
Example 11 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project X-Road by nordic-institute.

Class CertHelper, method getOcspResponseForCert.

/**
 * Finds the OCSP response from a list of OCSP responses
 * for a given certificate.
 * @param cert the certificate
 * @param issuer the issuer of the certificate
 * @param ocspResponses list of OCSP responses
 * @return the OCSP response or null if not found
 * @throws Exception if an error occurs
 */
public static OCSPResp getOcspResponseForCert(X509Certificate cert, X509Certificate issuer, List<OCSPResp> ocspResponses) throws Exception {
    // CertID = hash of issuer name + hash of issuer public key + serial number. equals() only matches when the
    // responder used the same hash algorithm as createCertId(), so the two sides must agree on it.
    CertificateID certId = CryptoUtils.createCertId(cert, issuer);
    for (OCSPResp resp : ocspResponses) {
        // getResponseObject() returns null when the response status is not SUCCESSFUL (no response bytes);
        // skip such entries instead of failing on the cast.
        Object responseObject = resp.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            continue;
        }
        BasicOCSPResp basicResp = (BasicOCSPResp) responseObject;
        // A response may carry several SingleResp entries; match against all of them, not only the first.
        for (SingleResp singleResp : basicResp.getResponses()) {
            if (certId.equals(singleResp.getCertID())) {
                return resp;
            }
        }
    }
    return null;
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID), BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp), SingleResp(org.bouncycastle.cert.ocsp.SingleResp), OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)

Example 12 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project eblocker by eblocker.

Class OcspCache, method createOcspRequest.

private OCSPReq createOcspRequest(X509Certificate issuerCertificate, BigInteger serialNumber) throws OcspException {
    try {
        // The CertID is built from the issuer certificate (name and key hashes) plus the serial number of the
        // certificate being checked. HASH_SHA1 selects the CertID hash algorithm that responders conventionally
        // expect; it is an identifier here, not a signature.
        X509CertificateHolder holder = new X509CertificateHolder(issuerCertificate.getEncoded());
        CertificateID id = new CertificateID(digestCalculatorProvider.get(CertificateID.HASH_SHA1), holder, serialNumber);
        // Single-request OCSP message. No nonce extension is added, so the response cannot be bound to this
        // particular request; freshness then rests on thisUpdate/nextUpdate in the response.
        return new OCSPReqBuilder().addRequest(id).build();
    } catch (CertificateEncodingException | OperatorCreationException | IOException | OCSPException e) {
        throw new OcspException("creating ocsp request failed: ", e);
    }
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)

Example 13 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.

Class OCSPVerifier, method generateOCSPRequest.

/**
 * This method generates an OCSP request to be sent to an OCSP authority access endpoint.
 *
 * @param issuerCert the issuer's certificate of the peer certificate we are interested in.
 * @param serialNumber serial number of the peer certificate.
 * @return generated OCSP request.
 * @throws CertificateVerificationException if any error occurs while generating the OCSP request.
 */
public static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws CertificateVerificationException {
    // Register Bouncy Castle programmatically so the caller need not configure java.security. addProvider()
    // returns -1 and does nothing if the provider is already installed; it stays registered for the JVM lifetime.
    Security.addProvider(new BouncyCastleProvider());
    try {
        byte[] issuerCertEnc = issuerCert.getEncoded();
        X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
        DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
        // The CertID structure (ASN.1, defined in RFC 6960, which obsoletes RFC 2560) uniquely identifies the
        // certificate an OCSP request or response refers to: hash of the issuer name, hash of the issuer public
        // key, and the certificate serial number.
        CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, serialNumber);
        // Basic request generation with nonce.
        OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(id);
        // The nonce extension binds a request to its response so that a captured or cached response for the same
        // certificate cannot be replayed. To serve that purpose the value must be unpredictable and used only
        // once, so it is drawn from SecureRandom; a millisecond timestamp is guessable and repeats within a burst.
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        // Non-critical extension carrying the nonce as a DER OCTET STRING.
        builder.setRequestExtensions(new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce))));
        return builder.build();
    } catch (OCSPException | OperatorCreationException | IOException | CertificateEncodingException e) {
        throw new CertificateVerificationException("Cannot generate OCSP Request with the given certificate", e);
    }
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) DEROctetString(org.bouncycastle.asn1.DEROctetString) Extension(org.bouncycastle.asn1.x509.Extension) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) CertificateVerificationException(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.CertificateVerificationException) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 14 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.

Class Utils, method generateOCSPResponse.

