Java Examples for org.bouncycastle.cert.ocsp.OCSPReq
The following java examples will help you to understand the usage of org.bouncycastle.cert.ocsp.OCSPReq. These source code samples are taken from different open source projects.
Example 1
Project: netty-master File: OcspServerExample.java View source code |
public static void main(String[] args) throws Exception {
// We assume there's a private key.
PrivateKey privateKey = null;
// Step 1: Load the certificate chain for netty.io. We'll need the certificate
// and the issuer's certificate and we don't need any of the intermediate certs.
// The array is assumed to be a certain order to keep things simple.
X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");
X509Certificate certificate = keyCertChain[0];
X509Certificate issuer = keyCertChain[keyCertChain.length - 1];
// Step 2: We need the URL of the CA's OCSP responder server. It's somewhere encoded
// into the certificate! Notice that it's a HTTP URL.
URI uri = OcspUtils.ocspUri(certificate);
System.out.println("OCSP Responder URI: " + uri);
if (uri == null) {
throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
}
// Step 3: Construct the OCSP request
OCSPReq request = new OcspRequestBuilder().certificate(certificate).issuer(issuer).build();
// Step 4: Do the request to the CA's OCSP responder
OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS);
if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
throw new IllegalStateException("response-status=" + response.getStatus());
}
// Step 5: Is my certificate any good or has the CA revoked it?
BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
SingleResp first = basicResponse.getResponses()[0];
CertificateStatus status = first.getCertStatus();
System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status));
System.out.println("This Update: " + first.getThisUpdate());
System.out.println("Next Update: " + first.getNextUpdate());
if (status != null) {
throw new IllegalStateException("certificate-status=" + status);
}
BigInteger certSerial = certificate.getSerialNumber();
BigInteger ocspSerial = first.getCertID().getSerialNumber();
if (!certSerial.equals(ocspSerial)) {
throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial);
}
if (!OpenSsl.isAvailable()) {
throw new IllegalStateException("OpenSSL is not available!");
}
if (!OpenSsl.isOcspSupported()) {
throw new IllegalStateException("OCSP is not supported!");
}
if (privateKey == null) {
throw new IllegalStateException("Because we don't have a PrivateKey we can't continue past this point.");
}
ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder.forServer(privateKey, keyCertChain).sslProvider(SslProvider.OPENSSL).enableOcsp(true).build();
try {
ServerBootstrap bootstrap = new ServerBootstrap().childHandler(newServerHandler(context, response));
// so on and so forth...
} finally {
context.release();
}
}
Example 2
Project: canl-java-master File: OCSPClientImpl.java View source code |
/**
* Returns a verified single response, related to the checked certificate. This is single-shot version,
* which can be used instead of manual invocation of low-level methods.
* @param responder mandatory - URL of the responder. HTTP or HTTPs, however in https mode the
* @param toCheckCert mandatory certificate to be checked
* @param issuerCert mandatory certificate of the toCheckCert issuer
* @param requester if not null, then it is assumed that request must be signed by the requester.
* @param addNonce if true nonce will be added to the request and required in response
* @param timeout timeout
* @return Final OCSP checking result
* @throws IOException IO exception
* @throws OCSPException OCSP exception
*/
public OCSPResult queryForCertificate(URL responder, X509Certificate toCheckCert, X509Certificate issuerCert, X509Credential requester, boolean addNonce, int timeout) throws IOException, OCSPException {
OCSPReq request = createRequest(toCheckCert, issuerCert, requester, addNonce);
OCSPResp response = send(responder, request, timeout).getResponse();
byte[] nonce = null;
if (addNonce)
nonce = extractNonce(request);
SingleResp resp = verifyResponse(response, toCheckCert, issuerCert, nonce);
return new OCSPResult(resp);
}
Example 3
Project: oxAuth-master File: OCSPCertificateVerifier.java View source code |
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
String ocspUrl = getOCSPUrl(certificate);
if (ocspUrl == null) {
log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
return status;
}
log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
// Generate OCSP request
OCSPReq ocspReq = generateOCSPRequest(certificateId);
// Get OCSP response from server
OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
log.error("OCSP response is invalid!");
status.setValidity(CertificateValidity.INVALID);
return status;
}
boolean foundResponse = false;
BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
SingleResp[] singleResps = basicOCSPResp.getResponses();
for (SingleResp singleResp : singleResps) {
CertificateID responseCertificateId = singleResp.getCertID();
if (!certificateId.equals(responseCertificateId)) {
continue;
}
foundResponse = true;
log.debug("OCSP validationDate: " + validationDate);
log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
Object certStatus = singleResp.getCertStatus();
if (certStatus == CertificateStatus.GOOD) {
log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
status.setValidity(CertificateValidity.VALID);
} else {
if (singleResp.getCertStatus() instanceof RevokedStatus) {
log.warn("OCSP status is revoked for: " + subjectX500Principal);
if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
status.setValidity(CertificateValidity.VALID);
} else {
Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
status.setRevocationDate(revocationDate);
status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
status.setValidity(CertificateValidity.REVOKED);
}
}
}
}
if (!foundResponse) {
log.error("There is no matching OCSP response entries");
}
} catch (Exception ex) {
log.error("OCSP exception: ", ex);
}
return status;
}
Example 4
Project: keycloak-master File: OcspHandler.java View source code |
@Override public void handleRequest(final HttpServerExchange exchange) throws Exception { if (exchange.isInIoThread()) { exchange.dispatch(this); return; } final byte[] buffy = new byte[16384]; try (InputStream requestStream = exchange.getInputStream()) { requestStream.read(buffy); } final OCSPReq request = new OCSPReq(buffy); final Req[] requested = request.getRequestList(); final Extension nonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); final DigestCalculator sha1Calculator = new JcaDigestCalculatorProviderBuilder().build().get(AlgorithmIdentifier.getInstance(RespID.HASH_SHA1)); final BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(subjectPublicKeyInfo, sha1Calculator); if (nonce != null) { responseBuilder.setResponseExtensions(new Extensions(nonce)); } for (final Req req : requested) { final CertificateID certId = req.getCertID(); final BigInteger certificateSerialNumber = certId.getSerialNumber(); responseBuilder.addResponse(certId, REVOKED_CERTIFICATES_STATUS.get(certificateSerialNumber)); } final ContentSigner contentSigner = new BcRSAContentSignerBuilder(new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption), new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)).build(privateKey); final OCSPResp response = new OCSPRespBuilder().build(OCSPResp.SUCCESSFUL, responseBuilder.build(contentSigner, chain, new Date())); final byte[] responseBytes = response.getEncoded(); final HeaderMap responseHeaders = exchange.getResponseHeaders(); responseHeaders.put(Headers.CONTENT_TYPE, "application/ocsp-response"); final Sender responseSender = exchange.getResponseSender(); responseSender.send(ByteBuffer.wrap(responseBytes)); exchange.endExchange(); }
Example 5
Project: poreid-master File: OCSPClient.java View source code |
private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws CertificateEncodingException, OperatorCreationException, OCSPException, IOException {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
OCSPReqBuilder gen = new OCSPReqBuilder();
gen.addRequest(new JcaCertificateID(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1), issuerCert, serialNumber));
BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce.toByteArray()));
gen.setRequestExtensions(new Extensions(new Extension[] { ext }));
sentNonce = ext.getExtnId().getEncoded();
return gen.build();
}
Example 6
Project: dss-master File: OnlineOCSPSource.java View source code |
private byte[] buildOCSPRequest(final CertificateID certId, BigInteger nonce) throws DSSException {
try {
final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
ocspReqBuilder.addRequest(certId);
/*
* The nonce extension is used to bind a request to a response to prevent replay attacks.
