Search in sources :

Example 6 with TBSRequest

use of com.github.zhenwei.core.asn1.ocsp.TBSRequest in project xipki by xipki.

the class XiOCSPReqBuilder method generateRequest.

private OCSPRequest generateRequest(ContentSigner contentSigner, Certificate[] chain) throws OCSPException {
    Iterator<RequestObject> it = list.iterator();
    ASN1EncodableVector requests = new ASN1EncodableVector();
    while (it.hasNext()) {
        try {
            requests.add(((RequestObject) it.next()).toRequest());
        } catch (Exception ex) {
            throw new OCSPException("exception creating Request", ex);
        }
    }
    TBSRequest tbsReq = new TBSRequest(requestorName, new DERSequence(requests), requestExtensions);
    Signature signature = null;
    if (contentSigner != null) {
        if (requestorName == null) {
            throw new OCSPException("requestorName must be specified if request is signed.");
        }
        try {
            // CHECKSTYLE:SKIP
            OutputStream sOut = contentSigner.getOutputStream();
            sOut.write(tbsReq.getEncoded(ASN1Encoding.DER));
            sOut.close();
        } catch (Exception ex) {
            throw new OCSPException("exception processing TBSRequest: " + ex, ex);
        }
        DERBitString bitSig = new DERBitString(contentSigner.getSignature());
        AlgorithmIdentifier sigAlgId = contentSigner.getAlgorithmIdentifier();
        if (chain != null && chain.length > 0) {
            ASN1EncodableVector vec = new ASN1EncodableVector();
            for (int i = 0; i != chain.length; i++) {
                vec.add(chain[i]);
            }
            signature = new Signature(sigAlgId, bitSig, new DERSequence(vec));
        } else {
            signature = new Signature(sigAlgId, bitSig);
        }
    }
    return new OCSPRequest(tbsReq, signature);
}
Also used : OutputStream(java.io.OutputStream) DERBitString(org.bouncycastle.asn1.DERBitString) TBSRequest(org.bouncycastle.asn1.ocsp.TBSRequest) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DERSequence(org.bouncycastle.asn1.DERSequence) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) Signature(org.bouncycastle.asn1.ocsp.Signature) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) OCSPRequest(org.bouncycastle.asn1.ocsp.OCSPRequest)

Example 7 with TBSRequest

use of com.github.zhenwei.core.asn1.ocsp.TBSRequest in project LinLong-Java by zhenwei1108.

the class BasicOCSPRespBuilder method build.

public BasicOCSPResp build(ContentSigner signer, X509CertificateHolder[] chain, Date producedAt) throws OCSPException {
    Iterator it = list.iterator();
    ASN1EncodableVector responses = new ASN1EncodableVector();
    while (it.hasNext()) {
        try {
            responses.add(((ResponseObject) it.next()).toResponse());
        } catch (Exception e) {
            throw new OCSPException("exception creating Request", e);
        }
    }
    ResponseData tbsResp = new ResponseData(responderID.toASN1Primitive(), new ASN1GeneralizedTime(producedAt), new DERSequence(responses), responseExtensions);
    DERBitString bitSig;
    try {
        OutputStream sigOut = signer.getOutputStream();
        sigOut.write(tbsResp.getEncoded(ASN1Encoding.DER));
        sigOut.close();
        bitSig = new DERBitString(signer.getSignature());
    } catch (Exception e) {
        throw new OCSPException("exception processing TBSRequest: " + e.getMessage(), e);
    }
    AlgorithmIdentifier sigAlgId = signer.getAlgorithmIdentifier();
    DERSequence chainSeq = null;
    if (chain != null && chain.length > 0) {
        ASN1EncodableVector v = new ASN1EncodableVector();
        for (int i = 0; i != chain.length; i++) {
            v.add(chain[i].toASN1Structure());
        }
        chainSeq = new DERSequence(v);
    }
    return new BasicOCSPResp(new BasicOCSPResponse(tbsResp, sigAlgId, bitSig, chainSeq));
}
Also used : ResponseData(com.github.zhenwei.core.asn1.ocsp.ResponseData) OutputStream(java.io.OutputStream) ASN1GeneralizedTime(com.github.zhenwei.core.asn1.ASN1GeneralizedTime) DERBitString(com.github.zhenwei.core.asn1.DERBitString) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier) DERSequence(com.github.zhenwei.core.asn1.DERSequence) BasicOCSPResponse(com.github.zhenwei.core.asn1.ocsp.BasicOCSPResponse) Iterator(java.util.Iterator) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector)

Example 8 with TBSRequest

use of com.github.zhenwei.core.asn1.ocsp.TBSRequest in project LinLong-Java by zhenwei1108.

the class OCSPReq method isSignatureValid.

