com.entrust.toolkit.x509.revocation

Class OCSPConfiguration

java.lang.Object

com.entrust.toolkit.x509.revocation.OCSPConfiguration

public class OCSPConfiguration
extends java.lang.Object

Each OCSPConfiguration object represents a single OCSP configuration (Online Certificate Status Protocol). If no settings are configured, the following configuration is used:

• OCSP Requests will not be signed
• The requestorName is included in the request
• The OCSP responder's verification certificate is not configured
• The OCSP Responder's Access Location is not set.
• No Certificate Authority DN list is set
• No Single Request or Request Extensions are set
• The ASN.1 CertID Hashing Algorithm is set to SHA256
• AIA extension checking is turned on
• Use of the Nonce is not enabled
• Connection and Read timeouts are not set
• An OCSP request will be retried 2 times

To ensure efficient and reliable configuration of OCSP, the following items should be configured:

1. Any OCSP responder who is trusted is configured by setting the responder's verification certificate using addResponderCertificates(X509Certificate[]). Multiple Responders can be trusted by this configuration. For example, if AIA mode is enabled setAIAChecking(boolean) then the certificate which signed the OCSP response may need to be authorized. If that is the case, then having this certificate listed as a trusted certificate will enable the certificate to be authorized, and the revocation check will be able to succeed. If this certificate were not trusted, then the certificate which signed the OCSP request must be contained in the OCSP response, must be issued by the CA certificate that issued the cerificate being check for revocation, and must contain the id-ad-ocspSigning in an extendedKeyUsage extension. See RFC 2560 section 4.2.2.2 for how this process works

2. The Certificate Authority Distinguished Name list (CADN list) is used to determine whether this OCSPConfiguration should be used to send an OCSP request to the configured responder. Essentially the issuer DN of the certificate being checked for revocation is matched against this list.

• If the DN is present, then this OCSPConfiguration can be used to contact the configured responder.
• If the DN is not present, and the list of CADN's is empty, then this OCSPConfiguration can be used to check the revocation status of any certificate.
• If the DN is not present, and the list of CADN's is populated, then this OCSPConfiguration should not be used to check the revocation status of the certificate in question.

3. Either the setAIAChecking(boolean) should be enabled, or the OCSP AccessLocation should be set. The AccessLocation is set with either the setAccessLocation(GeneralName) or setURLLocation(URL) methods. The AuthorityInfoAccess certificate extension stores the AccessLocation of the OCSP responder in the certificate being checked for revocation. However, there may be environments where this setting should be ignored. If neither setting is enabled, then no revocation checking can be done for this OCSP configuration. A default OCSP configuration will enable AIA checking.

4. It may be desirable to set the ConnectionTimeout. When the OCSP responder is contacted to determine revocation status, a timeout can be specified to determine the maximum length of time the client will wait for a reply. The default value is 0, which means the Java toolkit will wait forever. To avoid the possibility of the toolkit waiting forever, it is therefore recommended that the client application set a ConnectionTimeout. Under a Java 1.4.x environment, the ConnectTimeout is the maximum length of time in milliseconds which the Java toolkit will allow for connecting and reading data from the OCSP responder. Under Java 1.4.x there is no distinction between the ConnectTimeout and ReadTimeout values. Under a Java 1.5.x or later environment, the ConnectTimeout is the maximum length of time in milliseonds which the Java toolkit will allow for connection to the OCSP responder.

5. It may be desirable to set the ReadTimeout. Under a Java 1.4.x environment, setting the ReadTimeout value has no effect on the behaviour of the toolkit. Under a Java 1.5.x or later environment, the ReadTimeout is the maximum length of time in milliseconds which the Java toolkit will allow for reading data from the OCSP responder. The default timeout value is 0, which means there is no limit.

Since:

7.2

Field Summary

Fields

Modifier and Type	Field and Description
static int	INCLUDE_ALL_CERTS
static int	INCLUDE_NONE
static int	INCLUDE_VERIFICATION_CERT
static int	MAX_RETRIES Limit amout of retries, as a very large number would cause the toolkit to hang, and could be used for a denial of service attack.

Constructor Summary

Constructors

Constructor and Description
OCSPConfiguration() The default constructor.
OCSPConfiguration(GeneralName accessLocation) Creates a Default OCSP Configuration with the specified accessLocation.
OCSPConfiguration(java.net.URL urlLocation) Creates a Default OCSP Configuration with the specified URL.