* RFC 6960 (OCSP) section 4.1.2 such extensions SHOULD NOT be flagged as critical
*/
if (nonce != null) {
DEROctetString encodedNonceValue = new DEROctetString(new DEROctetString(nonce.toByteArray()).getEncoded());
Extension extension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, encodedNonceValue);
Extensions extensions = new Extensions(extension);
ocspReqBuilder.setRequestExtensions(extensions);
}
final OCSPReq ocspReq = ocspReqBuilder.build();
final byte[] ocspReqData = ocspReq.getEncoded();
return ocspReqData;
} catch (OCSPException e) {
throw new DSSException("Cannot build OCSP Request", e);
} catch (IOException e) {
throw new DSSException("Cannot build OCSP Request", e);
}
}
Example 7
Project: itextpdf-master File: OcspClientBouncyCastle.java View source code |
/**
* Generates an OCSP request using BouncyCastle.
*
* @param issuerCert certificate of the issues
* @param serialNumber serial number
* @return an OCSP request
* @throws OCSPException
* @throws IOException
*/
private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException, OperatorException, CertificateEncodingException {
//Add provider BC
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
// Generate the id for the certificate we are looking for
CertificateID id = new CertificateID(new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(issuerCert), serialNumber);
// basic request generation with nonce
OCSPReqBuilder gen = new OCSPReqBuilder();
gen.addRequest(id);
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded()));
gen.setRequestExtensions(new Extensions(new Extension[] { ext }));
return gen.build();
}
Example 8
Project: Openfire-master File: OCSPChecker.java View source code |
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
Log.debug("OCSPChecker: check called");
InputStream in = null;
OutputStream out = null;
try {
// Examine OCSP properties
X509Certificate responderCert = null;
//defaults to issuers cert
boolean haveResponderCert = true;
X500Principal responderSubjectName = null;
boolean haveIssuerCert = false;
// If we set the subject name, we need to find the certificate
if (ocspServerSubject != null) {
haveResponderCert = false;
responderSubjectName = new X500Principal(ocspServerSubject);
}
X509Certificate issuerCert = null;
X509Certificate currCert = (X509Certificate) cert;
// Set the issuer certificate if we were passed a chain
if (certIndex != 0) {
issuerCert = certs[certIndex];
haveIssuerCert = true;
if (haveResponderCert) {
responderCert = certs[certIndex];
}
}
if (!haveIssuerCert || !haveResponderCert) {
if (!haveResponderCert) {
Log.debug("OCSPChecker: Looking for responder's certificate");
}
if (!haveIssuerCert) {
Log.debug("OCSPChecker: Looking for issuer's certificate");
}
// Extract the anchor certs
Iterator anchors = pkixParams.getTrustAnchors().iterator();
if (!anchors.hasNext()) {
throw new CertPathValidatorException("Must specify at least one trust anchor");
}
X500Principal certIssuerName = currCert.getIssuerX500Principal();
while (anchors.hasNext() && (!haveIssuerCert || !haveResponderCert)) {
TrustAnchor anchor = (TrustAnchor) anchors.next();
X509Certificate anchorCert = anchor.getTrustedCert();
X500Principal anchorSubjectName = anchorCert.getSubjectX500Principal();
// Check if this anchor cert is the issuer cert
if (!haveIssuerCert && certIssuerName.equals(anchorSubjectName)) {
issuerCert = anchorCert;
haveIssuerCert = true;
//If we have not set the responderCert at this point, set it to the issuer
if (haveResponderCert && responderCert == null) {
responderCert = anchorCert;
Log.debug("OCSPChecker: Responder's certificate = issuer certificate");
}
}
// Check if this anchor cert is the responder cert
if (!haveResponderCert) {
if (responderSubjectName != null && responderSubjectName.equals(anchorSubjectName)) {
responderCert = anchorCert;
haveResponderCert = true;
}
}
}
if (issuerCert == null) {
//No trust anchor was found matching the issuer
throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN());
}
// Check cert stores if responder cert has not yet been found
if (!haveResponderCert) {
Log.debug("OCSPChecker: Searching cert stores for responder's certificate");
if (responderSubjectName != null) {
X509CertSelector filter = new X509CertSelector();
filter.setSubject(responderSubjectName.getName());
List<CertStore> certStores = pkixParams.getCertStores();
for (CertStore certStore : certStores) {