/**
 * verify the signature against the TBSRequest object we contain.
 */
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws OCSPException {
    if (!this.isSigned()) {
        throw new OCSPException("attempt to verify signature on unsigned object");
    }
    try {
        ContentVerifier verifier = verifierProvider.get(req.getOptionalSignature().getSignatureAlgorithm());
        OutputStream sOut = verifier.getOutputStream();
        sOut.write(req.getTbsRequest().getEncoded(ASN1Encoding.DER));
        return verifier.verify(this.getSignature());
    } catch (Exception e) {
        throw new OCSPException("exception processing signature: " + e, e);
    }
}
Also used : ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) OutputStream(java.io.OutputStream) IOException(java.io.IOException) CertIOException(com.github.zhenwei.pkix.cert.CertIOException) ASN1Exception(com.github.zhenwei.core.asn1.ASN1Exception)

Example 9 with TBSRequest

use of com.github.zhenwei.core.asn1.ocsp.TBSRequest in project LinLong-Java by zhenwei1108.

the class OCSPReqBuilder method generateRequest.

private OCSPReq generateRequest(ContentSigner contentSigner, X509CertificateHolder[] chain) throws OCSPException {
    Iterator it = list.iterator();
    ASN1EncodableVector requests = new ASN1EncodableVector();
    while (it.hasNext()) {
        try {
            requests.add(((RequestObject) it.next()).toRequest());
        } catch (Exception e) {
            throw new OCSPException("exception creating Request", e);
        }
    }
    TBSRequest tbsReq = new TBSRequest(requestorName, new DERSequence(requests), requestExtensions);
    Signature signature = null;
    if (contentSigner != null) {
        if (requestorName == null) {
            throw new OCSPException("requestorName must be specified if request is signed.");
        }
        try {
            OutputStream sOut = contentSigner.getOutputStream();
            sOut.write(tbsReq.getEncoded(ASN1Encoding.DER));
            sOut.close();
        } catch (Exception e) {
            throw new OCSPException("exception processing TBSRequest: " + e, e);
        }
        DERBitString bitSig = new DERBitString(contentSigner.getSignature());
        AlgorithmIdentifier sigAlgId = contentSigner.getAlgorithmIdentifier();
        if (chain != null && chain.length > 0) {
            ASN1EncodableVector v = new ASN1EncodableVector();
            for (int i = 0; i != chain.length; i++) {
                v.add(chain[i].toASN1Structure());
            }
            signature = new Signature(sigAlgId, bitSig, new DERSequence(v));
        } else {
            signature = new Signature(sigAlgId, bitSig);
        }
    }
    return new OCSPReq(new OCSPRequest(tbsReq, signature));
}
Also used : OutputStream(java.io.OutputStream) DERBitString(com.github.zhenwei.core.asn1.DERBitString) TBSRequest(com.github.zhenwei.core.asn1.ocsp.TBSRequest) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier) DERSequence(com.github.zhenwei.core.asn1.DERSequence) Signature(com.github.zhenwei.core.asn1.ocsp.Signature) Iterator(java.util.Iterator) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) OCSPRequest(com.github.zhenwei.core.asn1.ocsp.OCSPRequest)

Example 10 with TBSRequest

use of com.github.zhenwei.core.asn1.ocsp.TBSRequest in project LinLong-Java by zhenwei1108.

the class OcspCache method getOcspResponse.

