test/jdk/java/security/testlibrary/SimpleOCSPServer.java
author jboes
Fri, 08 Nov 2019 11:15:16 +0000
changeset 59029 3786a0962570
parent 47216 71c04702a3d5
permissions -rw-r--r--
8232853: AuthenticationFilter.Cache::remove may throw ConcurrentModificationException Summary: Change implementation to use iterator instead of plain LinkedList Reviewed-by: dfuchs, vtewari

/*
 * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.testlibrary;

import java.io.*;
import java.net.*;
import java.security.*;
import java.security.cert.CRLReason;
import java.security.cert.X509Certificate;
import java.security.cert.Extension;
import java.security.cert.CertificateException;
import java.security.cert.CertificateEncodingException;
import java.security.Signature;
import java.util.*;
import java.util.concurrent.*;
import java.text.SimpleDateFormat;
import java.math.BigInteger;

import sun.security.x509.*;
import sun.security.x509.PKIXExtensions;
import sun.security.provider.certpath.ResponderId;
import sun.security.provider.certpath.CertId;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.provider.certpath.OCSPResponse.ResponseStatus;
import sun.security.util.Debug;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;


/**
 * This is a simple OCSP server designed to listen and respond to incoming
 * requests.
 */
public class SimpleOCSPServer {
    private final Debug debug = Debug.getInstance("oserv");
    private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID =
            ObjectIdentifier.newInternal(
                    new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
    private static final SimpleDateFormat utcDateFmt =
            new SimpleDateFormat("MMM dd yyyy, HH:mm:ss z");

    static final int FREE_PORT = 0;

    // CertStatus values
    public static enum CertStatus {
        CERT_STATUS_GOOD,
        CERT_STATUS_REVOKED,
        CERT_STATUS_UNKNOWN,
    }

    // Fields used for the networking portion of the responder
    private ServerSocket servSocket;
    private InetAddress listenAddress;
    private int listenPort;

    // Keystore information (certs, keys, etc.)
    private KeyStore keystore;
    private X509Certificate issuerCert;
    private X509Certificate signerCert;
    private PrivateKey signerKey;

    // Fields used for the operational portions of the server
    private boolean logEnabled = false;
    private ExecutorService threadPool;
    private volatile boolean started = false;
    private volatile boolean serverReady = false;
    private volatile boolean receivedShutdown = false;
    private volatile boolean acceptConnections = true;
    private volatile long delayMsec = 0;

    // Fields used in the generation of responses
    private long nextUpdateInterval = -1;
    private Date nextUpdate = null;
    private ResponderId respId;
    private AlgorithmId sigAlgId;
    private Map<CertId, CertStatusInfo> statusDb =
            Collections.synchronizedMap(new HashMap<>());

    /**
     * Construct a SimpleOCSPServer using keystore, password, and alias
     * parameters.
     *
     * @param ks the keystore to be used
     * @param password the password to access key material in the keystore
     * @param issuerAlias the alias of the issuer certificate
     * @param signerAlias the alias of the signer certificate and key.  A
     * value of {@code null} means that the {@code issuerAlias} will be used
     * to look up the signer key.
     *
     * @throws GeneralSecurityException if there are problems accessing the
     * keystore or finding objects within the keystore.
     * @throws IOException if a {@code ResponderId} cannot be generated from
     * the signer certificate.
     */
    public SimpleOCSPServer(KeyStore ks, String password, String issuerAlias,
            String signerAlias) throws GeneralSecurityException, IOException {
        this(null, FREE_PORT, ks, password, issuerAlias, signerAlias);
    }

    /**
     * Construct a SimpleOCSPServer using specific network parameters,
     * keystore, password, and alias.
     *
     * @param addr the address to bind the server to.  A value of {@code null}
     * means the server will bind to all interfaces.
     * @param port the port to listen on.  A value of {@code 0} will mean that
     * the server will randomly pick an open ephemeral port to bind to.
     * @param ks the keystore to be used
     * @param password the password to access key material in the keystore
     * @param issuerAlias the alias of the issuer certificate
     * @param signerAlias the alias of the signer certificate and key.  A
     * value of {@code null} means that the {@code issuerAlias} will be used
     * to look up the signer key.
     *
     * @throws GeneralSecurityException if there are problems accessing the
     * keystore or finding objects within the keystore.
     * @throws IOException if a {@code ResponderId} cannot be generated from
     * the signer certificate.
     */
    public SimpleOCSPServer(InetAddress addr, int port, KeyStore ks,
            String password, String issuerAlias, String signerAlias)
            throws GeneralSecurityException, IOException {
        Objects.requireNonNull(ks, "Null keystore provided");
        Objects.requireNonNull(issuerAlias, "Null issuerName provided");

        utcDateFmt.setTimeZone(TimeZone.getTimeZone("GMT"));

        keystore = ks;
        issuerCert = (X509Certificate)ks.getCertificate(issuerAlias);
        if (issuerCert == null) {
            throw new IllegalArgumentException("Certificate for alias " +
                    issuerAlias + " not found");
        }

        if (signerAlias != null) {
            signerCert = (X509Certificate)ks.getCertificate(signerAlias);
            if (signerCert == null) {
                throw new IllegalArgumentException("Certificate for alias " +
                    signerAlias + " not found");
            }
            signerKey = (PrivateKey)ks.getKey(signerAlias,
                    password.toCharArray());
            if (signerKey == null) {
                throw new IllegalArgumentException("PrivateKey for alias " +
                    signerAlias + " not found");
            }
        } else {
            signerCert = issuerCert;
            signerKey = (PrivateKey)ks.getKey(issuerAlias,
                    password.toCharArray());
            if (signerKey == null) {
                throw new IllegalArgumentException("PrivateKey for alias " +
                    issuerAlias + " not found");
            }
        }

        sigAlgId = AlgorithmId.get("Sha256withRSA");
        respId = new ResponderId(signerCert.getSubjectX500Principal());
        listenAddress = addr;
        listenPort = port;
    }

    /**
     * Start the server.  The server will bind to the specified network
     * address and begin listening for incoming connections.
     *
     * @throws IOException if any number of things go wonky.
     */
    public synchronized void start() throws IOException {
        // You cannot start the server twice.
        if (started) {
            log("Server has already been started");
            return;
        } else {
            started = true;
        }