Iterator i = certStore.getCertificates(filter).iterator();
if (i.hasNext()) {
responderCert = (X509Certificate) i.next();
haveResponderCert = true;
break;
}
}
}
}
}
// Could not find the responder cert
if (!haveResponderCert) {
throw new CertPathValidatorException("Cannot find the responder's certificate.");
}
// Construct an OCSP Request
OCSPReqBuilder gen = new OCSPReqBuilder();
CertificateID certID = new CertificateID(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCert.getEncoded()), currCert.getSerialNumber());
gen.addRequest(certID);
OCSPReq ocspRequest = gen.build();
URL url;
if (ocspServerUrl != null) {
try {
url = new URL(ocspServerUrl);
} catch (MalformedURLException e) {
throw new CertPathValidatorException(e);
}
} else {
throw new CertPathValidatorException("Must set OCSP Server URL");
}
HttpURLConnection con = (HttpURLConnection) url.openConnection();
Log.debug("OCSPChecker: connecting to OCSP service at: " + url);
con.setDoOutput(true);
con.setDoInput(true);
con.setRequestMethod("POST");
con.setRequestProperty("Content-type", "application/ocsp-request");
con.setRequestProperty("Accept", "application/ocsp-response");
byte[] bytes = ocspRequest.getEncoded();
con.setRequestProperty("Content-length", String.valueOf(bytes.length));
out = con.getOutputStream();
out.write(bytes);
out.flush();
// Check the response
if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
Log.debug("OCSPChecker: Received HTTP error: " + con.getResponseCode() + " - " + con.getResponseMessage());
}
in = con.getInputStream();
OCSPResp ocspResponse = new OCSPResp(in);
BigInteger serialNumber = currCert.getSerialNumber();
BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject();
try {
if (!brep.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(responderCert.getPublicKey()))) {
throw new CertPathValidatorException("OCSP response is not verified");
}
} catch (Exception e) {
throw new CertPathValidatorException("OCSP response could not be verified (" + e.getMessage() + ")", null, cp, certIndex);
}
SingleResp[] singleResp = brep.getResponses();
boolean foundResponse = false;
for (SingleResp resp : singleResp) {
CertificateID respCertID = resp.getCertID();
if (respCertID.equals(certID)) {
Object status = resp.getCertStatus();
if (status == CertificateStatus.GOOD) {
Log.debug("OCSPChecker: Status of certificate (with serial number " + serialNumber.toString() + ") is: good");
foundResponse = true;
break;
} else if (status instanceof org.bouncycastle.cert.ocsp.RevokedStatus) {
Log.debug("OCSPChecker: Status of certificate (with serial number " + serialNumber.toString() + ") is: revoked");
throw new CertPathValidatorException("Certificate has been revoked", null, cp, certIndex);
} else if (status instanceof org.bouncycastle.cert.ocsp.UnknownStatus) {
Log.debug("OCSPChecker: Status of certificate (with serial number " + serialNumber.toString() + ") is: unknown");
throw new CertPathValidatorException("Certificate's revocation status is unknown", null, cp, certIndex);
} else {
Log.debug("Status of certificate (with serial number " + serialNumber.toString() + ") is: not recognized");
throw new CertPathValidatorException("Unknown OCSP response for certificate", null, cp, certIndex);
}
}
}
// Check that response applies to the cert that was supplied
if (!foundResponse) {
throw new CertPathValidatorException("No certificates in the OCSP response match the " + "certificate supplied in the OCSP request.");
}
} catch (CertPathValidatorException cpve) {
throw cpve;
} catch (Exception e) {
throw new CertPathValidatorException(e);
} finally {
if (in != null) {
try {
in.close();
} catch (IOException ioe) {
throw new CertPathValidatorException(ioe);
}
}
if (out != null) {
try {
out.close();
} catch (IOException ioe) {
throw new CertPathValidatorException(ioe);
}
}
}
}
Example 9
Project: xipki-master File: OcspServer.java View source code |
public OcspRespWithCacheInfo answer(final Responder responder, final OCSPReq request, final boolean viaGet, final AuditEvent event) {
ParamUtil.requireNonNull("responder", responder);
ParamUtil.requireNonNull("request", request);
RequestOption reqOpt = responder.getRequestOption();
ResponderSigner signer = responder.getSigner();
ResponseOption repOpt = responder.getResponseOption();
String msgId = null;
if (event != null) {
msgId = RandomUtil.nextHexLong();
event.addEventData(OcspAuditConstants.NAME_mid, msgId);
}
// BC returns 1 for v1(0) instead the real value 0.
