com.rsa.certj.provider.revocation.ocsp

Class OCSP

java.lang.Object
  |
  +--com.rsa.certj.Provider
        |
        +--com.rsa.certj.provider.revocation.ocsp.OCSP

public final class OCSP

extends Provider

This class implements a certificate status provider that uses the Online Certificate Status Protocol (OCSP) defined in RFC 2560.

The Cert-J OCSP Revocation Status service provider is used to check the validity of certificates, as an alternative or supplement to using CRLs. This service provider uses the Online Certificate Status Protocol (OCSP), and is suitable for client applications that require a method for getting more timely certificate revocation status information than a CRL can usually provide.

One benefit of OCSP is that the burden of certificate revocation status checking is placed onto the server. However, an application should still do some filtering or validation prior to sending a request to an OCSP responder. For example, if an application expects to receive a significant number of authentication requests with forged certificates, then the application should locally validate the signature on the certificate before issuing a status request. This procedure can provide better overall performance than relying only on an OCSP network service as the only source of information regarding the status and content of a certificate. Additionally, some pre-verification or pre-validation of end-entity certificates might simplify the OCSP configuration of the application.

An OCSP responder is usually maintained by a CA. Some OCSP responders accept requests on behalf of more than one CA. The OCSP protocol allows for signed or unsigned requests to be made to OCSP responders. However, a particular OCSP responder might require a request to be signed as proof of authorization and authentication to use the OCSP responder service. OCSP requires that all responses from an OCSP responder must be signed. Unless the CA or an authority to which OCSP responsibilities have been delegated signs the OCSP response, it is up to the application to choose which OCSP responders to trust to sign the responses.

The validity period of OCSP responses are often on the order of hours; therefore, it is imperative that you set the client application's local clock to the correct time and time zone. Incorrect time and time zone settings could cause OCSP responses to be interpreted incorrectly, allowing incorrect status to be returned to the calling application.

Applications need to supply OCSP configuration information, in the form of one or more OCSPResponder objects, to the OCSP Revocation Status service provider at initialization time. The service provider determines which OCSP responder to contact from the configuration information passed in as an array of OCSPResponder objects. Information encoded within the certificate, combined with this initialization information, is used to construct a request, and to interpret the response.

The service provider will not issue more than one request for each certificate. None of the following can occur:

• Retrying a request to a non-working responder
• Retrying a request when multiple OCSPResponder objects provided during initialization can be matched by certificate and initialization information combinations
• retrying a request with a signed request, after an unsigned request was rejected.

The service provider performs the following process to select an OCSPResponder object:

• If the certificate to be checked contains an AIA, then the object that contains the same URL (in OCSPResponder.destList) as the AIA's URL is selected. Note: The only exception to this rule is when CertPathCtx.pathOptions contains PF_IGNORE_AIA.
  • If only one object's transport.destList contains the matching URL, then that object is selected.
  • If more than one transport.destList contains the matching URL, then the first object found whose responderCA's certificate's subjectName matches the issuerName of the certificate is selected.

• If the certificate to be checked contains no AIA, then an object is found whose responderCA's certificate subjectName matches the issuerName in the certificate to be checked.

  • If only one object's certificate subjectName matches the issuerName in the certificate to be checked, then that object is selected.
  • If more than one object contains the matching subjectName, then the first object that specifies signatureAlgorithm != null is selected.
  • If there are no matching object, then see the next step.

• If no object is matched at this point, then no request is generated. This is indicated by the CertRevocationInfo having CERT_REVOCATION_UNKNOWN status and an evidence of type CRE_NONE. This indicates that no request was generated.

Once an object is selected, the OCSP protocol request data is constructed. Depending on how the object's flags field is set, zero or more certificates are included in the request to help the OCSP responder verify the signature of the request signer. These certificates must be included in the CertPathCtx.database included as a parameter to checkCertRevocation.

The Cert-C OCSP Revocation Status service provider can use certificates and certificate identifiers for the following purposes:

• Identifying the OCSPResponder object to use,
• signing requests to be sent to an OCSP responder,
• including certificates as extra certificates to be sent in the request to an OCSP responder,
• identifying expected OCSP response signers,
• validating response signatures, and
• building certificate trust chains from response signers to trusted roots.

These certificates can come from OCSPResponder objects, or from CertPathCtx.database or CertPathCtx.trustedCerts, that are passed to checkCertRevocation. If certificates are needed to perform signature verification and certificate path building, then the certificates are extracted from the CertPathCtx. Otherwise, they are to be taken from the one or more OCSPResponder objects supplied at service provider initialization time.

This service provider ignores the value of CertPathCtx.PF_IGNORE_VALIDATION_TIME because the status information handled by this provider is valid only over a specific time period, and to ignore this information is an invalid use of the protocol.

Copyright © RSA Security Inc., 2001. All rights reserved.

Constructor Summary

OCSP(String name, OCSPResponder responder)

Constructs an OCSP object for the OCSP responder described in responder.

OCSP(String name, OCSPResponder[] responders)

Constructs an OCSP object for the OCSP responders described in responder.

Method Summary

ProviderImplementation	instantiate(CertJ certJ) Creates a TransportImplementation object that handles OCSP certificate status SPI methods.
void	setDebugWriteDERs(boolean debugOn) Sets the option to write out the DERs being transported, for debugging and support purposes.

Methods inherited from class com.rsa.certj.Provider

getName, getType

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OCSP

public OCSP(String name,
            OCSPResponder responder)
     throws InvalidParameterException,
            CertificateException,
            NameException

Constructs an OCSP object for the OCSP responder described in responder.

Parameters

	name		A String object indicating the name of the provider.
	responder		A OCSPResponder object holding information about the OCSP responder to use with this provider. The value of responder cannot be null.

Throws

InvalidParameterException - If any argument is invalid.

CertificateException - If any certificates contained within are invalid.

NameException - If any certificates contained within are invalid.

OCSP

public OCSP(String name,
            OCSPResponder[] responders)
     throws InvalidParameterException,
            CertificateException,
            NameException

Constructs an OCSP object for the OCSP responders described in responder.

Parameters

	name		A String object indicating the name of the provider. The value of responder cannot be null.
	responders		A OCSPResponder array holding information about a list of OCSP responders to use with this provider.

Throws

InvalidParameterException - If any argument is invalid.

CertificateException - If any certificates contained within are invalid.

NameException - If any certificates contained within are invalid.

Method Detail

setDebugWriteDERs

public final void setDebugWriteDERs(boolean debugOn)

Sets the option to write out the DERs being transported, for debugging and support purposes.

Parameters

debugOn

true if the debug option is to be turned on; false, otherwise.

instantiate

public ProviderImplementation instantiate(CertJ certJ)
                                   throws ProviderManagementException

Creates a TransportImplementation object that handles OCSP certificate status SPI methods. This method is called by CertJ.registerService when an object of the OCSP class is registered. Applications do not have to call this method.

Overrides

instantiate in class Provider

Parameters

certJ

A CertJ object for which the created provider is registered.

Returns

A TransportImplementation object that provides the SPI implementations for OCSP certificate status providers.

Throws

ProviderManagementException - If instantiation of the OCSP certificate status provider fails.