        // Create and start the thread pool
        threadPool = Executors.newFixedThreadPool(32, new ThreadFactory() {
            @Override
            public Thread newThread(Runnable r) {
                Thread t = Executors.defaultThreadFactory().newThread(r);
                t.setDaemon(true);
                return t;
            }
        });

        threadPool.submit(new Runnable() {
            @Override
            public void run() {
                try (ServerSocket sSock = new ServerSocket()) {
                    servSocket = sSock;
                    servSocket.setReuseAddress(true);
                    servSocket.setSoTimeout(500);
                    servSocket.bind(new InetSocketAddress(listenAddress,
                            listenPort), 128);
                    log("Listening on " + servSocket.getLocalSocketAddress());

                    // Singal ready
                    serverReady = true;

                    // Update the listenPort with the new port number.  If
                    // the server is restarted, it will bind to the same
                    // port rather than picking a new one.
                    listenPort = servSocket.getLocalPort();

                    // Main dispatch loop
                    while (!receivedShutdown) {
                        try {
                            Socket newConnection = servSocket.accept();
                            if (!acceptConnections) {
                                try {
                                    log("Reject connection");
                                    newConnection.close();
                                } catch (IOException e) {
                                    // ignore
                                }
                                continue;
                            }
                            threadPool.submit(new OcspHandler(newConnection));
                        } catch (SocketTimeoutException timeout) {
                            // Nothing to do here.  If receivedShutdown
                            // has changed to true then the loop will
                            // exit on its own.
                        } catch (IOException ioe) {
                            // Something bad happened, log and force a shutdown
                            log("Unexpected Exception: " + ioe);
                            stop();
                        }
                    }

                    log("Shutting down...");
                    threadPool.shutdown();
                } catch (IOException ioe) {
                    err(ioe);
                } finally {
                    // Reset state variables so the server can be restarted
                    receivedShutdown = false;
                    started = false;
                    serverReady = false;
                }
            }
        });
    }

    /**
     * Make the OCSP server reject incoming connections.
     */
    public synchronized void rejectConnections() {
        log("Reject OCSP connections");
        acceptConnections = false;
    }

    /**
     * Make the OCSP server accept incoming connections.
     */
    public synchronized void acceptConnections() {
        log("Accept OCSP connections");
        acceptConnections = true;
    }


    /**
     * Stop the OCSP server.
     */
    public synchronized void stop() {
        if (started) {
            receivedShutdown = true;
            log("Received shutdown notification");
        }
    }

    /**
     * Print {@code SimpleOCSPServer} operating parameters.
     *
     * @return the {@code SimpleOCSPServer} operating parameters in
     * {@code String} form.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("OCSP Server:\n");
        sb.append("----------------------------------------------\n");
        sb.append("issuer: ").append(issuerCert.getSubjectX500Principal()).
                append("\n");
        sb.append("signer: ").append(signerCert.getSubjectX500Principal()).
                append("\n");
        sb.append("ResponderId: ").append(respId).append("\n");
        sb.append("----------------------------------------------");

        return sb.toString();
    }

    /**
     * Helpful debug routine to hex dump byte arrays.
     *
     * @param data the array of bytes to dump to stdout.
     *
     * @return the hexdump of the byte array
     */
    private static String dumpHexBytes(byte[] data) {
        return dumpHexBytes(data, 16, "\n", " ");
    }

    /**
     *
     * @param data the array of bytes to dump to stdout.
     * @param itemsPerLine the number of bytes to display per line
     * if the {@code lineDelim} character is blank then all bytes will be
     * printed on a single line.
     * @param lineDelim the delimiter between lines
     * @param itemDelim the delimiter between bytes
     *
     * @return The hexdump of the byte array
     */
    private static String dumpHexBytes(byte[] data, int itemsPerLine,
            String lineDelim, String itemDelim) {
        StringBuilder sb = new StringBuilder();
        if (data != null) {
            for (int i = 0; i < data.length; i++) {
                if (i % itemsPerLine == 0 && i != 0) {
                    sb.append(lineDelim);
                }
                sb.append(String.format("%02X", data[i])).append(itemDelim);
            }
        }

        return sb.toString();
    }

    /**
     * Enable or disable the logging feature.
     *
     * @param enable {@code true} to enable logging, {@code false} to
     * disable it.  The setting must be activated before the server calls
     * its start method.  Any calls after that have no effect.
     */
    public void enableLog(boolean enable) {
        if (!started) {
            logEnabled = enable;
        }
    }

    /**
     * Sets the nextUpdate interval.  Intervals will be calculated relative
     * to the server startup time.  When first set, the nextUpdate date is
     * calculated based on the current time plus the interval.  After that,
     * calls to getNextUpdate() will return this date if it is still
     * later than current time.  If not, the Date will be updated to the
     * next interval that is later than current time.  This value must be set
     * before the server has had its start method called.  Calls made after
     * the server has been started have no effect.
     *
     * @param interval the recurring time interval in seconds used to
     * calculate nextUpdate times.   A value less than or equal to 0 will
     * disable the nextUpdate feature.
     */
    public synchronized void setNextUpdateInterval(long interval) {
        if (!started) {
            if (interval <= 0) {
                nextUpdateInterval = -1;
                nextUpdate = null;
                log("nexUpdate support has been disabled");
            } else {
                nextUpdateInterval = interval * 1000;
                nextUpdate = new Date(System.currentTimeMillis() +
                        nextUpdateInterval);
                log("nextUpdate set to " + nextUpdate);
            }
        }
    }

    /**
     * Return the nextUpdate {@code Date} object for this server.  If the
     * nextUpdate date has already passed, set a new nextUpdate based on
     * the nextUpdate interval and return that date.
     *
     * @return a {@code Date} object set to the nextUpdate field for OCSP
     * responses.
     */
    private synchronized Date getNextUpdate() {
        if (nextUpdate != null && nextUpdate.before(new Date())) {
            long nuEpochTime = nextUpdate.getTime();
            long currentTime = System.currentTimeMillis();

            // Keep adding nextUpdate intervals until you reach a date
            // that is later than current time.
            while (currentTime >= nuEpochTime) {
                nuEpochTime += nextUpdateInterval;
            }

