Class OnlineOCSPSource

java.lang.Object
eu.europa.esig.dss.service.ocsp.OnlineOCSPSource
All Implemented Interfaces:
OCSPSource, RevocationSource<OCSP>, RevocationSourceAlternateUrlsSupport<OCSP>, Serializable

public class OnlineOCSPSource extends Object implements OCSPSource, RevocationSourceAlternateUrlsSupport<OCSP>
Online OCSP repository. This implementation will contact the OCSP Responder to retrieve the OCSP response.
  • Constructor Details

    • OnlineOCSPSource

      public OnlineOCSPSource()
      Creates an OCSP source. This is the default constructor for OnlineOCSPSource: the default OCSPDataLoader is set. It is possible to change it with setDataLoader(dataLoader).
    • OnlineOCSPSource

      public OnlineOCSPSource(DataLoader dataLoader)
      Creates an Online OCSP Source with the provided DataLoader instance. It is still possible to change the defined instance with setDataLoader(dataLoader).
      Parameters:
      dataLoader - DataLoader to use
  • Method Details

    • setDataLoader

      public void setDataLoader(DataLoader dataLoader)
      Set the DataLoader to use for querying a revocation server.
      Parameters:
      dataLoader - the component used to retrieve an OCSP response over HTTP.
    • setNonceSource

      public void setNonceSource(NonceSource nonceSource)
      Set the NonceSource to use for querying the OCSP server.
      Parameters:
      nonceSource - the component that produces a fresh nonce for each request, so that a previously issued OCSP response cannot be replayed.
    • setCertIDDigestAlgorithm

      public void setCertIDDigestAlgorithm(DigestAlgorithm certIDDigestAlgorithm)
      Sets the DigestAlgorithm used for the hash calculation of the CertID element when building an OCSP request.
      Parameters:
      certIDDigestAlgorithm - DigestAlgorithm
    • setAlertOnInvalidNonce

      public void setAlertOnInvalidNonce(StatusAlert alertOnInvalidNonce)
      Sets the behaviour when the nonce of the OCSP Response does not match the nonce sent within the request. Default: ExceptionOnStatusAlert (throws an exception if the nonce does not match).
      Parameters:
      alertOnInvalidNonce - StatusAlert
    • setAlertOnNonexistentNonce

      public void setAlertOnNonexistentNonce(StatusAlert alertOnNonexistentNonce)
      Sets the behaviour when the obtained OCSP Response does not contain a nonce even though a nonce was enforced (i.e. a nonceSource is specified). Default: LogOnStatusAlert (logs a warning if the OCSP Response does not contain the nonce).
      Parameters:
      alertOnNonexistentNonce - StatusAlert
    • setAlertOnInvalidUpdateTime

      public void setAlertOnInvalidUpdateTime(StatusAlert alertOnInvalidUpdateTime)
      Sets the behaviour when the current time lies outside the range between the thisUpdate and nextUpdate fields extracted from the OCSP Response. The check is executed only when no nonce is checked. Default: SilentOnStatusAlert (the check is skipped).
      Parameters:
      alertOnInvalidUpdateTime - StatusAlert
    • setNextUpdateTolerancePeriod

      public void setNextUpdateTolerancePeriod(long nextUpdateTolerancePeriod)
      Clients MAY allow configuration of a small tolerance period for acceptance of responses after nextUpdate to handle minor clock differences relative to responders and caches, i.e. currentTime shall not be after nextUpdate + nextUpdateTolerancePeriod. The setting is applicable only when checkOCSPResponseUpdateTime is enabled and no nonce is checked. Default: 0
      Parameters:
      nextUpdateTolerancePeriod - the tolerance period in milliseconds
    • getRevocationToken

      public OCSPToken getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Description copied from interface: RevocationSource
      This method retrieves a RevocationToken for the certificateToken
      Specified by:
      getRevocationToken in interface OCSPSource
      Specified by:
      getRevocationToken in interface RevocationSource<OCSP>
      Parameters:
      certificateToken - The CertificateToken for which the request is made
      issuerCertificateToken - The CertificateToken which is the issuer of the certificateToken
      Returns:
      an instance of RevocationToken
    • getRevocationToken

      public OCSPToken getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken, List<String> alternativeUrls)
      Description copied from interface: RevocationSourceAlternateUrlsSupport
      Gets a RevocationToken for the given certificate / issuer's certificate pair. The coherence between the response and the request is checked.
      Specified by:
      getRevocationToken in interface RevocationSourceAlternateUrlsSupport<OCSP>
      Parameters:
      certificateToken - The CertificateToken for which the request is made
      issuerCertificateToken - The CertificateToken which is the issuer of the certificateToken
      alternativeUrls - The list of alternative urls to call
      Returns:
      RevocationToken containing information about the validity of the cert
    • getOCSPAccessURLs

      protected List<String> getOCSPAccessURLs(CertificateToken certificateToken, List<String> alternativeUrls)
      Extracts a list of OCSP access URLs to be used in the provided order to retrieve an OCSP response
      Parameters:
      certificateToken - CertificateToken to retrieve OCSP response for
      alternativeUrls - a list of String representing alternative URL sources
      Returns:
      a list of String urls
    • buildOCSPRequest

      protected byte[] buildOCSPRequest(CertificateToken certificateToken, CertificateToken issuerToken, byte[] nonce)
      Builds an OCSP request for certificateToken
      Parameters:
      certificateToken - CertificateToken to retrieve an OCSP token for
      issuerToken - CertificateToken representing an issuer certificate of certificateToken
      nonce - byte array containing a unique nonce
      Returns:
      byte array representing an OCSP request
    • executeOCSPRequest

      protected org.bouncycastle.cert.ocsp.BasicOCSPResp executeOCSPRequest(String ocspAccessLocation, byte[] request) throws IOException, org.bouncycastle.cert.ocsp.OCSPException
      Executes a request to the given ocspAccessLocation and returns an OCSP basic response, when applicable
      Parameters:
      ocspAccessLocation - String representing a URL to execute request
      request - byte array containing OCSP request
      Returns:
      BasicOCSPResp
      Throws:
      IOException - if an error occurs on OCSP request execution
      org.bouncycastle.cert.ocsp.OCSPException - if an error occurs on OCSP response reading
    • assertOCSPResponseValid

      protected void assertOCSPResponseValid(org.bouncycastle.cert.ocsp.BasicOCSPResp basicOCSPResp, org.bouncycastle.cert.ocsp.SingleResp latestSingleResponse, byte[] expectedNonce)
      Verifies whether an OCSP response is valid
      Parameters:
      basicOCSPResp - BasicOCSPResp
      latestSingleResponse - SingleResp
      expectedNonce - byte array
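The following is an added example, not code from the DSS project or this page, showing how the setters documented above combine into a fail-closed OCSP client: nonce enforced with exceptions on both a mismatched and a missing nonce (the page's default for a missing nonce is only a log warning), plus an update-time check with a small tolerance for the no-nonce case. It assumes the packages of SecureRandomNonceSource, ExceptionOnStatusAlert, DSSUtils, OCSPToken and DigestAlgorithm, the connection/socket timeout setters on OCSPDataLoader, the getStatus/getThisUpdate/getNextUpdate accessors on OCSPToken, and the certificate file paths and responder URL, which are constructed for the example.

```java
import java.io.File;
import java.util.List;

import eu.europa.esig.dss.alert.ExceptionOnStatusAlert;          // assumed package
import eu.europa.esig.dss.enumerations.DigestAlgorithm;           // assumed package
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.service.SecureRandomNonceSource;        // assumed package
import eu.europa.esig.dss.service.http.commons.OCSPDataLoader;    // assumed package
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.spi.DSSUtils;                           // assumed package
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;     // assumed package

public class HardenedOcspCheck {

    /** Builds an OnlineOCSPSource that fails closed instead of only logging. */
    static OnlineOCSPSource hardenedSource() {
        OCSPDataLoader loader = new OCSPDataLoader();
        loader.setTimeoutConnection(5000);   // assumed setters; bound the time a
        loader.setTimeoutSocket(5000);       // slow responder can stall validation
        OnlineOCSPSource source = new OnlineOCSPSource(loader);

        // Fresh nonce per request; the responder must echo it back.
        source.setNonceSource(new SecureRandomNonceSource());
        // Page default: ExceptionOnStatusAlert. Kept explicit.
        source.setAlertOnInvalidNonce(new ExceptionOnStatusAlert());
        // Page default: LogOnStatusAlert. A response without the nonce we sent
        // gives no replay protection, so reject it rather than warn.
        source.setAlertOnNonexistentNonce(new ExceptionOnStatusAlert());
        // Only evaluated when no nonce is checked (page default: Silent).
        // Configured anyway so removing the nonceSource later does not
        // silently accept stale responses; allow 60 s of clock skew.
        source.setAlertOnInvalidUpdateTime(new ExceptionOnStatusAlert());
        source.setNextUpdateTolerancePeriod(60_000L);
        source.setCertIDDigestAlgorithm(DigestAlgorithm.SHA256);
        return source;
    }

    public static void main(String[] args) {
        // Constructed paths and URL for the example.
        CertificateToken cert = DSSUtils.loadCertificate(new File("leaf.crt"));
        CertificateToken issuer = DSSUtils.loadCertificate(new File("issuer.crt"));
        OCSPToken token = hardenedSource().getRevocationToken(cert, issuer,
                List.of("http://ocsp.example.test/"));
        if (token == null) {
            // No usable response: treat the certificate as unknown, never as good.
            System.out.println("No OCSP response obtained");
            return;
        }
        System.out.println("status=" + token.getStatus() + " thisUpdate="
                + token.getThisUpdate() + " nextUpdate=" + token.getNextUpdate());
    }
}
```

With these settings a mismatched or missing nonce surfaces as an exception from getRevocationToken, so the caller cannot accidentally continue on a replayed response.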