package ee.sk.digidoc.factory;
import ee.sk.digidoc.Base64Util;
import ee.sk.digidoc.CertID;
import ee.sk.digidoc.DigiDocException;
import ee.sk.digidoc.Notary;
import ee.sk.digidoc.Signature;
import ee.sk.digidoc.SignedDoc;
import ee.sk.digidoc.factory.DigiDocFactory;
import ee.sk.digidoc.factory.NotaryFactory;
import ee.sk.digidoc.factory.TrustServiceFactory;
import ee.sk.utils.ConfigManager;
import ee.sk.utils.ConvertUtils;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.OCSPReq;
import org.bouncycastle.ocsp.OCSPReqGenerator;
import org.bouncycastle.ocsp.OCSPResp;
import org.bouncycastle.ocsp.RevokedStatus;
import org.bouncycastle.ocsp.SingleResp;
import org.bouncycastle.ocsp.UnknownStatus;
public class BouncyCastleNotaryFactory implements NotaryFactory {
/** OID of the OCSP nonce extension (id-pkix-ocsp-nonce) that binds a response to the request it answers. */
public static final String nonceOid = "1.3.6.1.5.5.7.48.1.2";
/** Certificate for signing outgoing OCSP requests — presumably paired with m_bSignRequests; not read in the visible part of this file. */
private X509Certificate m_signCert = null;
/** Private key matching m_signCert; not read in the visible part of this file. */
private PrivateKey m_signKey = null;
/** Whether outgoing OCSP requests are signed (forwarded to createOCSPRequest); never set to true in the visible code. */
private boolean m_bSignRequests = false;
/** log4j logger, bound to this class in the constructor. */
private Logger m_logger = null;
/** ASN.1 universal tag number of OCTET STRING; not referenced in the visible part of this file. */
private static final int V_ASN1_OCTET_STRING = 4;
/** Creates a factory whose logger is bound to this class (not to a subclass). */
public BouncyCastleNotaryFactory() {
    m_logger = Logger.getLogger(BouncyCastleNotaryFactory.class);
}
/**
 * Looks up the OCSP responder certificate with the given common name in the
 * trust-service list (local or remote per DIGIDOC_USE_LOCAL_TSL).
 * {@code specificCertNr} is accepted for interface compatibility but is not used
 * by this overload; see getNotaryCerts for the serial-number aware variant.
 *
 * @return the responder certificate, or null when the lookup fails or throws
 *         (the error is logged, never propagated)
 */
public X509Certificate getNotaryCert(String responderCN, String specificCertNr) {
    X509Certificate found = null;
    try {
        ConfigManager cfg = ConfigManager.instance();
        TrustServiceFactory tsl = cfg.getTslFactory();
        boolean useLocalTsl = cfg.getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
        found = tsl.findOcspByCN(responderCN, useLocalTsl);
    } catch (Exception e) {
        m_logger.error("Error searching responder cert for: " + responderCN + " - " + e);
    }
    return found;
}
/**
 * Returns every responder certificate in the trust-service list whose common
 * name is {@code responderCN}, optionally narrowed to serial {@code specificCertNr}.
 *
 * @return the matching certificates, or null when the lookup throws
 *         (the error is logged, never propagated)
 */
public X509Certificate[] getNotaryCerts(String responderCN, String specificCertNr) {
    X509Certificate[] found = null;
    try {
        ConfigManager cfg = ConfigManager.instance();
        TrustServiceFactory tsl = cfg.getTslFactory();
        boolean useLocalTsl = cfg.getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
        found = tsl.findOcspsByCNAndNr(responderCN, useLocalTsl, specificCertNr);
    } catch (Exception e) {
        m_logger.error("Error searching responder cert for: " + responderCN + " - " + e);
    }
    return found;
}
/**
 * Finds the CA certificate that issued the responder certificate named
 * {@code responderCN}: first the responder is resolved by CN, then its issuer
 * is looked up in the trust-service list with no validity date constraint.
 *
 * @return the CA certificate, or null if either lookup finds nothing or throws
 *         (the error is logged, never propagated)
 */
public X509Certificate getCACert(String responderCN) {
    X509Certificate issuer = null;
    try {
        ConfigManager cfg = ConfigManager.instance();
        TrustServiceFactory tsl = cfg.getTslFactory();
        boolean useLocalTsl = cfg.getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
        X509Certificate responder = tsl.findOcspByCN(responderCN, useLocalTsl);
        if(responder != null) {
            issuer = tsl.findCaForCert(responder, useLocalTsl, (Date)null);
        }
    } catch (Exception e) {
        m_logger.error("Error searching responder ca cert for: " + responderCN + " - " + e);
    }
    return issuer;
}
/**
 * Resolves the signer's CA and the responder certificate from the trust-service
 * list, then delegates to the six-argument overload. The responder is looked up
 * by the common name of the signer certificate's issuer.
 *
 * @deprecated the URL comes from DIGIDOC_OCSP_RESPONDER_URL; prefer the
 *             Signature-aware overloads
 */
public Notary getConfirmation(byte[] nonce, X509Certificate signersCert, String notId, String httpFrom) throws DigiDocException {
    ConfigManager cfg = ConfigManager.instance();
    boolean useLocalTsl = cfg.getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
    TrustServiceFactory tsl = cfg.getTslFactory();
    X509Certificate issuerCert = tsl.findCaForCert(signersCert, useLocalTsl, (Date)null);
    String issuerCn = ConvertUtils.getCommonName(ConvertUtils.convX509Name(signersCert.getIssuerX500Principal()));
    X509Certificate responderCert = tsl.findOcspByCN(issuerCn, useLocalTsl);
    return getConfirmation(nonce, signersCert, issuerCert, responderCert, notId, httpFrom);
}
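/**
 * Requests a fresh OCSP confirmation for {@code signersCert} from {@code ocspUrl}
 * and verifies the reply (status, responder signature, nonce, certificate status)
 * before wrapping it in a Notary.
 *
 * @param sig         signature being confirmed; may be null, in which case the
 *                    request is built in non-BDOC form and nonce parsing gets no
 *                    SignedDoc
 * @param nonce       nonce embedded in the request; the response must echo it
 * @param signersCert certificate whose status is queried
 * @param caCert      issuer of signersCert, used to build the CertID
 * @param notaryCert  expected responder certificate; when null it is resolved
 *                    from the response's responder ID via the trust store
 * @param notId       id of the resulting Notary element
 * @param ocspUrl     responder URL the request is posted to
 * @param httpFrom    forwarded to sendRequestToUrl (presumably an HTTP From header)
 * @param format      document format forwarded to sendRequestToUrl
 * @param formatVer   document version forwarded to sendRequestToUrl
 * @return the verified Notary, or null if handleException() does not throw
 * @throws DigiDocException on any request, transport or verification failure;
 *         non-DigiDoc exceptions are mapped to code 66
 */
public Notary getConfirmation(Signature sig, byte[] nonce, X509Certificate signersCert, X509Certificate caCert, X509Certificate notaryCert, String notId, String ocspUrl, String httpFrom, String format, String formatVer) throws DigiDocException {
    Notary not = null;
    OCSPReq req = null;
    OCSPResp resp = null;
    try {
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("getConfirmation, nonce " + Base64Util.encode(nonce, 0) + " cert: " + (signersCert != null ? signersCert.getSerialNumber().toString() : "NULL") + " CA: " + (caCert != null ? caCert.getSerialNumber().toString() : "NULL") + " responder: " + (notaryCert != null ? notaryCert.getSerialNumber().toString() : "NULL") + " notId: " + notId + " signRequest: " + m_bSignRequests + " url: " + ocspUrl);
            m_logger.debug("Check cert: " + (signersCert != null ? signersCert.getSubjectDN().getName() : "NULL"));
            m_logger.debug("Check CA cert: " + (caCert != null ? caCert.getSubjectDN().getName() : "NULL"));
        }
        boolean bdoc = sig != null && sig.getSignedDoc().getFormat().equals("BDOC");
        req = createOCSPRequest(nonce, signersCert, caCert, m_bSignRequests, bdoc);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
        }
        resp = sendRequestToUrl(req, ocspUrl, httpFrom, format, formatVer);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
        }
        verifyRespStatus(resp);
        not = parseAndVerifyResponse(sig, notId, signersCert, resp, nonce, notaryCert, caCert);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Confirmation OK!");
        }
    } catch (DigiDocException e) {
        m_logger.error("Error receiving OCSP confirmation: " + e + " nonce: " + (nonce != null ? ConvertUtils.bin2hex(nonce) + " len: " + nonce.length : "NULL"));
        // Dump whatever was exchanged. req/resp are still null when the failure
        // happened before they were produced, so guard them rather than letting a
        // NullPointerException from the diagnostics mask the real error.
        try {
            if(req != null) {
                byte[] reqBytes = req.getEncoded();
                m_logger.error("OCSP req: " + ConvertUtils.bin2hex(reqBytes) + " len: " + reqBytes.length);
            }
            if(resp != null) {
                byte[] respBytes = resp.getEncoded();
                // The original labelled this line "OCSP req:" too, making the two dumps indistinguishable.
                m_logger.error("OCSP resp: " + ConvertUtils.bin2hex(respBytes) + " len: " + respBytes.length);
            }
        } catch (Exception encEx) {
            m_logger.error("Error converting OCSP info: " + encEx);
        }
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
    }
    return not;
}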
/**
 * Confirms against the responder configured as DIGIDOC_OCSP_RESPONDER_URL with no
 * Signature context (so no document format/version is passed along).
 *
 * @deprecated prefer the Signature-aware overloads
 */
public Notary getConfirmation(byte[] nonce, X509Certificate signersCert, X509Certificate caCert, X509Certificate notaryCert, String notId, String httpFrom) throws DigiDocException {
    String responderUrl = ConfigManager.instance().getProperty("DIGIDOC_OCSP_RESPONDER_URL");
    return getConfirmation((Signature)null, nonce, signersCert, caCert, notaryCert, notId, responderUrl, httpFrom, (String)null, (String)null);
}
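/**
 * Obtains an OCSP confirmation for {@code sig} from the responder configured as
 * DIGIDOC_OCSP_RESPONDER_URL. The nonce is the digest of the signature value
 * (SHA-256 for BDOC, SHA-1 otherwise) and the Notary id is the signature id with
 * 'S' replaced by 'N'. If the unsigned properties carry no responder certificate,
 * the responder is resolved afterwards from the response's responder ID — always
 * from the local TSL in this overload — and recorded as a CertID of type 2.
 *
 * Fix relative to the original: the responder CertID is only created when a
 * responder certificate was actually found. The original built a CertID with a
 * null certificate, unlike the non-deprecated five-argument overload.
 *
 * @return the Notary, or null if handleException() does not throw
 * @throws DigiDocException on any failure (code 66 for non-DigiDoc exceptions)
 * @deprecated use the overload that takes the responder certificate and URL
 */
public Notary getConfirmation(Signature sig, X509Certificate signersCert, X509Certificate caCert) throws DigiDocException {
    Notary not = null;
    try {
        String notId = sig.getId().replace('S', 'N');
        String digestType = sig.getSignedDoc().getFormat().equals("BDOC") ? "SHA-256" : "SHA-1";
        byte[] nonce = SignedDoc.digestOfType(sig.getSignatureValue().getValue(), digestType);
        X509Certificate notaryCert = null;
        if(sig.getUnsignedProperties() != null) {
            notaryCert = sig.getUnsignedProperties().getRespondersCertificate();
        }
        String responderUrl = ConfigManager.instance().getProperty("DIGIDOC_OCSP_RESPONDER_URL");
        not = getConfirmation(sig, nonce, signersCert, caCert, notaryCert, notId, responderUrl, sig.getHttpFrom(), sig.getSignedDoc().getFormat(), sig.getSignedDoc().getVersion());
        if(notaryCert == null && not != null && sig.getUnsignedProperties() != null) {
            OCSPResp resp = new OCSPResp(not.getOcspResponseData());
            if(resp.getResponseObject() != null) {
                String respId = responderIDtoString((BasicOCSPResp)resp.getResponseObject());
                TrustServiceFactory tslFac = ConfigManager.instance().getTslFactory();
                notaryCert = tslFac.findOcspByCN(SignedDoc.getCommonName(respId), true);
                if(notaryCert != null) {
                    sig.getUnsignedProperties().setRespondersCertificate(notaryCert);
                    CertID cid = new CertID(sig, notaryCert, 2);
                    sig.addCertID(cid);
                    cid.setUri("#" + sig.getId() + "-RESPONDER_CERT");
                }
            }
        }
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
    }
    return not;
}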
/**
 * Obtains an OCSP confirmation for {@code sig} from {@code ocspUrl} and stores it
 * in the signature's unsigned properties. The nonce is the digest of the signature
 * value (SHA-256 for BDOC, SHA-1 otherwise); the Notary id is the signature id with
 * 'S' replaced by 'N'. A null {@code notaryCert} falls back to the responder
 * certificate already held in the unsigned properties; if that is also missing,
 * the responder is resolved after the fact from the response's responder ID via
 * the TSL and recorded as a CertID of type 2.
 *
 * @return the Notary, or null if handleException() does not throw
 * @throws DigiDocException on any failure (code 66 for non-DigiDoc exceptions)
 */
public Notary getConfirmation(Signature sig, X509Certificate signersCert, X509Certificate caCert, X509Certificate notaryCert, String ocspUrl) throws DigiDocException {
    Notary confirmation = null;
    try {
        String notaryId = sig.getId().replace('S', 'N');
        String digestType = sig.getSignedDoc().getFormat().equals("BDOC") ? "SHA-256" : "SHA-1";
        byte[] nonce = SignedDoc.digestOfType(sig.getSignatureValue().getValue(), digestType);
        if(notaryCert == null && sig.getUnsignedProperties() != null) {
            notaryCert = sig.getUnsignedProperties().getRespondersCertificate();
        }
        confirmation = getConfirmation(sig, nonce, signersCert, caCert, notaryCert, notaryId, ocspUrl, sig.getHttpFrom(), sig.getSignedDoc().getFormat(), sig.getSignedDoc().getVersion());
        if(confirmation != null && sig.getUnsignedProperties() != null) {
            sig.getUnsignedProperties().setNotary(confirmation);
        }
        boolean responderUnknown = notaryCert == null
            && sig.getUnsignedProperties() != null
            && sig.getUnsignedProperties().getNotary() != null;
        if(responderUnknown) {
            OCSPResp resp = new OCSPResp(sig.getUnsignedProperties().getNotary().getOcspResponseData());
            if(resp.getResponseObject() != null) {
                String respId = responderIDtoString((BasicOCSPResp)resp.getResponseObject());
                ConfigManager cfg = ConfigManager.instance();
                boolean useLocalTsl = cfg.getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
                TrustServiceFactory tsl = cfg.getTslFactory();
                notaryCert = tsl.findOcspByCN(ConvertUtils.getCommonName(respId), useLocalTsl);
                if(notaryCert != null) {
                    sig.getUnsignedProperties().setRespondersCertificate(notaryCert);
                    CertID cid = new CertID(sig, notaryCert, 2);
                    sig.addCertID(cid);
                    cid.setUri("#" + sig.getId() + "-RESPONDER_CERT");
                }
            }
        }
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
    }
    return confirmation;
}
/**
 * Confirms {@code sig} using the configured responder: derives the nonce from the
 * signature value (SHA-256 for BDOC, SHA-1 otherwise), resolves the signer's CA and
 * the responder certificate (looked up by the CN of the signer's issuer) from the
 * trust-service list, and delegates to the six-argument overload.
 *
 * @deprecated prefer the overload that takes the responder certificate and URL
 */
public Notary getConfirmation(Signature sig, X509Certificate signersCert) throws DigiDocException {
    String notaryId = sig.getId().replace('S', 'N');
    String digestType = sig.getSignedDoc().getFormat().equals("BDOC") ? "SHA-256" : "SHA-1";
    byte[] nonce = SignedDoc.digestOfType(sig.getSignatureValue().getValue(), digestType);
    ConfigManager cfg = ConfigManager.instance();
    boolean useLocalTsl = cfg.getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
    TrustServiceFactory tsl = cfg.getTslFactory();
    X509Certificate issuerCert = tsl.findCaForCert(signersCert, useLocalTsl, (Date)null);
    String issuerCn = ConvertUtils.getCommonName(ConvertUtils.convX509Name(signersCert.getIssuerX500Principal()));
    X509Certificate responderCert = tsl.findOcspByCN(issuerCn, useLocalTsl);
    return getConfirmation(nonce, signersCert, issuerCert, responderCert, notaryId, sig.getHttpFrom());
}
/**
 * Picks a local IP address to report to the responder: the first address of the
 * first network interface the JVM enumerates. Returns null when no interface or
 * address is found, or when enumeration throws (logged, not propagated).
 * NOTE(review): the value is handed to the HTTP layer as "httpFrom" — presumably
 * an HTTP From header — so the client's internal address leaves the host; confirm
 * that disclosure is intended.
 */
private String composeHttpFrom() {
    String from = null;
    try {
        NetworkInterface firstIface = null;
        Enumeration ifaces = NetworkInterface.getNetworkInterfaces();
        if(ifaces != null && ifaces.hasMoreElements()) {
            firstIface = (NetworkInterface)ifaces.nextElement();
        }
        if(firstIface != null) {
            InetAddress firstAddr = null;
            Enumeration addrs = firstIface.getInetAddresses();
            if(addrs != null && addrs.hasMoreElements()) {
                firstAddr = (InetAddress)addrs.nextElement();
            }
            if(firstAddr != null) {
                from = firstAddr.getHostAddress();
            }
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("FROM: " + from);
            }
        }
    } catch (Exception e) {
        m_logger.error("Error finding ip-adr: " + e);
    }
    return from;
}
/**
 * Checks {@code cert} via OCSP, reporting the local address found by
 * composeHttpFrom() as the request origin.
 *
 * @deprecated
 */
public OCSPResp checkCertificate(X509Certificate cert) throws DigiDocException {
    String from = composeHttpFrom();
    return checkCertificate(cert, from);
}
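/**
 * Queries the responder for the status of {@code cert} and verifies the reply.
 * Steps: find the issuing CA in the TSL, build a nonced request, post it to the
 * responder URL the TSL lists for the cert, then check the response status, the
 * nonce, the responder signature (responder cert resolved from the trust store by
 * the CN in the response's responder ID) and finally the certificate status.
 *
 * Fix relative to the original: the nonce is now derived from SecureRandom bytes.
 * The original hashed {@code new Date().toString()}, which is predictable to the
 * second, so an attacker who can pre-fetch responses for future timestamps could
 * later replay one past a revocation. Hashing random bytes keeps the nonce in the
 * same digest-length form the rest of the code expects.
 *
 * @param cert     certificate to check
 * @param httpFrom forwarded to sendRequestToUrl
 * @return the raw OCSP response, or null if handleException() does not throw
 * @throws DigiDocException 69 on nonce mismatch, 70 on missing responder cert or
 *         bad signature, 66 on transport/other errors, plus whatever
 *         checkCertStatus throws
 * @deprecated
 */
public OCSPResp checkCertificate(X509Certificate cert, String httpFrom) throws DigiDocException {
    OCSPResp resp = null;
    try {
        TrustServiceFactory tslFac = ConfigManager.instance().getTslFactory();
        boolean bUseLocal = ConfigManager.instance().getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
        X509Certificate caCert = tslFac.findCaForCert(cert, bUseLocal, (Date)null);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Find CA for: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(cert.getIssuerX500Principal())));
            m_logger.debug("Check cert: " + cert.getSubjectDN().getName());
            m_logger.debug("Check CA cert: " + (caCert != null ? caCert.getSubjectDN().getName() : "NULL"));
        }
        byte[] seed = new byte[32];
        new SecureRandom().nextBytes(seed);
        byte[] nonce1 = SignedDoc.digest(seed);
        OCSPReq req = createOCSPRequest(nonce1, cert, caCert, m_bSignRequests, false);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Sending ocsp request: " + req.getEncoded().length + " bytes");
            m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
        }
        String ocspUrl = tslFac.findOcspUrlForCert(cert, 0, bUseLocal);
        resp = sendRequestToUrl(req, ocspUrl, httpFrom, (String)null, (String)null);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Got ocsp response: " + resp.getEncoded().length + " bytes");
            m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
        }
        verifyRespStatus(resp);
        BasicOCSPResp basResp = (BasicOCSPResp)resp.getResponseObject();
        byte[] nonce2 = getNonce(basResp, (SignedDoc)null);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Nonce1: " + (nonce1 != null ? ConvertUtils.bin2hex(nonce1) + " len: " + nonce1.length : "NULL") + " nonce2: " + (nonce2 != null ? ConvertUtils.bin2hex(nonce2) + " len: " + nonce2.length : "NULL"));
        }
        if(!SignedDoc.compareDigests(nonce1, nonce2)) {
            throw new DigiDocException(69, "Invalid nonce value! Possible replay attack!", (Throwable)null);
        }
        try {
            String respId = responderIDtoString(basResp);
            // The responder cert comes from the trust store keyed by the CN the
            // response claims; the signature check below is what makes that binding.
            X509Certificate notaryCert = getNotaryCert(ConvertUtils.getCommonName(respId), (String)null);
            if(notaryCert == null) {
                throw new DigiDocException(70, "Responder cert not found for: " + respId, (Throwable)null);
            }
            if(!basResp.verify(notaryCert.getPublicKey(), "BC")) {
                throw new DigiDocException(70, "OCSP verification error!", (Throwable)null);
            }
        } catch (Exception e) {
            m_logger.error("OCSP Signature verification error!!!", e);
            DigiDocException.handleException(e, 70);
        }
        checkCertStatus(cert, basResp, caCert);
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
    }
    return resp;
}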
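/**
 * Sends a nonced, unsigned OCSP request for {@code cert} to {@code url} without
 * verifying the reply; the caller is expected to verify it later with
 * checkCertOcsp. Out-parameters: the nonce that was sent is written to
 * {@code bosNonce}, the DER request to {@code bosReq} (when non-null) and the
 * responder ID string of the reply is appended to {@code sbRespId}.
 *
 * Fix relative to the original: the nonce is derived from SecureRandom bytes
 * instead of a digest of {@code new Date().toString()}, which is predictable to
 * the second and therefore gives no real replay protection. Hashing the random
 * bytes keeps the nonce in the digest-length form the rest of the code expects.
 *
 * @return the raw response (null if handleException() does not throw)
 * @throws DigiDocException 66 on any failure
 * @deprecated
 */
public OCSPResp sendCertOcsp(X509Certificate cert, X509Certificate caCert, String url, ByteArrayOutputStream bosNonce, StringBuffer sbRespId, ByteArrayOutputStream bosReq, String httpFrom) throws DigiDocException {
    try {
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Find CA for: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(cert.getIssuerX500Principal())));
            m_logger.debug("Check cert: " + cert.getSubjectDN().getName());
            m_logger.debug("Check CA cert: " + (caCert != null ? caCert.getSubjectDN().getName() : "NULL"));
        }
        byte[] seed = new byte[32];
        new SecureRandom().nextBytes(seed);
        byte[] nonce1 = SignedDoc.digest(seed);
        bosNonce.write(nonce1);
        // Requests on this path are never signed (the original passed false).
        OCSPReq req = createOCSPRequest(nonce1, cert, caCert, false, false);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Sending ocsp request: " + req.getEncoded().length + " bytes");
            m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
        }
        if(req != null && bosReq != null) {
            bosReq.write(req.getEncoded());
        }
        OCSPResp resp = sendRequestToUrl(req, url, httpFrom, (String)null, (String)null);
        if(resp != null) {
            BasicOCSPResp basResp = (BasicOCSPResp)resp.getResponseObject();
            String respId = responderIDtoString(basResp);
            if(respId != null && sbRespId != null) {
                sbRespId.append(respId);
            }
        }
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Got ocsp response: " + (resp != null ? resp.getEncoded().length : 0) + " bytes");
            if(resp != null) {
                m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
            }
        }
        return resp;
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
        return null;
    }
}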
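/**
 * Verifies a response obtained earlier with sendCertOcsp: response status, nonce
 * match against {@code nonce1}, responder signature against {@code ocspCert},
 * then the status of {@code cert} via checkCertStatusWithCa.
 *
 * Fix relative to the original: a signature that fails to verify is now rejected
 * with DigiDocException 70, matching checkCertificate(). The original merely
 * returned false — after running the status check on the unverified response —
 * which a caller could easily ignore. The method therefore no longer returns
 * false on a bad signature.
 *
 * NOTE(review): {@code ocspCert} is trusted as given; nothing here confirms it is
 * a responder certificate from the trust store. Callers must ensure that.
 *
 * @return true when every check passed
 * @throws DigiDocException 69 on nonce mismatch, 70 on signature failure, 66 otherwise
 * @deprecated
 */
public boolean checkCertOcsp(OCSPResp resp, X509Certificate cert, X509Certificate ocspCert, byte[] nonce1, X509Certificate caCert) throws DigiDocException {
    try {
        verifyRespStatus(resp);
        BasicOCSPResp basResp = (BasicOCSPResp)resp.getResponseObject();
        byte[] nonce2 = getNonce(basResp, (SignedDoc)null);
        if(!SignedDoc.compareDigests(nonce1, nonce2)) {
            throw new DigiDocException(69, "Invalid nonce value! Possible replay attack!", (Throwable)null);
        }
        boolean signatureOk = false;
        try {
            // Result was discarded in the original as well; the call is kept in
            // case it throws on a malformed responder ID.
            responderIDtoString(basResp);
            signatureOk = basResp.verify(ocspCert.getPublicKey(), "BC");
        } catch (Exception e) {
            m_logger.error("OCSP Signature verification error!!!", e);
            DigiDocException.handleException(e, 70);
        }
        if(!signatureOk) {
            m_logger.error("OCSP Signature verification error!!!");
            throw new DigiDocException(70, "OCSP Signature verification error!!!", (Throwable)null);
        }
        checkCertStatusWithCa(cert, basResp, caCert);
        return signatureOk;
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
        return false;
    }
}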
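/**
 * Checks {@code cert} via OCSP using sendRequest() with no explicit URL (so
 * presumably the configured responder — confirm in sendRequest). Despite the
 * name, {@code bUseOcsp} is never read: the OCSP path always runs and there is
 * no CRL fallback anywhere in this file.
 *
 * Fixes relative to the original: the nonce is derived from SecureRandom bytes
 * instead of a digest of {@code new Date().toString()} (predictable to the
 * second, so replayable), and a missing responder certificate is reported
 * explicitly as code 70 instead of surfacing as a NullPointerException that the
 * catch block happened to map to 70.
 *
 * @throws DigiDocException 69 on nonce mismatch, 70 on missing responder cert or
 *         bad signature, 66 on transport/other errors, plus whatever
 *         checkCertStatus throws
 * @deprecated
 */
public void checkCertificateOcspOrCrl(X509Certificate cert, boolean bUseOcsp) throws DigiDocException {
    try {
        boolean bUseLocal = ConfigManager.instance().getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
        TrustServiceFactory tslFac = ConfigManager.instance().getTslFactory();
        X509Certificate caCert = tslFac.findCaForCert(cert, bUseLocal, (Date)null);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Find CA for: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(cert.getIssuerX500Principal())));
            m_logger.debug("Check cert: " + cert.getSubjectDN().getName());
            m_logger.debug("Check CA cert: " + (caCert != null ? caCert.getSubjectDN().getName() : "NULL"));
        }
        byte[] seed = new byte[32];
        new SecureRandom().nextBytes(seed);
        byte[] nonce1 = SignedDoc.digest(seed);
        OCSPReq req = createOCSPRequest(nonce1, cert, caCert, m_bSignRequests, false);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Sending ocsp request: " + req.getEncoded().length + " bytes");
            m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
        }
        OCSPResp resp = sendRequest(req, (String)null, (String)null, (String)null);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Got ocsp response: " + resp.getEncoded().length + " bytes");
            m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
        }
        verifyRespStatus(resp);
        BasicOCSPResp basResp = (BasicOCSPResp)resp.getResponseObject();
        byte[] nonce2 = getNonce(basResp, (SignedDoc)null);
        if(!SignedDoc.compareDigests(nonce1, nonce2)) {
            throw new DigiDocException(69, "Invalid nonce value! Possible replay attack!", (Throwable)null);
        }
        try {
            String respId = responderIDtoString(basResp);
            X509Certificate notaryCert = getNotaryCert(SignedDoc.getCommonName(respId), (String)null);
            if(notaryCert == null) {
                throw new DigiDocException(70, "Responder cert not found for: " + respId, (Throwable)null);
            }
            if(!basResp.verify(notaryCert.getPublicKey(), "BC")) {
                m_logger.error("OCSP Signature verification error!!!");
                throw new DigiDocException(70, "OCSP Signature verification error!!!", (Throwable)null);
            }
        } catch (Exception e) {
            m_logger.error("OCSP Signature verification error!!!", e);
            DigiDocException.handleException(e, 70);
        }
        checkCertStatus(cert, basResp, caCert);
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 66);
    }
}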
/**
 * Convenience overload: derives the Notary id from the signature id ('S' → 'N'),
 * takes the signer certificate from the signature's KeyInfo, and lets the full
 * overload resolve both the responder and the CA certificate itself.
 */
private Notary parseAndVerifyResponse(Signature sig, OCSPResp resp, byte[] nonce1) throws DigiDocException {
    String notaryId = sig.getId().replace('S', 'N');
    X509Certificate signer = sig.getKeyInfo().getSignersCertificate();
    return parseAndVerifyResponse(sig, notaryId, signer, resp, nonce1, (X509Certificate)null, (X509Certificate)null);
}
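/**
 * Verifies an OCSP response and wraps it in a Notary.
 * Checks, in order: response status (0 required; 6 → code 163 "unauthorized",
 * anything else → 69), responder signature against {@code notaryCert} (resolved
 * from the trust store by the CN in the response's responder ID when null; 70 if
 * missing or the signature fails), nonce equality with {@code nonce1} (71), and
 * the status of {@code signersCert} via checkCertStatus.
 *
 * Fixes relative to the original:
 * - a null {@code resp} is rejected with code 69; the original fell through to
 *   {@code resp.getStatus()} and threw NullPointerException;
 * - a nonce mismatch is rejected regardless of {@code sig}; the original only
 *   threw when {@code sig != null}, so callers passing no Signature (the
 *   deprecated six-argument getConfirmation) had no replay protection at all;
 * - nonces are compared with MessageDigest.isEqual.
 *
 * NOTE(review): a caller-supplied {@code notaryCert} is used as-is; only the null
 * case goes through the trust store. Callers must pass a trusted responder
 * certificate, never one taken from an unverified document.
 *
 * @param sig signature context, may be null; its SignedDoc is handed to getNonce
 * @return the Notary built from the encoded response, responder ID and producedAt
 * @throws DigiDocException as listed above, or 72 for unexpected errors
 */
private Notary parseAndVerifyResponse(Signature sig, String notId, X509Certificate signersCert, OCSPResp resp, byte[] nonce1, X509Certificate notaryCert, X509Certificate caCert) throws DigiDocException {
    if(resp == null) {
        throw new DigiDocException(69, "OCSP response unsuccessfull!", (Throwable)null);
    }
    if(resp.getStatus() == 6) {
        throw new DigiDocException(163, "OCSP response unauthorized! ", (Throwable)null);
    }
    if(resp.getStatus() != 0) {
        throw new DigiDocException(69, "OCSP response unsuccessfull!", (Throwable)null);
    }
    Notary not = null;
    try {
        BasicOCSPResp basResp = (BasicOCSPResp)resp.getResponseObject();
        String respId = responderIDtoString(basResp);
        if(notaryCert == null) {
            String responderCn = ConvertUtils.getCommonName(respId);
            notaryCert = getNotaryCert(responderCn, (String)null);
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("Find notary cert: " + responderCn + " found: " + (notaryCert != null ? "OK" : "NULL"));
            }
        }
        if(notaryCert == null) {
            throw new DigiDocException(70, "Notary cert not found for: " + respId, (Throwable)null);
        }
        boolean signatureOk = false;
        try {
            signatureOk = basResp.verify(notaryCert.getPublicKey(), "BC");
        } catch (Exception e) {
            m_logger.error("OCSP Signature verification error!!!", e);
            DigiDocException.handleException(e, 70);
        }
        if(!signatureOk) {
            m_logger.error("OCSP Signature verification error!!!");
            throw new DigiDocException(70, "OCSP Signature verification error!!!", (Throwable)null);
        }
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Using responder cert: " + notaryCert.getSerialNumber().toString());
        }
        byte[] nonce2 = getNonce(basResp, sig != null ? sig.getSignedDoc() : null);
        // A missing nonce on either side is a mismatch; isEqual is constant-time.
        boolean nonceOk = nonce1 != null && nonce2 != null && MessageDigest.isEqual(nonce1, nonce2);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("NONCE ddoc: " + (sig != null ? sig.getSignedDoc().getFormat() : "NULL") + " ok: " + nonceOk);
        }
        if(!nonceOk) {
            m_logger.error("DDOC ver: " + (sig != null ? sig.getSignedDoc().getVersion() : "NULL") + " SIG: " + (sig != null ? sig.getId() : "NULL") + " Real nonce: " + (nonce2 != null ? Base64Util.encode(nonce2, 0) : "NULL") + " SigVal hash: " + (nonce1 != null ? Base64Util.encode(nonce1, 0) : "NULL") + " SigVal hash hex: " + (nonce1 != null ? ConvertUtils.bin2hex(nonce1) : "NULL"));
            throw new DigiDocException(71, "OCSP response\'s nonce doesn\'t match the requests nonce!", (Throwable)null);
        }
        checkCertStatus(signersCert, basResp, caCert);
        not = new Notary(notId, resp.getEncoded(), respId, basResp.getResponseData().getProducedAt());
        not.setCertNr(notaryCert.getSerialNumber().toString());
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        DigiDocException.handleException(e, 72);
    }
    return not;
}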
/** Checks the status of the signature's signer certificate, letting the full overload resolve its CA from the TSL. */
private void checkCertStatus(Signature sig, BasicOCSPResp basResp) throws DigiDocException {
    X509Certificate signer = sig.getKeyInfo().getSignersCertificate();
    checkCertStatus(signer, basResp, (X509Certificate)null);
}
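/**
 * Locates the SingleResp for {@code cert} in {@code basResp} and maps its status:
 * RevokedStatus → DigiDocException 91, UnknownStatus → 92, no matching CertID →
 * 88, a null status (BC's "good") → normal return. The CertID is matched on hash
 * algorithm, serial, issuer key hash and issuer name hash; all four must agree.
 * When {@code caCert} is null the issuer is resolved from the TSL.
 *
 * NOTE(review): no thisUpdate/nextUpdate freshness check is done here; the nonce
 * comparison performed by callers is the only replay protection in this file.
 *
 * Changes relative to the original: the TSL is consulted only when a CA cert is
 * actually needed, the stack trace goes to the logger instead of stderr, and the
 * wrapped exception keeps its cause.
 *
 * @throws DigiDocException 92 if cert or its CA is missing, 91/92 per status,
 *         88 if the cert is absent from the response or on any other failure
 */
private void checkCertStatus(X509Certificate cert, BasicOCSPResp basResp, X509Certificate caCert) throws DigiDocException {
    try {
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Checking response status, CERT: " + (cert != null ? cert.getSubjectDN().getName() : "NULL") + " SEARCH: " + (cert != null ? SignedDoc.getCommonName(ConvertUtils.convX509Name(cert.getIssuerX500Principal())) : "NULL"));
        }
        if(cert == null) {
            throw new DigiDocException(92, "No certificate to check! Error reading certificate from file?", (Throwable)null);
        }
        if(caCert == null) {
            TrustServiceFactory tslFac = ConfigManager.instance().getTslFactory();
            boolean bUseLocal = ConfigManager.instance().getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false);
            caCert = tslFac.findCaForCert(cert, bUseLocal, (Date)null);
        }
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("CA cert: " + (caCert != null ? caCert.getSubjectDN().getName() : "NULL"));
            m_logger.debug("RESP: " + basResp);
            m_logger.debug("CERT: " + cert.getSubjectDN().getName() + " ISSUER: " + ConvertUtils.convX509Name(cert.getIssuerX500Principal()) + " nr: " + (caCert != null ? ConvertUtils.bin2hex(caCert.getSerialNumber().toByteArray()) : "NULL"));
        }
        if(caCert == null) {
            throw new DigiDocException(92, "Unknown CA cert: " + cert.getIssuerDN().getName(), (Throwable)null);
        }
        SingleResp[] responses = basResp.getResponseData().getResponses();
        CertificateID wanted = creatCertReq(cert, caCert);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Search alg: " + wanted.getHashAlgOID() + " cert ser: " + cert.getSerialNumber().toString() + " serial: " + wanted.getSerialNumber() + " issuer: " + Base64Util.encode(wanted.getIssuerKeyHash()) + " subject: " + Base64Util.encode(wanted.getIssuerNameHash()));
        }
        SingleResp match = null;
        for(int i = 0; i < responses.length && match == null; ++i) {
            CertificateID id = responses[i].getCertID();
            if(id == null) {
                continue;
            }
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("Got alg: " + id.getHashAlgOID() + " serial: " + id.getSerialNumber() + " issuer: " + Base64Util.encode(id.getIssuerKeyHash()) + " subject: " + Base64Util.encode(id.getIssuerNameHash()));
            }
            boolean sameId = wanted.getHashAlgOID().equals(id.getHashAlgOID())
                && wanted.getSerialNumber().equals(id.getSerialNumber())
                && SignedDoc.compareDigests(wanted.getIssuerKeyHash(), id.getIssuerKeyHash())
                && SignedDoc.compareDigests(wanted.getIssuerNameHash(), id.getIssuerNameHash());
            if(sameId) {
                if(m_logger.isDebugEnabled()) {
                    m_logger.debug("Found it!");
                }
                match = responses[i];
            }
        }
        if(match == null) {
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("Error checkCertStatus - not found ");
            }
            throw new DigiDocException(88, "Bad OCSP response status!", (Throwable)null);
        }
        // BouncyCastle reports "good" as a null status object.
        Object status = match.getCertStatus();
        if(status != null) {
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("CertStatus: " + status.getClass().getName());
            }
            if(status instanceof RevokedStatus) {
                m_logger.error("Certificate has been revoked!");
                throw new DigiDocException(91, "Certificate has been revoked!", (Throwable)null);
            }
            if(status instanceof UnknownStatus) {
                m_logger.error("Certificate status is unknown!");
                throw new DigiDocException(92, "Certificate status is unknown!", (Throwable)null);
            }
        }
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        m_logger.error("Error checkCertStatus: " + e, e);
        throw new DigiDocException(88, "Error checking OCSP response status!", e);
    }
}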
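/**
 * Variant of checkCertStatus that uses the supplied {@code caCert} as-is (no TSL
 * lookup) and reports every failure — revoked, unknown, not found, or error —
 * as DigiDocException 88. The CertID is matched on hash algorithm, serial, issuer
 * key hash and issuer name hash; a null status object (BC's "good") passes.
 *
 * NOTE(review): as in checkCertStatus, there is no thisUpdate/nextUpdate
 * freshness check here.
 *
 * Changes relative to the original: the unused DigiDocFactory lookup is gone,
 * the stack trace goes to the logger instead of stderr, and the wrapped
 * exception keeps its cause.
 *
 * @throws DigiDocException 88 on any failure
 */
private void checkCertStatusWithCa(X509Certificate cert, BasicOCSPResp basResp, X509Certificate caCert) throws DigiDocException {
    try {
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Checking response status, CERT: " + cert.getSubjectDN().getName() + " SEARCH: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(cert.getIssuerX500Principal())));
            m_logger.debug("CA cert: " + (caCert == null ? "NULL" : "OK"));
            m_logger.debug("RESP: " + basResp);
            m_logger.debug("CERT: " + cert.getSubjectDN().getName() + " ISSUER: " + ConvertUtils.convX509Name(cert.getIssuerX500Principal()));
            if(caCert != null) {
                m_logger.debug("CA CERT: " + caCert.getSubjectDN().getName());
            }
        }
        SingleResp[] responses = basResp.getResponseData().getResponses();
        CertificateID wanted = creatCertReq(cert, caCert);
        if(m_logger.isDebugEnabled()) {
            m_logger.debug("Search alg: " + wanted.getHashAlgOID() + " serial: " + wanted.getSerialNumber() + " issuer: " + Base64Util.encode(wanted.getIssuerKeyHash()) + " subject: " + Base64Util.encode(wanted.getIssuerNameHash()));
        }
        SingleResp match = null;
        for(int i = 0; i < responses.length && match == null; ++i) {
            CertificateID id = responses[i].getCertID();
            if(id == null) {
                continue;
            }
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("Got alg: " + id.getHashAlgOID() + " serial: " + id.getSerialNumber() + " issuer: " + Base64Util.encode(id.getIssuerKeyHash()) + " subject: " + Base64Util.encode(id.getIssuerNameHash()));
            }
            boolean sameId = wanted.getHashAlgOID().equals(id.getHashAlgOID())
                && wanted.getSerialNumber().equals(id.getSerialNumber())
                && SignedDoc.compareDigests(wanted.getIssuerKeyHash(), id.getIssuerKeyHash())
                && SignedDoc.compareDigests(wanted.getIssuerNameHash(), id.getIssuerNameHash());
            if(sameId) {
                if(m_logger.isDebugEnabled()) {
                    m_logger.debug("Found it!");
                }
                match = responses[i];
            }
        }
        if(match == null) {
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("Error checkCertStatus - not found ");
            }
            throw new DigiDocException(88, "Bad OCSP response status!", (Throwable)null);
        }
        // BouncyCastle reports "good" as a null status object.
        Object status = match.getCertStatus();
        if(status != null) {
            if(m_logger.isDebugEnabled()) {
                m_logger.debug("CertStatus: " + status.getClass().getName());
            }
            if(status instanceof RevokedStatus) {
                m_logger.error("Certificate has been revoked!");
                throw new DigiDocException(88, "Certificate has been revoked!", (Throwable)null);
            }
            if(status instanceof UnknownStatus) {
                m_logger.error("Certificate status is unknown!");
                throw new DigiDocException(88, "Certificate status is unknown!", (Throwable)null);
            }
        }
    } catch (DigiDocException e) {
        throw e;
    } catch (Exception e) {
        m_logger.error("Error checkCertStatus: " + e, e);
        throw new DigiDocException(88, "Error checking OCSP response status!", e);
    }
}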
/**
 * Verifies the OCSP response stored in {@code not} against the signature {@code sig} and
 * fills in the notary's producedAt and responder id.
 * <p>
 * Steps, in order:
 * <ol>
 *   <li>Parse the response bytes as {@code OCSPResp} / {@code BasicOCSPResp}.</li>
 *   <li>Require the signature's unsigned properties to carry a responder certificate
 *       (code 53) — only when the unsigned properties themselves are present.</li>
 *   <li>Derive a responder name from the response's own responder id (its CN, or the
 *       byKey hash), look up candidate certificates in the local store via
 *       {@link #getNotaryCerts}, and accept the response as soon as its signature verifies
 *       against one of them (code 117 when there is no candidate, code 70 when none verifies).
 *       The responder certificate carried in the signature is only logged here; the trust
 *       decision rests entirely on the local store.</li>
 *   <li>For SK-XML, DIGIDOC-XML, and BDOC with the nonce policy, compare the response nonce
 *       ({@link #getNonce}) with the digest of the signature value (SHA-256 for BDOC, SHA-1
 *       otherwise); a mismatch or missing nonce is code 71. Other BDOC signatures skip this.</li>
 *   <li>Run {@code checkCertStatus} and copy producedAt / responder id into {@code not}.</li>
 * </ol>
 * Exceptions other than {@link DigiDocException} are routed through
 * {@link DigiDocException#handleException} with code 70 (inner verification block) or 72
 * (outer block); a {@link DigiDocException} is rethrown unchanged.
 *
 * @param sig the signature whose OCSP confirmation is checked; NOTE(review): {@code null} is
 *            tolerated by some guards but dereferenced by others (see inline notes)
 * @param not the notary holding the raw OCSP response data; updated in place
 * @return {@code not}, with producedAt and responderId set
 * @throws DigiDocException with the codes listed above
 */
public Notary parseAndVerifyResponse(Signature sig, Notary not) throws DigiDocException {
    try {
        OCSPResp ex = new OCSPResp(not.getOcspResponseData());
        BasicOCSPResp basResp = (BasicOCSPResp)ex.getResponseObject();
        X509Certificate[] lNotCerts = null;
        // The responder cert is required only when unsigned properties exist; a signature
        // without unsigned properties passes this guard and fails later (see below).
        if(sig != null && sig.getUnsignedProperties() != null && sig.getUnsignedProperties().getRespondersCertificate() == null) {
            throw new DigiDocException(53, "OCSP responders certificate is required!", (Throwable)null);
        }
        int i;
        try {
            String ok = this.responderIDtoString(basResp);
            if(this.m_logger.isDebugEnabled()) {
                // NOTE(review): sig is null-guarded on this line only; the two lines after it
                // dereference sig (and its unsigned properties) unconditionally, so a null sig
                // or null unsigned properties ends in the catch below when debug is enabled.
                this.m_logger.debug("SIG: " + (sig == null?"NULL":sig.getId()));
                this.m_logger.debug("UP: " + (sig.getUnsignedProperties() == null?"NULL":"OK: " + sig.getUnsignedProperties().getNotary().getId()));
                this.m_logger.debug("RESP-CERT: " + (sig.getUnsignedProperties().getRespondersCertificate() == null?"NULL":"OK"));
                this.m_logger.debug("RESP-ID: " + ok);
                CertID nonce1 = sig.getCertID(2);
                if(nonce1 != null) {
                    this.m_logger.debug("CID: " + nonce1.getType() + " id: " + nonce1.getId() + ", " + nonce1.getSerial() + " issuer: " + nonce1.getIssuer());
                }
                this.m_logger.debug("RESP: " + Base64Util.encode(ex.getEncoded()));
            }
            if(lNotCerts == null && sig != null) {
                // Serial of the responder cert embedded in the signature: logged only, never
                // used for matching. NOTE(review): NPE here if unsigned properties are null.
                String var14 = sig.getUnsignedProperties().getRespondersCertificate().getSerialNumber().toString();
                // Reduce the responder id ("byName: <X509 name>" or "byKey: <hex>") to the
                // lookup key: the CN when present, else the hex hash, truncated at the first ','.
                String nonce2 = ok;
                if(ok.indexOf("CN") != -1) {
                    nonce2 = ConvertUtils.getCommonName(ok);
                }
                if(nonce2.startsWith("byKey: ")) {
                    nonce2 = nonce2.substring("byKey: ".length());
                }
                i = nonce2.indexOf(44); // 44 == ','
                if(i > 0) {
                    nonce2 = nonce2.substring(0, i);
                }
                if(this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Search not cert by: " + nonce2 + " nr: " + var14);
                }
                // The lookup key comes from the (as yet unverified) response; that is safe only
                // because the candidates are taken from the local store, not from the response.
                lNotCerts = this.getNotaryCerts(nonce2, (String)null);
            }
            if(lNotCerts == null || lNotCerts.length == 0) {
                throw new DigiDocException(117, "No certificate for responder: \'" + ok + "\' found in local certificate store!", (Throwable)null);
            }
            boolean var15 = false;
            // Try each candidate until one verifies the response signature.
            for(int var18 = 0; lNotCerts != null && var18 < lNotCerts.length && !var15; ++var18) {
                Object var17 = lNotCerts[var18];
                if(this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Verify using responders cert: " + (var17 != null?ConvertUtils.getCommonName(((X509Certificate)var17).getSubjectDN().getName()) + " nr: " + ((X509Certificate)var17).getSerialNumber().toString():"NULL"));
                }
                var15 = basResp.verify(((X509Certificate)var17).getPublicKey(), "BC");
                if(this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("OCSP resp: " + (basResp != null?this.responderIDtoString(basResp):"NULL") + " verify using: " + (var17 != null?ConvertUtils.getCommonName(((X509Certificate)var17).getSubjectDN().getName()):"NULL") + " verify: " + var15);
                }
            }
            if(!var15) {
                throw new DigiDocException(70, "OCSP verification error!", (Throwable)null);
            }
        } catch (Exception var10) {
            // Also catches the DigiDocExceptions thrown above (codes 117/70); what
            // handleException does with an existing DigiDocException is not visible here.
            this.m_logger.error("Signature verification error: " + var10);
            var10.printStackTrace();
            DigiDocException.handleException(var10, 70);
        }
        if(this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Verif sig: " + sig.getId() + " format: " + sig.getSignedDoc().getFormat() + " nonce policy: " + sig.hasBdoc2NoncePolicy());
        }
        boolean var13 = true;
        // '&&' binds tighter than '||': the nonce is checked for SK-XML, DIGIDOC-XML, or
        // BDOC only when the signature carries the BDOC2 nonce policy.
        if(sig.getSignedDoc().getFormat().equals("SK-XML") || sig.getSignedDoc().getFormat().equals("DIGIDOC-XML") || sig.getSignedDoc().getFormat().equals("BDOC") && sig.hasBdoc2NoncePolicy()) {
            // Expected nonce = digest of the signature value; BDOC uses SHA-256, the rest SHA-1.
            byte[] var16 = SignedDoc.digestOfType(sig.getSignatureValue().getValue(), sig.getSignedDoc().getFormat().equals("BDOC")?"SHA-256":"SHA-1");
            byte[] var19 = this.getNonce(basResp, sig.getSignedDoc());
            // Missing nonce on either side, or a length difference, is a mismatch.
            if(var16 == null || var19 == null || var16.length != var19.length) {
                var13 = false;
            }
            // Byte-wise compare; the loop walks the whole array rather than breaking early.
            for(i = 0; var16 != null && var19 != null && i < var16.length; ++i) {
                if(var16[i] != var19[i]) {
                    var13 = false;
                }
            }
            // sig.getSignedDoc() was already dereferenced above, so the null test here is moot.
            if(!var13 && sig.getSignedDoc() != null) {
                if(this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("SigVal\n---\n" + Base64Util.encode(sig.getSignatureValue().getValue()) + "\n---\nOCSP\n---\n" + Base64Util.encode(not.getOcspResponseData()) + "\n---\n");
                    this.m_logger.debug("DDOC ver: " + sig.getSignedDoc().getVersion() + " SIG: " + sig.getId() + " NOT: " + not.getId() + " Real nonce: " + (var19 != null?Base64Util.encode(var19, 0):"NULL") + " noncelen: " + (var19 != null?var19.length:0) + " SigVal hash: " + Base64Util.encode(var16, 0) + " SigVal hash hex: " + ConvertUtils.bin2hex(var16) + " svlen: " + (var16 != null?var16.length:0));
                    this.m_logger.debug("SIG:\n---\n" + sig.toString() + "\n--\n");
                }
                throw new DigiDocException(71, "OCSP response\'s nonce doesn\'t match the requests nonce!", (Throwable)null);
            }
        }
        if(this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Verify not: " + not.getId());
        }
        // Certificate status (good / revoked / unknown) is checked only after the response
        // signature and nonce have been accepted.
        this.checkCertStatus(sig, basResp);
        not.setProducedAt(basResp.getResponseData().getProducedAt());
        not.setResponderId(this.responderIDtoString(basResp));
    } catch (DigiDocException var11) {
        throw var11;
    } catch (Exception var12) {
        DigiDocException.handleException(var12, 72);
    }
    return not;
}
/**
 * Renders the responder id of an OCSP response as a readable string.
 * <p>
 * The code treats the responder id as a tagged object wrapping either an OCTET STRING
 * (rendered as {@code "byKey: "} followed by the hex of the octets) or a name SEQUENCE
 * (rendered as {@code "byName: "} followed by the X.509 name).
 *
 * @param basResp basic OCSP response; may be {@code null}
 * @return the formatted responder id, or {@code null} when {@code basResp} is {@code null}
 */
private String responderIDtoString(BasicOCSPResp basResp) {
    if (basResp == null) {
        return null;
    }
    ResponderID responderId = basResp.getResponseData().getResponderId().toASN1Object();
    ASN1Primitive inner = ((DERTaggedObject) responderId.toASN1Object()).getObject();
    if (inner instanceof DEROctetString) {
        byte[] keyHash = ((DEROctetString) inner).getOctets();
        return "byKey: " + SignedDoc.bin2hex(keyHash);
    }
    X509Name byName = new X509Name((ASN1Sequence) inner);
    return "byName: " + byName.toString();
}
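/**
 * Extracts the OCSP nonce (extension 1.3.6.1.5.5.7.48.1.2) from a response and strips the
 * format-specific prefix so that it can be compared with a signature-value digest.
 * <p>
 * Which rules apply depends on the container format:
 * <ul>
 *   <li>{@code BDOC}: nonce checking is always on; the nonce must carry a digest prefix
 *       recognised by {@link ConvertUtils#findDigType}, which is then removed.</li>
 *   <li>{@code SK-XML}: nonce checking is always off.</li>
 *   <li>{@code DIGIDOC-XML} (or no document): a 22-byte nonce is taken as a 2-byte ASN.1
 *       header plus a 20-byte digest and only the digest is kept.</li>
 *   <li>any other format: the {@code CHECK_OCSP_NONCE} config property decides (default off).</li>
 * </ul>
 *
 * @param basResp the basic OCSP response; {@code null} yields {@code null}
 * @param sdoc    the signed document whose format selects the nonce rules; may be {@code null}
 * @return the nonce with any recognised prefix removed, or {@code null} when the response has
 *         no nonce, when the nonce is invalid for a format that requires one, or on any error
 */
private byte[] getNonce(BasicOCSPResp basResp, SignedDoc sdoc) {
    if (basResp == null) {
        return null;
    }
    try {
        X509Extensions exts = basResp.getResponseData().getResponseExtensions();
        X509Extension nonceExt = exts.getExtension(new DERObjectIdentifier("1.3.6.1.5.5.7.48.1.2"));
        byte[] nonce = null;
        if (nonceExt != null && nonceExt.getValue() != null) {
            nonce = nonceExt.getValue().getOctets();
        }
        String format = (sdoc != null) ? sdoc.getFormat() : null;
        boolean checkNonce = ConfigManager.instance().getBooleanProperty("CHECK_OCSP_NONCE", false);
        if ("BDOC".equals(format)) {
            checkNonce = true;
        }
        if ("SK-XML".equals(format)) {
            checkNonce = false;
        }
        if (this.m_logger.isDebugEnabled() && nonce != null) {
            this.m_logger.debug("Nonce hex: " + ConvertUtils.bin2hex(nonce) + " b64: " + Base64Util.encode(nonce) + " len: " + nonce.length);
        }
        boolean prefixRecognised = false;
        String nonceType = null;
        if ((sdoc == null || "DIGIDOC-XML".equals(format)) && nonce != null && nonce.length == 22) {
            // 22 bytes = 2-byte header (as written by createOCSPRequest: tag 0x04, length)
            // followed by a 20-byte digest; keep only the digest.
            nonce = java.util.Arrays.copyOfRange(nonce, nonce.length - 20, nonce.length);
            prefixRecognised = true;
            nonceType = "ASN1-NONCE";
        }
        if ("BDOC".equals(format) && nonce != null) {
            nonceType = ConvertUtils.findDigType(nonce);
            if (nonceType != null) {
                nonce = ConvertUtils.removePrefix(nonce);
            }
            prefixRecognised = nonceType != null;
        }
        if (this.m_logger.isDebugEnabled()) {
            // Null-safe: the previous version read nonce.length here unconditionally, so a
            // response without a nonce produced a spurious NPE (and an error log) in debug mode.
            this.m_logger.debug("Nonce hex: " + (nonce != null ? ConvertUtils.bin2hex(nonce) : "NULL") + " b64: " + (nonce != null ? Base64Util.encode(nonce) : "NULL") + " len: " + (nonce != null ? nonce.length : 0) + " type: " + nonceType);
        }
        if (!prefixRecognised && checkNonce) {
            throw new DigiDocException(71, "Invalid nonce: " + (nonce != null ? ConvertUtils.bin2hex(nonce) + " length: " + nonce.length : "NO-NONCE") + "!", (Throwable) null);
        }
        return nonce;
    } catch (Exception e) {
        // NOTE(review): this also catches the DigiDocException thrown just above (assuming
        // DigiDocException extends Exception, as the catch ordering at the call sites suggests),
        // so an invalid/missing nonce reaches the caller as null rather than as error 71; the
        // caller then fails its own nonce comparison. Kept to preserve the no-throw contract.
        this.m_logger.error("Error reading ocsp nonce: " + e, e);
        return null;
    }
}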
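/**
 * Checks the top-level status of an OCSP response and logs a description of any failure.
 * <p>
 * The codes follow the {@code OCSPResponseStatus} enumeration of RFC 2560 / RFC 6960:
 * 0 successful, 1 malformedRequest, 2 internalError, 3 tryLater, 5 sigRequired,
 * 6 unauthorized; 4 is unused and is reported as an unknown code.
 *
 * @param resp the OCSP response to inspect; {@code null} is treated as a failed response
 * @throws DigiDocException code 69 when {@code resp} is {@code null} or its status is not 0
 */
private void verifyRespStatus(OCSPResp resp) throws DigiDocException {
    // Test for null before touching resp: the previous version called resp.getStatus()
    // first and only then compared resp with null, so a null response ended in an NPE.
    if (resp == null) {
        throw new DigiDocException(69, "OCSP response unsuccessfull! ", (Throwable) null);
    }
    int status = resp.getStatus();
    switch (status) {
        case 0:
            break;
        case 1:
            this.m_logger.error("Your request did not fit the RFC 2560 syntax!");
            break;
        case 2:
            this.m_logger.error("An internal error occured in the OCSP Server!");
            break;
        case 3:
            this.m_logger.error("The server was too busy to answer you!");
            break;
        case 5:
            this.m_logger.error("Your request was not signed!");
            break;
        case 6:
            this.m_logger.error("The server could not authenticate you!");
            break;
        default:
            this.m_logger.error("Unknown OCSPResponse status code! " + status);
            break;
    }
    if (status != 0) {
        throw new DigiDocException(69, "OCSP response unsuccessfull! ", (Throwable) null);
    }
}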
/**
 * Builds the {@link CertificateID} for an OCSP single request: the signer's serial number
 * together with the issuer hashes derived from {@code caCert}, using SHA-1 (OID 1.3.14.3.2.26).
 * {@code checkCertStatus} later matches this hash algorithm OID against the response.
 *
 * @param signersCert the certificate whose status is queried; supplies the serial number
 * @param caCert      the issuing CA certificate; supplies the issuer name/key hashes
 * @return the certificate id for the request
 * @throws Exception propagated from BouncyCastle when the id cannot be built
 */
private CertificateID creatCertReq(X509Certificate signersCert, X509Certificate caCert) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, DigiDocException, Exception {
    final String sha1Oid = "1.3.14.3.2.26";
    BigInteger serial = signersCert.getSerialNumber();
    return new CertificateID(sha1Oid, caCert, serial);
}
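/**
 * Builds an OCSP request for {@code signersCert} as issued by {@code caCert}.
 * <p>
 * When a nonce is given it is embedded as the {@code id-pkix-ocsp-nonce} request extension.
 * For non-BDOC requests a nonce that does not already start with 0x04 is wrapped in a 2-byte
 * ASN.1 OCTET STRING header (tag 0x04, one-byte length); for BDOC requests a nonce without a
 * recognised digest prefix gets one via {@link ConvertUtils#addDigestAsn1Prefix}.
 * <p>
 * With {@code bSigned} the request is signed (SHA1WITHRSA, provider "BC") using the PKCS#12
 * key and certificate loaded by {@link #init()} and the requestor name is that certificate's
 * subject; otherwise the requestor name is the signer's subject and the request is unsigned.
 *
 * @param nonce       nonce bytes to embed, or {@code null} for no nonce extension
 * @param signersCert certificate whose status is requested; required
 * @param caCert      issuer of {@code signersCert}; required
 * @param bSigned     whether to sign the request with the configured PKCS#12 token
 * @param bBdoc       whether BDOC nonce conventions apply
 * @return the generated request ({@code null} only if
 *         {@link DigiDocException#handleException} returns instead of throwing)
 * @throws DigiDocException code 65 when a certificate is missing or generation fails,
 *         code 17 when signing is requested but no PKCS#12 token is configured
 */
private OCSPReq createOCSPRequest(byte[] nonce, X509Certificate signersCert, X509Certificate caCert, boolean bSigned, boolean bBdoc) throws DigiDocException {
    OCSPReq req = null;
    OCSPReqGenerator generator = new OCSPReqGenerator();
    try {
        if (this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Request for: " + (signersCert != null ? ConvertUtils.getCommonName(ConvertUtils.convX509Name(signersCert.getSubjectX500Principal())) : "NULL") + " CA: " + (caCert != null ? ConvertUtils.getCommonName(ConvertUtils.convX509Name(caCert.getSubjectX500Principal())) : "NULL"));
        }
        if (signersCert == null) {
            throw new DigiDocException(65, "Missing signers cert for ocsp request", (Throwable) null);
        }
        if (caCert == null) {
            throw new DigiDocException(65, "Missing CA cert for ocsp request", (Throwable) null);
        }
        CertificateID certId = this.creatCertReq(signersCert, caCert);
        if (this.m_logger.isDebugEnabled()) {
            // nonce is optional; the previous version read nonce.length here without a null check.
            this.m_logger.debug("Request for: " + certId.getHashAlgOID() + " serial: " + certId.getSerialNumber() + " issuer: " + ConvertUtils.bin2hex(certId.getIssuerKeyHash()) + " subject: " + ConvertUtils.bin2hex(certId.getIssuerNameHash()) + " nonce: " + (nonce != null ? ConvertUtils.bin2hex(nonce) : "NULL") + " len: " + (nonce != null ? nonce.length : 0));
        }
        generator.addRequest(certId);
        if (nonce != null && nonce[0] != 4 && !bBdoc) {
            // DER OCTET STRING wrapper: tag 0x04, short-form length, payload.
            // NOTE(review): the one-byte length only encodes nonces of at most 127 bytes.
            byte[] wrapped = new byte[nonce.length + 2];
            wrapped[0] = 4;
            wrapped[1] = (byte) nonce.length;
            System.arraycopy(nonce, 0, wrapped, 2, nonce.length);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Nonce in: " + ConvertUtils.bin2hex(nonce) + " with-asn1: " + ConvertUtils.bin2hex(wrapped));
            }
            nonce = wrapped;
        }
        if (nonce != null && ConvertUtils.findDigType(nonce) == null && bBdoc) {
            byte[] prefixed = ConvertUtils.addDigestAsn1Prefix(nonce);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Nonce in: " + ConvertUtils.bin2hex(nonce) + " in-len: " + (nonce != null ? nonce.length : 0) + " with-asn1: " + ConvertUtils.bin2hex(prefixed) + " out-len: " + (prefixed != null ? prefixed.length : 0) + " out-pref: " + ConvertUtils.findDigType(prefixed));
            }
            nonce = prefixed;
        }
        if (nonce != null) {
            // Raw Vectors to match the X509Extensions(Vector, Vector) constructor used here.
            Vector oids = new Vector();
            Vector values = new Vector();
            oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            values.add(new X509Extension(false, new DEROctetString(nonce)));
            generator.setRequestExtensions(new X509Extensions(oids, values));
        }
        GeneralName requestorName;
        if (bSigned) {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("SignCert: " + (this.m_signCert != null ? this.m_signCert.toString() : "NULL"));
            }
            if (this.m_signCert == null) {
                throw new DigiDocException(17, "Invalid config file! Attempting to sign ocsp request but PKCS#12 token not configured!", (Throwable) null);
            }
            requestorName = new GeneralName(PrincipalUtil.getSubjectX509Principal(this.m_signCert));
        } else {
            // Defensive only: a null signersCert was already rejected above with code 65.
            if (signersCert == null) {
                throw new DigiDocException(68, "Signature owners certificate is NULL!", (Throwable) null);
            }
            requestorName = new GeneralName(PrincipalUtil.getSubjectX509Principal(signersCert));
        }
        generator.setRequestorName(requestorName);
        if (bSigned) {
            X509Certificate[] chain = new X509Certificate[]{this.m_signCert};
            req = generator.generate("SHA1WITHRSA", this.m_signKey, chain, "BC");
            // Self-check of the freshly produced signature; a failure is logged but not
            // treated as an error, so the request is still returned.
            if (!req.verify(this.m_signCert.getPublicKey(), "BC")) {
                this.m_logger.error("Verify failed");
            }
        } else {
            req = generator.generate();
        }
    } catch (Exception e) {
        DigiDocException.handleException(e, 65);
    }
    return req;
}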
/**
 * Sends an OCSP request to the responder named by the {@code DIGIDOC_OCSP_RESPONDER_URL}
 * config property; see {@link #sendRequestToUrl} for the transport details.
 *
 * @param req       the OCSP request to send
 * @param httpFrom  originating client address for the {@code X-Forwarded-For} header
 * @param format    container format reported in the User-Agent (may be {@code null})
 * @param formatVer container format version reported in the User-Agent (may be {@code null})
 * @return the parsed response
 * @throws DigiDocException propagated from {@link #sendRequestToUrl}
 */
private OCSPResp sendRequest(OCSPReq req, String httpFrom, String format, String formatVer) throws DigiDocException {
    final ConfigManager cfg = ConfigManager.instance();
    return this.sendRequestToUrl(req, cfg.getProperty("DIGIDOC_OCSP_RESPONDER_URL"), httpFrom, format, formatVer);
}
/**
 * Builds the {@code User-Agent} value sent with OCSP requests: the library name and version,
 * optionally the container format/version, and the JVM and OS identification properties.
 * Note that this discloses Java, JVM and OS version details to the responder.
 * <p>
 * Properties are appended one at a time, so if reading a system property throws (the
 * {@link Throwable} is logged) the string built so far is returned as-is.
 *
 * @param format    container format, or {@code null} to omit the format part
 * @param formatVer container format version, or {@code null} to omit the format part
 * @return the User-Agent string, or {@code null} if even the builder could not be created
 */
private String getUserInfo(String format, String formatVer) {
    StringBuilder ua = null;
    try {
        ua = new StringBuilder("LIB ");
        ua.append("JDigiDoc").append("/").append("3.9.0-726");
        if (format != null && formatVer != null) {
            ua.append(" format: ").append(format).append("/").append(formatVer);
        }
        // Each group: a label followed by the system properties joined with '/'.
        String[][] groups = {
            {" Java: ", "java.version", "java.vendor"},
            {" OS: ", "os.name", "os.arch", "os.version"},
            {" JVM: ", "java.vm.name", "java.vm.vendor", "java.vm.version"}
        };
        for (int g = 0; g < groups.length; g++) {
            ua.append(groups[g][0]);
            for (int k = 1; k < groups[g].length; k++) {
                if (k > 1) {
                    ua.append("/");
                }
                ua.append(System.getProperty(groups[g][k]));
            }
        }
    } catch (Throwable t) {
        this.m_logger.error("Error reading java system properties: " + t);
    }
    return ua != null ? ua.toString() : null;
}
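/**
 * Posts a DER-encoded OCSP request to {@code url} and parses the response.
 * <p>
 * The request is sent as {@code application/ocsp-request} with a {@code User-Agent} built by
 * {@link #getUserInfo} and, when {@code httpFrom} is non-blank, an {@code X-Forwarded-For}
 * header holding it verbatim. When the {@code OCSP_TIMEOUT} config property is set to a
 * non-negative number of milliseconds it is applied as both the connect and the read timeout.
 * <p>
 * Response handling: when the server reports a positive {@code Content-Length}, at most that
 * many bytes are read (stopping at EOF); otherwise the body is read to EOF. The previous
 * version looped on {@code available()} (spinning when it returned 0, and throwing
 * {@code NegativeArraySizeException} on a premature EOF) and discarded responses without a
 * Content-Length header. Both streams are closed on every path.
 *
 * @param req       the OCSP request to send
 * @param url       responder URL
 * @param httpFrom  originating client address for {@code X-Forwarded-For}; ignored when blank
 * @param format    container format reported in the User-Agent (may be {@code null})
 * @param formatVer container format version reported in the User-Agent (may be {@code null})
 * @return the parsed response, or {@code null} when no body was received (or when
 *         {@link DigiDocException#handleException} returns instead of throwing)
 * @throws DigiDocException code 65 on any I/O or parse failure
 */
private OCSPResp sendRequestToUrl(OCSPReq req, String url, String httpFrom, String format, String formatVer) throws DigiDocException {
    OCSPResp resp = null;
    try {
        byte[] encodedReq = req.getEncoded();
        URL responder = new URL(url);
        if (this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Connecting to ocsp url: " + url);
        }
        URLConnection con = responder.openConnection();
        if (this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Default connection timeout: " + con.getConnectTimeout() + " [ms]");
        }
        int configuredTimeout = ConfigManager.instance().getIntProperty("OCSP_TIMEOUT", -1);
        if (configuredTimeout >= 0) {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Setting connection timeout to: " + configuredTimeout + " [ms]");
            }
            con.setConnectTimeout(configuredTimeout);
            // Also bound the wait for the body: without a read timeout a responder that
            // accepts the connection but never answers blocks the caller indefinitely.
            con.setReadTimeout(configuredTimeout);
        }
        con.setAllowUserInteraction(false);
        con.setUseCaches(false);
        con.setDoOutput(true);
        con.setDoInput(true);
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        String userAgent = this.getUserInfo(format, formatVer);
        if (userAgent != null) {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("User-Agent: " + userAgent);
            }
            con.setRequestProperty("User-Agent", userAgent);
        }
        if (httpFrom != null && httpFrom.trim().length() > 0) {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("X-Forwarded-For: " + httpFrom);
            }
            // Passed through as given; callers are expected to supply a clean client address.
            con.setRequestProperty("X-Forwarded-For", httpFrom);
        }
        OutputStream os = con.getOutputStream();
        try {
            os.write(encodedReq);
        } finally {
            os.close();
        }
        byte[] body;
        InputStream is = con.getInputStream();
        try {
            body = readResponseBody(is, con.getContentLength());
        } finally {
            is.close();
        }
        if (body != null) {
            resp = new OCSPResp(body);
        }
    } catch (Exception e) {
        DigiDocException.handleException(e, 65);
    }
    return resp;
}

/**
 * Reads a response body: up to {@code contentLength} bytes when that is positive (fewer if
 * EOF comes first), otherwise everything up to EOF.
 * <p>
 * The server-supplied length is deliberately not used to size the buffer, so a bogus
 * Content-Length cannot force a large allocation. NOTE(review): there is no upper bound on
 * the body when the length is unknown; OCSP responses are small, so a cap may be worth adding.
 *
 * @param is            the response stream; not closed here
 * @param contentLength the Content-Length reported by the connection, or a non-positive value
 * @return the bytes read, or {@code null} when nothing was received
 * @throws java.io.IOException on read failure
 */
private static byte[] readResponseBody(InputStream is, int contentLength) throws java.io.IOException {
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    byte[] chunk = new byte[4096];
    int remaining = contentLength > 0 ? contentLength : Integer.MAX_VALUE;
    while (remaining > 0) {
        int n = is.read(chunk, 0, Math.min(chunk.length, remaining));
        if (n < 0) {
            break; // EOF
        }
        buf.write(chunk, 0, n);
        remaining -= n;
    }
    return buf.size() > 0 ? buf.toByteArray() : null;
}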
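/**
 * Initialises the factory from {@link ConfigManager} properties.
 * <ul>
 *   <li>{@code DIGIDOC_PROXY_HOST} / {@code DIGIDOC_PROXY_PORT}: when both are set they are
 *       written to the JVM-wide {@code http.proxyHost} / {@code http.proxyPort} system
 *       properties, which affects every HTTP client in the process.</li>
 *   <li>{@code SIGN_OCSP_REQUESTS}: the string {@code "true"} enables request signing.</li>
 *   <li>{@code DIGIDOC_SECURITY_PROVIDER}: class name of a {@link Provider} that is
 *       instantiated reflectively and registered with {@link Security#addProvider}. Any class
 *       on the classpath can be instantiated this way, so the config source must be trusted.</li>
 *   <li>When signing is enabled, {@code DIGIDOC_PKCS12_CONTAINER} / {@code DIGIDOC_PKCS12_PASSWD}
 *       name a PKCS#12 file opened with provider "BC"; the private key of the last key entry
 *       becomes the signing key, and the chain certificate whose serial equals the decimal
 *       {@code DIGIDOC_OCSP_SIGN_CERT_SERIAL} becomes the signing certificate.</li>
 * </ul>
 * The PKCS#12 stream is now closed after loading (the previous version leaked it), and a
 * container without a key entry is reported explicitly instead of failing inside
 * {@code KeyStore.getKey(null, ...)}.
 *
 * @throws DigiDocException code 67 on any failure (via {@link DigiDocException#handleException})
 */
public void init() throws DigiDocException {
    try {
        String proxyHost = ConfigManager.instance().getProperty("DIGIDOC_PROXY_HOST");
        String proxyPort = ConfigManager.instance().getProperty("DIGIDOC_PROXY_PORT");
        if (proxyHost != null && proxyPort != null) {
            // Process-wide side effect, not limited to OCSP traffic.
            System.setProperty("http.proxyHost", proxyHost);
            System.setProperty("http.proxyPort", proxyPort);
        }
        String signFlag = ConfigManager.instance().getProperty("SIGN_OCSP_REQUESTS");
        this.m_bSignRequests = "true".equals(signFlag);
        Provider prv = (Provider) Class.forName(ConfigManager.instance().getProperty("DIGIDOC_SECURITY_PROVIDER")).newInstance();
        Security.addProvider(prv);
        if (this.m_bSignRequests) {
            String p12file = ConfigManager.instance().getProperty("DIGIDOC_PKCS12_CONTAINER");
            String p12paswd = ConfigManager.instance().getProperty("DIGIDOC_PKCS12_PASSWD");
            String p12serial = ConfigManager.instance().getProperty("DIGIDOC_OCSP_SIGN_CERT_SERIAL");
            if (p12file != null && p12paswd != null) {
                KeyStore store = KeyStore.getInstance("PKCS12", "BC");
                FileInputStream fi = new FileInputStream(p12file);
                try {
                    store.load(fi, p12paswd.toCharArray());
                } finally {
                    fi.close();
                }
                // Same selection as before: the last key-entry alias wins.
                String keyAlias = null;
                Enumeration aliases = store.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = (String) aliases.nextElement();
                    if (store.isKeyEntry(alias)) {
                        keyAlias = alias;
                    }
                }
                if (keyAlias == null) {
                    throw new DigiDocException(67, "No private key entry found in PKCS#12 container: " + p12file, (Throwable) null);
                }
                // NOTE(review): the key is fetched with a null key password; whether the BC
                // PKCS#12 store accepts that depends on how the container was built — confirm.
                this.m_signKey = (PrivateKey) store.getKey(keyAlias, (char[]) null);
                Certificate[] chain = store.getCertificateChain(keyAlias);
                for (int i = 0; chain != null && i < chain.length; ++i) {
                    X509Certificate cert = (X509Certificate) chain[i];
                    if (this.m_logger.isInfoEnabled()) {
                        this.m_logger.info("Cert " + i + " subject: " + ConvertUtils.convX509Name(cert.getSubjectX500Principal()));
                        this.m_logger.info("Cert " + i + " issuer: " + ConvertUtils.convX509Name(cert.getIssuerX500Principal()));
                        this.m_logger.info("Cert " + i + " serial: " + cert.getSerialNumber());
                        this.m_logger.info("Cert " + i + " is-ca: " + ConvertUtils.isCACert(cert));
                    }
                    // The configured serial is parsed as a decimal BigInteger.
                    if (p12serial != null && cert != null && cert.getSerialNumber().equals(new BigInteger(p12serial))) {
                        this.m_signCert = cert;
                    }
                }
            }
        }
    } catch (Exception e) {
        DigiDocException.handleException(e, 67);
    }
}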
}