Problem: \u00dcberpr\u00fcfung eines X509-Zertifikates per OCSP-Abfrage, ob dieses gesperrt wurde:<\/strong><\/p>\n
L\u00f6sung:<\/strong><\/p>\n Der OCSP-Client:<\/p>\n In Spring verdrahten und die getOCSPStatus()-Methode aufrufen. Vorher nat\u00fcrlich noch die Zertifikate sowie die URL f\u00fcr die \u00dcberpr\u00fcfung \u00fcbergeben. Diese steht im Zertifikat!<\/p>\n","protected":false},"excerpt":{"rendered":" Problem: \u00dcberpr\u00fcfung eines X509-Zertifikates per OCSP-Abfrage, ob dieses gesperrt wurde: L\u00f6sung: Der OCSP-Client: public class OcspClientBouncyCastle { \/** root certificate *\/ private X509Certificate rootCert; \/** check certificate *\/ private X509Certificate checkCert; \/** OCSP URL *\/ private String url; private static final Logger logger = Logger.getLogger(OcspClientBouncyCastle.class); \/** * Creates an instance of an OcspClient that will… <\/p>\n\r\npublic class OcspClientBouncyCastle\r\n{\r\n \/** root certificate *\/\r\n private X509Certificate rootCert;\r\n \/** check certificate *\/\r\n private X509Certificate checkCert;\r\n \/** OCSP<\/b> URL *\/\r\n private String url;\r\n\r\n\tprivate static final Logger logger = Logger.getLogger(OcspClientBouncyCastle.class);\r\n\r\n \/**\r\n * Creates an instance of an OcspClient that will be using BouncyCastle\r\n *\/\r\n public OcspClientBouncyCastle()\r\n {\r\n\r\n }\r\n\r\n \/**\r\n * Generates an OCSP<\/b> request using BouncyCastle.\r\n * @param issuerCert - certificate of the issues.\r\n * @param serialNumber - serial number.\r\n * @return\tan OCSP<\/b> request\r\n * @throws OCSPException\r\n * @throws IOException\r\n *\/\r\n private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException\r\n {\r\n \/\/ Generate the id for the certificate we are looking for\r\n CertificateID id \t\t= new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber);\r\n\r\n \/\/ basic request generation with nonce\r\n OCSPReqGenerator gen \t= new OCSPReqGenerator();\r\n\r\n gen.addRequest(id);\r\n\r\n \/\/ create details for nonce extension\r\n \/\/ to prevent Replay-Attacks\r\n Vector oids \t= new Vector();\r\n Vector values \t= new Vector();\r\n\r\n oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);\r\n values.add(new X509Extension(false, new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded())));\r\n\r\n gen.setRequestExtensions(new X509Extensions(oids, values));\r\n\r\n return gen.generate();\r\n }\r\n\r\n \/**\r\n * Generates a {@link ErrorStatus}.\r\n * @return the statuscode.\r\n * @throws OCSPException\r\n *\/\r\n public int getOCSPStatus() throws OCSPException\r\n {\r\n try\r\n {\r\n\r\n OCSPReq request \t\t= generateOCSPRequest(rootCert, checkCert.getSerialNumber());\r\n byte[] array \t\t\t= request.getEncoded();\r\n URL urlt \t\t\t\t= new URL(url);\r\n HttpURLConnection con \t= (HttpURLConnection)urlt.openConnection();\r\n con.setRequestProperty(\"Content-Type\", \"application\/ocsp<\/b>-request\");\r\n con.setRequestProperty(\"Accept\", \"application\/ocsp<\/b>-response\");\r\n con.setDoOutput(true);\r\n\r\n OutputStream out \t\t\t= con.getOutputStream();\r\n DataOutputStream dataOut \t= new DataOutputStream(new BufferedOutputStream(out));\r\n dataOut.write(array);\r\n dataOut.flush();\r\n dataOut.close();\r\n\r\n if (con.getResponseCode() \/ 100 != 2)\r\n throw new OCSPException(\"Invalid HTTP response\");\r\n\r\n \/\/Get Response\r\n InputStream in \t\t\t= (InputStream) con.getContent();\r\n OCSPResp ocspResponse \t\t= new OCSPResp(in);\r\n\r\n if (ocspResponse.getStatus() != OCSPResponseStatus.SUCCESSFUL)\r\n throw new OCSPException(ocspResponse.getStatus(),\"Error in OCSPRequest\/Response\");\r\n\r\n BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();\r\n if (basicResponse != null)\r\n {\r\n SingleResp[] responses = basicResponse.getResponses();\r\n if (responses.length == 1)\r\n {\r\n SingleResp resp = responses[0];\r\n logger.info(\" certificate number \" + resp.getCertID().getSerialNumber());\r\n Object status \t= resp.getCertStatus();\r\n\r\n \/\/ Check the status of the response and adjust certificate\r\n if (status == CertificateStatus.GOOD)\r\n {\r\n \tlogger.info(\"OCSP<\/b>-Response-Status: OK!\");\r\n\/\/ \tDie Antwort good muss aber nicht bedeuten, dass ein Zertifikat g\u00fcltig exis-\r\n\/\/ \ttiert und nicht widerrufen worden ist. Diese Aussage k\u00f6nnte nur formuliert werden,\r\n\/\/ \twenn der OCSP<\/b>-Responder direkten Zugriff auf die Datenbank der Zertifizierungsstelle\r\n\/\/ \th\u00e4tte. Ist nur der Zugriff auf eine CRL vorhanden, kann der Responder lediglich sagen,\r\n\/\/ \tdass ein Zertifkat nicht widerrufen worden ist\r\n\r\n return ErrorStatus.CERTIFICATE_OK;\r\n }\r\n else if (status instanceof org.bouncycastle.ocsp<\/b>.RevokedStatus)\r\n {\r\n logger.info(\"Status Revoked\");\r\n \/\/ergebnis:fehlgeschlagen\r\n return ErrorStatus.CERTIFICATE_REVOKED;\r\n\r\n } else if (status instanceof org.bouncycastle.ocsp<\/b>.UnknownStatus)\r\n {\r\n logger.info(\"Status Unknown!\");\r\n \/\/ergebnis:unbekannt\r\n return ErrorStatus.CERTIFICATE_UNKNOWN;\r\n }\r\n }\r\n }\r\n\r\n }\r\n catch (Exception ex)\r\n {\r\n logger.error(ex.getMessage());\r\n }\r\n return ErrorStatus.CERTIFICATE_UNKNOWN;\r\n }\r\n\r\n\tpublic X509Certificate getRootCert()\r\n\t{\r\n\t\treturn rootCert;\r\n\t}\r\n\r\n\tpublic void setRootCert(X509Certificate rootCert)\r\n\t{\r\n\t\tthis.rootCert = rootCert;\r\n\t}\r\n\r\n\tpublic X509Certificate getCheckCert()\r\n\t{\r\n\t\treturn checkCert;\r\n\t}\r\n\r\n\tpublic void setCheckCert(X509Certificate checkCert)\r\n\t{\r\n\t\tthis.checkCert = checkCert;\r\n\t}\r\n\r\n\tpublic String getUrl()\r\n\t{\r\n\t\treturn url;\r\n\t}\r\n\r\n\tpublic void setUrl(String url)\r\n\t{\r\n\t\tthis.url = url;\r\n\t}\r\n\r\n}\r\n<\/pre>\n