
Example 1 with BasicOCSPResponse

use of org.bouncycastle.asn1.ocsp.BasicOCSPResponse in project jruby-openssl by jruby.

In class OCSPBasicResponse, method findSignerCert:

/**
 * Locates the certificate that signed {@code basicResp} by matching its ResponderID.
 *
 * The caller-supplied {@code certificates} are searched first. If nothing matches and the
 * {@code OCSP_NOINTERN} flag is not set, the certificates embedded in the response itself
 * are searched as a fallback. This method only locates a candidate signer; it does not
 * itself establish that the candidate is trusted.
 *
 * @param context      the current Ruby thread context
 * @param basicResp    the BasicOCSPResponse whose responder is being looked up
 * @param certificates caller-supplied candidate signer certificates
 * @param flags        OCSP verification flags; {@code OCSP_NOINTERN} disables the fallback
 * @return the matching certificate, or {@code null} if none was found
 * @throws RaiseException (via {@code newOCSPError}) if an embedded certificate cannot be re-encoded
 */
private java.security.cert.Certificate findSignerCert(final ThreadContext context, BasicOCSPResponse basicResp, List<java.security.cert.Certificate> certificates, int flags) {
    final Ruby runtime = context.runtime;
    final ResponderID responderId = basicResp.getTbsResponseData().getResponderID();
    final java.security.cert.Certificate fromCaller = findSignerByRespId(context, certificates, responderId);
    if (fromCaller != null) {
        return fromCaller;
    }
    // OCSP_NOINTERN forbids looking at certificates carried inside the response
    final int noIntern = RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOINTERN));
    if ((flags & noIntern) != 0) {
        return null;
    }
    final List<X509AuxCertificate> embedded = new ArrayList<X509AuxCertificate>();
    for (X509CertificateHolder holder : getBasicOCSPResp().getCerts()) {
        try {
            embedded.add(X509Cert.wrap(context, holder.getEncoded()).getAuxCert());
        } catch (IOException e) {
            throw newOCSPError(runtime, e);
        }
    }
    return findSignerByRespId(context, embedded, responderId);
}

Example 2 with BasicOCSPResponse

use of org.bouncycastle.asn1.ocsp.BasicOCSPResponse in project nifi by apache.

In class OcspCertificateValidator, method getOcspStatus:

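/**
 * Gets the OCSP status for the specified subject and issuer certificates.
 *
 * <p>The status starts as {@code Unknown}/{@code Unknown} and is filled in stage by stage:
 * transport result, OCSP response status, presence of a {@link BasicOCSPResp} carrying exactly
 * one responder certificate, a request/response nonce match (when the responder echoes the
 * nonce), responder trust and signature verification, and finally the status of the single
 * response whose serial number matches the subject. Any failure logs a warning and returns the
 * status accumulated so far.
 *
 * <p>Callers must check the verification status before trusting the validation status: the
 * per-certificate status is recorded even when the response signature could not be verified
 * against a trusted responder certificate.
 *
 * @param ocspStatusKey status key holding the subject and issuer certificates
 * @return ocsp status, never {@code null}
 */
private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) {
    final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate();
    final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate();
    // initialize the default status
    final OcspStatus ocspStatus = new OcspStatus();
    ocspStatus.setVerificationStatus(VerificationStatus.Unknown);
    ocspStatus.setValidationStatus(ValidationStatus.Unknown);
    try {
        // prepare the request
        final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber();
        final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
        final CertificateID certificateId = new CertificateID(calculatorProviderBuilder.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber);
        // generate the request
        final OCSPReqBuilder requestGenerator = new OCSPReqBuilder();
        requestGenerator.addRequest(certificateId);
        // Create a nonce to bind the response to this request (RFC 6960 section 4.4.1). It must be
        // unpredictable: a clock-derived value can be guessed, so a replayed response carrying a
        // guessed nonce would pass the comparison below.
        final byte[] nonceBytes = new byte[16];
        new java.security.SecureRandom().nextBytes(nonceBytes);
        final DEROctetString nonce = new DEROctetString(nonceBytes);
        final Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonce);
        requestGenerator.setRequestExtensions(new Extensions(new Extension[] { ext }));
        final OCSPReq ocspRequest = requestGenerator.build();
        // perform the request
        final Response response = getClientResponse(ocspRequest);
        // ensure the request was completed successfully
        if (Response.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus()));
            return ocspStatus;
        }
        // interpret the response
        final OCSPResp ocspResponse = new OCSPResp(response.readEntity(InputStream.class));
        // record the response status and only proceed if it was successful
        ocspStatus.setResponseStatus(toResponseStatus(ocspResponse.getStatus()));
        if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).", ocspStatus.getResponseStatus().toString()));
            return ocspStatus;
        }
        // ensure the appropriate response object; getResponseObject() parses the payload, so call it once
        final Object ocspResponseObject = ocspResponse.getResponseObject();
        if (!(ocspResponseObject instanceof BasicOCSPResp)) {
            logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject));
            return ocspStatus;
        }
        final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponseObject;
        // A responder that echoes the nonce must echo ours; a different nonce means this response was
        // not produced for this request (possible replay). A missing nonce is tolerated because
        // responders are not required to echo it.
        final Extension responseNonce = basicOcspResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (responseNonce != null && !nonce.equals(responseNonce.getExtnValue())) {
            logger.warn("OCSP response nonce does not match the request nonce; ignoring response.");
            return ocspStatus;
        }
        // attempt to locate the responder certificate
        final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts();
        if (responderCertificates.length != 1) {
            logger.warn(String.format("Unexpected number of OCSP responder certificates: %s", responderCertificates.length));
            return ocspStatus;
        }
        // get the responder certificate and verify the response signature against it
        final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(responderCertificates[0], issuerCertificate);
        if (trustedResponderCertificate != null
                && basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(trustedResponderCertificate.getPublicKey()))) {
            ocspStatus.setVerificationStatus(VerificationStatus.Verified);
        } else {
            // either no trusted responder certificate, or the signature did not verify
            ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
        }
        // validate the response (recorded regardless of verification outcome; see class Javadoc)
        applyCertificateStatus(basicOcspResponse, subjectSerialNumber, ocspStatus);
    } catch (final OCSPException | IOException | ProcessingException | OperatorCreationException | CertificateException e) {
        // CertificateException (from issuerCertificate.getEncoded()) was previously only printed to stderr
        logger.error(e.getMessage(), e);
    }
    return ocspStatus;
}

/**
 * Maps a BouncyCastle OCSP response status code onto {@link OcspStatus.ResponseStatus}.
 *
 * @param status the value of {@code OCSPResp.getStatus()}
 * @return the corresponding response status, {@code Unknown} for any unrecognised code
 */
private static OcspStatus.ResponseStatus toResponseStatus(final int status) {
    switch (status) {
        case OCSPRespBuilder.SUCCESSFUL:
            return OcspStatus.ResponseStatus.Successful;
        case OCSPRespBuilder.INTERNAL_ERROR:
            return OcspStatus.ResponseStatus.InternalError;
        case OCSPRespBuilder.MALFORMED_REQUEST:
            return OcspStatus.ResponseStatus.MalformedRequest;
        case OCSPRespBuilder.SIG_REQUIRED:
            return OcspStatus.ResponseStatus.SignatureRequired;
        case OCSPRespBuilder.TRY_LATER:
            return OcspStatus.ResponseStatus.TryLater;
        case OCSPRespBuilder.UNAUTHORIZED:
            return OcspStatus.ResponseStatus.Unauthorized;
        default:
            return OcspStatus.ResponseStatus.Unknown;
    }
}

/**
 * Records the certificate status of every single response whose serial number matches the subject.
 *
 * @param basicOcspResponse   the parsed basic response
 * @param subjectSerialNumber serial number of the certificate being checked
 * @param ocspStatus          status object to update in place
 */
private static void applyCertificateStatus(final BasicOCSPResp basicOcspResponse, final BigInteger subjectSerialNumber, final OcspStatus ocspStatus) {
    for (SingleResp singleResponse : basicOcspResponse.getResponses()) {
        if (!subjectSerialNumber.equals(singleResponse.getCertID().getSerialNumber())) {
            continue;
        }
        final Object certStatus = singleResponse.getCertStatus();
        // CertificateStatus.GOOD is BouncyCastle's null sentinel for "good", hence the reference comparison
        if (CertificateStatus.GOOD == certStatus) {
            ocspStatus.setValidationStatus(ValidationStatus.Good);
        } else if (certStatus instanceof RevokedStatus) {
            ocspStatus.setValidationStatus(ValidationStatus.Revoked);
        } else {
            ocspStatus.setValidationStatus(ValidationStatus.Unknown);
        }
    }
}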

Example 3 with BasicOCSPResponse

use of org.bouncycastle.asn1.ocsp.BasicOCSPResponse in project signer by demoiselle.

In class RevocationValues, method getValue:

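/**
 * Builds the revocation-values unsigned attribute from the CRLs of every certificate in the
 * chain except the last one.
 *
 * <p>Only CRL values are emitted: no OCSP responses are collected, so the OCSP part of the
 * attribute is left out entirely.
 *
 * @return the CMS attribute holding a SET of one SEQUENCE of {@code CertificateList} values
 * @throws SignerException if no CRL could be found for the chain, or if fetching or encoding a
 *                         CRL fails
 */
@Override
public Attribute getValue() throws SignerException {
    try {
        final List<X509CRL> crlList = new ArrayList<X509CRL>();
        // the last chain entry is skipped; presumably the self-signed root, which has no issuer CRL — confirm
        final int chainSize = certificates.length - 1;
        for (int ix = 0; ix < chainSize; ix++) {
            final X509Certificate cert = (X509Certificate) certificates[ix];
            for (ICPBR_CRL icpCrl : crlRepository.getX509CRL(cert)) {
                crlList.add(icpCrl.getCRL());
            }
        }
        if (crlList.isEmpty()) {
            throw new SignerException(cadesMessagesBundle.getString("error.crl.list.empty"));
        }
        final List<CertificateList> crlVals = new ArrayList<CertificateList>(crlList.size());
        for (X509CRL crl : crlList) {
            crlVals.add(CertificateList.getInstance(crl.getEncoded()));
        }
        final CertificateList[] crlValuesArray = crlVals.toArray(new CertificateList[0]);
        return new Attribute(new ASN1ObjectIdentifier(identifier), new DERSet(new DERSequence(crlValuesArray)));
    } catch (SignerException e) {
        // already carries the localized message; do not re-wrap it and lose its stack trace
        throw e;
    } catch (Exception e) {
        // NOTE(review): the cause is dropped here; if SignerException offers a (message, cause)
        // constructor, pass e through so the underlying failure stays diagnosable.
        throw new SignerException(e.getMessage());
    }
}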