static OCSPResponse getOcspResponse(CertID certID, PKIXCertRevocationCheckerParameters parameters, URI ocspResponder, X509Certificate responderCert, List<Extension> ocspExtensions, JcaJceHelper helper) throws CertPathValidatorException {
    Map<CertID, OCSPResponse> responseMap = null;
    WeakReference<Map<CertID, OCSPResponse>> markerRef = cache.get(ocspResponder);
    if (markerRef != null) {
        responseMap = markerRef.get();
    }
    if (responseMap != null) {
        OCSPResponse response = responseMap.get(certID);
        if (response != null) {
            BasicOCSPResponse basicResp = BasicOCSPResponse.getInstance(ASN1OctetString.getInstance(response.getResponseBytes().getResponse()).getOctets());
            ResponseData responseData = ResponseData.getInstance(basicResp.getTbsResponseData());
            ASN1Sequence s = responseData.getResponses();
            for (int i = 0; i != s.size(); i++) {
                SingleResponse resp = SingleResponse.getInstance(s.getObjectAt(i));
                if (certID.equals(resp.getCertID())) {
                    ASN1GeneralizedTime nextUp = resp.getNextUpdate();
                    try {
                        if (nextUp != null && parameters.getValidDate().after(nextUp.getDate())) {
                            responseMap.remove(certID);
                            response = null;
                        }
                    } catch (ParseException e) {
                        // this should never happen, but...
                        responseMap.remove(certID);
                        response = null;
                    }
                }
            }
            if (response != null) {
                return response;
            }
        }
    }
    URL ocspUrl;
    try {
        ocspUrl = ocspResponder.toURL();
    } catch (MalformedURLException e) {
        throw new CertPathValidatorException("configuration error: " + e.getMessage(), e, parameters.getCertPath(), parameters.getIndex());
    }
    // 
    // basic request generation
    // 
    ASN1EncodableVector requests = new ASN1EncodableVector();
    requests.add(new Request(certID, null));
    List exts = ocspExtensions;
    ASN1EncodableVector requestExtensions = new ASN1EncodableVector();
    byte[] nonce = null;
    for (int i = 0; i != exts.size(); i++) {
        Extension ext = (Extension) exts.get(i);
        byte[] value = ext.getValue();
        if (OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId().equals(ext.getId())) {
            nonce = value;
        }
        requestExtensions.add(new com.github.zhenwei.core.asn1.x509.Extension(new ASN1ObjectIdentifier(ext.getId()), ext.isCritical(), value));
    }
    // TODO: configure originator
    TBSRequest tbsReq = new TBSRequest(null, new DERSequence(requests), Extensions.getInstance(new DERSequence(requestExtensions)));
    com.github.zhenwei.core.asn1.ocsp.Signature signature = null;
    try {
        byte[] request = new OCSPRequest(tbsReq, signature).getEncoded();
        HttpURLConnection ocspCon = (HttpURLConnection) ocspUrl.openConnection();
        ocspCon.setConnectTimeout(DEFAULT_TIMEOUT);
        ocspCon.setReadTimeout(DEFAULT_TIMEOUT);
        ocspCon.setDoOutput(true);
        ocspCon.setDoInput(true);
        ocspCon.setRequestMethod("POST");
        ocspCon.setRequestProperty("Content-type", "application/ocsp-request");
        ocspCon.setRequestProperty("Content-length", String.valueOf(request.length));
        OutputStream reqOut = ocspCon.getOutputStream();
        reqOut.write(request);
        reqOut.flush();
        InputStream reqIn = ocspCon.getInputStream();
        int contentLength = ocspCon.getContentLength();
        if (contentLength < 0) {
            // TODO: make configurable
            contentLength = DEFAULT_MAX_RESPONSE_SIZE;
        }
        OCSPResponse response = OCSPResponse.getInstance(Streams.readAllLimited(reqIn, contentLength));
        if (OCSPResponseStatus.SUCCESSFUL == response.getResponseStatus().getIntValue()) {
            boolean validated = false;
