}
if (unknownCA == true) {
String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacertusedefault", new String(Hex.encode(certId.getIssuerNameHash())));
m_log.info(errMsg);
// If we can not find the CA, answer UnknowStatus
responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), nextUpdate));
transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_UNKNOWN);
transactionLogger.writeln();
continue;
} else {
transactionLogger.paramPut(ITransactionLogger.ISSUER_NAME_DN, cacert.getSubjectDN().getName());
}
/*
* Implement logic according to
* chapter 2.7 in RFC2560
*
* 2.7 CA Key Compromise
* If an OCSP responder knows that a particular CA's private key has
* been compromised, it MAY return the revoked state for all
* certificates issued by that CA.
*/
final org.bouncycastle.ocsp.CertificateStatus certStatus;
transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD); // it seems to be correct
// Check if the cacert (or the default responderid) is revoked
final CertificateStatus cacertStatus = this.data.certificateStoreSession.getStatus(CertTools.getIssuerDN(cacert), CertTools.getSerialNumber(cacert));
if ( !cacertStatus.equals(CertificateStatus.REVOKED) ) {
// Check if cert is revoked
final CertificateStatus status = this.data.certificateStoreSession.getStatus(cacert.getSubjectDN().getName(), certId.getSerialNumber());
// If we have different maxAge and untilNextUpdate for different certificate profiles, we have to fetch these
// values now that we have fetched the certificate status, that includes certificate profile.
nextUpdate = OcspConfiguration.getUntilNextUpdate(status.certificateProfileId);
maxAge = OcspConfiguration.getMaxAge(status.certificateProfileId);
if (m_log.isDebugEnabled()) {
m_log.debug("Set nextUpdate="+nextUpdate+", and maxAge="+maxAge+" for certificateProfileId="+status.certificateProfileId);
}
final String sStatus;
if (status.equals(CertificateStatus.NOT_AVAILABLE)) {
// No revocation info available for this cert, handle it
if (m_log.isDebugEnabled()) {
m_log.debug("Unable to find revocation information for certificate with serial '"
+ certId.getSerialNumber().toString(16) + "'"
+ " from issuer '" + cacert.getSubjectDN().getName() + "'");
}
// If we do not treat non existing certificates as good
// OR
// we don't actually handle requests for the CA issuing the certificate asked about
// then we return unknown
if ( (!m_nonExistingIsGood) || (this.data.m_caCertCache.findByOcspHash(certId) == null) ) {
sStatus = "unknown";
certStatus = new UnknownStatus();
transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_UNKNOWN);
} else {
sStatus = "good";
certStatus = null; // null means "good" in OCSP
transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD);