
Example 1 with OCSPCache

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache in project wso2-synapse by wso2.

the class OCSPVerifierTest method testOCSPVerifier.

/**
 * Verifies that {@link OCSPVerifier} reports REVOKED purely from a cached {@link SingleResp}.
 *
 * <p>A throw-away CA key pair signs a throw-away peer certificate (serial 111). An OCSP request for that
 * serial is built, and an OCSP response stating the certificate is revoked is generated with the CA key.
 * The single response extracted from it is placed in the {@link OCSPCache} under the peer serial number, so
 * the verifier is answered from the cache and no remote OCSP responder is contacted. The serviceUrl argument
 * of {@code cache.setCacheValue(..)} is {@code null} because it is not needed on a cache hit.
 *
 * <p>NOTE(review): the cache entry is keyed by serial number alone; serial numbers are only unique per
 * issuer, so this test does not cover two issuers sharing a serial. Confirm the cache key against the
 * OCSPCache implementation.
 *
 * @throws Exception on any key generation, certificate building or OCSP response error
 */
public void testOCSPVerifier() throws Exception {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    Utils utils = new Utils();

    // Throw-away issuer.
    KeyPair issuerKeys = utils.generateRSAKeyPair();
    X509Certificate issuerCert = utils.generateFakeRootCert(issuerKeys);

    // Throw-away end-entity certificate issued by the fake CA; this is the one that will be reported revoked.
    KeyPair subjectKeys = utils.generateRSAKeyPair();
    BigInteger revokedSerial = BigInteger.valueOf(111);
    X509Certificate subjectCert =
            generateFakePeerCert(revokedSerial, subjectKeys.getPublic(), issuerKeys.getPrivate(), issuerCert);

    // Request asking the (never contacted) responder about revokedSerial.
    OCSPReq ocspRequest = getOCSPRequest(issuerCert, revokedSerial);

    // CertID (RFC 2560) identifying the subject by issuer hash + serial; SHA-1 digest computed via the BC provider.
    X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCert.getEncoded());
    DigestCalculatorProvider digests = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
    CertificateID revokedId =
            new CertificateID(digests.get(CertificateID.HASH_SHA1), issuerHolder, revokedSerial);

    // Response signed with the CA key declaring revokedId revoked; keep only its first SingleResp.
    OCSPResp ocspResponse =
            generateOCSPResponse(ocspRequest, issuerHolder, issuerKeys.getPrivate(), issuerKeys.getPublic(), revokedId);
    BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
    SingleResp cachedResponse = basicResponse.getResponses()[0];

    // Pre-seed the cache so the verifier is answered locally.
    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(5, 5);
    ocspCache.setCacheValue(revokedSerial, cachedResponse, ocspRequest, null);

    RevocationStatus status = new OCSPVerifier(ocspCache).checkRevocationStatus(subjectCert, issuerCert);
    // The cached SingleResp says revoked, so the verifier must report exactly that.
    assertTrue(status == RevocationStatus.REVOKED);
}

Example 2 with OCSPCache

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache in project wso2-synapse by wso2.

the class RevocationVerificationManager method verifyRevocationStatus.

/**
 * Checks the revocation status of a peer certificate chain, trying OCSP first and falling back to CRL.
 *
 * <p>OCSP is attempted first because it is the faster of the two. Each verifier is handed the chain via a
 * {@link CertificatePathValidator}; the first one whose {@code validatePath()} returns normally ends the
 * check. A verifier that throws is logged and the next one is tried.
 *
 * <p>NOTE(review): the catch below is {@code Exception}, so every failure of the OCSP path — including a
 * definitive result, if {@code validatePath()} signals "revoked" by throwing — falls through to CRL.
 * Confirm with CertificatePathValidator that a revoked verdict is not effectively retried via CRL.
 *
 * <p>NOTE(review): {@code OCSPCache.getCache()} / {@code CRLCache.getCache()} are {@code init}-ed again on
 * every call; whether that re-initialisation is idempotent is not visible here.
 *
 * @param peerCertificates chain received from the peer/client in the legacy
 *        {@code javax.security.cert.X509Certificate} form; converted to {@code java.security.cert} first.
 * @throws CertificateVerificationException if neither the OCSP nor the CRL verifier validates the path.
 */
public void verifyRevocationStatus(javax.security.cert.X509Certificate[] peerCertificates) throws CertificateVerificationException {
    X509Certificate[] chain = convert(peerCertificates);
    long startedAt = System.currentTimeMillis();

    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(cacheSize, cacheDelayMins);
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(cacheSize, cacheDelayMins);

    // Order matters: OCSP first, CRL only as the fallback.
    RevocationVerifier[] candidates = { new OCSPVerifier(ocspCache), new CRLVerifier(crlCache) };
    for (RevocationVerifier candidate : candidates) {
        String verifierName = candidate.getClass().getSimpleName();
        try {
            new CertificatePathValidator(chain, candidate).validatePath();
            log.info("Path verification Successful. Took " + (System.currentTimeMillis() - startedAt) + " ms.");
            return;
        } catch (Exception e) {
            // Best-effort fallback: record the failure and move on to the next verifier.
            log.info(verifierName + " failed.");
            log.debug("Certificate verification with " + verifierName + " failed. ", e);
        }
    }
    throw new CertificateVerificationException("Path Verification Failed for both OCSP and CRL");
}

Example 3 with OCSPCache

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache in project wso2-synapse by wso2.

the class RevocationVerificationTest method ocspPathValidation.

/**
 * Validates {@code certChain} with the OCSP verifier only, backed by a freshly initialised {@link OCSPCache}.
 *
 * @param certChain certificate chain to validate (ordering presumably leaf first — confirm against
 *        CertificatePathValidator).
 * @throws Exception if path validation fails.
 */
private void ocspPathValidation(X509Certificate[] certChain) throws Exception {
    OCSPCache cache = OCSPCache.getCache();
    cache.init(5, 5);
    RevocationVerifier ocspOnly = new OCSPVerifier(cache);
    new CertificatePathValidator(certChain, ocspOnly).validatePath();
}
