如何缓存iTextSharp(LTV签名)的OCSP响应?
问题描述:
我使用iTextSharp 5.5.10来生成签名的PDF。特别是,我需要LTV签名。 LTV可以通过CRL和OCSP请求完成。如何缓存iTextSharp(LTV签名)的OCSP响应?
我有这样的代码做了它:
IOcspClient ocspClient = new OcspClientBouncyCastle();
ICrlClient crlClient = new CrlClientOnline(myCert.Chain);
List<ICrlClient> lstCrlClients = new List<ICrlClient> { crlClient };
MakeSignature.SignDetached(sap, signature, this.myCert.Chain, lstCrlClients, ocspClient, null, 0, CryptoStandard.CMS);
的问题是:我登录了很多很多PDF(总是以相同的证书)。所以,我不想每次都做CRL和OCSP请求,我必须“缓存”它们。
我设法用这种代码(它依赖于C#的MemoryCache)来缓存CRL:
private List<ICrlClient> GetCachedListCrlClient()
{
var key = "LstCrlClient";
List<ICrlClient> lstCrlClients = MyGlobalCachingProvider.GetItem<List<ICrlClient>>(key);
if (lstCrlClients == null)
{
lstCrlClients = new List<ICrlClient>();
for (int i = 0; i < myCert.Chain.Length; i++)
{
String crlUrl = CertificateUtil.GetCRLURL(myCert.Chain[i]);
if (crlUrl != null)
{
byte[] crlDownloaded = new System.Net.WebClient().DownloadData(crlUrl);
ICrlClient crlClient = new CrlClientOffline(crlDownloaded);
lstCrlClients.Add(crlClient);
}
}
MyGlobalCachingProvider.AddItem(key, lstCrlClients, DateTime.Now.AddHours(2));
}
return lstCrlClients;
}
我却无法找到任何解决方案缓存OCSP响应。有人有线索吗?
答
感谢mlk评论,我做到了:我实现了我自己的类,灵感来自OcspClientBouncyCastle代码。代码确实很简单。我的班级管理缓存:它只发送一个OCSP请求。这是做这些事的好方法。
示例代码:
// Once instanciated, this class fires one and only one OCSP request : it keeps the first result in memory.
// You may want to cache this object ; ie with MemoryCache.
public class MyOcspClientBouncyCastleSingleRequest : IOcspClient
{
private static readonly ILogger LOGGER = LoggerFactory.GetLogger(typeof(OcspClientBouncyCastle));
private readonly OcspVerifier verifier;
// The request-result
private Dictionary<String, BasicOcspResp> _cachedOcspResponse = new Dictionary<string, BasicOcspResp>();
/**
* Create default implemention of {@code OcspClient}.
* Note, if you use this constructor, OCSP response will not be verified.
*/
[Obsolete]
public MyOcspClientBouncyCastleSingleRequest()
{
verifier = null;
}
/**
* Create {@code OcspClient}
* @param verifier will be used for response verification. {@see OCSPVerifier}.
*/
public MyOcspClientBouncyCastleSingleRequest(OcspVerifier verifier)
{
this.verifier = verifier;
}
/**
* Gets OCSP response. If {@see OCSPVerifier} was set, the response will be checked.
*/
public virtual BasicOcspResp GetBasicOCSPResp(X509Certificate checkCert, X509Certificate rootCert, String url)
{
String dicKey = checkCert.SubjectDN.ToString() + "-" + rootCert.SubjectDN.ToString() + "-" + url;
if (_cachedOcspResponse != null && _cachedOcspResponse.Count > 0 && _cachedOcspResponse.ContainsKey(dicKey))
{
BasicOcspResp cachedResult = _cachedOcspResponse[dicKey];
return cachedResult;
}
else
{
try
{
OcspResp ocspResponse = GetOcspResponse(checkCert, rootCert, url);
if (ocspResponse == null)
{
_cachedOcspResponse.Add(dicKey, null);
return null;
}
if (ocspResponse.Status != OcspRespStatus.Successful)
{
_cachedOcspResponse.Add(dicKey, null);
return null;
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (verifier != null)
{
verifier.IsValidResponse(basicResponse, rootCert);
}
_cachedOcspResponse.Add(dicKey, basicResponse);
return basicResponse;
}
catch (Exception ex)
{
if (LOGGER.IsLogging(Level.ERROR))
LOGGER.Error(ex.Message);
}
return null;
}
}
/**
* Gets an encoded byte array with OCSP validation. The method should not throw an exception.
*
* @param checkCert to certificate to check
* @param rootCert the parent certificate
* @param url to get the verification. It it's null it will be taken
* from the check cert or from other implementation specific source
* @return a byte array with the validation or null if the validation could not be obtained
*/
public byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url)
{
try
{
BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url);
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return basicResponse.GetEncoded();
}
else if (status is RevokedStatus)
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
}
else
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
}
}
}
}
catch (Exception ex)
{
if (LOGGER.IsLogging(Level.ERROR))
LOGGER.Error(ex.Message);
}
return null;
}
/**
* Generates an OCSP request using BouncyCastle.
* @param issuerCert certificate of the issues
* @param serialNumber serial number
* @return an OCSP request
* @throws OCSPException
* @throws IOException
*/
private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
{
// Generate the id for the certificate we are looking for
CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
// basic request generation with nonce
OcspReqGenerator gen = new OcspReqGenerator();
gen.AddRequest(id);
// create details for nonce extension
IDictionary extensions = new Hashtable();
extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(PdfEncryption.CreateDocumentId()).GetEncoded()));
gen.SetRequestExtensions(new X509Extensions(extensions));
return gen.Generate();
}
private OcspResp GetOcspResponse(X509Certificate checkCert, X509Certificate rootCert, String url)
{
if (checkCert == null || rootCert == null)
return null;
if (url == null)
{
url = CertificateUtil.GetOCSPURL(checkCert);
}
if (url == null)
return null;
LOGGER.Info("Getting OCSP from " + url);
OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
byte[] array = request.GetEncoded();
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
con.ContentLength = array.Length;
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp = con.GetRequestStream();
outp.Write(array, 0, array.Length);
outp.Close();
HttpWebResponse response = (HttpWebResponse)con.GetResponse();
if (response.StatusCode != HttpStatusCode.OK)
throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
inp.Close();
response.Close();
return ocspResponse;
}
OCSP响应通常只有很短的时间去生活。因此,通常缓存它们是不值得的。如果您在短时间内签署非常多的PDF,您可能需要实施类似于“CrlClientOffline”的“OcspClientOffline”。看看代码,这是微不足道的。 – mkl
谢谢。你的解决方案是好的。然而,OCSP的回应并不总是短暂的:几分钟到几天。就我而言,这是10天!所以我认为iText应该为我们提供这个问题的标准解决方案... – AEC
10天OCSP响应?哇!好吧,在这种情况下,我确实知道你想要缓存。我只习惯不超过几分钟的生活时间。 – mkl