            ResponseBytes respBytes = ResponseBytes.getInstance(response.getResponseBytes());
            if (respBytes.getResponseType().equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic)) {
                BasicOCSPResponse basicResp = BasicOCSPResponse.getInstance(respBytes.getResponse().getOctets());
                validated = ProvOcspRevocationChecker.validatedOcspResponse(basicResp, parameters, nonce, responderCert, helper);
            }
            if (!validated) {
                throw new CertPathValidatorException("OCSP response failed to validate", null, parameters.getCertPath(), parameters.getIndex());
            }
            markerRef = cache.get(ocspResponder);
            if (markerRef != null) {
                responseMap = markerRef.get();
                responseMap.put(certID, response);
            } else {
                responseMap = new HashMap<CertID, OCSPResponse>();
                responseMap.put(certID, response);
                cache.put(ocspResponder, new WeakReference<Map<CertID, OCSPResponse>>(responseMap));
            }
            return response;
        } else {
            throw new CertPathValidatorException("OCSP responder failed: " + response.getResponseStatus().getValue(), null, parameters.getCertPath(), parameters.getIndex());
        }
    } catch (IOException e) {
        throw new CertPathValidatorException("configuration error: " + e.getMessage(), e, parameters.getCertPath(), parameters.getIndex());
    }
}
Also used : MalformedURLException(java.net.MalformedURLException) SingleResponse(com.github.zhenwei.core.asn1.ocsp.SingleResponse) CertID(com.github.zhenwei.core.asn1.ocsp.CertID) OutputStream(java.io.OutputStream) ASN1GeneralizedTime(com.github.zhenwei.core.asn1.ASN1GeneralizedTime) URL(java.net.URL) DERSequence(com.github.zhenwei.core.asn1.DERSequence) HttpURLConnection(java.net.HttpURLConnection) BasicOCSPResponse(com.github.zhenwei.core.asn1.ocsp.BasicOCSPResponse) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) List(java.util.List) OCSPResponse(com.github.zhenwei.core.asn1.ocsp.OCSPResponse) BasicOCSPResponse(com.github.zhenwei.core.asn1.ocsp.BasicOCSPResponse) InputStream(java.io.InputStream) ResponseData(com.github.zhenwei.core.asn1.ocsp.ResponseData) TBSRequest(com.github.zhenwei.core.asn1.ocsp.TBSRequest) OCSPRequest(com.github.zhenwei.core.asn1.ocsp.OCSPRequest) Request(com.github.zhenwei.core.asn1.ocsp.Request) IOException(java.io.IOException) TBSRequest(com.github.zhenwei.core.asn1.ocsp.TBSRequest) Extension(java.security.cert.Extension) ResponseBytes(com.github.zhenwei.core.asn1.ocsp.ResponseBytes) CertPathValidatorException(java.security.cert.CertPathValidatorException) ASN1Sequence(com.github.zhenwei.core.asn1.ASN1Sequence) ParseException(java.text.ParseException) HashMap(java.util.HashMap) Map(java.util.Map) WeakHashMap(java.util.WeakHashMap) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier) OCSPRequest(com.github.zhenwei.core.asn1.ocsp.OCSPRequest)

Aggregations

ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)5 DERSequence (com.github.zhenwei.core.asn1.DERSequence)5 OutputStream (java.io.OutputStream)5 IOException (java.io.IOException)4 TBSRequest (org.bouncycastle.asn1.ocsp.TBSRequest)4 ArrayList (java.util.ArrayList)3 OCSPRequest (org.bouncycastle.asn1.ocsp.OCSPRequest)3 ASN1GeneralizedTime (com.github.zhenwei.core.asn1.ASN1GeneralizedTime)2 DERBitString (com.github.zhenwei.core.asn1.DERBitString)2 DERTaggedObject (com.github.zhenwei.core.asn1.DERTaggedObject)2 BasicOCSPResponse (com.github.zhenwei.core.asn1.ocsp.BasicOCSPResponse)2 OCSPRequest (com.github.zhenwei.core.asn1.ocsp.OCSPRequest)2 ResponseData (com.github.zhenwei.core.asn1.ocsp.ResponseData)2 TBSRequest (com.github.zhenwei.core.asn1.ocsp.TBSRequest)2 AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)2 ByteArrayOutputStream (java.io.ByteArrayOutputStream)2 Iterator (java.util.Iterator)2 LinkedList (java.util.LinkedList)2 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)2 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)2