            // Set the nextUpdate for future threads
            nextUpdate = new Date(nuEpochTime);
            log("nextUpdate updated to new value: " + nextUpdate);
        }
        return nextUpdate;
    }

    /**
     * Add entries into the responder's status database.
     *
     * @param newEntries a map of {@code CertStatusInfo} objects, keyed on
     * their serial number (as a {@code BigInteger}).  All serial numbers
     * are assumed to have come from this responder's issuer certificate.
     *
     * @throws IOException if a CertId cannot be generated.
     */
    public void updateStatusDb(Map<BigInteger, CertStatusInfo> newEntries)
            throws IOException {
         if (newEntries != null) {
            for (BigInteger serial : newEntries.keySet()) {
                CertStatusInfo info = newEntries.get(serial);
                if (info != null) {
                    CertId cid = new CertId(issuerCert,
                            new SerialNumber(serial));
                    statusDb.put(cid, info);
                    log("Added entry for serial " + serial + "(" +
                            info.getType() + ")");
                }
            }
        }
    }

    /**
     * Check the status database for revocation information one one or more
     * certificates.
     *
     * @param reqList the list of {@code LocalSingleRequest} objects taken
     * from the incoming OCSP request.
     *
     * @return a {@code Map} of {@code CertStatusInfo} objects keyed by their
     * {@code CertId} values, for each single request passed in.  Those
     * CertIds not found in the statusDb will have returned List members with
     * a status of UNKNOWN.
     */
    private Map<CertId, CertStatusInfo> checkStatusDb(
            List<LocalOcspRequest.LocalSingleRequest> reqList) {
        // TODO figure out what, if anything to do with request extensions
        Map<CertId, CertStatusInfo> returnMap = new HashMap<>();

        for (LocalOcspRequest.LocalSingleRequest req : reqList) {
            CertId cid = req.getCertId();
            CertStatusInfo info = statusDb.get(cid);
            if (info != null) {
                log("Status for SN " + cid.getSerialNumber() + ": " +
                        info.getType());
                returnMap.put(cid, info);
            } else {
                log("Status for SN " + cid.getSerialNumber() +
                        " not found, using CERT_STATUS_UNKNOWN");
                returnMap.put(cid,
                        new CertStatusInfo(CertStatus.CERT_STATUS_UNKNOWN));
            }
        }

        return Collections.unmodifiableMap(returnMap);
    }

    /**
     * Set the digital signature algorithm used to sign OCSP responses.
     *
     * @param algName The algorithm name
     *
     * @throws NoSuchAlgorithmException if the algorithm name is invalid.
     */
    public void setSignatureAlgorithm(String algName)
            throws NoSuchAlgorithmException {
        if (!started) {
            sigAlgId = AlgorithmId.get(algName);
        }
    }

    /**
     * Get the port the OCSP server is running on.
     *
     * @return the port that the OCSP server is running on, or -1 if the
     * server has not yet been bound to a port.
     */
    public int getPort() {
        if (serverReady) {
            InetSocketAddress inetSock =
                    (InetSocketAddress)servSocket.getLocalSocketAddress();
            return inetSock.getPort();
        } else {
            return -1;
        }
    }

    /**
     * Use to check if OCSP server is ready to accept connection.
     *
     * @return true if server ready, false otherwise
     */
    public boolean isServerReady() {
        return serverReady;
    }

    /**
     * Set a delay between the reception of the request and production of
     * the response.
     *
     * @param delayMillis the number of milliseconds to wait before acting
     * on the incoming request.
     */
    public void setDelay(long delayMillis) {
        delayMsec = delayMillis > 0 ? delayMillis : 0;
        if (delayMsec > 0) {
            log("OCSP latency set to " + delayMsec + " milliseconds.");
        } else {
            log("OCSP latency disabled");
        }
    }

    /**
     * Log a message to stdout.
     *
     * @param message the message to log
     */
    private synchronized void log(String message) {
        if (logEnabled || debug != null) {
            System.out.println("[" + Thread.currentThread().getName() + "]: " +
                    message);
        }
    }

    /**
     * Log an error message on the stderr stream.
     *
     * @param message the message to log
     */
    private static synchronized void err(String message) {
        System.out.println("[" + Thread.currentThread().getName() + "]: " +
                message);
    }

    /**
     * Log exception information on the stderr stream.
     *
     * @param exc the exception to dump information about
     */
    private static synchronized void err(Throwable exc) {
        System.out.print("[" + Thread.currentThread().getName() +
                "]: Exception: ");
        exc.printStackTrace(System.out);
    }

    /**
     * The {@code CertStatusInfo} class defines an object used to return
     * information from the internal status database.  The data in this
     * object may be used to construct OCSP responses.
     */
    public static class CertStatusInfo {
        private CertStatus certStatusType;
        private CRLReason reason;
        private Date revocationTime;

        /**
         * Create a Certificate status object by providing the status only.
         * If the status is {@code REVOKED} then current time is assumed
         * for the revocation time.
         *
         * @param statType the status for this entry.
         */
        public CertStatusInfo(CertStatus statType) {
            this(statType, null, null);
        }

        /**
         * Create a CertStatusInfo providing both type and revocation date
         * (if applicable).
         *
         * @param statType the status for this entry.
         * @param revDate if applicable, the date that revocation took place.
         * A value of {@code null} indicates that current time should be used.
         * If the value of {@code statType} is not {@code CERT_STATUS_REVOKED},
         * then the {@code revDate} parameter is ignored.
         */
        public CertStatusInfo(CertStatus statType, Date revDate) {
            this(statType, revDate, null);
        }

        /**
         * Create a CertStatusInfo providing type, revocation date
         * (if applicable) and revocation reason.
         *
         * @param statType the status for this entry.
         * @param revDate if applicable, the date that revocation took place.
         * A value of {@code null} indicates that current time should be used.
         * If the value of {@code statType} is not {@code CERT_STATUS_REVOKED},
         * then the {@code revDate} parameter is ignored.
         * @param revReason the reason the certificate was revoked.  A value of
         * {@code null} means that no reason was provided.
         */
        public CertStatusInfo(CertStatus statType, Date revDate,
                CRLReason revReason) {
            Objects.requireNonNull(statType, "Cert Status must be non-null");
            certStatusType = statType;
            switch (statType) {
                case CERT_STATUS_GOOD:
                case CERT_STATUS_UNKNOWN:
                    revocationTime = null;
                    break;
                case CERT_STATUS_REVOKED:
                    revocationTime = revDate != null ? (Date)revDate.clone() :
                            new Date();
                    break;
                default:
                    throw new IllegalArgumentException("Unknown status type: " +
                            statType);
            }
        }