Method Summary

Methods

Modifier and Type	Method and Description
void	addCADN(Name name) When a certificate is checked for revocation status, a list of CA Names is checked against the issuer of the certificate being checked for revocation.
void	addCADNList(java.util.ArrayList names) When a a certificate is checked for revocation status, a list of CA Names is checked against the issuer of the certificate being checked for revocation.
void	addCADNList(Name[] names) A Convienance method for adding an Array of Name DNs to the internal list of CA Names.
void	addResponderCertificate(X509Certificate responderCert) Adds a trusted verficiation certificate of an OCSP responder to the list of trusted responder certificates for this OCSPConfiguration.
void	addResponderCertificates(java.util.ArrayList certificates) Adds a List of trusted verification certificates for each OCSP responder which should be trusted by this OCSPConfiguration.
void	addResponderCertificates(X509Certificate[] responderCerts) Adds an array of trusted verficiation certificates for each OCSP responder which should be trusted by this OCSPConfiguration.
static java.net.URL	convertAccessLocation(GeneralName accessLocation) Converts an AccessLocation specified as a General name into a URL object.
boolean	equals(java.lang.Object obj) Tests whether each parameter configured in this OCSPConfiguration object is equal to each parameter configured in the provided OCSPConfiguration object.
GeneralName	getAccessLocation()
boolean	getAIAChecking()
java.util.ArrayList	getCADNList()
Name[]	getCADNs()
AlgorithmID	getCertIDHashAlgorithm() Returns the Hashing algorithm used to identify the certificate in the ASN.1 CertID structure.
int	getConnectTimeout()
javax.net.ssl.HostnameVerifier	getHostnameVerifier() Return the HostnameVerifier to use when an OCSP request over HTTPS is used
boolean	getIncludeAcceptableResponses()
boolean	getIncludeRequestorName()
int	getIncludeVerificationChain()
int	getReadTimeout()
java.util.ArrayList	getResponderCertificateList() Returns the trusted responders verification certificate list if it was set.
X509Certificate[]	getResponderCertificates() Returns the trusted responders verfication certificate list if it was set.
int	getRetries()
AlgorithmID	getSigningAlgorithm()
boolean	getSignRequest() Convienance method which returns whether or not the request should be signed.
javax.net.ssl.SSLSocketFactory	getSSLSocketFactory() Return the SSLSocketFactory used when an OCSP request over HTTPS is used:
java.net.URLStreamHandler	getStreamHandler() Return the URLStreamHandler to use when an OCSP request over HTTPS is used
java.net.URL	getURLLocation()
boolean	getUseNonce()
int	hashCode() Returns a hash code value for the object.
void	removeCADN(Name cadn) Removes a CA DN from the list of CA DN's which this responder is trusted.
void	removeResponderCertificate(X509Certificate responderCert) Removes a trusted Responder verification certificate from the list of trusted responder verification certificates.
void	setAccessLocation(GeneralName accessLocation) Sets the Access location of the OCSP Responder.
void	setAIAChecking(boolean useAIA) This parameter will enable the OCSP configuration to use the Authority Information Access (AIA) Certificate extension id-ad-ocsp for checking revocation.
void	setCertIDHashAlgorithm(java.lang.String alg) Sets the Hashing algorithm used to identify the certificate in the ASN.1 CertID structure.
void	setConnectTimeout(int ConnectTimeout) Under a Java 1.4.x environment, the ConnectTimeout is the maximum length of time in milliseconds which the Java toolkit will allow for connecting and reading data from the OCSP responder.
void	setIncludeAcceptableResponses(boolean includeRequest) Allows inclusion of the AcceptableResponseTypes extension to be included in the message.
void	setIncludeRequestorName(boolean include) RFC 2560 section 4 states the requestorName is optional.
void	setReadTimeout(int ReadTimeout) Under a Java 1.4.x environment, setting the ReadTimeout value has no effect on the behaviour of the toolkit.
void	setRetries(int retry) Sets the number of times that an OCSP request will be attempted to be set The minimum is 0, maximum is defined by MAX_RETRIES
void	setSignRequest(boolean isSigned, int includeCerts, java.lang.String signaturealg) This method is used to set whether the OCSP Request is signed.
void	setSSLConfiguration(javax.net.ssl.SSLSocketFactory factory, javax.net.ssl.HostnameVerifier hostnameVerifier, java.net.URLStreamHandler streamHandler) Set the SSL Connection parameters to use when the OCSP access location is an HTTPS location
void	setURLLocation(java.net.URL url) Sets the Access location of the OCSP Responder.
void	setUseNonce(boolean useNonce) Allows sending of the Nonce OCSP request extension.
OCSPConfiguration	shallowCopy() Makes a shallow copy of this object.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Field Detail