int version = request.getVersionNumber() - 1;
if (!reqOpt.isVersionAllowed(version)) {
String message = "invalid request version " + version;
LOG.warn(message);
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
try {
OcspRespWithCacheInfo resp = checkSignature(request, reqOpt, event);
if (resp != null) {
return resp;
}
List<Extension> responseExtensions = new ArrayList<>(2);
Req[] requestList = request.getRequestList();
int requestsSize = requestList.length;
if (requestsSize > reqOpt.getMaxRequestListCount()) {
String message = requestsSize + " entries in RequestList, but maximal " + reqOpt.getMaxRequestListCount() + " is allowed";
LOG.warn(message);
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
Set<ASN1ObjectIdentifier> criticalExtensionOids = new HashSet<>();
Set<?> tmp = request.getCriticalExtensionOIDs();
if (tmp != null) {
for (Object oid : tmp) {
criticalExtensionOids.add((ASN1ObjectIdentifier) oid);
}
}
OcspRespControl repControl = new OcspRespControl();
repControl.canCacheInfo = true;
RespID respId = signer.getResponder(repOpt.isResponderIdByName());
BasicOCSPRespBuilder basicOcspBuilder = new BasicOCSPRespBuilder(respId);
ASN1ObjectIdentifier extensionType = OCSPObjectIdentifiers.id_pkix_ocsp_nonce;
criticalExtensionOids.remove(extensionType);
Extension nonceExtn = request.getExtension(extensionType);
if (nonceExtn != null) {
if (reqOpt.getNonceOccurrence() == TripleState.FORBIDDEN) {
String message = "nonce forbidden, but is present in the request";
LOG.warn(message);
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
byte[] nonce = nonceExtn.getExtnValue().getOctets();
int len = nonce.length;
int min = reqOpt.getNonceMinLen();
int max = reqOpt.getNonceMaxLen();
if (len < min || len > max) {
LOG.warn("length of nonce {} not within [{},{}]", len, min, max);
StringBuilder sb = new StringBuilder(50);
sb.append("length of nonce ").append(len);
sb.append(" not within [").append(min).append(", ").append(max).append("]");
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, sb.toString());
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
repControl.canCacheInfo = false;
responseExtensions.add(nonceExtn);
} else {
if (reqOpt.getNonceOccurrence() == TripleState.REQUIRED) {
String message = "nonce required, but is not present in the request";
LOG.warn(message);
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message);
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
}
ConcurrentContentSigner concurrentSigner = null;
if (responder.getResponderOption().getMode() != OcspMode.RFC2560) {
extensionType = ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs;
criticalExtensionOids.remove(extensionType);
Extension ext = request.getExtension(extensionType);
if (ext != null) {
ASN1Sequence preferredSigAlgs = ASN1Sequence.getInstance(ext.getParsedValue());
concurrentSigner = signer.getSignerForPreferredSigAlgs(preferredSigAlgs);
}
}
if (CollectionUtil.isNonEmpty(criticalExtensionOids)) {
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
if (concurrentSigner == null) {
concurrentSigner = signer.getFirstSigner();
}
AlgorithmCode cacheDbSigAlgCode = null;
AlgorithmCode cacheDbCertHashAlgCode = null;
BigInteger cacheDbSerialNumber = null;
Integer cacheDbIssuerId = null;
boolean canCacheDb = responseCacher != null && responseCacher.isOnService() && nonceExtn == null && requestsSize == 1;
if (canCacheDb) {
// try to find the cached response
CertificateID certId = requestList[0].getCertID();
String certIdHashAlgo = certId.getHashAlgOID().getId();
HashAlgoType reqHashAlgo = HashAlgoType.getHashAlgoType(certIdHashAlgo);
if (reqHashAlgo == null) {
LOG.warn("unknown CertID.hashAlgorithm {}", certIdHashAlgo);
if (event != null) {
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "unknown CertID.hashAlgorithm " + certIdHashAlgo);
}
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
} else if (!reqOpt.allows(reqHashAlgo)) {
LOG.warn("CertID.hashAlgorithm {} not allowed", certIdHashAlgo);
if (event != null) {
fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "not allowed CertID.hashAlgorithm " + certIdHashAlgo);
}
return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest);
}
HashAlgoType certHashAlgo = repOpt.getCertHashAlgo();
if (certHashAlgo == null) {
certHashAlgo = reqHashAlgo;
}
cacheDbCertHashAlgCode = certHashAlgo.getAlgorithmCode();
cacheDbSigAlgCode = AlgorithmUtil.getSignatureAlgorithmCode(concurrentSigner.getAlgorithmIdentifier());
byte[] nameHash = certId.getIssuerNameHash();
byte[] keyHash = certId.getIssuerKeyHash();
cacheDbIssuerId = responseCacher.getIssuerId(reqHashAlgo, nameHash, keyHash);
cacheDbSerialNumber = certId.getSerialNumber();
if (cacheDbIssuerId != null) {
OcspRespWithCacheInfo cachedResp = responseCacher.getOcspResponse(cacheDbIssuerId.intValue(), cacheDbSerialNumber, cacheDbSigAlgCode, cacheDbCertHashAlgCode);
if (cachedResp != null) {
// found cached response
LOG.debug("use cached response for (cacheIssuer={} and serial={}", cacheDbIssuerId, cacheDbSerialNumber);
return cachedResp;
}
} else if (master) {
// store the issuer certificate in cache database.
X509Certificate issuerCert = null;
for (OcspStore store : responder.getStores()) {
issuerCert = store.getIssuerCert(reqHashAlgo, nameHash, keyHash);
if (issuerCert != null) {
break;
}
}
if (issuerCert != null) {
cacheDbIssuerId = responseCacher.storeIssuer(issuerCert);
}
}
if (cacheDbIssuerId == null) {
canCacheDb = false;
}
}
for (int i = 0; i < requestsSize; i++) {
AuditEvent singleEvent = null;
if (event != null) {
singleEvent = new AuditEvent(new Date());
singleEvent.setApplicationName(OcspAuditConstants.APPNAME);
singleEvent.setName(OcspAuditConstants.NAME_PERF);
singleEvent.addEventData(OcspAuditConstants.NAME_mid, msgId);
}
OcspRespWithCacheInfo failureOcspResp = null;
try {
failureOcspResp = processCertReq(requestList[i], basicOcspBuilder, responder, reqOpt, repOpt, repControl, singleEvent);
} finally {
if (singleEvent != null) {
singleEvent.finish();
auditServiceRegister.getAuditService().doLogEvent(singleEvent);
}
}
if (failureOcspResp != null) {
return failureOcspResp;
}
}
if (repControl.includeExtendedRevokeExtension) {
responseExtensions.add(new Extension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke, true, Arrays.copyOf(DERNullBytes, DERNullBytes.length)));
}
if (CollectionUtil.isNonEmpty(responseExtensions)) {
basicOcspBuilder.setResponseExtensions(new Extensions(responseExtensions.toArray(new Extension[0])));
}
X509CertificateHolder[] certsInResp;
EmbedCertsMode certsMode = repOpt.getEmbedCertsMode();
if (certsMode == null || certsMode == EmbedCertsMode.SIGNER) {
certsInResp = new X509CertificateHolder[] { signer.getBcCertificate() };
} else if (certsMode == EmbedCertsMode.SIGNER_AND_CA) {
certsInResp = signer.getBcCertificateChain();
} else {
// NONE
certsInResp = null;
}
BasicOCSPResp basicOcspResp;
try {
basicOcspResp = concurrentSigner.build(basicOcspBuilder, certsInResp, new Date());
} catch (NoIdleSignerException ex) {
return createUnsuccessfulOcspResp(OcspResponseStatus.tryLater);
} catch (OCSPException ex) {
LogUtil.error(LOG, ex, "answer() basicOcspBuilder.build");
fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "BasicOCSPRespBuilder.build() with OCSPException");
return createUnsuccessfulOcspResp(OcspResponseStatus.internalError);