        /**
         * Get the cert status type
         *
         * @return the status applied to this object (e.g.
         * {@code CERT_STATUS_GOOD}, {@code CERT_STATUS_UNKNOWN}, etc.)
         */
        public CertStatus getType() {
            return certStatusType;
        }

        /**
         * Get the revocation time (if applicable).
         *
         * @return the revocation time as a {@code Date} object, or
         * {@code null} if not applicable (i.e. if the certificate hasn't been
         * revoked).
         */
        public Date getRevocationTime() {
            return (revocationTime != null ? (Date)revocationTime.clone() :
                    null);
        }

        /**
         * Get the revocation reason.
         *
         * @return the revocation reason, or {@code null} if one was not
         * provided.
         */
        public CRLReason getRevocationReason() {
            return reason;
        }
    }

    /**
     * Runnable task that handles incoming OCSP Requests and returns
     * responses.
     */
    private class OcspHandler implements Runnable {
        private final Socket sock;
        InetSocketAddress peerSockAddr;

        /**
         * Construct an {@code OcspHandler}.
         *
         * @param incomingSocket the socket the server created on accept()
         */
        private OcspHandler(Socket incomingSocket) {
            sock = incomingSocket;
        }

        /**
         * Run the OCSP Request parser and construct a response to be sent
         * back to the client.
         */
        @Override
        public void run() {
            // If we have implemented a delay to simulate network latency
            // wait out the delay here before any other processing.
            try {
                if (delayMsec > 0) {
                    Thread.sleep(delayMsec);
                }
            } catch (InterruptedException ie) {
                // Just log the interrupted sleep
                log("Delay of " + delayMsec + " milliseconds was interrupted");
            }

            try (Socket ocspSocket = sock;
                    InputStream in = ocspSocket.getInputStream();
                    OutputStream out = ocspSocket.getOutputStream()) {
                peerSockAddr =
                        (InetSocketAddress)ocspSocket.getRemoteSocketAddress();
                log("Received incoming connection from " + peerSockAddr);
                String[] headerTokens = readLine(in).split(" ");
                LocalOcspRequest ocspReq = null;
                LocalOcspResponse ocspResp = null;
                ResponseStatus respStat = ResponseStatus.INTERNAL_ERROR;
                try {
                    if (headerTokens[0] != null) {
                        switch (headerTokens[0]) {
                            case "POST":
                                    ocspReq = parseHttpOcspPost(in);
                                break;
                            case "GET":
                                // req = parseHttpOcspGet(in);
                                // TODO implement the GET parsing
                                throw new IOException("GET method unsupported");
                            default:
                                respStat = ResponseStatus.MALFORMED_REQUEST;
                                throw new IOException("Not a GET or POST");
                        }
                    } else {
                        respStat = ResponseStatus.MALFORMED_REQUEST;
                        throw new IOException("Unable to get HTTP method");
                    }

                    if (ocspReq != null) {
                        log(ocspReq.toString());
                        // Get responses for all CertIds in the request
                        Map<CertId, CertStatusInfo> statusMap =
                                checkStatusDb(ocspReq.getRequests());
                        if (statusMap.isEmpty()) {
                            respStat = ResponseStatus.UNAUTHORIZED;
                        } else {
                            ocspResp = new LocalOcspResponse(
                                    ResponseStatus.SUCCESSFUL, statusMap,
                                    ocspReq.getExtensions());
                        }
                    } else {
                        respStat = ResponseStatus.MALFORMED_REQUEST;
                        throw new IOException("Found null request");
                    }
                } catch (IOException | RuntimeException exc) {
                    err(exc);
                }
                if (ocspResp == null) {
                    ocspResp = new LocalOcspResponse(respStat);
                }
                sendResponse(out, ocspResp);
            } catch (IOException | CertificateException exc) {
                err(exc);
            }
        }

        /**
         * Send an OCSP response on an {@code OutputStream}.
         *
         * @param out the {@code OutputStream} on which to send the response.
         * @param resp the OCSP response to send.
         *
         * @throws IOException if an encoding error occurs.
         */
        public void sendResponse(OutputStream out, LocalOcspResponse resp)
                throws IOException {
            StringBuilder sb = new StringBuilder();

            byte[] respBytes;
            try {
                respBytes = resp.getBytes();
            } catch (RuntimeException re) {
                err(re);
                return;
            }

            sb.append("HTTP/1.0 200 OK\r\n");
            sb.append("Content-Type: application/ocsp-response\r\n");
            sb.append("Content-Length: ").append(respBytes.length);
            sb.append("\r\n\r\n");

            out.write(sb.toString().getBytes("UTF-8"));
            out.write(respBytes);
            log(resp.toString());
        }

        /**
         * Parse the incoming HTTP POST of an OCSP Request.
         *
         * @param inStream the input stream from the socket bound to this
         * {@code OcspHandler}.
         *
         * @return the OCSP Request as a {@code LocalOcspRequest}
         *
         * @throws IOException if there are network related issues or problems
         * occur during parsing of the OCSP request.
         * @throws CertificateException if one or more of the certificates in
         * the OCSP request cannot be read/parsed.
         */
        private LocalOcspRequest parseHttpOcspPost(InputStream inStream)
                throws IOException, CertificateException {
            boolean endOfHeader = false;
            boolean properContentType = false;
            int length = -1;

            while (!endOfHeader) {
                String[] lineTokens = readLine(inStream).split(" ");
                if (lineTokens[0].isEmpty()) {
                    endOfHeader = true;
                } else if (lineTokens[0].equalsIgnoreCase("Content-Type:")) {
                    if (lineTokens[1] == null ||
                            !lineTokens[1].equals(
                                    "application/ocsp-request")) {
                        log("Unknown Content-Type: " +
                                (lineTokens[1] != null ?
                                        lineTokens[1] : "<NULL>"));
                        return null;
                    } else {
                        properContentType = true;
                        log("Content-Type = " + lineTokens[1]);
                    }
                } else if (lineTokens[0].equalsIgnoreCase("Content-Length:")) {
                    if (lineTokens[1] != null) {
                        length = Integer.parseInt(lineTokens[1]);
                        log("Content-Length = " + length);
                    }
                }
            }