MAX_RETRIES

public static final int MAX_RETRIES

Limit amout of retries, as a very large number would cause the toolkit to hang, and could be used for a denial of service attack.

See Also:

Constant Field Values

INCLUDE_VERIFICATION_CERT

public static final int INCLUDE_VERIFICATION_CERT

See Also:

Constant Field Values

INCLUDE_ALL_CERTS

public static final int INCLUDE_ALL_CERTS

See Also:

Constant Field Values

INCLUDE_NONE

public static final int INCLUDE_NONE

See Also:

Constant Field Values

Constructor Detail

OCSPConfiguration

public OCSPConfiguration()

The default constructor. When used, the default OCSP configuration parameters are set to the following:

• OCSP Requests will not be signed
• The requestorName is included in the request
• The OCSP Responder Access Location is not set.
• The OCSP responder's verification certificate chain is not configured
• The OCSP responder's DN is not configured
• No Certificate Authority DN list is set
• No Single Request or Request Extensions are set
• The ASN.1 CertID Hashing Algorithm is set to SHA256
• AIA extension checking is turned on
• Use of the Nonce is not enabled
• Connection and Read timeouts are not set
• An OCSP request will be retried 2 times

OCSPConfiguration

public OCSPConfiguration(GeneralName accessLocation)

Creates a Default OCSP Configuration with the specified accessLocation. The rest of the configuration will be set as follows:

• OCSP Requests will not be signed
• The requestorName is included in the request
• The OCSP responder's verification certificate is not configured
• No Certificate Authority DN list is set
• No Single Request or Request Extensions are set
• The ASN.1 CertID Hashing Algorithm is set to SHA256
• AIA extension checking is turned on
• Use of the Nonce is not enabled
• Connection and Read timeouts are not set
• An OCSP request will be retried 2 times

Parameters:

accessLocation - The AccessLocation of the OCSP Responder

OCSPConfiguration

public OCSPConfiguration(java.net.URL urlLocation)

Creates a Default OCSP Configuration with the specified URL.

The rest of the configuration will be set as follows:

• OCSP Requests will not be signed
• The requestorName is included in the request
• The OCSP responder's verification certificate is not configured
• No Certificate Authority DN list is set
• No Single Request or Request Extensions are set
• The ASN.1 CertID Hashing Algorithm is set to SHA256
• AIA extension checking is turned on
• Use of the Nonce is not enabled
• Connection and Read timeouts are not set
• An OCSP request will be retried 2 times

Parameters:

urlLocation - The URL location of the OCSP Responder

Method Detail

convertAccessLocation

public static java.net.URL convertAccessLocation(GeneralName accessLocation)

Converts an AccessLocation specified as a General name into a URL object.

Parameters:

accessLocation -

Returns:

The accessLocation as a URL object

addCADN

public void addCADN(Name name)

When a certificate is checked for revocation status, a list of CA Names is checked against the issuer of the certificate being checked for revocation.

• If the DN is present in the list, then this OCSPConfiguration can be used to contact the configured responder.
• If the DN is not present in the list, and the list of CADN's is empty, then this OCSPConfiguration can be used to check the revocation status of any certificate.
• If the DN is not present in the list, and the list of CADN's is populated, then this OCSPConfiguration should not be used to check the revocation status of the certificate in question.

The List of CA DN's is stored in an ArrayList, this method adds the given Name into the ArrayList. If the item is already in the list it is not added.

Parameters:

name - The DN's of the CA's which this responder is trusted. If this is not set, then this responder can be used to check all certificates that are requested.

addCADNList

public void addCADNList(java.util.ArrayList names)

When a a certificate is checked for revocation status, a list of CA Names is checked against the issuer of the certificate being checked for revocation.