}
OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
try {
OCSPResp ocspResp = ocspRespBuilder.build(OcspResponseStatus.successful.getStatus(), basicOcspResp);
// cache response in database
if (canCacheDb && repControl.canCacheInfo) {
// Don't cache the response with status UNKNOWN, since this may results in DDoS
// of storage
responseCacher.storeOcspResponse(cacheDbIssuerId.intValue(), cacheDbSerialNumber, repControl.cacheThisUpdate, repControl.cacheNextUpdate, cacheDbSigAlgCode, cacheDbCertHashAlgCode, ocspResp);
}
if (viaGet && repControl.canCacheInfo) {
ResponseCacheInfo cacheInfo = new ResponseCacheInfo(repControl.cacheThisUpdate);
if (repControl.cacheNextUpdate != Long.MAX_VALUE) {
cacheInfo.setNextUpdate(repControl.cacheNextUpdate);
}
return new OcspRespWithCacheInfo(ocspResp, cacheInfo);
} else {
return new OcspRespWithCacheInfo(ocspResp, null);
}
} catch (OCSPException ex) {
LogUtil.error(LOG, ex, "answer() ocspRespBuilder.build");
fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "OCSPRespBuilder.build() with OCSPException");
return createUnsuccessfulOcspResp(OcspResponseStatus.internalError);
}
} catch (Throwable th) {
LogUtil.error(LOG, th);
fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "internal error");
return createUnsuccessfulOcspResp(OcspResponseStatus.internalError);
}
}
Example 10
Project: poi-master File: PkiTestUtils.java View source code |
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked, X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate, PrivateKey ocspResponderPrivateKey, String signatureAlgorithm, long nonceTimeinMillis) throws Exception {
DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1);
X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());
CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());
// request
//create a nonce to avoid replay attack
BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);
DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);
Extensions exts = new Extensions(ext);
OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
ocspReqBuilder.addRequest(certId);
ocspReqBuilder.setRequestExtensions(exts);
OCSPReq ocspReq = ocspReqBuilder.build();
SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo(CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded());
BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);
basicOCSPRespBuilder.setResponseExtensions(exts);
// request processing
Req[] requestList = ocspReq.getRequestList();
for (Req ocspRequest : requestList) {
CertificateID certificateID = ocspRequest.getCertID();
CertificateStatus certificateStatus = CertificateStatus.GOOD;
if (revoked) {
certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);
}
basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
}
// basic response generation
X509CertificateHolder[] chain = null;
if (!ocspResponderCertificate.equals(issuerCertificate)) {
// TODO: HorribleProxy can't convert array input params yet
chain = new X509CertificateHolder[] { new X509CertificateHolder(ocspResponderCertificate.getEncoded()), issuerHolder };
}
ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(ocspResponderPrivateKey);
BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));
OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);
return ocspResp;
}
Example 11
Project: nifi-master File: OcspCertificateValidator.java View source code |
/**
* Gets the OCSP status for the specified subject and issuer certificates.
*
* @param ocspStatusKey status key
* @return ocsp status
*/
private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) {
final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate();
final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate();
// initialize the default status
final OcspStatus ocspStatus = new OcspStatus();
ocspStatus.setVerificationStatus(VerificationStatus.Unknown);
ocspStatus.setValidationStatus(ValidationStatus.Unknown);
try {
// prepare the request
final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber();
final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
final CertificateID certificateId = new CertificateID(calculatorProviderBuilder.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber);
// generate the request
final OCSPReqBuilder requestGenerator = new OCSPReqBuilder();
requestGenerator.addRequest(certificateId);
// Create a nonce to avoid replay attack
BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce.toByteArray()));
requestGenerator.setRequestExtensions(new Extensions(new Extension[] { ext }));
final OCSPReq ocspRequest = requestGenerator.build();
// perform the request
final ClientResponse response = getClientResponse(ocspRequest);
// ensure the request was completed successfully
if (ClientResponse.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) {
logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus()));
return ocspStatus;
}
// interpret the response
OCSPResp ocspResponse = new OCSPResp(response.getEntityInputStream());
// verify the response status
switch(ocspResponse.getStatus()) {
case OCSPRespBuilder.SUCCESSFUL:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Successful);
break;
case OCSPRespBuilder.INTERNAL_ERROR:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.InternalError);
break;
case OCSPRespBuilder.MALFORMED_REQUEST:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.MalformedRequest);
break;
case OCSPRespBuilder.SIG_REQUIRED:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.SignatureRequired);
break;
case OCSPRespBuilder.TRY_LATER:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.TryLater);
break;
case OCSPRespBuilder.UNAUTHORIZED:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unauthorized);
break;
default:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unknown);
break;
}
// only proceed if the response was successful
if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
logger.warn(String.format("OCSP request was unsuccessful (%s).", ocspStatus.getResponseStatus().toString()));
return ocspStatus;
}
// ensure the appropriate response object
final Object ocspResponseObject = ocspResponse.getResponseObject();
if (ocspResponseObject == null || !(ocspResponseObject instanceof BasicOCSPResp)) {
logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject));
return ocspStatus;
}
// get the response object
final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
// attempt to locate the responder certificate
final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts();
if (responderCertificates.length != 1) {
logger.warn(String.format("Unexpected number of OCSP responder certificates: %s", responderCertificates.length));
return ocspStatus;
}
// get the responder certificate
final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(responderCertificates[0], issuerCertificate);
if (trustedResponderCertificate != null) {
// verify the response
if (basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(trustedResponderCertificate.getPublicKey()))) {
ocspStatus.setVerificationStatus(VerificationStatus.Verified);
} else {
ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
}
} else {
ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
}
// validate the response
final SingleResp[] responses = basicOcspResponse.getResponses();