            // Okay, make sure we got what we needed from the header, then
            // read the remaining OCSP Request bytes
            if (properContentType && length >= 0) {
                byte[] ocspBytes = new byte[length];
                inStream.read(ocspBytes);
                return new LocalOcspRequest(ocspBytes);
            } else {
                return null;
            }
        }

        /**
         * Read a line of text that is CRLF-delimited.
         *
         * @param is the {@code InputStream} tied to the socket
         * for this {@code OcspHandler}
         *
         * @return a {@code String} consisting of the line of text
         * read from the stream with the CRLF stripped.
         *
         * @throws IOException if any I/O error occurs.
         */
        private String readLine(InputStream is) throws IOException {
            PushbackInputStream pbis = new PushbackInputStream(is);
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            boolean done = false;
            while (!done) {
                byte b = (byte)pbis.read();
                if (b == '\r') {
                    byte bNext = (byte)pbis.read();
                    if (bNext == '\n' || bNext == -1) {
                        done = true;
                    } else {
                        pbis.unread(bNext);
                        bos.write(b);
                    }
                } else if (b == -1) {
                    done = true;
                } else {
                    bos.write(b);
                }
            }

            return new String(bos.toByteArray(), "UTF-8");
        }
    }


    /**
     * Simple nested class to handle OCSP requests without making
     * changes to sun.security.provider.certpath.OCSPRequest
     */
    public class LocalOcspRequest {

        private byte[] nonce;
        private byte[] signature = null;
        private AlgorithmId algId = null;
        private int version = 0;
        private GeneralName requestorName = null;
        private Map<String, Extension> extensions = Collections.emptyMap();
        private final List<LocalSingleRequest> requestList = new ArrayList<>();
        private final List<X509Certificate> certificates = new ArrayList<>();

        /**
         * Construct a {@code LocalOcspRequest} from its DER encoding.
         *
         * @param requestBytes the DER-encoded bytes
         *
         * @throws IOException if decoding errors occur
         * @throws CertificateException if certificates are found in the
         * OCSP request and they do not parse correctly.
         */
        private LocalOcspRequest(byte[] requestBytes) throws IOException,
                CertificateException {
            Objects.requireNonNull(requestBytes, "Received null input");

            DerInputStream dis = new DerInputStream(requestBytes);

            // Parse the top-level structure, it should have no more than
            // two elements.
            DerValue[] topStructs = dis.getSequence(2);
            for (DerValue dv : topStructs) {
                if (dv.tag == DerValue.tag_Sequence) {
                    parseTbsRequest(dv);
                } else if (dv.isContextSpecific((byte)0)) {
                    parseSignature(dv);
                } else {
                    throw new IOException("Unknown tag at top level: " +
                            dv.tag);
                }
            }
        }

        /**
         * Parse the signature block from an OCSP request
         *
         * @param sigSequence a {@code DerValue} containing the signature
         * block at the outer sequence datum.
         *
         * @throws IOException if any non-certificate-based parsing errors occur
         * @throws CertificateException if certificates are found in the
         * OCSP request and they do not parse correctly.
         */
        private void parseSignature(DerValue sigSequence)
                throws IOException, CertificateException {
            DerValue[] sigItems = sigSequence.data.getSequence(3);
            if (sigItems.length != 3) {
                throw new IOException("Invalid number of signature items: " +
                        "expected 3, got " + sigItems.length);
            }

            algId = AlgorithmId.parse(sigItems[0]);
            signature = sigItems[1].getBitString();

            if (sigItems[2].isContextSpecific((byte)0)) {
                DerValue[] certDerItems = sigItems[2].data.getSequence(4);
                int i = 0;
                for (DerValue dv : certDerItems) {
                    X509Certificate xc = new X509CertImpl(dv);
                    certificates.add(xc);
                }
            } else {
                throw new IOException("Invalid tag in signature block: " +
                    sigItems[2].tag);
            }
        }

        /**
         * Parse the to-be-signed request data
         *
         * @param tbsReqSeq a {@code DerValue} object containing the to-be-
         * signed OCSP request at the outermost SEQUENCE tag.
         * @throws IOException if any parsing errors occur
         */
        private void parseTbsRequest(DerValue tbsReqSeq) throws IOException {
            while (tbsReqSeq.data.available() > 0) {
                DerValue dv = tbsReqSeq.data.getDerValue();
                if (dv.isContextSpecific((byte)0)) {
                    // The version was explicitly called out
                    version = dv.data.getInteger();
                } else if (dv.isContextSpecific((byte)1)) {
                    // A GeneralName was provided
                    requestorName = new GeneralName(dv.data.getDerValue());
                } else if (dv.isContextSpecific((byte)2)) {
                    // Parse the extensions
                    DerValue[] extItems = dv.data.getSequence(2);
                    extensions = parseExtensions(extItems);
                } else if (dv.tag == DerValue.tag_Sequence) {
                    while (dv.data.available() > 0) {
                        requestList.add(new LocalSingleRequest(dv.data));
                    }
                }
            }
        }

        /**
         * Parse a SEQUENCE of extensions.  This routine is used both
         * at the overall request level and down at the singleRequest layer.
         *
         * @param extDerItems an array of {@code DerValue} items, each one
         * consisting of a DER-encoded extension.
         *
         * @return a {@code Map} of zero or more extensions,
         * keyed by its object identifier in {@code String} form.
         *
         * @throws IOException if any parsing errors occur.
         */
        private Map<String, Extension> parseExtensions(DerValue[] extDerItems)
                throws IOException {
            Map<String, Extension> extMap = new HashMap<>();

            if (extDerItems != null && extDerItems.length != 0) {
                for (DerValue extDerVal : extDerItems) {
                    sun.security.x509.Extension ext =
                            new sun.security.x509.Extension(extDerVal);
                    extMap.put(ext.getId(), ext);
                }
            }

            return extMap;
        }

        /**
         * Return the list of single request objects in this OCSP request.
         *
         * @return an unmodifiable {@code List} of zero or more requests.
         */
        private List<LocalSingleRequest> getRequests() {
            return Collections.unmodifiableList(requestList);
        }

