ocspUrlList;
}
}