Class PKIOCSPSource

java.lang.Object
eu.europa.esig.dss.pki.x509.revocation.ocsp.PKIOCSPSource
All Implemented Interfaces:
OCSPSource, RevocationSource<OCSP>, Serializable
Direct Known Subclasses:
PKIDelegatedOCSPSource

public class PKIOCSPSource extends Object implements OCSPSource
The PKIOCSPSource class implements the OCSPSource interface for obtaining revocation tokens. It retrieves OCSP responses for a given certificate by sending OCSP requests to a specified OCSP responder.
  • Field Details

    • certEntityRepository

      protected final CertEntityRepository certEntityRepository
      The repository managing the PKI issuing the OCSP responses
  • Constructor Details

  • Method Details

    • getProducedAtTime

      protected Date getProducedAtTime()
      Returns the producedAt time of the generated OCSP Response. Returns producedAt if it has been defined (see setProducedAtTime). Otherwise, returns the current time.
      Returns:
      Date
    • setProducedAtTime

      public void setProducedAtTime(Date producedAt)
      Sets the production date for generating OCSP responses. NOTE: also updates the thisUpdate parameter if the latter has not been set.
      Parameters:
      producedAt - The production date for OCSP responses.
    • getThisUpdate

      protected Date getThisUpdate()
      Gets thisUpdate of revocation status information
      Returns:
      Date
    • setThisUpdate

      public void setThisUpdate(Date thisUpdate)
      Sets thisUpdate of the revocation status information
      Parameters:
      thisUpdate - Date
    • getNextUpdate

      protected Date getNextUpdate()
      Gets nextUpdate of revocation status information
      Returns:
      Date
    • setNextUpdate

      public void setNextUpdate(Date nextUpdate)
      Sets nextUpdate of the revocation status information
      Parameters:
      nextUpdate - Date
    • setDigestAlgorithm

      public void setDigestAlgorithm(DigestAlgorithm digestAlgorithm)
      Sets the digest algorithm to be used for the OCSP response signature. Default: SHA512 (DigestAlgorithm.SHA512)
      Parameters:
      digestAlgorithm - DigestAlgorithm
    • setEncryptionAlgorithm

      public void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm)
      Sets an encryption algorithm to be used on OCSP Response signing. If not defined, the encryption algorithm from the given CertEntity OCSP responder will be used. NOTE: It is important to ensure that the defined encryption algorithm is supported by the OCSP Responder.
      Parameters:
      encryptionAlgorithm - EncryptionAlgorithm
    • setResponderIdByKey

      public void setResponderIdByKey(boolean responderIdByKey)
      Sets whether the ResponderID property should be generated based on the certificate's key (SHA-1 of the OCSP responder's public key). When set to FALSE, the ResponderID property will be generated based on the OCSP responder's subject name. Default: TRUE (the ResponderId is generated based on the key)
      Parameters:
      responderIdByKey - whether the ResponderID property should be generated based on the certificate's key
    • getOcspResponder

      protected CertEntity getOcspResponder(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Returns a CertEntity to be used as an OCSP Response issuer.
      Parameters:
      certificateToken - CertificateToken to request OCSP Response for
      issuerCertificateToken - CertificateToken that issued the certificateToken
      Returns:
      CertEntity representing the entry to be used as an issuer of the OCSP Response
    • setOcspResponder

      public void setOcspResponder(CertEntity ocspResponder)
      Sets the OCSP Responder CertEntity to sign the generated OCSP responses. If not defined (or set to NULL), the certificate's issuer certificate is used as the OCSP responder.
      Parameters:
      ocspResponder - CertEntity to issue OCSP responses
    • getRevocationToken

      public OCSPToken getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Retrieves the OCSP token for the revocation status of the given certificate.
      Specified by:
      getRevocationToken in interface OCSPSource
      Specified by:
      getRevocationToken in interface RevocationSource<OCSP>
      Parameters:
      certificateToken - The CertificateToken representing the certificate for which the revocation status is to be checked.
      issuerCertificateToken - The CertificateToken representing the issuer certificate of the certificate to be verified.
      Returns:
      An OCSPToken representing the OCSP response containing the revocation status of the certificate.
    • canGenerate

      protected boolean canGenerate(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Returns whether the current implementation is able to produce an OCSP response for the given certificateToken
      Parameters:
      certificateToken - CertificateToken to produce an OCSP response for
      issuerCertificateToken - CertificateToken representing an issuer of the certificateToken
      Returns:
      TRUE if the current implementation is able to produce an OCSP response for the given pair, FALSE otherwise
    • buildOCSPResponse

      protected org.bouncycastle.cert.ocsp.OCSPResp buildOCSPResponse(CertificateToken certificateToken, CertificateToken issuerCertificateToken, org.bouncycastle.cert.ocsp.OCSPReq ocspReq)
      Builds an OCSP Response
      Parameters:
      certificateToken - CertificateToken to get OCSP response for
      issuerCertificateToken - CertificateToken that issued the certificateToken
      ocspReq - OCSPReq generated earlier
      Returns:
      OCSPResp
    • getCertificateTokenRevocation

      protected CertEntityRevocation getCertificateTokenRevocation(CertificateToken certificateToken, org.bouncycastle.cert.ocsp.OCSPReq ocspReq)
      Returns a revocation status for the given CertificateToken or a certificate within OCSPReq
      Parameters:
      certificateToken - CertificateToken to get revocation status for
      ocspReq - OCSPReq
      Returns:
      CertEntityRevocation
    • addRevocationStatusToOCSPResponse

      protected void addRevocationStatusToOCSPResponse(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder builder, org.bouncycastle.cert.ocsp.OCSPReq ocspReq, CertEntityRevocation certEntityRevocation)
      This method adds certificate revocation information to BasicOCSPRespBuilder
      Parameters:
      builder - BasicOCSPRespBuilder to enrich with revocation status information
      ocspReq - OCSPReq containing the generated OCSP request
      certEntityRevocation - CertEntityRevocation containing revocation status information about the certificate
    • getSignatureAlgorithm

      protected SignatureAlgorithm getSignatureAlgorithm(CertEntity ocspResponder)
      Returns a signature algorithm to be used on OCSP response creation
      Parameters:
      ocspResponder - CertEntity to sign the OCSP response
      Returns:
      SignatureAlgorithm
    • initBuilder

      protected org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder initBuilder(CertificateToken ocspResponderCertificate) throws org.bouncycastle.operator.OperatorCreationException, org.bouncycastle.cert.ocsp.OCSPException
      Initializes a BasicOCSPRespBuilder
      Parameters:
      ocspResponderCertificate - CertificateToken OCSP issuer certificate
      Returns:
      BasicOCSPRespBuilder
      Throws:
      org.bouncycastle.operator.OperatorCreationException - if an error on SKI computation occurs
      org.bouncycastle.cert.ocsp.OCSPException - if an error on RespId building occurs
    • getRespID

      protected org.bouncycastle.cert.ocsp.RespID getRespID(CertificateToken ocspResponderCertificate) throws org.bouncycastle.operator.OperatorCreationException, org.bouncycastle.cert.ocsp.OCSPException
      Builds a org.bouncycastle.cert.ocsp.RespID
      Parameters:
      ocspResponderCertificate - CertificateToken OCSP issuer certificate
      Returns:
      RespID
      Throws:
      org.bouncycastle.operator.OperatorCreationException - if an error on SKI computation occurs
      org.bouncycastle.cert.ocsp.OCSPException - if an error on RespId building occurs
    • buildOCSPRequest

      protected org.bouncycastle.cert.ocsp.OCSPReq buildOCSPRequest(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Builds an OCSP request for the given CertificateToken
      Parameters:
      certificateToken - CertificateToken to get OCSP request for
      issuerCertificateToken - CertificateToken that issued the certificateToken
      Returns:
      OCSPReq
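An added example (not code from the DSS project) that wires the public setters documented above into a test-PKI OCSP lookup and then applies the freshness checks a validator should run on the returned token. It assumes that PKIOCSPSource has a public constructor taking the CertEntityRepository shown in the field details, that OCSPToken inherits getStatus(), getThisUpdate() and getNextUpdate() from DSS's RevocationToken, and that the repository, responder entity and certificate tokens are supplied by the caller; the import packages are also assumed.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;            // package assumed
import eu.europa.esig.dss.model.x509.CertificateToken;             // package assumed
import eu.europa.esig.dss.pki.model.CertEntity;                    // package assumed
import eu.europa.esig.dss.pki.model.CertEntityRepository;          // package assumed
import eu.europa.esig.dss.pki.x509.revocation.ocsp.PKIOCSPSource;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;      // package assumed

/** Example wiring of PKIOCSPSource for a test PKI; added illustration, not DSS project code. */
public final class PkiOcspLookupExample {

    /**
     * Configures a PKIOCSPSource with an explicit validity window and a dedicated responder,
     * then requests the revocation status of {@code cert} issued by {@code issuer}.
     * {@code responder} may be null, in which case the issuer certificate signs the response.
     */
    public static OCSPToken lookup(CertEntityRepository<?> repository, CertEntity responder,
                                   CertificateToken cert, CertificateToken issuer) {
        PKIOCSPSource ocspSource = new PKIOCSPSource(repository); // constructor assumed

        // Pin the response times rather than relying on "now". setProducedAtTime fills
        // thisUpdate when it is unset, so thisUpdate is set explicitly to keep the two decoupled.
        Date now = new Date();
        ocspSource.setProducedAtTime(now);
        ocspSource.setThisUpdate(now);
        ocspSource.setNextUpdate(new Date(now.getTime() + TimeUnit.HOURS.toMillis(24)));

        ocspSource.setOcspResponder(responder);   // null falls back to the issuer itself
        ocspSource.setResponderIdByKey(true);     // ResponderID = SHA-1 of responder key (default)
        ocspSource.setDigestAlgorithm(DigestAlgorithm.SHA256); // documented default is SHA512
        // setEncryptionAlgorithm is left unset so the responder's own key algorithm is used;
        // forcing an algorithm the responder key does not support would break signing.

        return ocspSource.getRevocationToken(cert, issuer);
    }

    /** Freshness and status checks to apply before trusting the token at validationTime. */
    public static boolean isUsable(OCSPToken token, Date validationTime) {
        if (token == null || token.getStatus() == null || !token.getStatus().isKnown()) {
            return false; // no answer, or status UNKNOWN: treat as not validated
        }
        Date thisUpdate = token.getThisUpdate();
        Date nextUpdate = token.getNextUpdate();
        // thisUpdate must not lie in the future; nextUpdate, when present, must not have passed
        return thisUpdate != null && !thisUpdate.after(validationTime)
                && (nextUpdate == null || nextUpdate.after(validationTime));
    }
}
```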