        /**
         * Return the list of X.509 Certificates in this OCSP request.
         *
         * @return an unmodifiable {@code List} of zero or more
         * {@cpde X509Certificate} objects.
         */
        private List<X509Certificate> getCertificates() {
            return Collections.unmodifiableList(certificates);
        }

        /**
         * Return the map of OCSP request extensions.
         *
         * @return an unmodifiable {@code Map} of zero or more
         * {@code Extension} objects, keyed by their object identifiers
         * in {@code String} form.
         */
        private Map<String, Extension> getExtensions() {
            return Collections.unmodifiableMap(extensions);
        }

        /**
         * Display the {@code LocalOcspRequest} in human readable form.
         *
         * @return a {@code String} representation of the
         * {@code LocalOcspRequest}
         */
        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();

            sb.append(String.format("OCSP Request: Version %d (0x%X)",
                    version + 1, version)).append("\n");
            if (requestorName != null) {
                sb.append("Requestor Name: ").append(requestorName).
                        append("\n");
            }

            int requestCtr = 0;
            for (LocalSingleRequest lsr : requestList) {
                sb.append("Request [").append(requestCtr++).append("]\n");
                sb.append(lsr).append("\n");
            }
            if (!extensions.isEmpty()) {
                sb.append("Extensions (").append(extensions.size()).
                        append(")\n");
                for (Extension ext : extensions.values()) {
                    sb.append("\t").append(ext).append("\n");
                }
            }
            if (signature != null) {
                sb.append("Signature: ").append(algId).append("\n");
                sb.append(dumpHexBytes(signature)).append("\n");
                int certCtr = 0;
                for (X509Certificate cert : certificates) {
                    sb.append("Certificate [").append(certCtr++).append("]").
                            append("\n");
                    sb.append("\tSubject: ");
                    sb.append(cert.getSubjectX500Principal()).append("\n");
                    sb.append("\tIssuer: ");
                    sb.append(cert.getIssuerX500Principal()).append("\n");
                    sb.append("\tSerial: ").append(cert.getSerialNumber());
                }
            }

            return sb.toString();
        }

        /**
         * Inner class designed to handle the decoding/representation of
         * single requests within a {@code LocalOcspRequest} object.
         */
        public class LocalSingleRequest {
            private final CertId cid;
            private Map<String, Extension> extensions = Collections.emptyMap();

            private LocalSingleRequest(DerInputStream dis)
                    throws IOException {
                DerValue[] srItems = dis.getSequence(2);

                // There should be 1, possibly 2 DerValue items
                if (srItems.length == 1 || srItems.length == 2) {
                    // The first parsable item should be the mandatory CertId
                    cid = new CertId(srItems[0].data);
                    if (srItems.length == 2) {
                        if (srItems[1].isContextSpecific((byte)0)) {
                            DerValue[] extDerItems = srItems[1].data.getSequence(2);
                            extensions = parseExtensions(extDerItems);
                        } else {
                            throw new IOException("Illegal tag in Request " +
                                    "extensions: " + srItems[1].tag);
                        }
                    }
                } else {
                    throw new IOException("Invalid number of items in " +
                            "Request (" + srItems.length + ")");
                }
            }

            /**
             * Get the {@code CertId} for this single request.
             *
             * @return the {@code CertId} for this single request.
             */
            private CertId getCertId() {
                return cid;
            }

            /**
             * Return the map of single request extensions.
             *
             * @return an unmodifiable {@code Map} of zero or more
             * {@code Extension} objects, keyed by their object identifiers
             * in {@code String} form.
             */
            private Map<String, Extension> getExtensions() {
                return Collections.unmodifiableMap(extensions);
            }

            /**
             * Display the {@code LocalSingleRequest} in human readable form.
             *
             * @return a {@code String} representation of the
             * {@code LocalSingleRequest}
             */
            @Override
            public String toString() {
                StringBuilder sb = new StringBuilder();
                sb.append("CertId, Algorithm = ");
                sb.append(cid.getHashAlgorithm()).append("\n");
                sb.append("\tIssuer Name Hash: ");
                sb.append(dumpHexBytes(cid.getIssuerNameHash(), 256, "", ""));
                sb.append("\n");
                sb.append("\tIssuer Key Hash: ");
                sb.append(dumpHexBytes(cid.getIssuerKeyHash(), 256, "", ""));
                sb.append("\n");
                sb.append("\tSerial Number: ").append(cid.getSerialNumber());
                if (!extensions.isEmpty()) {
                    sb.append("Extensions (").append(extensions.size()).
                            append(")\n");
                    for (Extension ext : extensions.values()) {
                        sb.append("\t").append(ext).append("\n");
                    }
                }

                return sb.toString();
            }
        }
    }

    /**
     * Simple nested class to handle OCSP requests without making
     * changes to sun.security.provider.certpath.OCSPResponse
     */
    public class LocalOcspResponse {
        private final int version = 0;
        private final OCSPResponse.ResponseStatus responseStatus;
        private final Map<CertId, CertStatusInfo> respItemMap;
        private final Date producedAtDate;
        private final List<LocalSingleResponse> singleResponseList =
                new ArrayList<>();
        private final Map<String, Extension> responseExtensions;
        private byte[] signature;
        private final List<X509Certificate> certificates;
        private final byte[] encodedResponse;

        /**
         * Constructor for the generation of non-successful responses
         *
         * @param respStat the OCSP response status.
         *
         * @throws IOException if an error happens during encoding
         * @throws NullPointerException if {@code respStat} is {@code null}
         * or {@code respStat} is successful.
         */
        public LocalOcspResponse(OCSPResponse.ResponseStatus respStat)
                throws IOException {
            this(respStat, null, null);
        }

        /**
         * Construct a response from a list of certificate
         * status objects and extensions.
         *
         * @param respStat the status of the entire response
         * @param itemMap a {@code Map} of {@code CertId} objects and their
         * respective revocation statuses from the server's response DB.
         * @param reqExtensions a {@code Map} of request extensions
         *
         * @throws IOException if an error happens during encoding
         * @throws NullPointerException if {@code respStat} is {@code null}
         * or {@code respStat} is successful, and a {@code null} {@code itemMap}
         * has been provided.
         */
        public LocalOcspResponse(OCSPResponse.ResponseStatus respStat,
                Map<CertId, CertStatusInfo> itemMap,
                Map<String, Extension> reqExtensions) throws IOException {
            responseStatus = Objects.requireNonNull(respStat,
                    "Illegal null response status");
            if (responseStatus == ResponseStatus.SUCCESSFUL) {
                respItemMap = Objects.requireNonNull(itemMap,
                        "SUCCESSFUL responses must have a response map");
                producedAtDate = new Date();