• If the DN is present in the list, then this OCSPConfiguration can be used to contact the configured responder.
• If the DN is not present in the list, and the list of CADN's is empty, then this OCSPConfiguration can be used to check the revocation status of any certificate.
• If the DN is not present in the list, and the list of CADN's is populated, then this OCSPConfiguration should not be used to check the revocation status of the certificate in question.

This method adds the list of Names in the given arrayList into the internal List of Names.

Parameters:

names - The DN's of the CA's which this responder is trusted. If this is not set, then this responder can be used to check all certificates that are requested.

addCADNList

public void addCADNList(Name[] names)

A Convienance method for adding an Array of Name DNs to the internal list of CA Names.

When a a certificate is checked for revocation status, this list of CA Names is checked against the issuer of the certificate being checked for revocation.

• If the DN is present in the list, then this OCSPConfiguration can be used to contact the configured responder.
• If the DN is not present in the list, and the list of CADN's is empty, then this OCSPConfiguration can be used to check the revocation status of any certificate.
• If the DN is not present in the list, and the list of CADN's is populated, then this OCSPConfiguration should not be used to check the revocation status of the certificate in question.

The List of CA DN's is stored in an ArrayList, so this method simply adds the given Name array into the ArrayList. If the item is already in the list it is not added.

Parameters:

names - The DN's of the CA's which this responder is trusted. If this is not set, then this responder can be used to check all certificates that are requested.

addResponderCertificate

public void addResponderCertificate(X509Certificate responderCert)

Adds a trusted verficiation certificate of an OCSP responder to the list of trusted responder certificates for this OCSPConfiguration.

If there are no trusted responder certificates available, then the the toolkit will attempt to verify the OCSP response with the trusted credentials at its disposal. If an OCSP response cannot be verified, then the revocation status of the certificate cannot be verified. Therefore configuration of the list of responder certificates is recommended.

Parameters:

responderCert - the responders trusted verification certificate

addResponderCertificates

public void addResponderCertificates(java.util.ArrayList certificates)

Adds a List of trusted verification certificates for each OCSP responder which should be trusted by this OCSPConfiguration.

If there are no trusted responder certificates available, then the toolkit will attempt to verify the OCSP response with the trusted credentials at its disposal. If an OCSP response cannot be verified, then the revocation status of the certificate cannot be verified. Therefore configuration of the list of responder certificates is recommended.

Parameters:

certificates - an ArrayList containing certificate

addResponderCertificates

public void addResponderCertificates(X509Certificate[] responderCerts)

Adds an array of trusted verficiation certificates for each OCSP responder which should be trusted by this OCSPConfiguration.

If there are no trusted responder certificates available, then the the toolkit will attempt to verify the OCSP response with the trusted credentials at its disposal. If an OCSP response cannot be verified, then the revocation status of the certificate cannot be verified. Therefore configuration of the list of responder certificates is recommended.

Parameters:

responderCerts - the OCSP responder(s) trusted verification certificate(s)

equals

public boolean equals(java.lang.Object obj)

Tests whether each parameter configured in this OCSPConfiguration object is equal to each parameter configured in the provided OCSPConfiguration object.

Overrides:

equals in class java.lang.Object

Returns:

true if all the configured parameters are equal false otherwise

See Also:

Object.equals(java.lang.Object)

getAccessLocation

public GeneralName getAccessLocation()

Returns:

the AccessLocation of the OCSP responder

getAIAChecking

public boolean getAIAChecking()

Returns:

true if AIA revocation checking enabled, false if it is not enabled.

getCADNList

public java.util.ArrayList getCADNList()

Returns:

the list of CA DN's which this responder is trusted

getCADNs

public Name[] getCADNs()

Returns:

the CADN list as an array of Name objects.

getCertIDHashAlgorithm

public AlgorithmID getCertIDHashAlgorithm()

Returns the Hashing algorithm used to identify the certificate in the ASN.1 CertID structure.

getConnectTimeout

public int getConnectTimeout()

Returns:

the integer value of the ConnectTimeout

getIncludeAcceptableResponses

public boolean getIncludeAcceptableResponses()

Returns:

whether or not the AcceptableResponses OCSP extension should be included in the OCSP Request. It is optional

getIncludeRequestorName

public boolean getIncludeRequestorName()

Returns:

Whether or not the requestorName should be included in the OCSPRequest

getReadTimeout

public int getReadTimeout()

Returns:

the integer value of the ReadTimeout

getResponderCertificateList

public java.util.ArrayList getResponderCertificateList()

Returns the trusted responders verification certificate list if it was set. If it was not set, then this method will return an empty ArrayList.