/**
 * This method creates the OCSP response for the OCSP request. Here we are providing a non-revoked certificate,
 * so the OCSP response will say that the certificate is GOOD.
 *
 * @param request OCSP request which asks if the certificate is revoked.
 * @param certificateHolder certificate of the fake CA; it signs the response and supplies the responder ID.
 * @param caPrivateKey private key of the fake CA.
 * @return OCSP response created by the fake CA.
 * @throws OCSPException if an error occurs when generating the OCSP response.
 * @throws OperatorCreationException if an error occurs when creating the Bouncy Castle operator.
 */
private static OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder, PrivateKey caPrivateKey) throws OCSPException, OperatorCreationException {
    BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
    // Echo the client's nonce so the client can bind this response to its request. The extension has to be looked
    // up by the nonce OID (id_pkix_ocsp_nonce, 1.3.6.1.5.5.7.48.1.2); the parent arc id_pkix_ocsp
    // (1.3.6.1.5.5.7.48.1) never appears as an extension, so looking that up would silently drop the nonce.
    Extension extension = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (extension != null) {
        basicOCSPRespBuilder.setResponseExtensions(new Extensions(extension));
    }
    Req[] requests = request.getRequestList();
    for (Req req : requests) {
        CertificateID certID = req.getCertID();
        // Every requested certificate is reported GOOD (CertificateStatus.GOOD is Bouncy Castle's null marker for "good").
        Date thisUpdate = new Date();
        Date nextUpdate = new Date(thisUpdate.getTime() + TestConstants.NEXT_UPDATE_PERIOD);
        basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD, thisUpdate, nextUpdate);
    }
    X509CertificateHolder[] chain = { certificateHolder };
    // SHA-256 rather than SHA-1: SHA-1 signatures are deprecated and rejected by some verifiers.
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(BOUNCY_CASTLE_PROVIDER).build(caPrivateKey);
    BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, new Date());
    OCSPRespBuilder builder = new OCSPRespBuilder();
    return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}
Also used : BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder), OCSPRespBuilder(org.bouncycastle.cert.ocsp.OCSPRespBuilder), CertificateID(org.bouncycastle.cert.ocsp.CertificateID), JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder), ContentSigner(org.bouncycastle.operator.ContentSigner), Extensions(org.bouncycastle.asn1.x509.Extensions), Date(java.util.Date), Extension(org.bouncycastle.asn1.x509.Extension), JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder), X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder), BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp), RespID(org.bouncycastle.cert.ocsp.RespID), ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier), Req(org.bouncycastle.cert.ocsp.Req), OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)

Example 15 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.

Class OCSPVerifierTest, method generateOCSPResponse.

/**
 * This builds the OCSP response corresponding to the OCSP request sent to the fake CA. If the request
 * carries a CertificateID that the CA has marked as revoked, the OCSP response will say that the certificate
 * referred to by the request is revoked; every other certificate is reported GOOD.
 *
 * @param request OCSP request which asks if the certificate is revoked.
 * @param certificateHolder certificate of the fake CA; it signs the response and supplies the responder ID.
 * @param caPrivateKey private key of the fake CA.
 * @param revokedID ID in the fake CA which is checked against the CertificateID in the request.
 * @return OCSP response created by the fake CA.
 * @throws NoSuchProviderException if the configured security provider is not available.
 * @throws OCSPException if an error occurs when generating the OCSP response.
 * @throws OperatorCreationException if an error occurs when creating the Bouncy Castle operator.
 */
public OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder, PrivateKey caPrivateKey, CertificateID revokedID) throws NoSuchProviderException, OCSPException, OperatorCreationException {
    BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
    // Echo the client's nonce so the client can bind this response to its request. Look it up by the nonce OID
    // (id_pkix_ocsp_nonce, 1.3.6.1.5.5.7.48.1.2); the parent arc id_pkix_ocsp (1.3.6.1.5.5.7.48.1) is never
    // present as an extension, so looking that up would silently drop the nonce.
    Extension extension = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (extension != null) {
        basicOCSPRespBuilder.setResponseExtensions(new Extensions(extension));
    }
    Req[] requests = request.getRequestList();
    for (Req req : requests) {
        CertificateID certID = req.getCertID();
        if (certID.equals(revokedID)) {
            // Revoked now, with a reason code; thisUpdate/nextUpdate bound the validity window of this status.
            RevokedStatus revokedStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);
            Date thisUpdate = new Date();
            Date nextUpdate = new Date(thisUpdate.getTime() + TestConstants.NEXT_UPDATE_PERIOD);
            basicOCSPRespBuilder.addResponse(certID, revokedStatus, thisUpdate, nextUpdate);
        } else {
            // GOOD without an explicit nextUpdate: the responder gives no bound on how long this answer stays valid.
            basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD);
        }
    }
    X509CertificateHolder[] chain = { certificateHolder };
    // SHA-256 rather than SHA-1: SHA-1 signatures are deprecated and rejected by some verifiers.
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build(caPrivateKey);
    BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, new Date());
    OCSPRespBuilder builder = new OCSPRespBuilder();
    return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}
Also used : BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder), OCSPRespBuilder(org.bouncycastle.cert.ocsp.OCSPRespBuilder), CertificateID(org.bouncycastle.cert.ocsp.CertificateID), JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder), ContentSigner(org.bouncycastle.operator.ContentSigner), Extensions(org.bouncycastle.asn1.x509.Extensions), Date(java.util.Date), Extension(org.bouncycastle.asn1.x509.Extension), RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus), X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder), BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp), RespID(org.bouncycastle.cert.ocsp.RespID), ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier), Req(org.bouncycastle.cert.ocsp.Req), OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)

Aggregations

Classes used together with CertificateID, with the number of examples each appears in:

CertificateID (org.bouncycastle.cert.ocsp.CertificateID) 45
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder) 23
OCSPReqBuilder (org.bouncycastle.cert.ocsp.OCSPReqBuilder) 21
Extension (org.bouncycastle.asn1.x509.Extension) 20
IOException (java.io.IOException) 19
Extensions (org.bouncycastle.asn1.x509.Extensions) 17
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp) 17
SingleResp (org.bouncycastle.cert.ocsp.SingleResp) 16
BigInteger (java.math.BigInteger) 15
X509Certificate (java.security.cert.X509Certificate) 15
JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) 15
DEROctetString (org.bouncycastle.asn1.DEROctetString) 13
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq) 13
DigestCalculator (org.bouncycastle.operator.DigestCalculator) 13
Date (java.util.Date) 12
OCSPException (org.bouncycastle.cert.ocsp.OCSPException) 12
OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp) 12
JcaX509CertificateHolder (org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) 11
OperatorCreationException (org.bouncycastle.operator.OperatorCreationException) 11
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier) 9