OCSP response does not give Certificate Status

Posted 2019-04-06 10:52

Question:

I created an OCSP client using the Bouncy Castle API. I am having trouble finding the certificate status (saying whether it is revoked or not) from the OCSP response I get. The value returned from resp.getCertStatus() is always null. This is how I create the OCSP request.

    // Imports used by the snippets below (old org.bouncycastle.ocsp API, Bouncy Castle 1.46 and earlier)
    import java.io.*;
    import java.math.BigInteger;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.SecureRandom;
    import java.security.Security;
    import java.security.cert.X509Certificate;
    import java.util.*;
    import org.bouncycastle.asn1.DEROctetString;
    import org.bouncycastle.asn1.x509.X509Extension;
    import org.bouncycastle.asn1.x509.X509Extensions;
    import org.bouncycastle.ocsp.*;

    private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
            throws CertificateVerificationException {

        // Add provider BC
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        try {
            // CertID structure is used to uniquely identify certificates that are the subject of
            // an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560
            CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber);

            // basic request generation with nonce
            OCSPReqGenerator generator = new OCSPReqGenerator();
            generator.addRequest(id);

            // create details for nonce extension. The nonce extension is used to bind
            // a request to a response to prevent replay attacks. As the name implies,
            // the nonce value is something that the client should only use once within a reasonably small period.
            // A timestamp is predictable, so the nonce is drawn from SecureRandom instead.
            byte[] nonce = new byte[16];
            new SecureRandom().nextBytes(nonce);
            Vector objectIdentifiers = new Vector();
            Vector values = new Vector();

            // to create the request Extension
            objectIdentifiers.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            values.add(new X509Extension(false, new DEROctetString(nonce)));
            generator.setRequestExtensions(new X509Extensions(objectIdentifiers, values));

            return generator.generate();
        }
        catch (OCSPException e) {
            e.printStackTrace();
            throw new CertificateVerificationException("Cannot generate OCSP Request with the given certificate", e);
        }
    }

I get the OCSP response from the service URL as follows.

    private OCSPResp getOCSPResponce(String serviceUrl, OCSPReq request) throws CertificateVerificationException {

        try {
            byte[] array = request.getEncoded();
            if (serviceUrl.startsWith("http")) {
                HttpURLConnection con;
                URL url = new URL(serviceUrl);
                con = (HttpURLConnection) url.openConnection();
                // RFC 2560 appendix A: the DER-encoded request is POSTed as application/ocsp-request
                con.setRequestMethod("POST");
                con.setRequestProperty("Content-Type", "application/ocsp-request");
                con.setRequestProperty("Accept", "application/ocsp-response");
                con.setDoOutput(true);
                OutputStream out = con.getOutputStream();
                DataOutputStream dataOut = new DataOutputStream(new BufferedOutputStream(out));
                dataOut.write(array);

                dataOut.flush();
                dataOut.close();

                // Get Response; anything other than HTTP 200 means there is no OCSP response to parse
                if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                    throw new CertificateVerificationException(
                            "OCSP responder returned HTTP " + con.getResponseCode());
                }
                InputStream in = con.getInputStream();
                try {
                    return new OCSPResp(in);
                } finally {
                    in.close();
                }
            }
            else {
                throw new CertificateVerificationException("Only http is supported for ocsp calls");
            }
        } catch (IOException e) {
            e.printStackTrace();
            throw new CertificateVerificationException("Cannot get ocspResponse from url: " + serviceUrl, e);
        }
    }

Revocation status is checked as follows. Here the SingleResp object (resp) taken from the BasicOCSPResp object (basicResponse) should have the status of the certificate (good, revoked or unknown). But here status is always null.

    public void checkRevocationStatus(X509Certificate peerCert, X509Certificate issuerCert)
            throws CertificateVerificationException {

        try {

            OCSPReq request = generateOCSPRequest(issuerCert, peerCert.getSerialNumber());
            // OCSP responder URLs come from the Authority Information Access extension of the peer certificate
            List<String> locations = getAIALocations(peerCert);
            Iterator it = locations.iterator();

            if (it.hasNext()) {

                String serviceUrl = (String) it.next();
                OCSPResp ocspResponse = getOCSPResponce(serviceUrl, request);
                if (OCSPRespStatus.SUCCESSFUL == ocspResponse.getStatus())
                    System.out.println("server gave response fine");

                BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
                SingleResp[] responses = (basicResponse == null) ? null : basicResponse.getResponses();

                if (responses != null && responses.length == 1) {
                    SingleResp resp = responses[0];
                    Object status = resp.getCertStatus();
                    if (status != null) {
                        if (status == CertificateStatus.GOOD) {
                            System.out.println("OCSP Status is good!");
                        } else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) {
                            System.out.println("OCSP Status is revoked!");
                        } else if (status instanceof org.bouncycastle.ocsp.UnknownStatus) {
                            System.out.println("OCSP Status is unknown!");
                        }
                    }
                }
            }
        }
        catch (Exception e) {
            System.out.println(e);
        }
    }

I really appreciate your help. Thanks a lot.

Answer 1:

Actually, if you take a look at the actual value of CertificateStatus.GOOD, you will see that it is, in fact, null. In other words, resp.getCertStatus() returns null meaning GOOD.

So you probably just need to take out that (status != null) check.
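As an added example (not the asker's code and not Bouncy Castle's own), here is a checker written against the same old org.bouncycastle.ocsp API that does the status comparison the answer describes, treating a null cert status as GOOD, and adds the checks an OCSP client has to make before it may trust the answer: the response signature must verify under the issuing CA's key or under a responder certificate that the CA issued with the id-kp-OCSPSigning extended key usage, the nonce from the request must be echoed, the SingleResponse must be about the CertID that was asked for, and thisUpdate/nextUpdate must be current. The class name OcspResponseCheck, the Status enum and the five-minute clock-skew allowance are assumptions of this example; the API calls are those of the Bouncy Castle 1.46-era org.bouncycastle.ocsp package used in the question.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.CertificateStatus;
import org.bouncycastle.ocsp.OCSPException;
import org.bouncycastle.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.ocsp.OCSPReq;
import org.bouncycastle.ocsp.OCSPResp;
import org.bouncycastle.ocsp.OCSPRespStatus;
import org.bouncycastle.ocsp.RevokedStatus;
import org.bouncycastle.ocsp.SingleResp;
import org.bouncycastle.ocsp.UnknownStatus;

// Example class (hypothetical name): validates an OCSPResp against the OCSPReq it answers.
public final class OcspResponseCheck {

    public enum Status { GOOD, REVOKED, UNKNOWN }   // assumed result type for this example

    // id-kp-OCSPSigning, RFC 2560 section 4.2.2.2
    private static final String OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9";
    private static final long CLOCK_SKEW_MS = 5 * 60 * 1000L;   // assumed tolerance

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    public static Status evaluate(OCSPReq request, OCSPResp ocspResponse, X509Certificate issuerCert)
            throws OCSPException, GeneralSecurityException {
        if (ocspResponse.getStatus() != OCSPRespStatus.SUCCESSFUL) {
            throw new OCSPException("responder returned status " + ocspResponse.getStatus());
        }
        BasicOCSPResp basic = (BasicOCSPResp) ocspResponse.getResponseObject();
        if (basic == null) {
            throw new OCSPException("response carries no BasicOCSPResponse");
        }

        // 1. Signature. Default signer is the issuing CA; if the responder included its own
        //    certificate, it must chain to that CA and carry the OCSPSigning EKU.
        PublicKey signerKey = issuerCert.getPublicKey();
        X509Certificate[] certs = basic.getCerts("BC");
        if (certs != null && certs.length > 0) {
            X509Certificate responder = certs[0];
            responder.checkValidity();
            responder.verify(issuerCert.getPublicKey());
            List<String> eku = responder.getExtendedKeyUsage();
            if (eku == null || !eku.contains(OCSP_SIGNING_EKU)) {
                throw new OCSPException("responder certificate lacks id-kp-OCSPSigning");
            }
            signerKey = responder.getPublicKey();
        }
        if (!basic.verify(signerKey, "BC")) {
            throw new OCSPException("OCSP response signature does not verify");
        }

        // 2. Nonce. getExtensionValue returns the DER-encoded extnValue on both request and
        //    response, so a byte comparison is enough. A missing or different nonce may be a replay.
        String nonceOid = OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId();
        byte[] sent = request.getExtensionValue(nonceOid);
        byte[] echoed = basic.getExtensionValue(nonceOid);
        if (sent != null && !Arrays.equals(sent, echoed)) {
            throw new OCSPException("nonce mismatch: possible replayed response");
        }

        // 3. Exactly one SingleResponse, and it must be about the CertID we asked for.
        SingleResp[] responses = basic.getResponses();
        if (responses == null || responses.length != 1) {
            throw new OCSPException("expected exactly one SingleResponse");
        }
        SingleResp single = responses[0];
        CertificateID asked = request.getRequestList()[0].getCertID();
        CertificateID answered = single.getCertID();
        if (!answered.getSerialNumber().equals(asked.getSerialNumber())
                || !Arrays.equals(answered.getIssuerNameHash(), asked.getIssuerNameHash())
                || !Arrays.equals(answered.getIssuerKeyHash(), asked.getIssuerKeyHash())) {
            throw new OCSPException("SingleResponse is not for the requested certificate");
        }

        // 4. Freshness (RFC 2560 section 4.2.2.1). nextUpdate is optional.
        long now = new Date().getTime();
        if (single.getThisUpdate().getTime() > now + CLOCK_SKEW_MS) {
            throw new OCSPException("thisUpdate lies in the future");
        }
        Date next = single.getNextUpdate();
        if (next != null && next.getTime() < now - CLOCK_SKEW_MS) {
            throw new OCSPException("OCSP response has expired (nextUpdate passed)");
        }

        // 5. Status. In this API CertificateStatus.GOOD is defined as null, so the
        //    null comparison IS the "good" case and must come first.
        Object status = single.getCertStatus();
        if (status == CertificateStatus.GOOD) {
            return Status.GOOD;
        } else if (status instanceof RevokedStatus) {
            RevokedStatus rs = (RevokedStatus) status;   // rs.getRevocationTime() gives the time
            return Status.REVOKED;
        } else if (status instanceof UnknownStatus) {
            return Status.UNKNOWN;
        }
        throw new OCSPException("unrecognised CertStatus " + status);
    }
}
```

Call it as `OcspResponseCheck.evaluate(request, ocspResponse, issuerCert)` from the question's `checkRevocationStatus`, in place of the hand-written status branching. Every failure is thrown rather than returned as UNKNOWN so that a forged, replayed, stale or mis-addressed response can never be mistaken for a good one; only a verified response that says nothing about the certificate yields UNKNOWN, and it is up to the caller's policy whether that is hard-fail or soft-fail.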