for (SingleResp singleResponse : responses) {
final CertificateID responseCertificateId = singleResponse.getCertID();
final BigInteger responseSerialNumber = responseCertificateId.getSerialNumber();
if (responseSerialNumber.equals(subjectSerialNumber)) {
Object certStatus = singleResponse.getCertStatus();
// interpret the certificate status
if (CertificateStatus.GOOD == certStatus) {
ocspStatus.setValidationStatus(ValidationStatus.Good);
} else if (certStatus instanceof RevokedStatus) {
ocspStatus.setValidationStatus(ValidationStatus.Revoked);
} else {
ocspStatus.setValidationStatus(ValidationStatus.Unknown);
}
}
}
} catch (final OCSPExceptionIOException | UniformInterfaceException | ClientHandlerException | OperatorCreationException | e) {
logger.error(e.getMessage(), e);
} catch (CertificateException e) {
e.printStackTrace();
}
return ocspStatus;
}
Example 12
Project: jruby-openssl-master File: OCSPRequest.java View source code |
@JRubyMethod(name = "verify", rest = true)
public IRubyObject verify(IRubyObject[] args) {
Ruby runtime = getRuntime();
ThreadContext context = runtime.getCurrentContext();
int flags = 0;
boolean ret = false;
if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) {
flags = RubyFixnum.fix2int((RubyFixnum) args[2]);
}
IRubyObject certificates = args[0];
IRubyObject store = args[1];
OCSPReq bcOCSPReq = getBCOCSPReq();
if (bcOCSPReq == null) {
throw newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?"));
}
if (!bcOCSPReq.isSigned()) {
return RubyBoolean.newBoolean(runtime, ret);
}
GeneralName genName = bcOCSPReq.getRequestorName();
if (genName.getTagNo() != 4) {
return RubyBoolean.newBoolean(runtime, ret);
}
X500Name genX500Name = X500Name.getInstance(genName.getName());
X509StoreContext storeContext = null;
JcaContentVerifierProviderBuilder jcacvpb = new JcaContentVerifierProviderBuilder();
jcacvpb.setProvider("BC");
try {
java.security.cert.Certificate signer = findCertByName(genX500Name, certificates, flags);
if (signer == null)
return RubyBoolean.newBoolean(runtime, ret);
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) > 0 && ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) > 0))
flags |= RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY));
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) {
PublicKey signerPubKey = signer.getPublicKey();
ContentVerifierProvider cvp = jcacvpb.build(signerPubKey);
ret = bcOCSPReq.isSignatureValid(cvp);
if (!ret) {
return RubyBoolean.newBoolean(runtime, ret);
}
}
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) {
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCHAIN))) > 0) {
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), context.nil);
} else {
RubyArray certs = RubyArray.newEmptyArray(runtime);
ASN1Sequence bcCerts = asn1bcReq.getOptionalSignature().getCerts();
if (bcCerts != null) {
Iterator<ASN1Encodable> it = bcCerts.iterator();
while (it.hasNext()) {
Certificate cert = Certificate.getInstance(it.next());
certs.add(X509Cert.wrap(runtime, new X509AuxCertificate(cert)));
}
}
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), certs);
}
storeContext.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
storeContext.set_trust(context, _X509(runtime).getConstant("TRUST_OCSP_REQUEST"));
ret = storeContext.verify(context).isTrue();
if (!ret)
return RubyBoolean.newBoolean(runtime, false);
}
} catch (Exception e) {
debugStackTrace(e);
throw newOCSPError(runtime, e);
}
return RubyBoolean.newBoolean(getRuntime(), ret);
}
Example 13
Project: irma_future_id-master File: OCSPTest.java View source code |
private void testECDSA() throws Exception { String signDN = "O=Bouncy Castle, C=AU"; KeyPair signKP = OCSPTestUtil.makeECKeyPair(); X509CertificateHolder testCert = new JcaX509CertificateHolder(OCSPTestUtil.makeECDSACertificate(signKP, signDN, signKP, signDN)); DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build(); String origDN = "CN=Eric H. Echidna, E=eric@bouncycastle.org, O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X509Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)); // // basic request generation // OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(id); OCSPReq req = gen.build(); if (req.isSigned()) { fail("signed but shouldn't be"); } X509CertificateHolder[] certs = req.getCerts(); if (certs.length != 0) { fail("0 certs expected, but not found"); } Req[] requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } // // request generation with signing // X509CertificateHolder[] chain = new X509CertificateHolder[1]; gen = new OCSPReqBuilder(); gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred"))); gen.addRequest(new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1))); chain[0] = testCert; req = gen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain); if (!req.isSigned()) { fail("not signed but should be"); } if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("signature failed to verify"); } requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } certs = req.getCerts(); if (certs == null) { fail("null certs found"); } if (certs.length != 1 || !certs[0].equals(testCert)) { fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.getEncoded(); OCSPReq newReq = new OCSPReq(reqEnc); if (!newReq.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("newReq signature failed to verify"); } // // request generation with signing and nonce // chain = new X509CertificateHolder[1]; gen = new OCSPReqBuilder(); Vector oids = new Vector(); Vector values = new Vector(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.nextBytes(sampleNonce); gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred"))); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(sampleNonce)); gen.setRequestExtensions(extGen.generate()); gen.addRequest(new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1))); chain[0] = testCert; req = gen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain); if (!req.isSigned()) { fail("not signed but should be"); } if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("signature failed to verify"); } // // extension check. // Set extOids = req.getCriticalExtensionOIDs(); if (extOids.size() != 0) { fail("wrong number of critical extensions in OCSP request."); } extOids = req.getNonCriticalExtensionOIDs(); if (extOids.size() != 1) { fail("wrong number of non-critical extensions in OCSP request."); } Extension extValue = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); ASN1Encodable extObj = extValue.getParsedValue(); if (!(extObj instanceof ASN1OctetString)) { fail("wrong extension type found."); } if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) { fail("wrong extension value found."); } // // request list check // requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } // // response generation // BasicOCSPRespBuilder respGen = new JcaBasicOCSPRespBuilder(signKP.getPublic(), digCalcProv.get(RespID.HASH_SHA1)); respGen.addResponse(id, CertificateStatus.GOOD); BasicOCSPResp resp = respGen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain, new Date()); }
Example 14
Project: jdigidoc-master File: BouncyCastleNotaryFactory.java View source code |
/**
* Get confirmation from AS Sertifitseerimiskeskus
* by creating an OCSP request and parsing the returned
* OCSP response. Used by DigiDocGenFactory.