Returns:

the list of ResponderCertificates as an ArrayList

getResponderCertificates

public X509Certificate[] getResponderCertificates()

Returns the trusted responders verfication certificate list if it was set. If it was not set, an empty array will be returned.

Returns:

the list of ResponderCertificates as an Array of X509Certificates

getRetries

public int getRetries()

Returns:

the number of times an OCSP request will be attempted.

getSigningAlgorithm

public AlgorithmID getSigningAlgorithm()

Returns:

the Algorithm used to sign the OCSP Request.

getIncludeVerificationChain

public int getIncludeVerificationChain()

Returns:

The List of OCSP Signing certificates.

getSignRequest

public boolean getSignRequest()

Convienance method which returns whether or not the request should be signed.

Returns:

true if the response should be signed, false otherwise

getURLLocation

public java.net.URL getURLLocation()

Returns:

the accessLocation of the OCSP responder as a URL

getUseNonce

public boolean getUseNonce()

Returns:

whether or not a Nonce should be generated for each OCSP request. If true, then a Random Nonce will be generated for all requests using this configuration. If false, no Nonce will be generated.

hashCode

public int hashCode()

Returns a hash code value for the object. This method is supported for the benefit of hashtables such as those provided by java.util.Hashtable.

Overrides:

hashCode in class java.lang.Object

See Also:

Object.hashCode()

removeCADN

public void removeCADN(Name cadn)

Removes a CA DN from the list of CA DN's which this responder is trusted.

Parameters:

cadn - the CADN to remove.

removeResponderCertificate

public void removeResponderCertificate(X509Certificate responderCert)

Removes a trusted Responder verification certificate from the list of trusted responder verification certificates.

Parameters:

responderCert - the certificate to remove

setAccessLocation

public void setAccessLocation(GeneralName accessLocation)

Sets the Access location of the OCSP Responder. RFC 2560 defines the following:

 In order to convey to OCSP clients a well-known point of information
 access, CAs SHALL provide the capability to include the
 AuthorityInfoAccess extension (defined in [RFC3280], section 4.2.2.1)
 in certificates that can be checked using OCSP.  Alternatively, the
 accessLocation for the OCSP provider may be configured locally at the
 OCSP client.

 CAs that support an OCSP service, either hosted locally or provided
 by an Authorized Responder, MUST provide for the inclusion of a value
 for a uniformResourceIndicator (URI) accessLocation and the OID value
 id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE.

 The value of the accessLocation field in the subject certificate
 defines the transport (e.g. HTTP) used to access the OCSP responder
 and may contain other transport dependent information (e.g. a URL).
 

This method stores the accessLocation in both GeneralName format, and URL format. If the accessLocation has already been set, it will be overridden with the new value. If the AccessMethod does not represent a URL, then the value of the AccessMethod and URL will be null.

Parameters:

accessLocation - The accessLocation of the OCSP responder

setAIAChecking

public void setAIAChecking(boolean useAIA)

This parameter will enable the OCSP configuration to use the Authority Information Access (AIA) Certificate extension id-ad-ocsp for checking revocation.

Parameters:

useAIA - A value of true will enable AIA checking. A value of false will disable AIA checking. The default configuration is set to true.

setCertIDHashAlgorithm

public void setCertIDHashAlgorithm(java.lang.String alg)

Sets the Hashing algorithm used to identify the certificate in the ASN.1 CertID structure.

Currently the following hashing algorithms are allowed:

• sha1
• sha256
• sha384
• sha512

Parameters:

alg - The Hashing algorithm. The Default is SHA-256.

setConnectTimeout

public void setConnectTimeout(int ConnectTimeout)

Under a Java 1.4.x environment, the ConnectTimeout is the maximum length of time in milliseconds which the Java toolkit will allow for connecting and reading data from the OCSP responder. The default timeout value is 0, which means the Java toolkit will wait forever. Under Java 1.4.x there is no distinction between the ConnectTimeout and ReadTimeout values. .

Under a Java 1.5.x or later environment, the ConnectTimeout is the maximum length of time in milliseonds which the Java toolkit will allow for connection to the OCSP responder. The default timeout value is 0, which means there is no limit.

