Examples with OCSPVerifier org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier used on opensource projects

Example 1 with OCSPVerifier

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier in project wso2-synapse by wso2.

the class OCSPVerifierTest method testOCSPVerifier.

/**
 * A fake certificate signed by a fake CA is made as the revoked certificate. The created OCSP response to the
 * OCSP request will say that that the fake peer certificate is revoked. the SingleResp derived from the OCSP
 * response will be put the the cache against the serial number of the fake peer certificate. Since the SingleResp
 * which corresponds to the revokedSerialNumber is in the cache, there will NOT be a call to a remote OCSP server.
 * Note that the serviceUrl passed to cache.setCacheValue(..) is null since it is not needed.
 *
 * @throws Exception
 */
public void testOCSPVerifier() throws Exception {
    // Add BouncyCastle as Security Provider.
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    Utils utils = new Utils();
    // Create fake CA certificate.
    KeyPair caKeyPair = utils.generateRSAKeyPair();
    X509Certificate caCert = utils.generateFakeRootCert(caKeyPair);
    // Create fake peer certificate signed by the fake CA private key. This will be a revoked certificate.
    KeyPair peerKeyPair = utils.generateRSAKeyPair();
    BigInteger revokedSerialNumber = BigInteger.valueOf(111);
    X509Certificate revokedCertificate = generateFakePeerCert(revokedSerialNumber, peerKeyPair.getPublic(), caKeyPair.getPrivate(), caCert);
    // Create OCSP request to check if certificate with "serialNumber == revokedSerialNumber" is revoked.
    OCSPReq request = getOCSPRequest(caCert, revokedSerialNumber);
    // Create OCSP response saying that certificate with given serialNumber is revoked.
    // CertificateID revokedID = new CertificateID(CertificateID.HASH_SHA1, caCert, revokedSerialNumber);
    byte[] issuerCertEnc = caCert.getEncoded();
    X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
    // CertID structure is used to uniquely identify certificates that are the subject of
    // an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560
    CertificateID revokedID = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, revokedSerialNumber);
    OCSPResp response = generateOCSPResponse(request, certificateHolder, caKeyPair.getPrivate(), caKeyPair.getPublic(), revokedID);
    SingleResp singleResp = ((BasicOCSPResp) response.getResponseObject()).getResponses()[0];
    OCSPCache cache = OCSPCache.getCache();
    cache.init(5, 5);
    cache.setCacheValue(revokedSerialNumber, singleResp, request, null);
    OCSPVerifier ocspVerifier = new OCSPVerifier(cache);
    RevocationStatus status = ocspVerifier.checkRevocationStatus(revokedCertificate, caCert);
    // the cache will have the SingleResponse derived from the OCSP response and it will be checked to see if the
    // fake certificate is revoked. So the status should be REVOKED.
    assertTrue(status == RevocationStatus.REVOKED);
}

Example 2 with OCSPVerifier

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier in project wso2-synapse by wso2.

the class RevocationVerificationManager method verifyRevocationStatus.

/**
 * This method first tries to verify the given certificate chain using OCSP since OCSP verification is
 * faster. If that fails it tries to do the verification using CRL.
 * @param peerCertificates  javax.security.cert.X509Certificate[] array of peer certificate chain from peer/client.
 * @throws CertificateVerificationException
 */
public void verifyRevocationStatus(javax.security.cert.X509Certificate[] peerCertificates) throws CertificateVerificationException {
    X509Certificate[] convertedCertificates = convert(peerCertificates);
    long start = System.currentTimeMillis();
    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(cacheSize, cacheDelayMins);
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(cacheSize, cacheDelayMins);
    RevocationVerifier[] verifiers = { new OCSPVerifier(ocspCache), new CRLVerifier(crlCache) };
    for (RevocationVerifier verifier : verifiers) {
        try {
            CertificatePathValidator pathValidator = new CertificatePathValidator(convertedCertificates, verifier);
            pathValidator.validatePath();
            log.info("Path verification Successful. Took " + (System.currentTimeMillis() - start) + " ms.");
            return;
        } catch (Exception e) {
            log.info(verifier.getClass().getSimpleName() + " failed.");
            log.debug("Certificate verification with " + verifier.getClass().getSimpleName() + " failed. ", e);
        }
    }
    throw new CertificateVerificationException("Path Verification Failed for both OCSP and CRL");
}

Example 3 with OCSPVerifier

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier in project wso2-synapse by wso2.

the class OCSPVerifierTest method getOCSPRequest.

/**
 * An OCSP request is made to be given to the fake CA. Reflection is used to call generateOCSPRequest(..) private
 * method in OCSPVerifier.
 *
 * @param caCert the fake CA certificate.
 * @param revokedSerialNumber the serial number of the certificate which needs to be checked if revoked.
 * @return the created OCSP request.
 * @throws Exception
 */
private OCSPReq getOCSPRequest(X509Certificate caCert, BigInteger revokedSerialNumber) throws Exception {
    OCSPVerifier ocspVerifier = new OCSPVerifier(null);
    Class ocspVerifierClass = ocspVerifier.getClass();
    Method generateOCSPRequest = ocspVerifierClass.getDeclaredMethod("generateOCSPRequest", X509Certificate.class, BigInteger.class);
    generateOCSPRequest.setAccessible(true);
    OCSPReq request = (OCSPReq) generateOCSPRequest.invoke(ocspVerifier, caCert, revokedSerialNumber);
    return request;
}

Example 4 with OCSPVerifier

use of org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier in project wso2-synapse by wso2.

the class RevocationVerificationTest method ocspPathValidation.

private void ocspPathValidation(X509Certificate[] certChain) throws Exception {
    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(5, 5);
    RevocationVerifier verifier = new OCSPVerifier(ocspCache);
    CertificatePathValidator pathValidator = new CertificatePathValidator(certChain, verifier);
    pathValidator.validatePath();
}