GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/src/java.base/share/classes/sun/security/provider/certpath/OCSPRequest.java
/*
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider.certpath;
import java.io.IOException;
import java.security.cert.Extension;
import java.util.Collections;
import java.util.List;
import sun.security.util.HexDumpEncoder;
import sun.security.util.*;
import sun.security.x509.PKIXExtensions;
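/**
 * Builds the DER encoding of an unsigned OCSP request for one or more
 * certificates. Signing of requests is not supported, so the optional
 * signature is never emitted. This class only produces the encoded bytes
 * (see {@link #encodeBytes()}); no code that sends them to a responder is
 * present here.
 *
 * <p>The OCSP Request is specified in RFC 2560 (since obsoleted by
 * RFC 6960) and the ASN.1 definition is as follows:
 * <pre>
 *
 * OCSPRequest     ::=     SEQUENCE {
 *      tbsRequest                  TBSRequest,
 *      optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
 *
 * TBSRequest      ::=     SEQUENCE {
 *      version             [0]     EXPLICIT Version DEFAULT v1,
 *      requestorName       [1]     EXPLICIT GeneralName OPTIONAL,
 *      requestList                 SEQUENCE OF Request,
 *      requestExtensions   [2]     EXPLICIT Extensions OPTIONAL }
 *
 * Signature       ::=     SEQUENCE {
 *      signatureAlgorithm      AlgorithmIdentifier,
 *      signature               BIT STRING,
 *      certs               [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
 * }
 *
 * Version         ::=             INTEGER  {  v1(0) }
 *
 * Request         ::=     SEQUENCE {
 *      reqCert                     CertID,
 *      singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }
 *
 * CertID          ::= SEQUENCE {
 *      hashAlgorithm  AlgorithmIdentifier,
 *      issuerNameHash OCTET STRING, -- Hash of Issuer's DN
 *      issuerKeyHash  OCTET STRING, -- Hash of Issuers public key
 *      serialNumber   CertificateSerialNumber
 * }
 *
 * </pre>
 *
 * <p>Of the optional TBSRequest fields, only {@code requestExtensions} is
 * ever written; {@code version}, {@code requestorName} and
 * {@code singleRequestExtensions} are omitted.
 *
 * <p>The {@code nonce} field is written by {@link #encodeBytes()} without
 * any synchronization visible in this class, so an instance should not be
 * shared between threads without external coordination.
 *
 * @author      Ram Marti
 */

class OCSPRequest {

    private static final Debug debug = Debug.getInstance("certpath");
    // Hex-dump encoded requests only when the certpath debug facility is
    // available and its "ocsp" option is on.
    private static final boolean dump = debug != null && Debug.isOn("ocsp");

    // List of request CertIds (the caller's list is stored, not copied)
    private final List<CertId> certIds;
    // Request-level extensions (the caller's list is stored, not copied)
    private final List<Extension> extensions;
    // Value of the OCSP nonce extension seen during the most recent
    // encodeBytes() call; stays null until then or if none was supplied.
    private byte[] nonce;

    /**
     * Constructs an unsigned OCSP request for a single user certificate.
     *
     * @param certId identifier of the certificate whose status is requested
     */
    OCSPRequest(CertId certId) {
        this(Collections.singletonList(certId));
    }

    /**
     * Constructs an unsigned OCSP request for several certificates and no
     * request extensions.
     *
     * @param certIds identifiers of the certificates to query; must not be
     *        {@code null} (a {@code null} list fails in
     *        {@link #encodeBytes()})
     */
    OCSPRequest(List<CertId> certIds) {
        this(certIds, Collections.<Extension>emptyList());
    }

    /**
     * Constructs an unsigned OCSP request for several certificates with
     * request-level extensions.
     *
     * @param certIds identifiers of the certificates to query
     * @param extensions extensions to place in {@code requestExtensions};
     *        an empty list means the field is omitted. Must not be
     *        {@code null} (a {@code null} list fails in
     *        {@link #encodeBytes()}).
     */
    OCSPRequest(List<CertId> certIds, List<Extension> extensions) {
        this.certIds = certIds;
        this.extensions = extensions;
    }

    /**
     * Encodes this request as DER and, as a side effect, records the value
     * of the OCSP nonce extension (if one is among the extensions) for
     * later retrieval through {@link #getNonce()}.
     *
     * @return the DER encoding of the unsigned OCSPRequest
     * @throws IOException if a CertId, an extension or one of the DER
     *         streams reports an encoding error
     */
    byte[] encodeBytes() throws IOException {

        // encode tbsRequest
        DerOutputStream tmp = new DerOutputStream();
        DerOutputStream requestsOut = new DerOutputStream();
        for (CertId certId : certIds) {
            // Each Request is a SEQUENCE holding only the CertID.
            DerOutputStream certIdOut = new DerOutputStream();
            certId.encode(certIdOut);
            requestsOut.write(DerValue.tag_Sequence, certIdOut);
        }

        tmp.write(DerValue.tag_Sequence, requestsOut);
        if (!extensions.isEmpty()) {
            DerOutputStream extOut = new DerOutputStream();
            for (Extension ext : extensions) {
                ext.encode(extOut);
                // Remember the nonce that goes out with this request. If
                // the list holds more than one nonce extension, the last
                // one wins.
                if (ext.getId().equals(
                        PKIXExtensions.OCSPNonce_Id.toString())) {
                    nonce = ext.getValue();
                }
            }
            DerOutputStream extsOut = new DerOutputStream();
            extsOut.write(DerValue.tag_Sequence, extOut);
            // requestExtensions [2] EXPLICIT: context-specific,
            // constructed tag number 2 around the Extensions SEQUENCE.
            tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                                         true, (byte)2), extsOut);
        }

        DerOutputStream tbsRequest = new DerOutputStream();
        tbsRequest.write(DerValue.tag_Sequence, tmp);

        // OCSPRequest without the signature
        DerOutputStream ocspRequest = new DerOutputStream();
        ocspRequest.write(DerValue.tag_Sequence, tbsRequest);

        byte[] bytes = ocspRequest.toByteArray();

        if (dump) {
            // The dump is the complete request, so debug output shows which
            // certificates are being checked and any nonce that was sent.
            HexDumpEncoder hexEnc = new HexDumpEncoder();
            debug.println("OCSPRequest bytes...\n\n" +
                hexEnc.encode(bytes) + "\n");
        }

        return bytes;
    }

    /**
     * Returns the certificate identifiers this request covers.
     *
     * @return the list supplied at construction (not a copy)
     */
    List<CertId> getCertIds() {
        return certIds;
    }

    /**
     * Returns the nonce recorded by the most recent {@link #encodeBytes()}
     * call.
     *
     * <p>A copy is returned so that a caller cannot alter the value kept by
     * this request, which is presumably what gets compared with the nonce
     * in the responder's reply.
     *
     * @return a copy of the nonce extension value, or {@code null} if
     *         {@code encodeBytes()} has not been called or no nonce
     *         extension was supplied
     */
    byte[] getNonce() {
        return (nonce == null) ? null : nonce.clone();
    }
}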