OcspClient Class — netty Architecture
Architecture documentation for the OcspClient class in OcspClient.java from the netty codebase.
Entity Profile
Dependency Diagram
```mermaid
graph TD
    b3812cec_6383_4848_72ed_d7aa9ab08546["OcspClient"]
    1fc80aa3_ba19_9b50_d3a5_47eaa0a7dc98["OcspClient.java"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|defined in| 1fc80aa3_ba19_9b50_d3a5_47eaa0a7dc98
    a95f2426_2f96_5a1e_b38a_6852764f680c["query()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| a95f2426_2f96_5a1e_b38a_6852764f680c
    665d2265_ea4a_1a24_17a6_15e9efedc3f9["validateResponse()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| 665d2265_ea4a_1a24_17a6_15e9efedc3f9
    4b22f2c1_501c_bdd1_fafa_7de113198125["validateNonce()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| 4b22f2c1_501c_bdd1_fafa_7de113198125
    af12db0d_0585_7f39_ea00_ea888c0f0445["validateSignature()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| af12db0d_0585_7f39_ea00_ea888c0f0445
    50598886_9268_4a91_78f1_ceeb719d9600["validateCertificateChain()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| 50598886_9268_4a91_78f1_ceeb719d9600
    eed38e08_ff7d_6979_6ead_826c58934b20["String()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| eed38e08_ff7d_6979_6ead_826c58934b20
    d2ac9bea_c790_2932_2c32_116afd26b876["OcspClient()"]
    b3812cec_6383_4848_72ed_d7aa9ab08546 -->|method| d2ac9bea_c790_2932_2c32_116afd26b876
```
Source Code
handler-ssl-ocsp/src/main/java/io/netty/handler/ssl/ocsp/OcspClient.java lines 86–410
```java
final class OcspClient {
    private static final InternalLogger logger = InternalLoggerFactory.getInstance(OcspClient.class);
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    // Upper bound on the OCSP response body accepted from a responder; tunable via system property.
    private static final int OCSP_RESPONSE_MAX_SIZE = SystemPropertyUtil.getInt(
            "io.netty.ocsp.responseSize", 1024 * 10);

    static {
        logger.debug("-Dio.netty.ocsp.responseSize: {} bytes", OCSP_RESPONSE_MAX_SIZE);
    }

    /**
     * Query the certificate status using OCSP.
     *
     * @param x509Certificate Client {@link X509Certificate} to validate
     * @param issuer {@link X509Certificate} issuer of the client certificate
     * @param validateResponseNonce Set to {@code true} to require the OCSP response to echo the request nonce
     * @param ioTransport {@link IoTransport} to use
     * @param dnsNameResolver {@link DnsNameResolver} used to resolve the OCSP responder host
     * @return {@link Promise} of {@link BasicOCSPResp}
     */
    static Promise<BasicOCSPResp> query(final X509Certificate x509Certificate,
                                        final X509Certificate issuer, final boolean validateResponseNonce,
                                        final IoTransport ioTransport, final DnsNameResolver dnsNameResolver) {
        final EventLoop eventLoop = ioTransport.eventLoop();
        final Promise<BasicOCSPResp> responsePromise = eventLoop.newPromise();

        eventLoop.execute(new Runnable() {
            @Override
            public void run() {
                try {
                    // CertificateID: SHA-1 hashes of the issuer name and issuer key, plus the serial number.
                    CertificateID certificateID = new CertificateID(new JcaDigestCalculatorProviderBuilder()
                            .build().get(HASH_SHA1), new JcaX509CertificateHolder(issuer),
                            x509Certificate.getSerialNumber());

                    // Initialize OCSP Request Builder and add CertificateID into it.
                    OCSPReqBuilder builder = new OCSPReqBuilder();
                    builder.addRequest(certificateID);

                    // Generate 16 bytes (octets) of nonce and add it to the OCSP Request builder,
                    // as per RFC 8954 section 2.1:
                    //
                    //   OCSP responders MUST accept lengths of at least
                    //   16 octets and MAY choose to ignore the Nonce extension for requests
                    //   where the length of the nonce is less than 16 octets.
                    byte[] nonce = new byte[16];
                    SECURE_RANDOM.nextBytes(nonce);
                    final DEROctetString derNonce = new DEROctetString(nonce);
                    builder.setRequestExtensions(new Extensions(new Extension(id_pkix_ocsp_nonce, false, derNonce)));

                    // Get OCSP URL from Certificate and query it.
                    URL uri = new URL(parseOcspUrlFromCertificate(x509Certificate));

                    // Find port
                    int port = uri.getPort();
                    if (port == -1) {
                        port = uri.getDefaultPort();
                    }

                    // Configure path
                    String path = uri.getPath();
                    if (path.isEmpty()) {
                        path = "/";
                    } else {
                        if (uri.getQuery() != null) {
                            path = path + '?' + uri.getQuery();
                        }
                    }

                    Promise<OCSPResp> ocspResponsePromise = query(eventLoop,
                            Unpooled.wrappedBuffer(builder.build().getEncoded()),
                            uri.getHost(), port, path, ioTransport, dnsNameResolver);

                    // Validate OCSP response
                    ocspResponsePromise.addListener((GenericFutureListener<Future<OCSPResp>>) future -> {
                        // If Future was successful then we have received OCSP response
                        // We will now validate it.
                        if (future.isSuccess()) {
                            try {
                                BasicOCSPResp resp = (BasicOCSPResp) future.getNow().getResponseObject();
                                validateResponse(responsePromise, resp, derNonce, issuer, validateResponseNonce);
                            } catch (Throwable t) {
```
Frequently Asked Questions
What is the OcspClient class?
OcspClient is a class in the netty codebase, defined in handler-ssl-ocsp/src/main/java/io/netty/handler/ssl/ocsp/OcspClient.java.
Where is OcspClient defined?
OcspClient is defined in handler-ssl-ocsp/src/main/java/io/netty/handler/ssl/ocsp/OcspClient.java at line 86.