It is recommended that this value be set to an approperiate timeout value.

Parameters:

ConnectTimeout - the ConnectTimeout in milliseconds

setIncludeAcceptableResponses

public void setIncludeAcceptableResponses(boolean includeRequest)

Allows inclusion of the AcceptableResponseTypes extension to be included in the message. Since the Java toolkit only supports the "Basic" response type, this Basic type will only be included in the message if this API is set to true.

AcceptableResponseTypes - (RFC 2560) specifies the AcceptableResponses extension for allowing an OCSP client to specify the kinds of response types it understands.

This extension is included as one of the requestExtensions in requests. The OIDs included in AcceptableResponses are the OIDs of the various response types this client can accept (e.g., id-pkix-ocsp-basic).

The "basic" response type BasicOCSPResponse.responseType is the only standardized type, so the presence of this extension is unnecessary in the general case.

Parameters:

includeRequest - true indicates the extension will be included, otherwise the extension will not be included

setIncludeRequestorName

public void setIncludeRequestorName(boolean include)

RFC 2560 section 4 states the requestorName is optional.

 TBSRequest      ::=     SEQUENCE {
 version             [0]     EXPLICIT Version DEFAULT v1,
 requestorName       [1]     EXPLICIT GeneralName OPTIONAL,
 requestList                 SEQUENCE OF Request,
 requestExtensions   [2]     EXPLICIT Extensions OPTIONAL }
 

Therefore, this method allows the requestorName to be excluded from the OCSP request. This exclusion will only be honoured when OCSP requests are not signed. RFC 2560 states that the requestorName must be included in signed requests.

Parameters:

include - should be set to true if the requestorName will be included, false if the requestorName will be excluded.

setReadTimeout

public void setReadTimeout(int ReadTimeout)

Under a Java 1.4.x environment, setting the ReadTimeout value has no effect on the behaviour of the toolkit.

Under a Java 1.5.x or later environment, the ReadTimeout is the maximum length of time in milliseconds which the Java toolkit will allow for reading data from the OCSP responder. The default timeout value is 0, which means there is no limit.

Parameters:

ReadTimeout - the read timeout in milliseconds

setRetries

public void setRetries(int retry)

Sets the number of times that an OCSP request will be attempted to be set The minimum is 0, maximum is defined by MAX_RETRIES

Parameters:

retry - the number of OCSP request attempts

setSignRequest

public void setSignRequest(boolean isSigned,
                  int includeCerts,
                  java.lang.String signaturealg)

This method is used to set whether the OCSP Request is signed. If the boolean value isSigned is true, then the request will be signed. If the value is false then the request is not signed.

When an OCSP request is signed, RFC 2560 section 4.1.2 states:

 The requestor MAY choose to sign the OCSP request. In that case, the
 signature is computed over the tbsRequest structure. If the request
 is signed, the requestor SHALL specify its name in the requestorName
 field. Also, for signed requests, the requestor MAY include certificates
 that help the OCSP responder verify the requestor's
 signature in the certs field of Signature.
 

This list of certificates should help the OCSP responder build a path to the OCSP requestor’s certificate. In this implementation, the client has the option of including the signer certificates in one of three ways:

• INCLUDE_VERIFICATION_CERT (0) - Only the verification certificate for the key that signed the OCSP request is included in the OCSP request. This is the default configuration if not set
• INCLUDE_ALL_CERTS (1) - The full certificate path is included (verification cert plus CA certificate chain to root of trust). Depending on the environment, using the full chain could make the OCSP requests very large.
• INCLUDE_NONE (2) - Do not include any certificates in the OCSP request. This may make signature verification difficult for the OCSP responder because the responder would need to be pre-configured with the identity of the client.

If the request is signed, the requestorName must be set, so if the excludeRequestName() method has been called, it will be ignored.

A string indicating the signing algorithms to be used for signing the request should also be included. If nothing is include, the default "sha256WithRSAEncryption" algorithm will be used. The list of currently supported algorithms is as follows:

• "sha1WithRSAEncryption" - AlgorithmID.SignatureAlgs.sha1WithRSAEncryption
• "sha256WithRSAEncryption" - AlgorithmID.SignatureAlgs.sha256WithRSAEncryption
• "sha384WithRSAEncryption" - AlgorithmID.SignatureAlgs.sha384WithRSAEncryption
• "sha512WithRSAEncryption" - AlgorithmID.SignatureAlgs.sha512WithRSAEncryption
• "dsaWithSHA1" - AlgorithmID.SignatureAlgs.dsaWithSHA1
• "ecdsaWithSHA1" - AlgorithmID.SignatureAlgs.ecdsaWithSHA1

Parameters:

isSigned - Boolean value which determines whether the OCSP Request is signed (true) or whether it is unsigned (false). The default value is unsigned (false).

includeCerts - An optional parameter than used to help the OCSP responder build a path to the requestorCertificate for certificate validation on the OCSP server side.

signaturealg - The signature algorithm used to signed the request.

setURLLocation

public void setURLLocation(java.net.URL url)

Sets the Access location of the OCSP Responder. RFC 2560 defines the following:

 In order to convey to OCSP clients a well-known point of information
 access, CAs SHALL provide the capability to include the
 AuthorityInfoAccess extension (defined in [RFC3280], section 4.2.2.1)
 in certificates that can be checked using OCSP.  Alternatively, the
 accessLocation for the OCSP provider may be configured locally at the
 OCSP client.

 CAs that support an OCSP service, either hosted locally or provided
 by an Authorized Responder, MUST provide for the inclusion of a value
 for a uniformResourceIndicator (URI) accessLocation and the OID value
 id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE.

 The value of the accessLocation field in the subject certificate
 defines the transport (e.g. HTTP) used to access the OCSP responder
 and may contain other transport dependent information (e.g. a URL).
 

This method stores the URL in both URL and GeneralName format. If the URL has already been set, it will be overridden with the new value. If the URL does not represent a URL, then the value of the URL and AccessMethod will be null.

Parameters:

url - The accessLocation of the OCSP responder

setUseNonce

public void setUseNonce(boolean useNonce)

Allows sending of the Nonce OCSP request extension.

Nonce - (RFC 2560) specifies the Nonce extension for cryptographically binding a request and a response to prevent replay attacks. It is used only in requests where pre-generated or cached responses are not acceptable. The nonce is included as one of the requestExtensions in an OCSPRequest, while in responses it would be included as one of the responseExtensions.

Setting this value to true in the OCSPConfiguration will cause the Java toolkit to create a random Nonce value each time an OCSP request is generated. When the OCSP responder responds to a request with the Nonce extension, it must include a copy of the Nonce in the signed response, otherwise the response will be considered invalid. Usage of the nonce therefore forces the OCSP responder to generate a fresh OCSP request, which may result in more timely revocation information.

SingleResponses are not cached when this setting is true.

Parameters:

useNonce - true to indicate Nonce should be used, false if nonce should not be used. The default setting is false.

setSSLConfiguration

public void setSSLConfiguration(javax.net.ssl.SSLSocketFactory factory,
                       javax.net.ssl.HostnameVerifier hostnameVerifier,
                       java.net.URLStreamHandler streamHandler)

Set the SSL Connection parameters to use when the OCSP access location is an HTTPS location

Parameters:

factory - The SSLSocketFactory that will be used to create the sockets

hostnameVerifier - the HostnameVerifier to use when performing hostname validation on SSL requests

streamHandler - The URLStreamHandler that will be used to perform the protocol side of the connection.

getSSLSocketFactory

public javax.net.ssl.SSLSocketFactory getSSLSocketFactory()

Return the SSLSocketFactory used when an OCSP request over HTTPS is used:

Returns:

The SSLSocketFactory

getHostnameVerifier

public javax.net.ssl.HostnameVerifier getHostnameVerifier()

Return the HostnameVerifier to use when an OCSP request over HTTPS is used

Returns:

The HostnameVerifier

getStreamHandler

public java.net.URLStreamHandler getStreamHandler()

Return the URLStreamHandler to use when an OCSP request over HTTPS is used

Returns:

The URLStreamHandler

shallowCopy

public OCSPConfiguration shallowCopy()

Makes a shallow copy of this object.

Warning: This object does not make a deep copy of the object! Care must be taken after calling this method as changes to the object could affect the original object.

After this method is called, any calls to add or remove CADN or ResponderCerticate Lists are not safe. These methods make changes to the underlying Arraylist structure.

All other method calls replace existing data in the newly copied object and are therefore safe.

Returns:

a copy of this object