Use of org.bouncycastle.asn1.ocsp.CertID in project jruby-openssl (by jruby).
Class OCSPRequest, method sign.
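/**
 * Signs this OCSP request with the signer's private key (Ruby: OpenSSL::OCSP::Request#sign).
 *
 * Accepts 2 to 5 arguments: signer certificate, signer key, optional array of additional
 * certificates to embed in the request, optional flags bitmask, optional digest.
 *
 * Two behaviours are aligned with Ruby's ossl_ocsp.c compared to the previous version:
 * <ul>
 *   <li>a caller-supplied flags value is OR-ed with OCSP_NOCERTS when no certificate array is
 *       given, instead of overwriting (and losing) the auto-set bit;</li>
 *   <li>OCSP_NOCERTS is tested as a bit of the mask, not by equality, so a combined flags
 *       value that includes NOCERTS still suppresses certificate embedding.</li>
 * </ul>
 *
 * @return self, with the signed request stored in {@code asn1bcReq}
 * @throws OCSP::OCSPError if the signer cannot be built, a certificate cannot be encoded,
 *         or the request fails to build
 */
@JRubyMethod(name = "sign", rest = true)
public IRubyObject sign(final ThreadContext context, IRubyObject[] args) {
    final Ruby runtime = context.runtime;
    final int nocertsFlag = RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCERTS));

    IRubyObject additionalCerts = context.nil;
    IRubyObject flags = context.nil;
    IRubyObject digest = context.nil;
    final int argc = Arity.checkArgumentCount(runtime, args, 2, 5);
    if (argc >= 3) additionalCerts = args[2];
    if (argc >= 4) flags = args[3];
    if (argc >= 5) digest = args[4];

    if (!(args[0] instanceof X509Cert)) {
        throw runtime.newTypeError(args[0], "OpenSSL::X509::Certificate");
    }
    if (!(args[1] instanceof PKey)) {
        throw runtime.newTypeError(args[1], "OpenSSL::PKey::PKey");
    }
    final X509Cert signer = (X509Cert) args[0];
    final PKey signerKey = (PKey) args[1];

    // NOTE(review): SHA-1 stays the default only because Ruby's OpenSSL binding defaults to
    // EVP_sha1(); callers should pass an explicit SHA-256 (or stronger) digest.
    if (digest.isNil()) {
        digest = new Digest(runtime, _Digest(runtime))
                .initialize(context, new IRubyObject[] { RubyString.newString(runtime, "SHA1") });
    }

    // Same ordering as ossl_ocsp.c: start from the caller's flags, then force NOCERTS when
    // no certificate array was supplied.
    int flag = flags.isNil() ? 0 : RubyFixnum.fix2int(flags);
    if (additionalCerts.isNil()) {
        flag |= nocertsFlag;
    }

    final String keyAlg = signerKey.getAlgorithm();
    final String digAlg = ((Digest) digest).getShortAlgorithm();
    final ContentSigner contentSigner;
    try {
        contentSigner = new JcaContentSignerBuilder(digAlg + "with" + keyAlg)
                .setProvider("BC")
                .build(signerKey.getPrivateKey());
    } catch (OperatorCreationException e) {
        throw newOCSPError(runtime, e);
    }

    final OCSPReqBuilder builder = new OCSPReqBuilder();
    builder.setRequestorName(signer.getSubject().getX500Name());
    for (OCSPCertificateId certId : certificateIds) {
        builder.addRequest(new CertificateID(certId.getCertID()));
    }

    // Embed the signer certificate plus any extras unless NOCERTS is set in the mask.
    final List<X509CertificateHolder> certChain = new ArrayList<X509CertificateHolder>();
    if ((flag & nocertsFlag) == 0) {
        try {
            certChain.add(new X509CertificateHolder(signer.getAuxCert().getEncoded()));
            if (!additionalCerts.isNil()) {
                // NOTE(review): relies on RubyArray's iterator handing back elements as
                // java.security.cert.Certificate; an element that does not convert surfaces
                // as OCSPError via the catch below — confirm against X509Cert#toJava.
                Iterator<java.security.cert.Certificate> certIt = ((RubyArray) additionalCerts).iterator();
                while (certIt.hasNext()) {
                    certChain.add(new X509CertificateHolder(certIt.next().getEncoded()));
                }
            }
        } catch (Exception e) {
            throw newOCSPError(runtime, e);
        }
    }
    final X509CertificateHolder[] chain = certChain.toArray(new X509CertificateHolder[certChain.size()]);

    try {
        asn1bcReq = org.bouncycastle.asn1.ocsp.OCSPRequest.getInstance(
                builder.build(contentSigner, chain).getEncoded());
    } catch (Exception e) {
        throw newOCSPError(runtime, e);
    }
    // Re-attach the nonce extension (if one was set) to the freshly built request.
    if (nonce != null) {
        addNonceImpl();
    }
    return this;
}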
Use of org.bouncycastle.asn1.ocsp.CertID in project keycloak (by keycloak).
Class OcspHandler, method handleRequest.
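/** Upper bound on the DER-encoded request we are willing to buffer; anything larger is answered as malformed. */
private static final int MAX_OCSP_REQUEST_BYTES = 16384;

/**
 * Answers an OCSP request with a signed BasicOCSPResponse.
 *
 * Changes from the previous version: the request body is read to EOF (a single
 * {@code read()} could return a partial buffer and silently truncated anything over 16 KiB),
 * and an unparseable or oversized body is answered with the RFC 6960 {@code malformedRequest}
 * status instead of propagating an exception to the container.
 *
 * @param exchange the Undertow exchange; the handler re-dispatches itself off the I/O thread
 *                 because it performs blocking reads
 * @throws Exception if signing or encoding the response fails
 */
@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
    if (exchange.isInIoThread()) {
        exchange.dispatch(this);
        return;
    }

    final OCSPReq request;
    try (InputStream requestStream = exchange.getInputStream()) {
        request = new OCSPReq(readBounded(requestStream, MAX_OCSP_REQUEST_BYTES));
    } catch (java.io.IOException | IllegalArgumentException ignored) {
        // The OCSP status code carries the outcome; there is no logger in scope here.
        sendResponse(exchange, new OCSPRespBuilder().build(OCSPResp.MALFORMED_REQUEST, null));
        return;
    }

    final Req[] requested = request.getRequestList();
    final Extension nonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);

    final DigestCalculator sha1Calculator = new JcaDigestCalculatorProviderBuilder().build()
            .get(AlgorithmIdentifier.getInstance(RespID.HASH_SHA1));
    final BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(subjectPublicKeyInfo, sha1Calculator);
    // Echo the client's nonce so it can bind this response to its request (RFC 6960 §4.4.1).
    if (nonce != null) {
        responseBuilder.setResponseExtensions(new Extensions(nonce));
    }

    for (final Req req : requested) {
        final CertificateID certId = req.getCertID();
        // NOTE(review): the status lookup is keyed on serial number only; the issuer name/key
        // hashes carried in certId are not checked, so this responder vouches for a given
        // serial under any issuer. Fine for a single-CA test responder, not for production.
        // A null value from the map is reported as GOOD by BasicOCSPRespBuilder.
        responseBuilder.addResponse(certId, REVOKED_CERTIFICATES_STATUS.get(certId.getSerialNumber()));
    }

    final ContentSigner contentSigner = new BcRSAContentSignerBuilder(
            new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption),
            new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)).build(privateKey);
    sendResponse(exchange, new OCSPRespBuilder().build(OCSPResp.SUCCESSFUL,
            responseBuilder.build(contentSigner, chain, new Date())));
}

/**
 * Reads {@code in} to EOF into a byte array.
 *
 * @throws java.io.IOException on a read failure, or if more than {@code limit} bytes arrive
 */
private static byte[] readBounded(final InputStream in, final int limit) throws java.io.IOException {
    final java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
    final byte[] chunk = new byte[4096];
    int n;
    while ((n = in.read(chunk)) != -1) {
        if (out.size() + n > limit) {
            throw new java.io.IOException("OCSP request exceeds " + limit + " bytes");
        }
        out.write(chunk, 0, n);
    }
    return out.toByteArray();
}

/** Writes a DER-encoded OCSP response with the OCSP media type and completes the exchange. */
private static void sendResponse(final HttpServerExchange exchange, final OCSPResp response) throws java.io.IOException {
    final byte[] responseBytes = response.getEncoded();
    final HeaderMap responseHeaders = exchange.getResponseHeaders();
    responseHeaders.put(Headers.CONTENT_TYPE, "application/ocsp-response");
    final Sender responseSender = exchange.getResponseSender();
    responseSender.send(ByteBuffer.wrap(responseBytes));
    exchange.endExchange();
}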
Use of org.bouncycastle.asn1.ocsp.CertID in project wso2-synapse (by wso2).
Class OCSPVerifierTest, method generateOCSPResponse.
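/**
 * Builds the fake CA's OCSP response to {@code request}. Every requested certificate ID that
 * equals {@code revokedID} is reported as revoked (reason privilegeWithdrawn, revoked now,
 * nextUpdate = now + {@code TestConstants.NEXT_UPDATE_PERIOD}); every other ID is GOOD.
 *
 * The request's nonce extension, if present, is copied into the response so the verifier
 * under test can bind the response to its request. The previous version looked up
 * {@code id_pkix_ocsp} (the OCSP arc itself) instead of {@code id_pkix_ocsp_nonce}, so the
 * nonce was never echoed and any nonce check in the verifier was never exercised.
 *
 * The response is signed with SHA1withRSA; acceptable in a test fixture, not to be copied
 * into a production responder.
 *
 * @param request the OCSP request which asks if the certificate is revoked.
 * @param certificateHolder the fake CA certificate; used as responder ID and as the sole chain element.
 * @param caPrivateKey privateKey of the fake CA.
 * @param caPublicKey publicKey of the fake CA (not referenced here; kept for the callers' signature).
 * @param revokedID the ID at fake CA which is checked against the certificateId in the request.
 * @return the created OCSP response by the fake CA.
 * @throws NoSuchProviderException if the "BC" provider is unavailable
 * @throws OCSPException if the response cannot be built
 * @throws OperatorCreationException if the content signer cannot be created
 */
private OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder, PrivateKey caPrivateKey, PublicKey caPublicKey, CertificateID revokedID) throws NoSuchProviderException, OCSPException, OperatorCreationException {
    BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));

    // Echo the nonce (RFC 6960 §4.4.1); the extension OID is the nonce child, not the OCSP arc.
    Extension nonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (nonce != null) {
        basicOCSPRespBuilder.setResponseExtensions(new Extensions(nonce));
    }

    Date now = new Date();
    for (Req req : request.getRequestList()) {
        CertificateID certID = req.getCertID();
        if (certID.equals(revokedID)) {
            RevokedStatus revokedStatus = new RevokedStatus(now, CRLReason.privilegeWithdrawn);
            Date nextUpdate = new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD);
            basicOCSPRespBuilder.addResponse(certID, revokedStatus, nextUpdate, (Extensions) null);
        } else {
            basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD);
        }
    }

    X509CertificateHolder[] chain = { certificateHolder };
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(caPrivateKey);
    BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, now);
    return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}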