* @param sig Signature object
* @param nonce signature nonce
* @param signersCert signature owners cert
* @param caCert CA cert for this signer
* @param notaryCert notarys own cert
* @param notId new id for Notary object
* @param httpFrom HTTP_FROM header value (optional)
* @returns Notary object
*/
public Notary getConfirmation(Signature sig, byte[] nonce, X509Certificate signersCert, X509Certificate caCert, X509Certificate notaryCert, String notId, String ocspUrl, String httpFrom, String format, String formatVer) throws DigiDocException {
Notary not = null;
OCSPReq req = null;
OCSPResp resp = null;
try {
if (m_logger.isDebugEnabled())
m_logger.debug("getConfirmation, nonce " + Base64Util.encode(nonce, 0) + " cert: " + ((signersCert != null) ? signersCert.getSerialNumber().toString() : "NULL") + " CA: " + ((caCert != null) ? caCert.getSerialNumber().toString() : "NULL") + " responder: " + ((notaryCert != null) ? notaryCert.getSerialNumber().toString() : "NULL") + " notId: " + notId + " signRequest: " + m_bSignRequests + " url: " + ocspUrl);
if (m_logger.isDebugEnabled()) {
m_logger.debug("Check cert: " + ((signersCert != null) ? signersCert.getSubjectDN().getName() : "NULL"));
m_logger.debug("Check CA cert: " + ((caCert != null) ? caCert.getSubjectDN().getName() : "NULL"));
}
// create the request - sign the request if necessary
req = createOCSPRequest(nonce, signersCert, caCert, m_bSignRequests, (sig != null && sig.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC)));
//debugWriteFile("req.der", req.getEncoded());
if (m_logger.isDebugEnabled())
m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
// send it
resp = sendRequestToUrl(req, ocspUrl, httpFrom, format, formatVer);
//debugWriteFile("resp.der", resp.getEncoded());
if (m_logger.isDebugEnabled())
m_logger.debug("RESPONSE:\n" + ((resp != null) ? Base64Util.encode(resp.getEncoded(), 0) : "NULL"));
// check response status
if (resp != null)
verifyRespStatus(resp);
// check the result
not = parseAndVerifyResponse(sig, notId, signersCert, resp, nonce, notaryCert, caCert);
if (m_logger.isDebugEnabled())
m_logger.debug("Confirmation OK!");
} catch (DigiDocException ex) {
m_logger.error("Error receiving OCSP confirmation: " + ex + " nonce: " + ConvertUtils.bin2hex(nonce) + " len: " + nonce.length);
try {
byte[] b = req.getEncoded();
m_logger.error("OCSP req: " + ConvertUtils.bin2hex(b) + " len: " + b.length);
b = resp.getEncoded();
m_logger.error("OCSP req: " + ConvertUtils.bin2hex(b) + " len: " + b.length);
} catch (Exception ex2) {
m_logger.error("Error converting OCSP info: " + ex2);
}
throw ex;
} catch (Exception ex) {
DigiDocException.handleException(ex, DigiDocException.ERR_OCSP_GET_CONF);
}
return not;
}
Example 15
Project: uma-master File: OCSPCertificateVerifier.java View source code |
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
String ocspUrl = getOCSPUrl(certificate);
if (ocspUrl == null) {
log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
return status;
}
log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
// Generate OCSP request
OCSPReq ocspReq = generateOCSPRequest(certificateId);
// Get OCSP response from server
OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
log.error("OCSP response is invalid!");
status.setValidity(CertificateValidity.INVALID);
return status;
}
boolean foundResponse = false;
BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
SingleResp[] singleResps = basicOCSPResp.getResponses();
for (SingleResp singleResp : singleResps) {
CertificateID responseCertificateId = singleResp.getCertID();
if (!certificateId.equals(responseCertificateId)) {
continue;
}
foundResponse = true;
log.debug("OCSP validationDate: " + validationDate);
log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
Object certStatus = singleResp.getCertStatus();
if (certStatus == CertificateStatus.GOOD) {
log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
status.setValidity(CertificateValidity.VALID);
} else {
if (singleResp.getCertStatus() instanceof RevokedStatus) {
log.warn("OCSP status is revoked for: " + subjectX500Principal);
if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
status.setValidity(CertificateValidity.VALID);
} else {
Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
status.setRevocationDate(revocationDate);
status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
status.setValidity(CertificateValidity.REVOKED);
}
}
}
}
if (!foundResponse) {
log.error("There is no matching OCSP response entries");
}
} catch (Exception ex) {
log.error("OCSP exception: ", ex);
}
return status;
}
Example 16
Project: Assignments-master File: OcspClientBouncyCastle.java View source code |
/**
* Generates an OCSP request using BouncyCastle.