                // Turn the answerd from the response DB query into a list
                // of single responses.
                for (CertId id : itemMap.keySet()) {
                    singleResponseList.add(
                            new LocalSingleResponse(id, itemMap.get(id)));
                }

                responseExtensions = setResponseExtensions(reqExtensions);
                certificates = new ArrayList<>();
                if (signerCert != issuerCert) {
                    certificates.add(signerCert);
                }
                certificates.add(issuerCert);
            } else {
                respItemMap = null;
                producedAtDate = null;
                responseExtensions = null;
                certificates = null;
            }
            encodedResponse = this.getBytes();
        }

        /**
         * Set the response extensions based on the request extensions
         * that were received.  Right now, this is limited to the
         * OCSP nonce extension.
         *
         * @param reqExts a {@code Map} of zero or more request extensions
         *
         * @return a {@code Map} of zero or more response extensions, keyed
         * by the extension object identifier in {@code String} form.
         */
        private Map<String, Extension> setResponseExtensions(
                Map<String, Extension> reqExts) {
            Map<String, Extension> respExts = new HashMap<>();
            String ocspNonceStr = PKIXExtensions.OCSPNonce_Id.toString();

            if (reqExts != null) {
                for (String id : reqExts.keySet()) {
                    if (id.equals(ocspNonceStr)) {
                        // We found a nonce, add it into the response extensions
                        Extension ext = reqExts.get(id);
                        if (ext != null) {
                            respExts.put(id, ext);
                            log("Added OCSP Nonce to response");
                        } else {
                            log("Error: Found nonce entry, but found null " +
                                    "value.  Skipping");
                        }
                    }
                }
            }

            return respExts;
        }

        /**
         * Get the DER-encoded response bytes for this response
         *
         * @return a byte array containing the DER-encoded bytes for
         * the response
         *
         * @throws IOException if any encoding errors occur
         */
        private byte[] getBytes() throws IOException {
            DerOutputStream outerSeq = new DerOutputStream();
            DerOutputStream responseStream = new DerOutputStream();
            responseStream.putEnumerated(responseStatus.ordinal());
            if (responseStatus == ResponseStatus.SUCCESSFUL &&
                    respItemMap != null) {
                encodeResponseBytes(responseStream);
            }

            // Commit the outermost sequence bytes
            outerSeq.write(DerValue.tag_Sequence, responseStream);
            return outerSeq.toByteArray();
        }

        private void encodeResponseBytes(DerOutputStream responseStream)
                throws IOException {
            DerOutputStream explicitZero = new DerOutputStream();
            DerOutputStream respItemStream = new DerOutputStream();

            respItemStream.putOID(OCSP_BASIC_RESPONSE_OID);

            byte[] basicOcspBytes = encodeBasicOcspResponse();
            respItemStream.putOctetString(basicOcspBytes);
            explicitZero.write(DerValue.tag_Sequence, respItemStream);
            responseStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                    true, (byte)0), explicitZero);
        }

        private byte[] encodeBasicOcspResponse() throws IOException {
            DerOutputStream outerSeq = new DerOutputStream();
            DerOutputStream basicORItemStream = new DerOutputStream();

            // Encode the tbsResponse
            byte[] tbsResponseBytes = encodeTbsResponse();
            basicORItemStream.write(tbsResponseBytes);

            try {
                sigAlgId.derEncode(basicORItemStream);

                // Create the signature
                Signature sig = Signature.getInstance(sigAlgId.getName());
                sig.initSign(signerKey);
                sig.update(tbsResponseBytes);
                signature = sig.sign();
                basicORItemStream.putBitString(signature);
            } catch (GeneralSecurityException exc) {
                err(exc);
                throw new IOException(exc);
            }

            // Add certificates
            try {
                DerOutputStream certStream = new DerOutputStream();
                ArrayList<DerValue> certList = new ArrayList<>();
                if (signerCert != issuerCert) {
                    certList.add(new DerValue(signerCert.getEncoded()));
                }
                certList.add(new DerValue(issuerCert.getEncoded()));
                DerValue[] dvals = new DerValue[certList.size()];
                certStream.putSequence(certList.toArray(dvals));
                basicORItemStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                        true, (byte)0), certStream);
            } catch (CertificateEncodingException cex) {
                err(cex);
                throw new IOException(cex);
            }

            // Commit the outermost sequence bytes
            outerSeq.write(DerValue.tag_Sequence, basicORItemStream);
            return outerSeq.toByteArray();
        }

        private byte[] encodeTbsResponse() throws IOException {
            DerOutputStream outerSeq = new DerOutputStream();
            DerOutputStream tbsStream = new DerOutputStream();

            // Note: We're not going explicitly assert the version
            tbsStream.write(respId.getEncoded());
            tbsStream.putGeneralizedTime(producedAtDate);

            // Sequence of responses
            encodeSingleResponses(tbsStream);

            // TODO: add response extension support
            encodeExtensions(tbsStream);

            outerSeq.write(DerValue.tag_Sequence, tbsStream);
            return outerSeq.toByteArray();
        }

        private void encodeSingleResponses(DerOutputStream tbsStream)
                throws IOException {
            DerValue[] srDerVals = new DerValue[singleResponseList.size()];
            int srDvCtr = 0;

            for (LocalSingleResponse lsr : singleResponseList) {
                srDerVals[srDvCtr++] = new DerValue(lsr.getBytes());
            }

            tbsStream.putSequence(srDerVals);
        }

        private void encodeExtensions(DerOutputStream tbsStream)
                throws IOException {
            DerOutputStream extSequence = new DerOutputStream();
            DerOutputStream extItems = new DerOutputStream();

            for (Extension ext : responseExtensions.values()) {
                ext.encode(extItems);
            }
            extSequence.write(DerValue.tag_Sequence, extItems);
            tbsStream.write(DerValue.createTag(DerValue.TAG_CONTEXT, true,
                    (byte)1), extSequence);
        }

