Example 1 with OCSPCache
use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache in project wso2-synapse by wso2.
the class OCSPVerifierTest method testOCSPVerifier.
/**
* A fake certificate signed by a fake CA is made as the revoked certificate. The created OCSP response to the
* OCSP request will say that that the fake peer certificate is revoked. the SingleResp derived from the OCSP
* response will be put the the cache against the serial number of the fake peer certificate. Since the SingleResp
* which corresponds to the revokedSerialNumber is in the cache, there will NOT be a call to a remote OCSP server.
* Note that the serviceUrl passed to cache.setCacheValue(..) is null since it is not needed.
*
* @throws Exception
*/
public void testOCSPVerifier() throws Exception {
// Add BouncyCastle as Security Provider.
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
Utils utils = new Utils();
// Create fake CA certificate.
KeyPair caKeyPair = utils.generateRSAKeyPair();
X509Certificate caCert = utils.generateFakeRootCert(caKeyPair);
// Create fake peer certificate signed by the fake CA private key. This will be a revoked certificate.
KeyPair peerKeyPair = utils.generateRSAKeyPair();
BigInteger revokedSerialNumber = BigInteger.valueOf(111);
X509Certificate revokedCertificate = generateFakePeerCert(revokedSerialNumber, peerKeyPair.getPublic(), caKeyPair.getPrivate(), caCert);
// Create OCSP request to check if certificate with "serialNumber == revokedSerialNumber" is revoked.
OCSPReq request = getOCSPRequest(caCert, revokedSerialNumber);
// Create OCSP response saying that certificate with given serialNumber is revoked.
// CertificateID revokedID = new CertificateID(CertificateID.HASH_SHA1, caCert, revokedSerialNumber);
byte[] issuerCertEnc = caCert.getEncoded();
X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
// CertID structure is used to uniquely identify certificates that are the subject of
// an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560
CertificateID revokedID = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, revokedSerialNumber);
OCSPResp response = generateOCSPResponse(request, certificateHolder, caKeyPair.getPrivate(), caKeyPair.getPublic(), revokedID);
SingleResp singleResp = ((BasicOCSPResp) response.getResponseObject()).getResponses()[0];
OCSPCache cache = OCSPCache.getCache();
cache.init(5, 5);
cache.setCacheValue(revokedSerialNumber, singleResp, request, null);
OCSPVerifier ocspVerifier = new OCSPVerifier(cache);
RevocationStatus status = ocspVerifier.checkRevocationStatus(revokedCertificate, caCert);
// the cache will have the SingleResponse derived from the OCSP response and it will be checked to see if the
// fake certificate is revoked. So the status should be REVOKED.
assertTrue(status == RevocationStatus.REVOKED);
}
Also used :
KeyPair(java.security.KeyPair)
OCSPCache(org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
X509Certificate(java.security.cert.X509Certificate)
OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
OCSPVerifier(org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier)
Example 2 with OCSPCache
use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache in project wso2-synapse by wso2.
the class RevocationVerificationManager method verifyRevocationStatus.
/**
* This method first tries to verify the given certificate chain using OCSP since OCSP verification is
* faster. If that fails it tries to do the verification using CRL.
* @param peerCertificates javax.security.cert.X509Certificate[] array of peer certificate chain from peer/client.
* @throws CertificateVerificationException
*/
public void verifyRevocationStatus(javax.security.cert.X509Certificate[] peerCertificates) throws CertificateVerificationException {
X509Certificate[] convertedCertificates = convert(peerCertificates);
long start = System.currentTimeMillis();
OCSPCache ocspCache = OCSPCache.getCache();
ocspCache.init(cacheSize, cacheDelayMins);
CRLCache crlCache = CRLCache.getCache();
crlCache.init(cacheSize, cacheDelayMins);
RevocationVerifier[] verifiers = { new OCSPVerifier(ocspCache), new CRLVerifier(crlCache) };
for (RevocationVerifier verifier : verifiers) {
try {
CertificatePathValidator pathValidator = new CertificatePathValidator(convertedCertificates, verifier);
pathValidator.validatePath();
log.info("Path verification Successful. Took " + (System.currentTimeMillis() - start) + " ms.");
return;
} catch (Exception e) {
log.info(verifier.getClass().getSimpleName() + " failed.");
log.debug("Certificate verification with " + verifier.getClass().getSimpleName() + " failed. ", e);
}
}
throw new CertificateVerificationException("Path Verification Failed for both OCSP and CRL");
}
Also used :
CertificatePathValidator(org.apache.synapse.transport.certificatevalidation.pathvalidation.CertificatePathValidator)
OCSPCache(org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache)
X509Certificate(java.security.cert.X509Certificate)
CRLCache(org.apache.synapse.transport.certificatevalidation.crl.CRLCache)
OCSPVerifier(org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier)
CRLVerifier(org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier)
Example 3 with OCSPCache
use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache in project wso2-synapse by wso2.
the class RevocationVerificationTest method ocspPathValidation.
private void ocspPathValidation(X509Certificate[] certChain) throws Exception {
OCSPCache ocspCache = OCSPCache.getCache();
ocspCache.init(5, 5);
RevocationVerifier verifier = new OCSPVerifier(ocspCache);
CertificatePathValidator pathValidator = new CertificatePathValidator(certChain, verifier);
pathValidator.validatePath();
}
Also used :
CertificatePathValidator(org.apache.synapse.transport.certificatevalidation.pathvalidation.CertificatePathValidator)
OCSPCache(org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache)
OCSPVerifier(org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier)
Aggregations
OCSPCache (org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache)3
OCSPVerifier (org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier)3
X509Certificate (java.security.cert.X509Certificate)2
CertificatePathValidator (org.apache.synapse.transport.certificatevalidation.pathvalidation.CertificatePathValidator)2
BigInteger (java.math.BigInteger)1
KeyPair (java.security.KeyPair)1
CRLCache (org.apache.synapse.transport.certificatevalidation.crl.CRLCache)1
CRLVerifier (org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier)1
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)1
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp)1
CertificateID (org.bouncycastle.cert.ocsp.CertificateID)1
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)1
OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)1
SingleResp (org.bouncycastle.cert.ocsp.SingleResp)1
DigestCalculatorProvider (org.bouncycastle.operator.DigestCalculatorProvider)1
JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)1