*
* @param issuerCert certificate of the issues
* @param serialNumber serial number
* @return an OCSP request
* @throws OCSPException
* @throws IOException
*/
private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException, OperatorException, CertificateEncodingException {
//Add provider BC
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
// Generate the id for the certificate we are looking for
CertificateID id = new CertificateID(new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(issuerCert), serialNumber);
// basic request generation with nonce
OCSPReqBuilder gen = new OCSPReqBuilder();
gen.addRequest(id);
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded()));
gen.setRequestExtensions(new Extensions(new Extension[] { ext }));
return gen.build();
}
Example 17
Project: sd-dss-master File: OnlineOCSPSource.java View source code |
protected byte[] buildOCSPRequest(final CertificateID certificateId, final NonceContainer nonceContainer) throws DSSException {
try {
final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
ocspReqBuilder.addRequest(certificateId);
if (nonceContainer != null) {
final DEROctetString nonce = nonceContainer.nonce;
final Extension extension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonce);
final Extensions extensions = new Extensions(extension);
ocspReqBuilder.setRequestExtensions(extensions);
}
final OCSPReq ocspReq = ocspReqBuilder.build();
final byte[] ocspReqData = ocspReq.getEncoded();
return ocspReqData;
} catch (OCSPException e) {
throw new DSSException(e);
} catch (IOException e) {
throw new DSSException(e);
}
}
Example 18
Project: atlas-lb-master File: OCSPTest.java View source code |
private void testECDSA() throws Exception { String signDN = "O=Bouncy Castle, C=AU"; KeyPair signKP = OCSPTestUtil.makeECKeyPair(); X509CertificateHolder testCert = new JcaX509CertificateHolder(OCSPTestUtil.makeECDSACertificate(signKP, signDN, signKP, signDN)); DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build(); String origDN = "CN=Eric H. Echidna, E=eric@bouncycastle.org, O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X509Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)); // // basic request generation // OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(id); OCSPReq req = gen.build(); if (req.isSigned()) { fail("signed but shouldn't be"); } X509CertificateHolder[] certs = req.getCerts(); if (certs.length != 0) { fail("0 certs expected, but not found"); } Req[] requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } // // request generation with signing // X509CertificateHolder[] chain = new X509CertificateHolder[1]; gen = new OCSPReqBuilder(); gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred"))); gen.addRequest(new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1))); chain[0] = testCert; req = gen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain); if (!req.isSigned()) { fail("not signed but should be"); } if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("signature failed to verify"); } requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } certs = req.getCerts(); if (certs == null) { fail("null certs found"); } if (certs.length != 1 || !certs[0].equals(testCert)) { fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.getEncoded(); OCSPReq newReq = new OCSPReq(reqEnc); if (!newReq.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("newReq signature failed to verify"); } // // request generation with signing and nonce // chain = new X509CertificateHolder[1]; gen = new OCSPReqBuilder(); Vector oids = new Vector(); Vector values = new Vector(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.nextBytes(sampleNonce); gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred"))); oids.addElement(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); values.addElement(new X509Extension(false, new DEROctetString(new DEROctetString(sampleNonce)))); gen.setRequestExtensions(new X509Extensions(oids, values)); gen.addRequest(new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1))); chain[0] = testCert; req = gen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain); if (!req.isSigned()) { fail("not signed but should be"); } if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("signature failed to verify"); } // // extension check. // Set extOids = req.getCriticalExtensionOIDs(); if (extOids.size() != 0) { fail("wrong number of critical extensions in OCSP request."); } extOids = req.getNonCriticalExtensionOIDs(); if (extOids.size() != 1) { fail("wrong number of non-critical extensions in OCSP request."); } X509Extension extValue = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); ASN1Encodable extObj = extValue.getParsedValue(); if (!(extObj instanceof ASN1OctetString)) { fail("wrong extension type found."); } if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) { fail("wrong extension value found."); } // // request list check // requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } // // response generation // BasicOCSPRespBuilder respGen = new JcaBasicOCSPRespBuilder(signKP.getPublic(), digCalcProv.get(RespID.HASH_SHA1)); respGen.addResponse(id, CertificateStatus.GOOD); BasicOCSPResp resp = respGen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain, new Date()); }
Example 19
Project: bc-java-master File: OCSPTest.java View source code |
private void testECDSA() throws Exception { String signDN = "O=Bouncy Castle, C=AU"; KeyPair signKP = OCSPTestUtil.makeECKeyPair(); X509CertificateHolder testCert = new JcaX509CertificateHolder(OCSPTestUtil.makeECDSACertificate(signKP, signDN, signKP, signDN)); DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build(); String origDN = "CN=Eric H. Echidna, E=eric@bouncycastle.org, O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X500Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)); // // basic request generation // OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(id); OCSPReq req = gen.build(); if (req.isSigned()) { fail("signed but shouldn't be"); } X509CertificateHolder[] certs = req.getCerts(); if (certs.length != 0) { fail("0 certs expected, but not found"); } Req[] requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } // // request generation with signing // X509CertificateHolder[] chain = new X509CertificateHolder[1]; gen = new OCSPReqBuilder(); gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X500Name("CN=fred"))); gen.addRequest(new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1))); chain[0] = testCert; req = gen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain); if (!req.isSigned()) { fail("not signed but should be"); } if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("signature failed to verify"); } requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } certs = req.getCerts(); if (certs == null) { fail("null certs found"); } if (certs.length != 1 || !certs[0].equals(testCert)) { fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.getEncoded(); OCSPReq newReq = new OCSPReq(reqEnc); if (!newReq.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("newReq signature failed to verify"); } // // request generation with signing and nonce // chain = new X509CertificateHolder[1]; gen = new OCSPReqBuilder(); Vector oids = new Vector(); Vector values = new Vector(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.nextBytes(sampleNonce); gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X500Name("CN=fred"))); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(sampleNonce)); gen.setRequestExtensions(extGen.generate()); gen.addRequest(new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1))); chain[0] = testCert; req = gen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain); if (!req.isSigned()) { fail("not signed but should be"); } if (!req.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) { fail("signature failed to verify"); } // // extension check. // Set extOids = req.getCriticalExtensionOIDs(); if (extOids.size() != 0) { fail("wrong number of critical extensions in OCSP request."); } extOids = req.getNonCriticalExtensionOIDs(); if (extOids.size() != 1) { fail("wrong number of non-critical extensions in OCSP request."); } Extension extValue = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); ASN1Encodable extObj = extValue.getParsedValue(); if (!(extObj instanceof ASN1OctetString)) { fail("wrong extension type found."); } if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) { fail("wrong extension value found."); } // // request list check // requests = req.getRequestList(); if (!requests[0].getCertID().equals(id)) { fail("Failed isFor test"); } // // response generation // BasicOCSPRespBuilder respGen = new JcaBasicOCSPRespBuilder(signKP.getPublic(), digCalcProv.get(RespID.HASH_SHA1)); respGen.addResponse(id, CertificateStatus.GOOD); BasicOCSPResp resp = respGen.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider(BC).build(signKP.getPrivate()), chain, new Date()); }