        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();

            sb.append("OCSP Response: ").append(responseStatus).append("\n");
            if (responseStatus == ResponseStatus.SUCCESSFUL) {
                sb.append("Response Type: ").
                        append(OCSP_BASIC_RESPONSE_OID.toString()).append("\n");
                sb.append(String.format("Version: %d (0x%X)", version + 1,
                        version)).append("\n");
                sb.append("Responder Id: ").append(respId.toString()).
                        append("\n");
                sb.append("Produced At: ").
                        append(utcDateFmt.format(producedAtDate)).append("\n");

                int srCtr = 0;
                for (LocalSingleResponse lsr : singleResponseList) {
                    sb.append("SingleResponse [").append(srCtr++).append("]\n");
                    sb.append(lsr);
                }

                if (!responseExtensions.isEmpty()) {
                    sb.append("Extensions (").append(responseExtensions.size()).
                            append(")\n");
                    for (Extension ext : responseExtensions.values()) {
                        sb.append("\t").append(ext).append("\n");
                    }
                } else {
                    sb.append("\n");
                }

                if (signature != null) {
                    sb.append("Signature: ").append(sigAlgId).append("\n");
                    sb.append(dumpHexBytes(signature)).append("\n");
                    int certCtr = 0;
                    for (X509Certificate cert : certificates) {
                        sb.append("Certificate [").append(certCtr++).append("]").
                                append("\n");
                        sb.append("\tSubject: ");
                        sb.append(cert.getSubjectX500Principal()).append("\n");
                        sb.append("\tIssuer: ");
                        sb.append(cert.getIssuerX500Principal()).append("\n");
                        sb.append("\tSerial: ").append(cert.getSerialNumber());
                        sb.append("\n");
                    }
                }
            }

            return sb.toString();
        }

        private class LocalSingleResponse {
            private final CertId certId;
            private final CertStatusInfo csInfo;
            private final Date thisUpdate;
            private final Date lsrNextUpdate;
            private final Map<String, Extension> singleExtensions;

            public LocalSingleResponse(CertId cid, CertStatusInfo info) {
                certId = Objects.requireNonNull(cid, "CertId must be non-null");
                csInfo = Objects.requireNonNull(info,
                        "CertStatusInfo must be non-null");

                // For now, we'll keep things simple and make the thisUpdate
                // field the same as the producedAt date.
                thisUpdate = producedAtDate;
                lsrNextUpdate = getNextUpdate();

                // TODO Add extensions support
                singleExtensions = Collections.emptyMap();
            }

            @Override
            public String toString() {
                StringBuilder sb = new StringBuilder();
                sb.append("Certificate Status: ").append(csInfo.getType());
                sb.append("\n");
                if (csInfo.getType() == CertStatus.CERT_STATUS_REVOKED) {
                    sb.append("Revocation Time: ");
                    sb.append(utcDateFmt.format(csInfo.getRevocationTime()));
                    sb.append("\n");
                    if (csInfo.getRevocationReason() != null) {
                        sb.append("Revocation Reason: ");
                        sb.append(csInfo.getRevocationReason()).append("\n");
                    }
                }

                sb.append("CertId, Algorithm = ");
                sb.append(certId.getHashAlgorithm()).append("\n");
                sb.append("\tIssuer Name Hash: ");
                sb.append(dumpHexBytes(certId.getIssuerNameHash(), 256, "", ""));
                sb.append("\n");
                sb.append("\tIssuer Key Hash: ");
                sb.append(dumpHexBytes(certId.getIssuerKeyHash(), 256, "", ""));
                sb.append("\n");
                sb.append("\tSerial Number: ").append(certId.getSerialNumber());
                sb.append("\n");
                sb.append("This Update: ");
                sb.append(utcDateFmt.format(thisUpdate)).append("\n");
                if (lsrNextUpdate != null) {
                    sb.append("Next Update: ");
                    sb.append(utcDateFmt.format(lsrNextUpdate)).append("\n");
                }

                if (!singleExtensions.isEmpty()) {
                    sb.append("Extensions (").append(singleExtensions.size()).
                            append(")\n");
                    for (Extension ext : singleExtensions.values()) {
                        sb.append("\t").append(ext).append("\n");
                    }
                }

                return sb.toString();
            }

            public byte[] getBytes() throws IOException {
                byte[] nullData = { };
                DerOutputStream responseSeq = new DerOutputStream();
                DerOutputStream srStream = new DerOutputStream();

                // Encode the CertId
                certId.encode(srStream);

                // Next, encode the CertStatus field
                CertStatus csiType = csInfo.getType();
                switch (csiType) {
                    case CERT_STATUS_GOOD:
                        srStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                                false, (byte)0), nullData);
                        break;
                    case CERT_STATUS_REVOKED:
                        DerOutputStream revInfo = new DerOutputStream();
                        revInfo.putGeneralizedTime(csInfo.getRevocationTime());
                        CRLReason revReason = csInfo.getRevocationReason();
                        if (revReason != null) {
                            byte[] revDer = new byte[3];
                            revDer[0] = DerValue.tag_Enumerated;
                            revDer[1] = 1;
                            revDer[2] = (byte)revReason.ordinal();
                            revInfo.write(DerValue.createTag(
                                    DerValue.TAG_CONTEXT, true, (byte)0),
                                    revDer);
                        }
                        srStream.write(DerValue.createTag(
                                DerValue.TAG_CONTEXT, true, (byte)1),
                                revInfo);
                        break;
                    case CERT_STATUS_UNKNOWN:
                        srStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                                false, (byte)2), nullData);
                        break;
                    default:
                        throw new IOException("Unknown CertStatus: " + csiType);
                }

                // Add the necessary dates
                srStream.putGeneralizedTime(thisUpdate);
                if (lsrNextUpdate != null) {
                    DerOutputStream nuStream = new DerOutputStream();
                    nuStream.putGeneralizedTime(lsrNextUpdate);
                    srStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
                            true, (byte)0), nuStream);
                }

                // TODO add singleResponse Extension support

                // Add the single response to the response output stream
                responseSeq.write(DerValue.tag_Sequence, srStream);
                return responseSeq.toByteArray();
            }
        }
    }
}