use of io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier in project module-ballerina-http by ballerina-platform.
the class RevocationVerificationManager method verifyRevocationStatus.
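/**
 * Checks the revocation status of a peer certificate chain, trying OCSP first (it is usually the
 * faster lookup) and falling back to CRL when OCSP does not succeed.
 *
 * <p>Each verifier is run through a {@link CertificatePathValidator}; the first one whose
 * {@code validatePath()} returns normally is taken as success. Both caches are (re)initialised on
 * every call with the configured {@code cacheSize} and {@code cacheDelayMins}.
 *
 * <p>NOTE(review): every {@link Exception} thrown by a verifier is handled the same way, i.e. the next
 * verifier is tried. A chain reported as revoked and a lookup that merely could not complete are
 * therefore indistinguishable at this level; whether a later verifier may override an earlier
 * "revoked" verdict depends on what {@code validatePath()} throws in each case — confirm against the
 * validator before relying on the fallback order.
 *
 * @param peerCertificates javax.security.cert.X509Certificate[] array of peer certificate chain from peer/client.
 * @return true if at least one verifier validated the chain.
 * @throws CertificateVerificationException when neither OCSP nor CRL verification succeeded; the
 *         failure of the last verifier tried is attached as a suppressed exception so the reason is
 *         not lost.
 */
public boolean verifyRevocationStatus(javax.security.cert.X509Certificate[] peerCertificates)
        throws CertificateVerificationException {
    X509Certificate[] convertedCertificates = convert(peerCertificates);
    // nanoTime is monotonic; currentTimeMillis can jump with wall-clock adjustments.
    long start = System.nanoTime();
    // If not set by the user, default cache size will be 50 and default cache delay will be 15 mins.
    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(cacheSize, cacheDelayMins);
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(cacheSize, cacheDelayMins);
    RevocationVerifier[] verifiers = {new OCSPVerifier(ocspCache), new CRLVerifier(crlCache)};
    Exception lastFailure = null;
    for (RevocationVerifier verifier : verifiers) {
        try {
            CertificatePathValidator pathValidator =
                    new CertificatePathValidator(convertedCertificates, verifier);
            pathValidator.validatePath();
            if (LOG.isInfoEnabled()) {
                LOG.info("Path verification is successful. Took {} ms.",
                        (System.nanoTime() - start) / 1_000_000L);
            }
            return true;
        } catch (Exception e) {
            // Broad catch is deliberate: a failure in one verifier must not prevent the fallback.
            lastFailure = e;
            if (LOG.isDebugEnabled()) {
                LOG.debug("Certificate verification with {} failed. ", verifier.getClass().getSimpleName(), e);
            }
        }
    }
    CertificateVerificationException failure =
            new CertificateVerificationException("Path verification failed for both OCSP and CRL");
    if (lastFailure != null) {
        // Keep the underlying reason reachable for callers and log sinks without assuming a
        // (message, cause) constructor exists on the project exception type.
        failure.addSuppressed(lastFailure);
    }
    throw failure;
}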
use of io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier in project module-ballerina-http by ballerina-platform.
the class OCSPVerifierTest method testOCSPVerifier.
/**
 * Verifies that a revoked certificate is reported as {@link RevocationStatus#REVOKED} when the matching
 * OCSP {@link SingleResp} is already present in the {@link OCSPCache}.
 *
 * <p>Setup: a throw-away CA signs a throw-away peer certificate; an OCSP response built locally for that
 * certificate marks it revoked, and its SingleResp is cached under the peer certificate's serial number.
 * Because the cache already holds the entry, {@code checkRevocationStatus} never has to contact a
 * remote responder, which is why the serviceUrl handed to {@code setCacheValue(..)} is null.
 *
 * @throws Exception if key/certificate generation or OCSP processing fails.
 */
@Test
public void testOCSPVerifier() throws Exception {
    // Register BouncyCastle so the JCA lookups below resolve the BC provider.
    Security.addProvider(new BouncyCastleProvider());
    Utils fixtures = new Utils();

    // Throw-away issuer and subject.
    KeyPair issuerKeys = fixtures.generateRSAKeyPair();
    X509Certificate issuerCert = fixtures.generateFakeRootCert(issuerKeys);
    KeyPair subjectKeys = fixtures.generateRSAKeyPair();
    BigInteger revokedSerial = BigInteger.valueOf(111);
    X509Certificate subjectCert =
            fixtures.generateFakeCertificate(issuerCert, subjectKeys.getPublic(), revokedSerial, issuerKeys);

    // Build the request and a locally signed response that declares the subject revoked.
    OCSPReq ocspRequest = getOCSPRequest(issuerCert, revokedSerial);
    X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCert.getEncoded());
    DigestCalculatorProvider digestProvider =
            new JcaDigestCalculatorProviderBuilder().setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
    // CertID (RFC 2560) identifies the certificate an OCSP request/response refers to.
    CertificateID revokedId =
            new CertificateID(digestProvider.get(CertificateID.HASH_SHA1), issuerHolder, revokedSerial);
    OCSPResp ocspResponse =
            generateOCSPResponse(ocspRequest, issuerHolder, issuerKeys.getPrivate(), revokedId);
    BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
    SingleResp cachedEntry = basicResponse.getResponses()[0];

    // Pre-populate the cache so no network call is attempted.
    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(5, 5);
    ocspCache.setCacheValue(ocspResponse, revokedSerial, cachedEntry, ocspRequest, null);

    OCSPVerifier verifier = new OCSPVerifier(ocspCache);
    RevocationStatus verdict = verifier.checkRevocationStatus(subjectCert, issuerCert);
    // The cached SingleResp says revoked, so the verifier must report REVOKED.
    assertTrue(RevocationStatus.REVOKED == verdict);
}
use of io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier in project module-ballerina-http by ballerina-platform.
the class OCSPVerifierTest method getOCSPRequest.
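/**
 * Builds an OCSP request for {@code revokedSerialNumber} issued by {@code caCert}, by invoking the
 * private {@code OCSPVerifier#generateOCSPRequest(X509Certificate, BigInteger)} through reflection so
 * the test exercises the same request construction as production code.
 *
 * @param caCert Fake CA certificate.
 * @param revokedSerialNumber Serial number of the certificate which needs to be checked if revoked.
 * @return Created OCSP request.
 * @throws Exception If the reflective lookup or the invocation fails.
 */
private OCSPReq getOCSPRequest(X509Certificate caCert, BigInteger revokedSerialNumber) throws Exception {
    // The verifier is only the receiver of the reflective call; no cache is needed to build a request.
    OCSPVerifier ocspVerifier = new OCSPVerifier(null);
    // Look the method up on the concrete class directly instead of through a raw Class reference.
    Method generateOCSPRequest = OCSPVerifier.class.getDeclaredMethod(
            "generateOCSPRequest", X509Certificate.class, BigInteger.class);
    generateOCSPRequest.setAccessible(true);
    return (OCSPReq) generateOCSPRequest.invoke(ocspVerifier, caCert, revokedSerialNumber);
}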
use of io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier in project module-ballerina-http by ballerina-platform.
the class RevocationVerificationTest method ocspPathValidation.
/**
 * Runs OCSP-only path validation over {@code certChain}. A normal return means the chain passed;
 * any problem surfaces as the exception thrown by {@code CertificatePathValidator#validatePath()}.
 *
 * @param certChain certificate chain handed to the path validator.
 * @throws Exception if validation fails.
 */
private void ocspPathValidation(X509Certificate[] certChain) throws Exception {
    OCSPCache cache = OCSPCache.getCache();
    cache.init(5, 5);
    RevocationVerifier ocspVerifier = new OCSPVerifier(cache);
    new CertificatePathValidator(certChain, ocspVerifier).validatePath();
}
use of io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier in project module-ballerina-http by ballerina-platform.
the class Utils method getOCSPRequest.
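/**
 * Creates an OCSP request for {@code serialNumber} issued by {@code caCert}, to be answered by the fake
 * CA used in tests. The request is produced by the private
 * {@code OCSPVerifier#generateOCSPRequest(X509Certificate, BigInteger)} via reflection so that tests
 * use exactly the production request construction. The serial numbers used by callers mirror the
 * ballerina client's serial number.
 *
 * @param caCert Fake CA certificate.
 * @param serialNumber Serial number of the certificate which needs to be checked if revoked.
 * @return Created OCSP request.
 * @throws Exception If the reflective lookup or the invocation fails.
 */
static OCSPReq getOCSPRequest(X509Certificate caCert, BigInteger serialNumber) throws Exception {
    // The verifier is only the receiver of the reflective call; no cache is needed to build a request.
    OCSPVerifier ocspVerifier = new OCSPVerifier(null);
    // Look the method up on the concrete class directly instead of through a raw Class reference.
    Method generateOCSPRequest = OCSPVerifier.class.getDeclaredMethod(
            "generateOCSPRequest", X509Certificate.class, BigInteger.class);
    generateOCSPRequest.setAccessible(true);
    return (OCSPReq) generateOCSPRequest.invoke(ocspVerifier, caCert, serialNumber);
}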