java.lang.Object
  +--com.rsa.certj.Provider
       +--com.rsa.certj.provider.revocation.ocsp.OCSP
This class implements a certificate status provider that uses the Online Certificate Status Protocol (OCSP) defined in RFC 2560.
The Cert-J OCSP Revocation Status service provider is used to check the validity of certificates, as an alternative or supplement to using CRLs. This service provider uses the Online Certificate Status Protocol (OCSP), and is suitable for client applications that require a method for getting more timely certificate revocation status information than a CRL can usually provide.
One benefit of OCSP is that the burden of certificate revocation status checking is placed onto the server. However, an application should still do some filtering or validation prior to sending a request to an OCSP responder. For example, if an application expects to receive a significant number of authentication requests with forged certificates, then the application should locally validate the signature on the certificate before issuing a status request. This avoids a network round trip for certificates that would be rejected anyway, and can provide better overall performance than relying on the OCSP network service as the only source of information regarding the status and content of a certificate. Additionally, some pre-verification or pre-validation of end-entity certificates might simplify the OCSP configuration of the application.
An OCSP responder is usually maintained by a CA. Some OCSP responders accept requests on behalf of more than one CA. The OCSP protocol allows for signed or unsigned requests to be made to OCSP responders. However, a particular OCSP responder might require a request to be signed as proof of authorization and authentication to use the OCSP responder service. OCSP requires that all responses from an OCSP responder be signed. Unless the CA, or an authority to which OCSP responsibilities have been delegated, signs the OCSP response, it is up to the application to choose which OCSP responders to trust to sign the responses.
The validity period of an OCSP response is often on the order of hours; therefore, it is imperative that you set the client application's local clock to the correct time and time zone. Incorrect time and time zone settings could cause OCSP responses to be interpreted incorrectly: a clock that runs behind can make an expired response look current, and a clock that runs ahead can cause a valid response to be rejected as stale. Either way, incorrect status is returned to the calling application.
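The following is an added example, not Cert-J code and not part of the original page, showing the validity-window check a client applies to an OCSP response before acting on its status, and what happens to that check when the local clock is wrong. The field names thisUpdate and nextUpdate come from RFC 2560 and the acceptance rules follow RFC 2560 section 3.2; the five-minute skew tolerance, the 24-hour cap used when nextUpdate is absent, the class name OcspFreshness and all timestamps are values constructed for this example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

/*
 * Added example (not Cert-J code): the validity-window check a client should
 * apply to an OCSP response before acting on its status. thisUpdate and
 * nextUpdate are the RFC 2560 field names and the acceptance rules follow
 * RFC 2560 section 3.2; the skew tolerance and the maximum age accepted when
 * nextUpdate is absent are local policy values chosen for this example.
 */
public final class OcspFreshness {

    public enum Verdict { FRESH, NOT_YET_VALID, STALE, TOO_OLD }

    private final Duration maxClockSkew;
    private final Duration maxAgeWithoutNextUpdate;

    public OcspFreshness(Duration maxClockSkew, Duration maxAgeWithoutNextUpdate) {
        this.maxClockSkew = maxClockSkew;
        this.maxAgeWithoutNextUpdate = maxAgeWithoutNextUpdate;
    }

    /** now is the client's own clock, which is exactly what the text says must be correct. */
    public Verdict check(Instant thisUpdate, Optional<Instant> nextUpdate, Instant now) {
        // RFC 2560 3.2: thisUpdate must not lie in the future (beyond tolerated skew).
        if (thisUpdate.isAfter(now.plus(maxClockSkew))) {
            return Verdict.NOT_YET_VALID;
        }
        if (nextUpdate.isPresent()) {
            // RFC 2560 3.2: when present, nextUpdate must still be ahead of the current time.
            if (!nextUpdate.get().isAfter(now.minus(maxClockSkew))) {
                return Verdict.STALE;
            }
            return Verdict.FRESH;
        }
        // No nextUpdate means newer information is always available; cap the age by local policy.
        if (thisUpdate.isBefore(now.minus(maxAgeWithoutNextUpdate))) {
            return Verdict.TOO_OLD;
        }
        return Verdict.FRESH;
    }

    public static void main(String[] args) {
        OcspFreshness policy = new OcspFreshness(Duration.ofMinutes(5), Duration.ofHours(24));

        // Constructed response window: produced 09:00 UTC, good until 13:00 UTC.
        Instant thisUpdate = Instant.parse("2001-06-01T09:00:00Z");
        Optional<Instant> nextUpdate = Optional.of(Instant.parse("2001-06-01T13:00:00Z"));

        // Case 1: real time 10:00 UTC, inside the window.
        Instant validNow = Instant.parse("2001-06-01T10:00:00Z");
        // A clock four hours ahead (local time mislabelled as UTC) sees the window as already closed.
        Instant aheadClock = validNow.plus(Duration.ofHours(4));
        // A clock four hours behind sees thisUpdate in the future.
        Instant behindClock = validNow.minus(Duration.ofHours(4));

        // Case 2: real time 14:00 UTC, the response has expired, but the client clock
        // is four hours behind. This is the dangerous direction: a dead response is accepted.
        Instant expiredNow = Instant.parse("2001-06-01T14:00:00Z");
        Instant behindAtExpiry = expiredNow.minus(Duration.ofHours(4));

        System.out.println("correct clock, valid window   : " + policy.check(thisUpdate, nextUpdate, validNow));
        System.out.println("clock 4h ahead, valid window  : " + policy.check(thisUpdate, nextUpdate, aheadClock));
        System.out.println("clock 4h behind, valid window : " + policy.check(thisUpdate, nextUpdate, behindClock));
        System.out.println("correct clock, expired        : " + policy.check(thisUpdate, nextUpdate, expiredNow));
        System.out.println("clock 4h behind, expired      : " + policy.check(thisUpdate, nextUpdate, behindAtExpiry));
        System.out.println("nextUpdate absent, valid      : " + policy.check(thisUpdate, Optional.empty(), validNow));
    }
}
```

The two false rejections (clock ahead or behind while the response is actually valid) are operational failures that show up quickly. The last case with a skewed clock is the quiet one: the response expired at 13:00 UTC, but a client whose clock reads 10:00 UTC classifies it as fresh and trusts a status that the responder no longer stands behind. A small skew tolerance is reasonable; a clock that is hours off is not something the check can compensate for, which is why the text insists on a correctly set clock and time zone.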
Applications need to supply OCSP configuration information, in the form of one or more OCSPResponder objects, to the OCSP Revocation Status service provider at initialization time. The service provider determines which OCSP responder to contact from the configuration information passed in as an array of OCSPResponder objects. Information encoded within the certificate, combined with this initialization information, is used to construct a request, and to interpret the response.
The service provider will not issue more than one request for each certificate. If none of the OCSPResponder objects provided during initialization can be matched against the combination of certificate and initialization information, no request is issued at all (see the last step below).
The service provider performs the following process to select an OCSPResponder object:
1. If the certificate to be checked carries an Authority Information Access (AIA) extension with an OCSP location, the OCSPResponder object whose transport destination list (OCSPResponder.destList) contains the same URL as the AIA's URL is selected.
   Note: The only exception to this rule is when CertPathCtx.pathOptions contains PF_IGNORE_AIA, in which case the AIA extension is not consulted.
   - If exactly one object's transport.destList contains the matching URL, then that object is selected.
   - If more than one object's transport.destList contains the matching URL, then the first object found whose responderCA's certificate's subjectName matches the issuerName of the certificate is selected.
2. Otherwise, the service provider looks for an object whose responderCA's certificate subjectName matches the issuerName in the certificate to be checked.
   - If exactly one object's subjectName matches the issuerName in the certificate to be checked, then that object is selected.
   - If more than one object has a matching subjectName, then the first object that specifies signatureAlgorithm != null is selected.
3. If no object is selected, the service provider returns a CertRevocationInfo having CERT_REVOCATION_UNKNOWN status and an evidence of type CRE_NONE. This indicates that no request was generated.
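The following is an added example, not Cert-J code and not part of the original page: a stand-alone model of the responder selection order described above, so the precedence of the AIA URL match, the PF_IGNORE_AIA exception, the issuer tie-break and the "no match, no request" outcome can be exercised against a constructed configuration. Plain Java classes (Responder, CertToCheck) stand in for Cert-J's OCSPResponder and CertPathCtx; the field names mirror the text but belong to this example, and every URL, name and algorithm string is constructed. Where the text leaves a case undefined, the fallback is marked in a comment as a modelling choice.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

/*
 * Added example (not Cert-J code): a stand-alone model of the OCSPResponder
 * selection order documented for the Cert-J OCSP provider. Plain Java types
 * stand in for Cert-J's OCSPResponder and CertPathCtx; field names mirror
 * the text but belong to this example.
 */
public final class ResponderSelection {

    /** Stand-in for an OCSPResponder configuration object. */
    public static final class Responder {
        final String label;
        final List<String> destList;        // transport.destList: responder URLs
        final String responderCaSubject;    // responderCA certificate's subjectName
        final String signatureAlgorithm;    // null: requests to this responder are unsigned

        Responder(String label, List<String> destList, String responderCaSubject, String signatureAlgorithm) {
            this.label = label;
            this.destList = destList;
            this.responderCaSubject = responderCaSubject;
            this.signatureAlgorithm = signatureAlgorithm;
        }

        @Override public String toString() { return label; }
    }

    /** The two certificate fields the selection rules consult. */
    public static final class CertToCheck {
        final String issuerName;
        final String aiaOcspUrl;            // null when the certificate has no AIA OCSP location

        CertToCheck(String issuerName, String aiaOcspUrl) {
            this.issuerName = issuerName;
            this.aiaOcspUrl = aiaOcspUrl;
        }
    }

    /** An empty result corresponds to CERT_REVOCATION_UNKNOWN with CRE_NONE evidence: no request is sent. */
    public static Optional<Responder> select(List<Responder> configured, CertToCheck cert, boolean ignoreAia) {
        // Rule 1: match the certificate's AIA OCSP URL against transport.destList,
        // unless CertPathCtx.pathOptions carries PF_IGNORE_AIA.
        if (cert.aiaOcspUrl != null && !ignoreAia) {
            List<Responder> byUrl = new ArrayList<>();
            for (Responder r : configured) {
                if (r.destList.contains(cert.aiaOcspUrl)) byUrl.add(r);
            }
            if (byUrl.size() == 1) return Optional.of(byUrl.get(0));
            // Several responders serve the same URL: the first whose responderCA
            // subject equals the certificate's issuer wins.
            for (Responder r : byUrl) {
                if (cert.issuerName.equals(r.responderCaSubject)) return Optional.of(r);
            }
            // Modelling choice: no URL match (or no issuer tie-break) falls through to rule 2.
        }
        // Rule 2: match responderCA subjectName against the certificate's issuerName.
        List<Responder> byIssuer = new ArrayList<>();
        for (Responder r : configured) {
            if (cert.issuerName.equals(r.responderCaSubject)) byIssuer.add(r);
        }
        if (byIssuer.size() == 1) return Optional.of(byIssuer.get(0));
        // Several responders for this issuer: the first one configured to sign requests wins.
        for (Responder r : byIssuer) {
            if (r.signatureAlgorithm != null) return Optional.of(r);
        }
        // Rule 3: nothing matched (modelling choice: several issuer matches, none of
        // which signs, is treated as no match). No request is generated.
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed configuration, not taken from any real deployment.
        Responder caA = new Responder("CA-A responder", Arrays.asList("http://ocsp.ca-a.example"), "CN=CA A", "SHA1withRSA");
        Responder caB = new Responder("CA-B responder", Arrays.asList("http://ocsp.ca-b.example"), "CN=CA B", "SHA1withRSA");
        Responder sharedA = new Responder("shared responder (CA A)", Arrays.asList("http://ocsp.shared.example"), "CN=CA A", null);
        Responder sharedB = new Responder("shared responder (CA B)", Arrays.asList("http://ocsp.shared.example"), "CN=CA B", null);
        List<Responder> config = Arrays.asList(caA, caB, sharedA, sharedB);

        CertToCheck viaAia = new CertToCheck("CN=CA B", "http://ocsp.ca-b.example");
        CertToCheck sharedUrl = new CertToCheck("CN=CA B", "http://ocsp.shared.example");
        CertToCheck noAia = new CertToCheck("CN=CA A", null);
        CertToCheck unknownIssuer = new CertToCheck("CN=CA Z", null);

        System.out.println("AIA URL match             : " + select(config, viaAia, false));
        System.out.println("PF_IGNORE_AIA, issuer match: " + select(config, viaAia, true));
        System.out.println("shared URL, issuer tie-break: " + select(config, sharedUrl, false));
        System.out.println("no AIA, signing tie-break  : " + select(config, noAia, false));
        System.out.println("no match, no request       : " + select(config, unknownIssuer, false));
    }
}
```

The security-relevant point this makes visible is that the configured OCSPResponder set, not the certificate alone, decides who is asked about revocation: a certificate whose AIA points at a URL that is not in any destList never causes a request to that URL, and the selected object's responderCA is what the response signature will later be checked against. The last case is the one to watch in production, since an unmatched issuer silently yields CERT_REVOCATION_UNKNOWN rather than an error, and the caller must decide whether "unknown" is acceptable.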
Once an object is selected, the OCSP protocol request data is constructed. Depending on how the object's flags field is set, zero or more certificates are included in the request to help the OCSP responder verify the signature of the request signer. These certificates must be present in the CertPathCtx.database passed as a parameter to checkCertRevocation.
The Cert-J OCSP Revocation Status service provider uses certificates and certificate identifiers to select the OCSPResponder object to use, to verify signatures, and to build certificate paths. These certificates can come from OCSPResponder objects, or from the CertPathCtx.database or CertPathCtx.trustedCerts that are passed to checkCertRevocation. If certificates are needed to perform signature verification and certificate path building, then the certificates are extracted from the CertPathCtx. Otherwise, they are taken from the one or more OCSPResponder objects supplied at service provider initialization time.
The provider does not honor the CertPathCtx.PF_IGNORE_VALIDATION_TIME option, because the status information handled by this provider is valid only over a specific time period, and to ignore this information is an invalid use of the protocol.
Copyright © RSA Security Inc., 2001. All rights reserved.
Constructor Summary
  OCSP(String name, OCSPResponder responder)
      Constructs an OCSP object for the OCSP responder described in responder.
  OCSP(String name, OCSPResponder[] responders)
      Constructs an OCSP object for the OCSP responders described in responders.
Method Summary
  ProviderImplementation instantiate(CertJ certJ)
      Creates a TransportImplementation object that handles OCSP certificate status SPI methods.
  void setDebugWriteDERs(boolean debugOn)
      Sets the option to write out the DERs being transported, for debugging and support purposes.
Methods inherited from class com.rsa.certj.Provider
  getName, getType
Methods inherited from class java.lang.Object
  equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail
public OCSP(String name, OCSPResponder responder) throws InvalidParameterException, CertificateException, NameException
    Constructs an OCSP object for the OCSP responder described in responder.
    Parameters:
        name - The name of this provider.
        responder - An OCSPResponder object describing the OCSP responder to use.
    Throws:
        InvalidParameterException - If any argument is invalid.
        CertificateException - If any certificates contained within are invalid.
        NameException - If any certificates contained within are invalid.
public OCSP(String name, OCSPResponder[] responders) throws InvalidParameterException, CertificateException, NameException
    Constructs an OCSP object for the OCSP responders described in responders.
    Parameters:
        name - The name of this provider.
        responders - An array of OCSPResponder objects describing the OCSP responders to use.
    Throws:
        InvalidParameterException - If any argument is invalid.
        CertificateException - If any certificates contained within are invalid.
        NameException - If any certificates contained within are invalid.
Method Detail
public final void setDebugWriteDERs(boolean debugOn)
    Sets the option to write out the DERs being transported, for debugging and support purposes.
    Parameters:
        debugOn - true to write out the DERs being transported, false to disable this output.
public ProviderImplementation instantiate(CertJ certJ) throws ProviderManagementException
    Creates a TransportImplementation object that handles OCSP certificate status SPI methods. This method is called by CertJ.registerService when an object of the OCSP class is registered. Applications do not have to call this method.
    Overrides:
        instantiate in class Provider
    Parameters:
        certJ - The CertJ object with which this provider is being registered.
    Returns:
        A TransportImplementation object that provides the SPI implementations for OCSP certificate status providers.
    Throws:
        ProviderManagementException - If instantiation of the OCSP certificate status provider fails.